Transparent Traffic Shaping

 
 
edw@gmx.at

 
      11-01-2004, 09:54 PM
Hi all!

Could someone please advise me on the following topic.
I want to set up a linux box for transparent (bridging)
* traffic shaping (shaper, QoS)
* small IDS (snort?) and
* virus detection (F-Secure?)

So where to start best? My biggest concern is whether traffic shaping is
compatible with bridging. AFAIK there is no IP on the shaping
interfaces. Which mechanism should I use for shaping? Shaper device or
QoS device? If QoS, which one? Shaping should be done on an IP and port
basis for IP-based protocols.
Anyone done this or parts before?

Thanx for any help
cheers
e.

 
 
 
 
 
buck

 
      11-02-2004, 03:47 AM
On 1 Nov 2004 14:54:38 -0800, (E-Mail Removed) wrote:

>Hi all!
>
>Could someone please advise me on the following topic.
>I want to set up a linux box for transparent (bridging)


Please describe what you intend for this "transparent (bridging)" to
accomplish.

I think you mean that you want machines on an internal network to be
able to gain access to the internet via a Linux box. If that is the
case, you create 2 connections - usually 2 network cards - on the
Linux box and use iptables's SNAT to send and receive packets between
your internal LAN and the internet. Use an "example.com" IP for the
internal interface (10.0.0.0/8 or 172.16.0.0/16 or 192.168.0.0/24).
The external interface gets the IP(s) assigned by your provider.

It can be done other ways, but the above is probably the easiest to
comprehend.

>* traffic shaping (shaper, QoS)


Start with wonder shaper, which you can download from
http://lartc.org/wondershaper

>* small IDS (snort?) and


Sorry, I'm no help here.

>* virus detection (F-Secure?)


Or here either...

>So where to start best?


LARTC mailing list, HOWTOs in /usr/doc, google...

> My biggest concern is whether traffic shaping is
>compatible with bridging. AFAIK there is no IP on the shaping
>interfaces. Which mechanism should I use for shaping? Shaper device or
>QoS device? If QoS, which one? Shaping should be done on an IP and port
>basis for IP-based protocols.


This is your call. I like shaping but your situation and opinion may
differ. After you've looked at the LARTC HOWTO you'll have your
answer as to bridging, but I'll give you a hint: shaping works on the
interface, not the IP. I dislike ebtables, promiscuous NIC and the
overhead that software devices add. Wonder shaper uses both port and
IP matching for shaping.

>Anyone done this or parts before?


Many have.

>Thanx for any help
>cheers
>e.


If you want to look at what I've done, reply and I'll post URLs from
which you can download my custom shaping scripts, firewalls, proxyARP
setup script, etc. But don't expect this to be easy. It takes a lot
of learning to make it work.

buck
 
 
edw@gmx.at

 
      11-10-2004, 10:41 PM
buck <(E-Mail Removed)> wrote in news:ji2eo05dqadmj8rgm400pf7m44j58qjji4@4ax.com:

> On 1 Nov 2004 14:54:38 -0800, (E-Mail Removed) wrote:
>
>>Hi all!
>>
>>Could someone please advise me on the following topic.
>>I want to set up a linux box for transparent (bridging)

>
> Please describe what you intend for this "transparent (bridging)" to
> accomplish.


All I want to do is filtering (firewalling) and traffic shaping in a
way that I do not interfere with my local network provider. I read that
bridges are the choice for doing really transparent (at least at IP
level) tasks.

> I think you mean that you want machines on an internal network to be
> able to gain access to the internet via a Linux box. If that is the


Nope. I already have internet access set up and working neatly. I definitely
do not want to have a conventional router in place.

> case, you create 2 connections - usually 2 network cards - on the
> Linux box and use iptables's SNAT to send and receive packets between
> your internal LAN and the internet. Use an "example.com" IP for the
> internal interface (10.0.0.0/8 or 172.16.0.0/16 or 192.168.0.0/24).
> The external interface gets the IP(s) assigned by your provider.


As said above, this already works fine for me on a plain MS base.
External IF is my network provider's IP; internally I head for
192.168.0.0/24. And in between there's something w/o an IP :-]

> It can be done other ways, but the above is probably the easiest to
> comprehend.


True. It was even easier to set up what I have right now ;-)

>>* traffic shaping (shaper, QoS)

>
> Start with wonder shaper, which you can download from
> http://lartc.org/wondershaper


Good starting point. Got it, read it, still got to understand it in
depth. Working on this one.

>>* small IDS (snort?) and

>
> Sorry, I'm no help here.
>
>>* virus detection (F-Secure?)

>
> Or here either...


Well, worth a try anyway :-))

>>So where to start best?

>
> LARTC mailing list, HOWTOs in /usr/doc, google...


Working through LARTC right now, heavy stuff for a "newbie" (well, not
really, but at least for tc, tcng, netfilter, and that sort of thing)

>> My biggest concern is whether traffic shaping is
>>compatible with bridging. AFAIK there is no IP on the shaping
>>interfaces. Which mechanism should I use for shaping? Shaper device or
>>QoS device? If QoS, which one? Shaping should be done on an IP and port
>>basis for IP-based protocols.

>
> This is your call. I like shaping but your situation and opinion may
> differ. After you've looked at the LARTC HOWTO you'll have your
> answer as to bridging, but I'll give you a hint: shaping works on the
> interface, not the IP. I dislike ebtables, promiscuous NIC and the


This point actually encouraged me to continue. I just was not sure where
shaping is implemented.
Well, let's see how far I get.

> overhead that software devices add. Wonder shaper uses both port and


OK. I also figured out by now that the shaper device is obsolete and
should be replaced by HTB or similar.

> IP matching for shaping.
>
>>Anyone done this or parts before?

>
> Many have.


I assumed. That's why I asked for some starting help to get off the feet.

>>Thanx for any help
>>cheers
>>e.

>
> If you want to look at what I've done, reply and I'll post URLs from
> which you can download my custom shaping scripts, firewalls, proxyARP


If you're really willing to, that would be great indeed.

> setup script, etc. But don't expect this to be easy. It takes a lot


After starting to read the LARTC HOWTO, I definitely do not expect this to be
straightforward.

> of learning to make it work.


Well, that should not be the problem.

> buck


cheers
EDW

P.S.: Sorry for the late answer, but I was a bit more involved in regular
work for the last few days. Anyway, thanx a lot for the starting points.

 
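Since the thread settles on HTB as the replacement for the old shaper device, and on shaping "on IP and port" while tc itself only knows interfaces, here is an added example (not code from the thread, and not wondershaper) that emits the tc commands for such a tree. It assumes eth1 is the interface facing the LAN hosts; every rate, address and port is a constructed sample value. tc shapes egress only, so traffic heading to the LAN hosts is shaped on eth1, and traffic leaving towards the provider would need a second tree on eth0. The script prints the commands for review; APPLY=1 (as root) executes them.

```shell
#!/bin/sh
# Added example, not from the thread: emit an HTB tree that shapes by
# destination IP and TCP port on the LAN-facing interface of a forwarding box.
# All rates, addresses and ports are constructed sample values.

# Base tree: root class bounded at the link rate $2, three leaf classes that
# borrow up to that rate, each drained fairly by SFQ. Anything no filter
# claims lands in 1:30 ("default 30" on the root qdisc).
htb_base() {
    dev="$1"; link="$2"
    cat <<EOF
tc qdisc add dev $dev root handle 1: htb default 30
tc class add dev $dev parent 1: classid 1:1 htb rate $link ceil $link
tc class add dev $dev parent 1:1 classid 1:10 htb rate 512kbit ceil $link prio 1
tc class add dev $dev parent 1:1 classid 1:20 htb rate 256kbit ceil $link prio 2
tc class add dev $dev parent 1:1 classid 1:30 htb rate 128kbit ceil $link prio 3
tc qdisc add dev $dev parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $dev parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $dev parent 1:30 handle 30: sfq perturb 10
EOF
}

# One u32 filter: TCP packets to host $2, port $3 are steered into class $4.
# 0xff and 0xffff are the u32 masks for a full protocol / port match.
htb_tcp_filter() {
    dev="$1"; host="$2"; port="$3"; classid="$4"
    printf 'tc filter add dev %s parent 1: protocol ip prio 1 u32 match ip protocol 6 0xff match ip dst %s/32 match ip dport %s 0xffff flowid %s\n' \
        "$dev" "$host" "$port" "$classid"
}

# Whole policy for the constructed sample LAN (interface defaults to eth1).
shaping_commands() {
    dev="${1:-eth1}"
    htb_base "$dev" 2mbit
    htb_tcp_filter "$dev" 192.168.0.20 22 1:10   # ssh to the admin host: interactive class
    htb_tcp_filter "$dev" 192.168.0.21 80 1:20   # web traffic to the intranet server
}

# Undo everything: deleting the root qdisc removes its classes and filters too.
teardown_commands() {
    printf 'tc qdisc del dev %s root\n' "${1:-eth1}"
}

# Print by default; APPLY=1 (as root) feeds the printed commands to a shell.
if [ "${APPLY:-0}" = "1" ]; then
    shaping_commands "$@" | sh -e
else
    shaping_commands "$@"
fi
```

Classes are matched by destination because, on the LAN-facing interface, the destination is the host you want to give a share of the link; for the upload direction the same filters would use `match ip src` on the provider-facing interface.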
 
buck

 
      11-11-2004, 02:55 AM
On 10 Nov 2004 23:41:15 GMT, (E-Mail Removed) wrote:

>buck <(E-Mail Removed)> wrote in news:ji2eo05dqadmj8rgm400pf7m44j58qjji4@4ax.com:


>> If you want to look at what I've done, reply and I'll post URLs from
>> which you can download my custom shaping scripts, firewalls, proxyARP

>
>If you're really willing to, that would be great indeed.


ftp://68.233.152.143/pub/lartc

in particular, grab ProxyARP.tar.gz

perhaps firewall.sh

my version of wondershaper ultimatePM.sh

and whatever else you find useful.

NOTE: People, please don't hammer.

buck
 
 
/dev/null

 
      11-11-2004, 03:27 PM
Have you checked out http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/index.html?

I'm picking up the tail end of this thread and don't know if you've
discussed this article or not. You'll want to take a good look at chapter
9.


 
 
edw@gmx.at

 
      11-11-2004, 04:44 PM
The primary idea is to realise this not with a router but with a transparent
bridge. What I'm currently doing is reading HOWTOs, descriptions and
scripts, with the result of being close to totally confused... ;-)
There is lots of material for shaping in combination with a router, but
only very rare info on shaping on a (transparent) bridge. Even in
LARTC.

 
 
edw@gmx.at

 
      11-11-2004, 04:46 PM
Thx a lot for providing the info. Will have a review in the next few days.
cheers
edw.

 
 
/dev/null

 
      11-11-2004, 05:22 PM
> The primary idea is to realise this not with a router but with a transparent
> bridge. What I'm currently doing is reading HOWTOs, descriptions and
> scripts, with the result of being close to totally confused... ;-)
> There is lots of material for shaping in combination with a router, but
> only very rare info on shaping on a (transparent) bridge. Even in
> LARTC.



OK, I've got transparent bridging working myself. What I wanted was one IP
in a network to transparently bridge for some of the other IPs in the
network and allow all of them to think they were all on the same network
segment. eth0 is configured with the IP and the right netmask, eth1 is
configured with the same IP w/ a netmask of 255.255.255.255. This way it
doesn't mistakenly try to route out on eth1 stuff that should go to eth0.
Then you need to set up static routes for each of the IPs you are bridging
for. Here's what I did:

# enable proxy arp for each interface (this allows the bridging you are looking for):
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp

# enable ip forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward

# set up a static route for each machine that is bridged (one line per host):
route add <dotted.IP.goes.here> eth1

All bridged systems are set up the same as if they weren't behind the bridging
PC. If they work plugged into the switch, they will work when you move them
to the switch hooked up to the bridging PC's eth1.

You may have to reset your switches so they will dump mac tables.

After you've done this you can look into traffic shaping using queues
that assign importance and max rates to the packets that traverse your
bridging PC.

Please note that gateway and bridge are two different things. If this box
is the gateway you won't have to do the arp or the routing steps.

I look forward to your success.


 
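The proxy-ARP steps from the post above, collected into one script as an added example (this is not /dev/null's own script). It assumes eth0 faces the rest of the LAN and eth1 faces the hosts being bridged for; the host addresses are constructed sample values, and `ip route add .../32 dev eth1` stands in for the older `route add <ip> eth1`. Assigning the addresses to the two interfaces (same IP on both, /32 netmask on eth1) is left as the post describes. The script prints the commands unless APPLY=1 is set, so the resulting routes can be reviewed before anything touches the kernel.

```shell
#!/bin/sh
# Added example, not from the thread: proxy-ARP "transparent forwarding" setup
# as a reviewable command list. Interface names and host addresses are
# assumptions / constructed sample values; override them via the environment.

OUTSIDE_IF="${OUTSIDE_IF:-eth0}"
INSIDE_IF="${INSIDE_IF:-eth1}"
# Constructed sample list of hosts that sit behind INSIDE_IF.
BRIDGED_HOSTS="${BRIDGED_HOSTS:-192.168.0.20 192.168.0.21}"

# Print one line per command: the two proxy_arp knobs and ip_forward from the
# post, then one /32 host route per bridged host so that only those addresses
# are reachable through the inside NIC.
proxyarp_commands() {
    outside="$1"; inside="$2"; shift 2
    printf 'echo 1 > /proc/sys/net/ipv4/conf/%s/proxy_arp\n' "$outside"
    printf 'echo 1 > /proc/sys/net/ipv4/conf/%s/proxy_arp\n' "$inside"
    printf 'echo 1 > /proc/sys/net/ipv4/ip_forward\n'
    for host in "$@"; do
        printf 'ip route add %s/32 dev %s\n' "$host" "$inside"
    done
}

# Accept only dotted quads with octets 0-255, so a typo cannot become a route
# (or, through proxy ARP, an address this box starts answering ARP for).
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

main() {
    for host in $BRIDGED_HOSTS; do
        valid_ipv4 "$host" || { echo "bad address: $host" >&2; exit 1; }
    done
    if [ "${APPLY:-0}" = "1" ]; then
        # Execute as root; -e stops at the first failing command.
        proxyarp_commands "$OUTSIDE_IF" "$INSIDE_IF" $BRIDGED_HOSTS | sh -e
    else
        proxyarp_commands "$OUTSIDE_IF" "$INSIDE_IF" $BRIDGED_HOSTS
    fi
}

main
```

The address check matters more here than in an ordinary route script: with proxy_arp enabled on both sides, a host route on eth1 also makes the box answer ARP for that address on eth0, so each entry should be exactly the hosts you intend to front.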
 
Grant Taylor

 
      11-11-2004, 05:55 PM
"(E-Mail Removed)" <(E-Mail Removed)> writes:

> The primary idea is to realise this not with a router but a
> transparent bridge. what I'm currently doing is reading howtos,
> descriptions and scripts with the result of beeing close to be
> totally confused... ;-) There is lots of material for shaping in
> combination with a router, but only very rare info on shaping on a
> (transparent) bridge. Even in LARTC.


Have you considered using proxy arp instead? The Linux code for
bridging and for ip forwarding is somewhat unconnected, so you will find
in the documentation several things where iptables etc don't work
entirely as desired when run over bridging.

If you use proxy arp, the Linux host is in fact doing regular ip
forwarding, and will therefore always traverse the usual (nonbridging)
code paths. It is nevertheless reasonably transparent to everyone
concerned; only the L2 MAC addresses, hop count, and certain ICMP
responses will differ from the behavior of a plain wire.

--
Grant Taylor
Embedded Linux Consultant
http://www.picante.com/
 