cbq and IP aliases

Petr Bartel cyber na irix-servis.cz
Friday January 13 13:16:51 CET 2006


Good day,
first I will outline the situation and then the problem. I have a router with three interfaces,
one to the outside, one to the DMZ and one to the local network; on the local one I have
several IP addresses and I need to limit their bandwidth. Which, for some
mysterious reason, does not work for me.

public_ip and dmz_ip stand in for the real addresses

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc cbq qlen 1000
    link/ether 00:50:04:32:22:57 brd ff:ff:ff:ff:ff:ff
    inet public_ip/30 brd public_ip_broadcast scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc cbq qlen 1000
    link/ether 00:50:8b:51:54:67 brd ff:ff:ff:ff:ff:ff
    inet dmz_ip/28 brd dmz_ip_broadcast scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc cbq qlen 1000
    link/ether 00:0e:2e:72:52:9a brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.254/24 brd 10.0.0.255 scope global eth2
    inet 192.168.1.254/28 brd 192.168.1.255 scope global eth2
    inet 192.168.2.254/28 brd 192.168.2.255 scope global eth2
    inet 192.168.3.254/28 brd 192.168.3.255 scope global eth2

I need to limit the 192.168.[1-3].240/28 networks, each differently.

I am using cbq.init v0.7.3 on Debian 3.1 Sarge

in /etc/cbq I have

cbq-1002.internet_eth0.all
--------------------------
DEVICE=eth0,100Mbit,10Mbit
RATE=2Mbit
WEIGHT=200kbit
PRIO=8
LEAF=none

cbq-1003.internet_eth2.all
--------------------------
DEVICE=eth2,100Mbit,10Mbit
RATE=2Mbit
WEIGHT=200Kbit
PRIO=8
LEAF=none

cbq-4025.internet_eth2.allcomputers
--------------------------
DEVICE=eth2,100Mbit,10Mbit
RATE=128Kbit
WEIGHT=12Kbit
PRIO=6
PARENT=1003
LEAF=sfq
QUANTUM=1514
PERTURB=15
BOUNDED=yes
RULE=192.168.1.240/255.255.255.240

cbq-5025.internet_eth0.allcomputers
--------------------------
DEVICE=eth0,100Mbit,10Mbit
MARK=5024
RATE=128Kbit
WEIGHT=12Kbit
PRIO=6
PARENT=1002
LEAF=sfq
QUANTUM=1514
PERTURB=15
BOUNDED=yes
RULE=192.168.1.240/255.255.255.240

in iptables
iptables -t mangle -A PREROUTING -s 192.168.3.240/28 -j MARK --set-mark=5024

cbq.init stats looks like this
### eth0: queueing disciplines

qdisc cbq 1: rate 100000Kbit (bounded,isolated) prio no-transmit
 Sent 13681057 bytes 86821 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 79 undertime 0
qdisc sfq 5024: parent 1:5024 limit 128p quantum 1514b perturb 15sec
 Sent 13537 bytes 225 pkts (dropped 0, overlimits 0)
qdisc sfq 5025: parent 1:5025 limit 128p quantum 1514b perturb 15sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

### eth0: traffic classes

class cbq 1: root rate 100000Kbit (bounded,isolated) prio no-transmit
 Sent 13682045 bytes 86827 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 79 undertime 0
class cbq 1:5025 parent 1:1002 leaf 5025: rate 128000bit (bounded) prio 6
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 1.8142e+06 undertime 0
class cbq 1:5024 parent 1:1002 leaf 5024: rate 128000bit (bounded) prio 6
 Sent 13537 bytes 225 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 1.8142e+06 undertime 0
class cbq 1:1002 parent 1: rate 2000Kbit (bounded) prio no-transmit
 Sent 13537 bytes 225 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 113931 undertime 0

### eth0: filtering rules

filter parent 1: protocol ip pref 200 fw
filter parent 1: protocol ip pref 200 fw handle 0x13a0 classid 1:5024

### eth2: queueing disciplines

qdisc cbq 1: rate 100000Kbit (bounded,isolated) prio no-transmit
 Sent 61531689 bytes 92902 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 77 undertime 0
qdisc sfq 4024: parent 1:4024 limit 128p quantum 1514b perturb 15sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 4025: parent 1:4025 limit 128p quantum 1514b perturb 15sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

### eth2: traffic classes

class cbq 1: root rate 100000Kbit (bounded,isolated) prio no-transmit
 Sent 61531689 bytes 92902 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 77 undertime 0
class cbq 1:4024 parent 1:1003 leaf 4024: rate 128000bit (bounded) prio 6
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 1.8142e+06 undertime 0
class cbq 1:1003 parent 1: rate 2000Kbit (bounded) prio no-transmit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 113931 undertime 0
class cbq 1:4025 parent 1:1003 leaf 4025: rate 128000bit (bounded) prio 6
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 1.8142e+06 undertime 0

I left out eth1 on purpose.

And on those workstations it is possible to use the internet up to the full capacity
of the internet link. And one more question: does the transparent squid proxy, which
also runs on that router and to which all traffic on port 80 is redirected, have any
effect on this? The rest of the traffic goes out through NAT.

Thanks a lot for any advice or for spotting mistakes

   Petr Bartel
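As an added diagnostic (not part of the post, nor of cbq.init), this Python script parses cbq.init class files and the iptables MARK rule and reports a marked source subnet that does not match the RULE= subnet of the class consuming that mark; the input is a constructed copy of the cbq-5025 file and the mangle rule from the post. It assumes cbq.init's convention that the class id is the number in the file name, and that the fw filter handle shown in the stats (0x13a0) is the same mark value written in decimal (5024).

```python
import ipaddress
import re

# Constructed sample input modelled on the post: the one cbq.init class file
# that carries a MARK= (filename -> contents) and the mangle MARK rule.
CBQ_FILES = {
    "cbq-5025.internet_eth0.allcomputers": """DEVICE=eth0,100Mbit,10Mbit
MARK=5024
RATE=128Kbit
PARENT=1002
RULE=192.168.1.240/255.255.255.240
""",
}
IPTABLES_RULES = [
    "iptables -t mangle -A PREROUTING -s 192.168.3.240/28 -j MARK --set-mark=5024",
]

FNAME = re.compile(r"^cbq-(\d+)\.")  # cbq.init takes the class id from the file name
MARK_RULE = re.compile(r"-s\s+(\S+).*--set-mark[= ](0x[0-9a-fA-F]+|\d+)")

def parse_cbq(files):
    """Return {class_id: {KEY: value}} for each cbq-NNNN.* file."""
    classes = {}
    for name, body in files.items():
        m = FNAME.match(name)
        if m:
            kv = (line.split("=", 1) for line in body.splitlines() if "=" in line)
            classes[int(m.group(1))] = dict(kv)
    return classes

def parse_marks(rules):
    """Return [(source_network, mark)] per iptables MARK rule (mark decimal or 0x hex)."""
    found = [MARK_RULE.search(r) for r in rules]
    return [(ipaddress.ip_network(m.group(1), strict=False), int(m.group(2), 0))
            for m in found if m]

def check(files, rules):
    """Every mark set in mangle must be consumed by some class, and the marked
    source subnet must equal that class's RULE= subnet. Returns findings."""
    classes = parse_cbq(files)
    by_mark = {int(v["MARK"], 0): cid for cid, v in classes.items() if "MARK" in v}
    findings = []
    for net, mark in parse_marks(rules):
        cid = by_mark.get(mark)
        rule = classes[cid].get("RULE") if cid is not None else None
        if cid is None:
            findings.append(f"mark {mark} set in iptables but no class has MARK={mark}")
        elif rule and ipaddress.ip_network(rule, strict=False) != net:
            findings.append(f"class {cid}: iptables marks {net} but RULE is {rule}")
    return findings
```

Run against the post's values it reports the subnet mismatch between the mangle rule and RULE=; with matching subnets (or the mark given as 0x13a0) it reports nothing.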

