traffic shaping a forwarded host

 
 
nsa.usa@gmail.com

 
      02-26-2005, 11:28 AM
Hi,

I need to traffic shape a host that is being forwarded through our
server, but it doesn't seem to work using tc.
Our setup is as follows:

internet
|
eth0 (public IP)
SERVER
eth1 (private IP)
|
ethernet0
Cisco1601
serial0
|
serial0
Cisco1601
ethernet0
|
eth0 (public IP)
CLIENT

So the CLIENT is not being nat'ed, he's being forwarded. How can I shape
his traffic?
I'm doing some shaping with other clients that are being nat'ed, and
things seem ok there.
When I do a:
#tc -s qdisc
to see some statistics, I can see bytes going into the qdiscs of the
nat'ed clients but not the ones with public ip's.
I don't want to shape it in the router because I want to give the
client whatever bandwidth is not being used at any given moment and/or
share that with other clients etc.

Regards,
Tobias Skytte

 
 
 
 
 
buck

 
      02-28-2005, 05:31 PM
On 26 Feb 2005 04:28:10 -0800, (E-Mail Removed) wrote:

>Hi,
>
>I need to traffic shape a host that is being forwarded through our
>server, but it doesn't seem to work using tc.
>Our setup is as follows:
>
>internet
>|
>eth0 (public IP)
>SERVER
>eth1 (private IP)
>|
>ethernet0
>Cisco1601
>serial0
>|
>serial0
>Cisco1601
>ethernet0
>|
>eth0 (public IP)
>CLIENT
>
>So the CLIENT is not being nat'ed, he's being forwarded. How can I shape
>his traffic?
>I'm doing some shaping with other clients that are being nat'ed, and
>things seem ok there.
>When I do a:
>#tc -s qdisc
>to see some statistics, I can see bytes going into the qdiscs of the
>nat'ed clients but not the ones with public ip's.
>I don't want to shape it in the router because I want to give the
>client whatever bandwidth is not being used at any given moment and/or
>share that with other clients etc.
>
>Regards,
>Tobias Skytte


Tobias,

Please give us more/better information. If you mangle IPs for
anonymity, PLEASE mangle only one octet and do not use non-routable
networks. We need the part of your shaping script that is applicable
to CLIENT.

You're shaping on SERVER?
Trying to shape the outbound packets from CLIENT to INTERNET?
What OS does CLIENT run?
Do the Ciscos mess with the packets or pass the content unscathed?
--
buck

 
 
nsa.usa@gmail.com

 
      03-01-2005, 08:31 PM

buck wrote:

> Please give us more/better information. If you mangle IPs for
> anonymity, PLEASE mangle only one octet and do not use non-routable


I'm not sure what you mean by 'mangle ips' ? I have private ip's in
between the SERVER and CLIENT because our public ip's are extremely
limited. Anyway I'm using 192.168.aaa.bbb on those.

> networks. We need the part of your shaping script that is applicable
> to CLIENT.
> You're shaping on SERVER?


yes. running RH9. Currently shaping other similar CLIENT servers that
have private ip's (192.168.aaa.bbb), using iptables and tc. Before I
wrote this post I was shaping with only tc, but have just now changed
to marking the packets with iptables and then using tc, to do proper
QoS (thanks lartc). So now I'm thinking I should be able to do this
with the CLIENTs that have public ip's too (i.e. that are being
forwarded through SERVER instead of NATed), right? So I could mark the
packets in PREROUTING like this:
*mangle
-A PREROUTING -p tcp -m tcp -s 196.28.xxx.yyy/30 -j MARK --set-mark 12

and then filter it with tc. Or if I understand it correctly I could
even do this at POSTROUTING (if I wanted to) right?
Or are there better solutions?

> Trying to shape the outbound packets from CLIENT to INTERNET?


Yes exactly.

> What OS does CLIENT run?


I believe one is running FreeBSD and the other Windows XP or 2003, but
I'm looking for a generic solution as the client may change his system
at any time.

> Do the Ciscos mess with the packets or pass the content unscathed?


pass unscathed, they don't do any shaping at all at the moment because
I'd prefer to shape on the SERVER. Mainly I'm interested in optimising
the bandwidth to the internet usage as it is scarce and expensive.

Regards,
Tobias Skytte

 
 
buck

 
      03-02-2005, 05:02 AM
On 1 Mar 2005 13:31:10 -0800, (E-Mail Removed) wrote:

>yes. running RH9. Currently shaping other similar CLIENT servers that
>have private ip's (192.168.aaa.bbb), using iptables and tc. Before I
>wrote this post I was shaping with only tc, but have just now changed
>to marking the packets with iptables and then using tc, to do proper
>QoS (thanks lartc). So now I'm thinking I should be able to do this
>with the CLIENTs that have public ip's too (i.e. that are being
>forwarded through SERVER instead of NATed), right? So I could mark the
>packets in PREROUTING like this:
>*mangle
>-A PREROUTING -p tcp -m tcp -s 196.28.xxx.yyy/30 -j MARK --set-mark 12


I think this is what you're looking for.

http://selab.edu.ms/twiki/bin/view/N...inuxNetworking

It is also possible to shape using a u32 match on IP (BEWARE line
wrap):

# $DEV, $UPLINK, $ATJ, $ISW2, $SKYN and $UNS1 are not defined in this excerpt
ISW1="222.111.33.44"
LoPrioCIDR_Src="$ATJ $ISW1 $ISW2 $SKYN $UNS1"

# Install root HTB, point default traffic to 1:40:
tc qdisc add dev $DEV root handle 1: htb default 40

# Shape everything at $UPLINK speed
tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK}kbit burst 6k

# Low-priority class: 12% of $UPLINK, ceil equal to rate
tc class add dev $DEV parent 1:1 classid 1:30 htb rate $((12*UPLINK/100))kbit \
    ceil $((12*UPLINK/100))kbit burst 1k quantum 1514 prio 4

# Send packets from each low-priority source address to class 1:30
for a in $LoPrioCIDR_Src; do
    tc filter add dev $DEV parent 1: protocol ip prio 5 u32 \
        match ip src $a flowid 1:30
done
--
buck
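
Added example (not part of either poster's messages): a dry-run shell function that prints the iptables mark rule and the matching tc `fw` filter for the mark-then-filter approach discussed in this thread, with `ceil` set to the uplink so the client can borrow idle bandwidth. The device eth0 follows the diagram; the 203.0.113.4/30 source, the 512 kbit uplink and the 1:40 class rate are constructed values, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: prints (does not run) the commands for shaping a forwarded
# host by firewall mark. Constructed values: 203.0.113.4/30 and 512 kbit.

# usage: emit_fwmark_shaping DEV UPLINK_KBIT MARK SRC_CIDR PERCENT
emit_fwmark_shaping() {
    dev=$1 uplink=$2 mark=$3 src=$4 pct=$5
    # Refuse anything non-numeric before it ends up in a command line.
    for n in "$uplink" "$mark" "$pct"; do
        case $n in
            ''|*[!0-9]*) echo "uplink, mark and percent must be integers" >&2
                         return 1 ;;
        esac
    done
    rate=$((pct * uplink / 100))
    # The guaranteed rate must be non-zero and leave room for class 1:40.
    [ "$rate" -ge 1 ] && [ "$rate" -lt "$uplink" ] || {
        echo "percent gives an unusable rate: ${rate}kbit" >&2; return 1; }
    # 1. The mark is set in mangle/PREROUTING (all protocols from SRC_CIDR;
    #    the rule quoted in the thread matched TCP only) and stays on the
    #    packet while it is forwarded to the egress device.
    # 2. The HTB tree sits on DEV, the internet-facing interface, because
    #    that is where CLIENT -> internet packets are queued.
    # 3. ceil = uplink lets 1:30 borrow whatever the other class leaves idle.
    # 4. The fw filter selects packets by mark instead of by IP header.
    cat <<EOF
iptables -t mangle -A PREROUTING -s $src -j MARK --set-mark $mark
tc qdisc add dev $dev root handle 1: htb default 40
tc class add dev $dev parent 1: classid 1:1 htb rate ${uplink}kbit burst 6k
tc class add dev $dev parent 1:1 classid 1:30 htb rate ${rate}kbit ceil ${uplink}kbit prio 4
tc class add dev $dev parent 1:1 classid 1:40 htb rate $((uplink - rate))kbit ceil ${uplink}kbit prio 2
tc filter add dev $dev parent 1: protocol ip prio 5 handle $mark fw flowid 1:30
EOF
}

# Dry run with the constructed values; mark 12 and the 12% share come from
# the thread. Nothing is applied to the system.
emit_fwmark_shaping eth0 512 12 203.0.113.4/30 12
```

Review the printed commands, then pipe them to `sh` as root on SERVER to apply them; `tc -s class show dev eth0` should then show byte counters rising on 1:30 when the client sends traffic.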
 