[LARTC] iptables + tc + squid in one box..

2009-06-08 Thread Denny Zulfikar
hello all,

I got a little stuck with my configuration:

I have a network like this:
ADSL---(ppp0 on eth0 : pppoe)--- [Linux BOX : squid+LAN portal+samba ] --- LAN

ADSL link down/up = 256kbps/64kbps
ADSL ppp0/eth0 = public IP
eth1 = 172.16.1.1/24
LAN = 172.16.1.0/24

On the Linux box I run a Squid transparent proxy on port 8080, a web server, and
Samba file sharing.

I already masquerade all traffic on ppp0 using:
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

Proxy redirection succeeds with this command:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

I limit bandwidth for each client (one by one) with this script:
#!/bin/sh
# Shaping on eth1 = traffic toward the LAN (download direction).
tc qdisc del dev eth1 root 2>/dev/null
# The default class id was missing from the posted text; 500 is used here.
tc qdisc add dev eth1 root handle 1: htb default 500
tc class add dev eth1 parent 1:0 classid 1:10 htb rate 100Mbit

RATE=92kbit

# One HTB class with an SFQ leaf per client, matched on destination address.
tc class add dev eth1 parent 1:10 classid 1:100 htb rate $RATE
tc qdisc add dev eth1 parent 1:100 sfq quantum 1514b perturb 15
tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip dst 172.16.1.2/32 flowid 1:100

tc class add dev eth1 parent 1:10 classid 1:200 htb rate $RATE
tc qdisc add dev eth1 parent 1:200 sfq quantum 1514b perturb 15
tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip dst 172.16.1.3/32 flowid 1:200

tc class add dev eth1 parent 1:10 classid 1:300 htb rate $RATE
tc qdisc add dev eth1 parent 1:300 sfq quantum 1514b perturb 15
tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip dst 172.16.1.4/32 flowid 1:300

tc class add dev eth1 parent 1:10 classid 1:400 htb rate $RATE
tc qdisc add dev eth1 parent 1:400 sfq quantum 1514b perturb 15
tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip dst 172.16.1.5/32 flowid 1:400

# Everything not matched by a filter above lands in the default class.
tc class add dev eth1 parent 1:10 classid 1:500 htb rate 8Kbit


This is my problem:
1. How do I make the total down/up bandwidth for clients only 48kbps/240kbps, with
these classes:
 - DNS, ssh and telnet, messenger (YM, MSN) - 1st priority - 30% of
48kbps/240kbps
 - http/https - 2nd priority - 50% of 48kbps/240kbps
 - others (online games, etc.) - 20%.
2. How do I make each class above shared fairly among all clients, and all classes
able to share with each other if there is any unused bandwidth, so that no one can
use the full bandwidth when other clients are online, but can use all
48kbps/240kbps if only he is online at that time?
3. How do I make all clients able to access the router's 172.16.1.1 services
without queuing in the classes above, so all clients can reach router
services (internal portal, Samba file sharing) without any traffic limit (at
full speed ~ 100Mbps)?
4. How do I make all clients able to access cache that already exists in the proxy
without limit?

I would be very grateful if you could give me any suggestions to solve this
problem...

regards,
denny
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
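The four questions above describe one HTB layout: a priority tree under a single Internet budget, borrowing between classes, and a bypass for traffic the router serves itself. The script below is an added example written for this thread, not code from the original post. It assumes eth1 faces the LAN (router 172.16.1.1) and ppp0 faces the ADSL; that Squid on port 8080 is configured to tag cache hits with TOS 0x30 (Squid 2.7 `zph_mode tos` with `zph_local 0x30`, Squid 3.x `qos_flows local-hit=0x30`), which is how cache hits can be told apart from misses that also leave the router from the same address; that YM is TCP 5050 and MSN TCP 1863; and it reads the requested budget as 240 kbit toward the LAN and 48 kbit toward the ADSL, matching the 256/64 link. Without `--apply` it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: eth1 faces the LAN
# (172.16.1.0/24, router 172.16.1.1), ppp0 faces the ADSL, Squid listens on
# 8080 and tags cache hits with TOS 0x30 (Squid 2.7 "zph_mode tos" plus
# "zph_local 0x30"; Squid 3.x "qos_flows local-hit=0x30"). YM is taken as
# TCP 5050 and MSN as TCP 1863. The budget is read as 240 kbit toward the
# LAN and 48 kbit toward the ADSL. Without --apply it only prints commands.
set -eu

LAN_IF=eth1; LAN_RATE=240      # kbit, download direction (eth1 egress)
WAN_IF=ppp0; WAN_RATE=48       # kbit, upload direction (ppp0 egress)
ROUTER=172.16.1.1
PROXY_PORT=8080
HIT_TOS=0x30

APPLY=""; case "${1:-}" in --apply) APPLY=1 ;; esac
run() { if [ -n "$APPLY" ]; then "$@"; else echo "$*"; fi; }

# HTB tree for one interface: 1:1 is an unshaped class for the router's own
# services and cache hits (questions 3 and 4); 1:2 holds the Internet budget
# and three priority leaves that may each borrow up to the whole budget when
# the others are idle (questions 1 and 2). Class ids are hex, fw handles are
# the decimal marks set by iptables below; flowid ties the two together.
build_tree() {   # $1 = device, $2 = total kbit
    dev=$1; total=$2
    run tc qdisc del dev "$dev" root 2>/dev/null || true
    run tc qdisc add dev "$dev" root handle 1: htb default 30
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate 100mbit
    run tc class add dev "$dev" parent 1: classid 1:2 htb rate "${total}kbit" ceil "${total}kbit"
    for leaf in "10 0 30" "20 1 50" "30 2 20"; do   # minor id, prio, share %
        set -- $leaf
        rate=$(( total * $3 / 100 ))
        run tc class add dev "$dev" parent 1:2 classid "1:$1" htb \
            rate "${rate}kbit" ceil "${total}kbit" prio "$2"
        run tc qdisc add dev "$dev" parent "1:$1" sfq perturb 10
        run tc filter add dev "$dev" parent 1: protocol ip prio 1 handle "$1" fw flowid "1:$1"
    done
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 handle 1 fw flowid 1:1
}

mark() { run iptables -t mangle -A "$chain" "$@"; }

# Mark packets leaving $1 in a per-interface mangle chain. $2 is "sport" on
# the LAN side (downstream packets carry the remote service in their source
# port) or "dport" on the ADSL side.
classify() {   # $1 = device, $2 = sport|dport
    dev=$1; side=$2; chain="SHAPE_$dev"
    run iptables -t mangle -N "$chain" 2>/dev/null || true
    run iptables -t mangle -F "$chain"
    run iptables -t mangle -D POSTROUTING -o "$dev" -j "$chain" 2>/dev/null || true
    run iptables -t mangle -A POSTROUTING -o "$dev" -j "$chain"
    if [ "$side" = sport ]; then
        # Squid cache hits (TOS set by Squid itself) bypass the Internet budget
        mark -m tos --tos "$HIT_TOS" -j MARK --set-mark 1
        # the router's own services (portal, samba), but not Squid misses
        mark -s "$ROUTER" -p tcp ! --sport "$PROXY_PORT" -j MARK --set-mark 1
        mark -s "$ROUTER" ! -p tcp -j MARK --set-mark 1
    fi
    # priority classes; each rule only touches still-unmarked packets
    mark -m mark --mark 0 -p udp "--$side" 53 -j MARK --set-mark 10
    mark -m mark --mark 0 -p tcp -m multiport "--${side}s" 22,23,5050,1863 -j MARK --set-mark 10
    mark -m mark --mark 0 -p tcp -m multiport "--${side}s" "80,443,$PROXY_PORT" -j MARK --set-mark 20
    # everything else keeps mark 0 and falls into the htb default class 1:30
}

build_tree "$LAN_IF" "$LAN_RATE"; classify "$LAN_IF" sport
build_tree "$WAN_IF" "$WAN_RATE"; classify "$WAN_IF" dport
```

Two caveats. SFQ shares a leaf per flow, not per host, so a client that opens many connections still gets a larger slice of that class; for strict per-client fairness keep a child class per client under each leaf, as the posted script does, at the cost of more classes. And the bypass for router services relies on the source address plus port; a client that spoofs 172.16.1.1 on the LAN cannot abuse it, because the mark is set on the egress side of eth1 for packets the router itself originates, but anything else the router serves from port 8080 (a miss) is shaped like ordinary web traffic, which is what question 4 asks for.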


[LARTC] one server with 4 port ethernet interfaces to four clients.

2007-09-10 Thread Denny Zulfikar
Dear all,

I have a server with 4 Ethernet port interfaces. I also have four clients
that will be connected directly (cross-over cable), one to each Ethernet port
interface of my server.

|--SERVER--\
|   eth0-- -- client A
|   eth1-- -- client B
|   eth2-- -- client C
|   eth3-- -- client D
|--/


I want all the IP addresses of my server's Ethernet ports set to the same IP (e.g.
172.16.1.1).
IP client A : 172.16.1.11
IP client B : 172.16.1.12
IP client C : 172.16.1.13
IP client D : 172.16.1.14


How do I make that configuration work?


Thanks for your response.

Best regards,
Denny Zulfikar
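One way to do what the post asks, as an added example that is not part of the original message: give the server 172.16.1.1 as a /32 on every port and a host route per client on the port it is cabled to. Each client still uses 172.16.1.0/24 and ARPs for .1 on its own wire, which that port answers, while the four links remain separate segments, so the clients cannot see or spoof each other's traffic. Interface names and client addresses are the ones from the post; the `ALLOW_CROSS` switch is this example's own addition. Without `--apply` it only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original post. The server keeps 172.16.1.1 as a
# /32 on every port and learns each client through a host route on the port
# it is cabled to, so the four links stay separate L2 segments. Interface
# names and client addresses are from the post. Without --apply it only
# prints the commands it would run.
set -eu
SERVER_IP=172.16.1.1
PORTS="eth0:172.16.1.11 eth1:172.16.1.12 eth2:172.16.1.13 eth3:172.16.1.14"
ALLOW_CROSS=${ALLOW_CROSS:-}   # set to 1 only if clients must reach each other
APPLY=""; case "${1:-}" in --apply) APPLY=1 ;; esac
run() { if [ -n "$APPLY" ]; then "$@"; else echo "$*"; fi; }

configure_ports() {
    for pair in $PORTS; do
        dev=${pair%%:*}; client=${pair#*:}
        run ip link set dev "$dev" up
        # the same address on every port is fine as a /32: no on-link subnet is
        # claimed, so the kernel does not see four overlapping 172.16.1.0/24s
        run ip addr add "$SERVER_IP/32" dev "$dev"
        # the client (172.16.1.1x/24) ARPs for .1 on its own wire and this port
        # answers; the host route tells the kernel which port the client is on
        run ip route add "$client/32" dev "$dev"
        if [ -n "$ALLOW_CROSS" ]; then
            # answer ARP for the other clients so client-to-client traffic is
            # routed through the server instead of being dropped
            run sysctl -w "net.ipv4.conf.$dev.proxy_arp=1"
        fi
    done
    if [ -n "$ALLOW_CROSS" ]; then
        run sysctl -w net.ipv4.ip_forward=1
    fi
}
configure_ports
```

Bridging the four ports into one br0 with a single /24 address would also satisfy the "same IP everywhere" requirement, but it turns the server into a switch between the clients; the host-route variant keeps them isolated by default and makes any cross-traffic pass through the server's forwarding path, where it can be filtered.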


Re: [LARTC] Multiple uplinks, ssh connections hang

2007-02-26 Thread Denny Zulfikar

Hello korey,

I don't think your configuration will work well, because it is
balancing using connection weight. So, if you have
connection-oriented applications that must be sure their traffic passes
over only one connection (such as ssh and https - please try to
open and log in to hotmail.com), it will fail when the default route
switches from one gateway to another (round robin).

Don't use this config for connection-oriented applications. It's a round
robin rule that will switch from one gateway to another without
noticing/knowing about the traffic type:
ip route add default scope global nexthop via 192.168.200.1 dev eth2 weight 1 \
    nexthop via x.175.244.1 dev eth1 weight 1

Please refer to this documentation on how to build a multiple internet
connection gateway.
http://linux-ip.net/html/adv-multi-internet.html

Best Regards,
Denny Z


On 2/27/07, Korey O'Dell [EMAIL PROTECTED] wrote:

Folks,
I've got two ISP connections that I am using with:
---
ip route add 192.168.200.0/24 dev eth2 src 192.168.200.11 table connection1
ip route add default via 192.168.200.1 table connection1

ip route add x.175.244.0/24 dev eth1 src x.175.244.2 table connection2
ip route add default via x.175.244.1 table connection2

ip rule add from 192.168.200.11 table connection1
ip rule add from x.175.244.2 table connection2

echo Enabling load balancing between ISP connections...
ip route add default scope global nexthop via 192.168.200.1 dev eth2 weight 1 \
    nexthop via x.175.244.1 dev eth1 weight 1

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to x.175.244.2
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 192.168.200.11




[LARTC] trouble https multiple uplinks... how?

2007-02-08 Thread Denny Zulfikar

Hello, my name is Denny. I am new to this list.

I am trying to use multiple uplinks as described in the LARTC
documentation (http://lartc.org/howto/lartc.rpdb.multiple-links.html)
with a Squid transparent proxy on my gateway server.

Let me draw the configuration:

           /-------------------\
-DSL1-----|                     |
          |  Transparent proxy  |--- Local network
-DSL2-----|                     |
           \-------------------/

IP DSL1 : 172.17.1.2/30
IP DSL2 : 172.18.1.2/30
IP eth1(DSL1) : 172.17.1.1/30
IP eth2(DSL2) : 172.18.1.1/30
Local network : 10.14.1.0/24
Each DSL link's rate is 384 kbps downlink and 128 kbps uplink.

My ip route setting:

ip route add equalize scope global \
   nexthop via 172.17.1.2 dev eth1 weight 1 \
   nexthop via 172.18.1.2 dev eth2 weight 1



My iptables setting:

# proxy redirect
iptables -t nat -A PREROUTING  -p tcp --dport 80 -j REDIRECT --to-port 3128
# postrouting
iptables -t nat -A POSTROUTING -j SNAT -o eth1 --to-source 172.17.1.1
iptables -t nat -A POSTROUTING -j SNAT -o eth2 --to-source 172.18.1.1


Squid config:

visible_hostname my_isp.net
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

cache_mem 512 MB
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
cache_dir ufs /cache 6000 14 256

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 10.14.1.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow localhost
http_access allow localnet
http_access allow manager localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

cache_mgr cache-me
cache_effective_user squid
cache_effective_group squid
logfile_rotate 0
log_icp_queries off
buffered_logs on
half_closed_clients off
maximum_object_size 2048 KB


All configuration works. I can browse most websites.
But I have other problems when implementing this multiple uplinks method.
1. Messenger tools like YM disconnect and try to reconnect every
3-5 minutes. It always happens.
2. HTTPS for hotmail/msn always errors. "The connection was reset"
always appears in Mozilla Firefox, but it never happens with
Yahoo Mail and Gmail (https).
3. MSN Messenger never connects successfully.

None of these problems ever happened when I used conventional routing with
only one gateway.

After searching articles on the internet, I am trying to mark each connection
for MSN Messenger so it goes via only one gateway. This is my solution using
iptables:
--
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark 0x10
iptables -t mangle -A PREROUTING -p tcp --dport 1863:1864 -j MARK --set-mark 0x10
iptables -t nat -A POSTROUTING -m mark --mark 0x10 -j SNAT -o eth1 --to-source 172.17.1.2
--

It works!! My MSN Messenger is able to connect now, but it always
disconnects every 3-5 minutes.

I tried the same way to fix my YM problem: marking the YM ports and
postrouting the traffic to eth1. But it does not solve my problem. YM
always connects/disconnects every 5 minutes. (problem number 1)

Another problem: why does MSN/Hotmail webmail always refuse my connection?
(problem number 2)

Maybe somebody has an idea how to solve this problem? I feel I will give
up soon... :(


Thanks a lot for your information and help.. :)

best regards,

Denny Zulfikar
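Both the 2007-02-26 reply (round-robin default routes break connection-oriented applications) and the 2007-02-08 post (TLS resets and messenger drops behind two DSL links, and a `MARK` rule that changes nothing about routing because no `ip rule` consults the mark) point at the same fix: decide the uplink once per connection and remember it on the conntrack entry, so every packet of a flow, including Squid's own outgoing fetches, leaves with the same source address. The script below is an added example, not code from either message. It assumes the topology of the 2007-02-08 post (eth1 172.17.1.1/30 with gateway 172.17.1.2, eth2 172.18.1.1/30 with gateway 172.18.1.2, Squid running on the gateway itself); routing table ids 10/20 and marks 1/2 are chosen here. Without `--apply` it only prints the commands.

```shell
#!/bin/sh
# Added example, not from either post: keep every connection on one uplink
# with conntrack marks instead of the per-route round robin of a multipath
# default route. Topology assumed from the 2007-02-08 post: eth1
# 172.17.1.1/30 with DSL1 gateway 172.17.1.2, eth2 172.18.1.1/30 with DSL2
# gateway 172.18.1.2, Squid on the gateway itself. Table ids 10/20 and marks
# 1/2 are chosen here. Without --apply it only prints the commands.
set -eu
WAN1_IF=eth1; WAN1_IP=172.17.1.1; WAN1_GW=172.17.1.2
WAN2_IF=eth2; WAN2_IP=172.18.1.1; WAN2_GW=172.18.1.2
APPLY=""; case "${1:-}" in --apply) APPLY=1 ;; esac
run() { if [ -n "$APPLY" ]; then "$@"; else echo "$*"; fi; }

routing() {
    # one table per uplink; flows are steered into them by their fwmark
    run ip route add default via "$WAN1_GW" dev "$WAN1_IF" table 10
    run ip route add default via "$WAN2_GW" dev "$WAN2_IF" table 20
    run ip rule add from "$WAN1_IP" table 10   # answers to inbound sessions
    run ip rule add from "$WAN2_IP" table 20
    run ip rule add fwmark 1 table 10
    run ip rule add fwmark 2 table 20
    # replaces the "equalize ... nexthop" multipath default of the post;
    # anything that somehow stays unmarked uses DSL1 instead of alternating
    run ip route replace default via "$WAN1_GW" dev "$WAN1_IF"
}

marking() {   # $1 = PREROUTING (LAN traffic) or OUTPUT (Squid's own fetches)
    chain=$1
    # packets of an already-classified connection get its stored mark back
    run iptables -t mangle -A "$chain" -j CONNMARK --restore-mark
    # a new connection (mark still 0) is assigned to DSL1 or DSL2, alternating
    # per connection and never per packet, so a TLS session or a messenger
    # login keeps one source address for its whole lifetime
    run iptables -t mangle -A "$chain" -m mark --mark 0 -m conntrack --ctstate NEW \
        -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 1
    run iptables -t mangle -A "$chain" -m mark --mark 0 -m conntrack --ctstate NEW \
        -j MARK --set-mark 2
    # store the decision on the conntrack entry for every later packet
    run iptables -t mangle -A "$chain" -m conntrack --ctstate NEW -j CONNMARK --save-mark
}

snat() {
    # locally generated packets (Squid) pick a source address before the mark
    # set in mangle OUTPUT reroutes them, so SNAT by outgoing interface is
    # what makes both paths valid; the LAN needs it anyway
    run iptables -t nat -A POSTROUTING -o "$WAN1_IF" -j SNAT --to-source "$WAN1_IP"
    run iptables -t nat -A POSTROUTING -o "$WAN2_IF" -j SNAT --to-source "$WAN2_IP"
}

routing
marking PREROUTING
marking OUTPUT
snat
```

The transparent redirect to Squid is unchanged. The `marking OUTPUT` call matters on this box: the proxy terminates the client's connection and opens its own, so pinning only forwarded traffic in PREROUTING would leave every proxied HTTP fetch on the alternating path. Pinning per connection also means a single long download cannot be split across both links; that is the trade the post's TLS and messenger failures are asking for.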