IMQ and NAT

Hi

I'm trying to use traffic shaping with IMQ, so that I can control incoming
traffic to my box and to other boxes in the same classful qdisc (HTB).

According to the IMQ documentation, the iptables IMQ target can only be used
in the PREROUTING and POSTROUTING chain of the mangle table.

This is what I want to do:

--> MYBOX: rate 85kbit/s ceil 256kbit/s
network --> BOX2: rate 85kbit/s ceil 256kbit/s (192.168.0.2)
--> BOX3: rate 85kbit/s ceil 256kbit/s (192.168.0.3)

Box2 and Box3 are in the internal network (eth1), and are being NAT'ed
through my box.

The problem is I can only use the IMQ target in the PREROUTING chain, which
is traversed before NAT takes place, or in the POSTROUTING chain, which
doesn't take into account packets that are delivered to my box.

According to http://www.docum.org/stef.coene/qos/kptd/ it seems that I
should put -j IMQ in the INPUT (-i eth0) and FORWARD (-i eth0 -o eth1)
chains of the mangle table, or INPUT (-i eth0) and POSTROUTING (-o eth1)
chains.

The problem is that -j IMQ in the INPUT chain of mangle doesn't work.
'iptables -t mangle -Lvn' shows that packets do go through that rule (-j
LOG works too), but the packets don't actually enter the imq0 device. (in
the FORWARD chain it works perfectly)

How can I correct this?

Thanks

Ricardo Correia wrote:

> Hi
>
> I'm trying to use traffic shaping with IMQ, so that I can control incoming
> traffic to my box and to other boxes in the same classful qdisc (HTB).
>
> According to the IMQ documentation, the iptables IMQ target can only be
> used in the PREROUTING and POSTROUTING chain of the mangle table.
>
> This is what I want to do:
>
> --> MYBOX: rate 85kbit/s ceil 256kbit/s
> network --> BOX2: rate 85kbit/s ceil 256kbit/s (192.168.0.2)
> --> BOX3: rate 85kbit/s ceil 256kbit/s (192.168.0.3)
>
> Box2 and Box3 are in the internal network (eth1), and are being NAT'ed
> through my box.
>
> The problem is I can only use the IMQ target in the PREROUTING chain,
> which is traversed before NAT takes place, or in the POSTROUTING chain,
> which doesn't take into account packets that are delivered to my box.
>
> According to http://www.docum.org/stef.coene/qos/kptd/ it seems that I
> should put -j IMQ in the INPUT (-i eth0) and FORWARD (-i eth0 -o eth1)
> chains of the mangle table, or INPUT (-i eth0) and POSTROUTING (-o eth1)
> chains.
>
> The problem is that -j IMQ in the INPUT chain of mangle doesn't work.
> 'iptables -t mangle -Lvn' shows that packets do go through that rule (-j
> LOG works too), but the packets don't actually enter the imq0 device. (in
> the FORWARD chain it works perfectly)
>
> How can I correct this?

Did you try imq-nat kernel patch?
http://mailman.ds9a.nl/pipermail/lar...q3/004725.html

--
Greets
adeon

Adam Dyga wrote:

>
> Did you try imq-nat kernel patch?
> http://mailman.ds9a.nl/pipermail/lar...q3/004725.html
>

Thanks, it worked perfectly