iptables+CBQ pomoooc s MARK

Zdenek Havrlik havrlz1 na feld.cvut.cz
Neděle Listopad 17 14:54:33 CET 2002 

Ponizene zdravim.....
 
Potrebuju trosku (trosku vic) pomoct, mam nasledujici problem - nefunguje mi oznacovani paketu nebo CBQ a nevim cim to je... :(
 
Distribuce RH 7.2, jádro 2.4.7-10, iptables 1.2.5, cbq asi v 0.3alpha2, vsechno jak bylo v distribuci a obcerstvovano up2datem .
 
Takže mam server - ma 3 sitovky, eth0 jde do internetu, eth1 ma ip 172.21.0.1, eth2 ma ip 172.20.0.1 ty jdou do localu. Na localu mam několik adres... . Samozrejme na serveru bezi maskarada... .
O co se snažim: Aby ip  v localu mohly uploadovat do internetu nějankou max. rychlostí řekněmě 10kb/s a samotny server aby mohl tez pouze 10kb/s (kilo bitu / sekundu). Pokud se mi povede rozchodit toto, pak bych chtel, aby si mohli volnou kapacitu pucovat... .
 
Pokud se snazim v CBQ "configuracich" omezit vystupni eth0 podle jeji adresy, tak to funguje.Adresu to omezi spolehlive a presne.
 
Avsak pokud se to snazim omezovat podle MARK dodaných v iptables tak mi to pakety ze serveru neomezuje a z lokálnich ip adres misto 10k  tak 32k  a jeste to netridi jak ma.
 
Strasne moc moc dekuji za jakoukoli inteligentni napovedu......
 
prehled konfiguraku:
 
[root na skoda /]# vi /etc/sysconfig/iptables 
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [:0]

#server -> internet
[0:0] -A OUTPUT -j MARK --set-mark 101

#[0:0] -A OUTPUT -o eth0 -s 62.24.88.77 -p tcp -m tcp --dport 80 -j MARK --set-mark 102
#[0:0] -A OUTPUT -o eth0 -s 62.24.88.77 -p udp -m udp --dport 80 -j MARK --set-mark 102
#[0:0] -A OUTPUT -o eth0 -s 62.24.88.77 -p tcp -m tcp --dport ! 80 -j MARK --set-mark 101
#[0:0] -A OUTPUT -o eth0 -s 62.24.88.77 -p udp -m udp --dport ! 80 -j MARK --set-mark 101

#doma -> internet
[0:0] -A PREROUTING -s zdenek -j MARK --set-mark 1
[0:0] -A PREROUTING -s michal -j MARK --set-mark 2
[0:0] -A PREROUTING -s tomas -j MARK --set-mark 3
[0:0] -A PREROUTING -s martin -j MARK --set-mark 4
[0:0] -A PREROUTING -s thomas -j MARK --set-mark 5
[0:0] -A PREROUTING -s radekd -j MARK --set-mark 6
[0:0] -A PREROUTING -s radekw -j MARK --set-mark 7
[0:0] -A PREROUTING -s test -j MARK --set-mark 10

#kvs -> internet
[0:0] -A PREROUTING -s dalibor -j MARK --set-mark 901
[0:0] -A PREROUTING -s peta -j MARK --set-mark 902
[0:0] -A PREROUTING -s petr -j MARK --set-mark 902
[0:0] -A PREROUTING -s majka -j MARK --set-mark 902
[0:0] -A PREROUTING -s jara -j MARK --set-mark 902
[0:0] -A PREROUTING -s kaja -j MARK --set-mark 902
[0:0] -A PREROUTING -s jarda -j MARK --set-mark 902
[0:0] -A PREROUTING -s lubos -j MARK --set-mark 902

COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

#Maskovani
[0:0] -A POSTROUTING -o eth0 -j MASQUERADE
#[0:0] -A PREROUTING -p tcp -m tcp --dport 6660 -j DNAT --to-destination 62.24.64.21:119
#[0:0] -A PREROUTING -s prochy -p tcp  -j DNAT --to-destination 172.21.0.10
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

#input

#zakazane vstupy
#[0:0] -A INPUT -s 195.113.79.130 -p tcp -m tcp --dport 6666 -j DROP

#povolene vstupni/vystupni porty
[0:0] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 6666 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
[0:0] -A INPUT -p udp -m udp --sport 53 -j ACCEPT
[0:0] -A INPUT -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A INPUT -p udp -m udp --sport 123 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT

#povolene DNS servery
[0:0] -A INPUT -s 62.24.64.2 -p udp -j ACCEPT
[0:0] -A INPUT -s 62.24.64.3 -p udp -j ACCEPT

#povoleny dhcp
[0:0] -A INPUT -s 62.24.64.9 -p udp -j ACCEPT

#povoleny udp z vnitrku
[0:0] -A INPUT -i ! eth0 -p udp -j ACCEPT

#icmp protokol povolen/log
[0:0] -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
[0:0] -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A INPUT -p icmp -m icmp --icmp-type 5 -j ACCEPT
[0:0] -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT

#povoleno navazujici spojeni
[0:0] -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

#povoleno lo
[0:0] -A INPUT -i lo -j ACCEPT

#plny pristup
[0:0] -A INPUT -s zdenek -j ACCEPT
[0:0] -A INPUT -s test -j ACCEPT
[0:0] -A INPUT -s michal -j ACCEPT
[0:0] -A INPUT -s tomas -j ACCEPT
[0:0] -A INPUT -s martin -j ACCEPT
[0:0] -A INPUT -s thomas -j ACCEPT
[0:0] -A INPUT -s radekd -j ACCEPT
[0:0] -A INPUT -s radekw -j ACCEPT
[0:0] -A INPUT -s dalibor -j ACCEPT
[0:0] -A INPUT -s kaja -j ACCEPT
[0:0] -A INPUT -s jarda -j ACCEPT
[0:0] -A INPUT -s jara -j ACCEPT
[0:0] -A INPUT -s petr -j ACCEPT
[0:0] -A INPUT -s majka -j ACCEPT
[0:0] -A INPUT -s peta -j ACCEPT
[0:0] -A INPUT -s lubos -j DROP

#vychytavky
[0:0] -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
[0:0] -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
[0:0] -A INPUT -s 192.168.100.1 -j DROP
[0:0] -A INPUT -j LOG --log-prefix "input_drop:"

#forward

#kvs -> internet
[0:0] -A FORWARD -s dalibor -o eth0 -j ACCEPT
[0:0] -A FORWARD -s peta -o eth0 -j ACCEPT
[0:0] -A FORWARD -s petr -o eth0 -j ACCEPT
[0:0] -A FORWARD -p udp -s majka -o eth0 -j ACCEPT
[0:0] -A FORWARD -s jara -o eth0 -j ACCEPT
[0:0] -A FORWARD -s kaja -o eth0 -j ACCEPT
[0:0] -A FORWARD -s jarda -o eth0 -j DROP
[0:0] -A FORWARD -s lubos -o eth0 -j DROP

#doma -> internet
[0:0] -A FORWARD -s michal -o eth0 -j ACCEPT
[0:0] -A FORWARD -s zdenek -o eth0 -j ACCEPT
[0:0] -A FORWARD -s test -o eth0 -j ACCEPT
[0:0] -A FORWARD -s tomas -o eth0 -j ACCEPT
[0:0] -A FORWARD -s thomas -o eth0 -j ACCEPT
[0:0] -A FORWARD -s martin -o eth0 -j ACCEPT
[0:0] -A FORWARD -s radekd -o eth0 -j ACCEPT
[0:0] -A FORWARD -s radekw -o eth0 -j ACCEPT

#internet -> vnitrek navazujici
[0:0] -A FORWARD -i eth0 -o ! eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

#vnirni routovani

#pristup na zdenek
[0:0] -A FORWARD -s michal -d zdenek -j ACCEPT
[0:0] -A FORWARD -s tomas -d zdenek -j ACCEPT
[0:0] -A FORWARD -s thomas -d zdenek -j ACCEPT
[0:0] -A FORWARD -s martin -d zdenek -j ACCEPT
[0:0] -A FORWARD -s dalibor -d zdenek -j ACCEPT
[0:0] -A FORWARD -s kaja -d zdenek -j ACCEPT
[0:0] -A FORWARD -s jara -d zdenek -j ACCEPT
[0:0] -A FORWARD -s jarda -d zdenek -j ACCEPT
[0:0] -A FORWARD -s petr -d zdenek -j ACCEPT
[0:0] -A FORWARD -s majka -d zdenek -j ACCEPT
[0:0] -A FORWARD -s peta -d zdenek -j ACCEPT
[0:0] -A FORWARD -s lubos -d zdenek -j ACCEPT

#vychytavky
[0:0] -A FORWARD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN /
-m state --state NEW -j LOG --log-prefix "forward_new_nema_syn:"
[0:0] -A FORWARD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
[0:0] -A FORWARD -j LOG --log-prefix "forward_drop:"

COMMIT
 






 
[root na skoda /]# vi /etc/sysconfig/cbq/cbq-0010.serv-out 
DEVICE=eth0,10Mbit,1Mbit
RATE=10Kbit
WEIGHT=1Kbit
PRIO=5
#LEAF=none
BOUNTED=yes
#ISOLATE=yes
MARK=101

 
 
[root na skoda /]# vi /etc/sysconfig/cbq/cbq-0011.serv-u80                                                      
DEVICE=eth0,10Mbit,1Mbit
RATE=10Kbit
WEIGHT=1Kbit
PRIO=5
#LEAF=none
BOUNTED=yes
#ISOLATE=yes
MARK=102

 
 
[root na skoda /]# vi /etc/sysconfig/cbq/cbq-0110.zdenek 
DEVICE=eth0,10Mbit,1Mbit
RATE=10Kbit
WEIGHT=1Kbit
PRIO=5
#LEAF=none
BOUNTED=yes
#ISOLATE=yes
MARK=1
 
 
[root na skoda /]# vi /etc/sysconfig/cbq/cbq-0210.michal 
DEVICE=eth0,10Mbit,1Mbit
RATE=10Kbit
WEIGHT=1Kbit
PRIO=5
#LEAF=none
BOUNTED=yes
#ISOLATE=yes
MARK=2

 
[root na skoda /]# vi /etc/sysconfig/cbq/cbq-0310.tomas  
DEVICE=eth0,10Mbit,1Mbit
RATE=10Kbit
WEIGHT=1Kbit
PRIO=5
#LEAF=none
BOUNTED=yes
#ISOLATE=yes
MARK=3
 
 
[root na skoda /]# vi /etc/sysconfig/cbq/cbq-0410.martin                                                        
DEVICE=eth0,10Mbit,1Mbit
RATE=10Kbit
WEIGHT=1Kbit
PRIO=5
#LEAF=none
BOUNTED=yes
#ISOLATE=yes
MARK=4

 
[root na skoda /]# vi /etc/sysconfig/cbq/cbq-0510.thomas 
DEVICE=eth0,10Mbit,1Mbit
RATE=10Kbit
WEIGHT=1Kbit
PRIO=5
#LEAF=none
BOUNTED=yes
#ISOLATE=yes
MARK=5
 
 
[root na skoda /]# vi /etc/sysconfig/cbq/cbq-0610.radekd 
DEVICE=eth0,10Mbit,1Mbit
RATE=10Kbit
WEIGHT=1Kbit
PRIO=5
#LEAF=none
BOUNTED=yes
#ISOLATE=yes
MARK=6

 
[root na skoda /]# vi /etc/sysconfig/cbq/cbq-0710.radekw 
DEVICE=eth0,10Mbit,1Mbit
RATE=10Kbit
WEIGHT=1Kbit
PRIO=5
#LEAF=none
BOUNTED=yes
#ISOLATE=yes
MARK=7

 
[root na skoda /]# vi /etc/sysconfig/cbq/cbq-9010.dalibor 
DEVICE=eth0,10Mbit,1Mbit
RATE=10Kbit
WEIGHT=1Kbit
PRIO=5
#LEAF=none
BOUNTED=yes
#ISOLATE=yes
MARK=901
 
 
[root na skoda /]# vi /etc/sysconfig/cbq/cbq-9110.kvs 
DEVICE=eth0,10Mbit,1Mbit
RATE=10Kbit
WEIGHT=1Kbit
PRIO=5
#LEAF=none
BOUNTED=yes
#ISOLATE=yes
MARK=902

 
 
[root na skoda /]# vi /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               localhost

194.50.100.15           roman
203.206.26.70           prochy

#domaci sit
 
# sit net_hav
172.20.0.0              net_intra
172.20.0.1              serv_intra
172.20.1.1              zdenek
172.20.1.2              michal
172.20.1.3              tomas
172.20.1.4              martin
172.20.1.5              thomas
172.20.1.6              radekd
172.20.1.7              radekw
172.20.1.10            test

# sit net_dada
172.21.0.0              net_dad
172.21.0.1              serv_d
172.21.0.10             dalibor
172.21.0.11             kaja
172.21.0.12             jarda
172.21.0.13             jara
172.21.0.14             petr
172.21.0.15             majka
172.21.0.16             peta
172.21.0.17             lubos

Další informace o konferenci Linux