[Firewall] Multiple Interfaces and networks

Anibal F. Martinez Cortina zeuz_netraptor at hotmail.com
Thu Mar 5 14:59:57 CET 2009


Hey all, I know this is a feature on recent versions, so I was going to ask:
Is it working cleanly? Do the rules applied for multiple interfaces and multiple networks (multiple LANs connected to the host that acts as the router) work well enough to place it in a production environment where 500+ terminals are expected to be behind it?
Another thing I've noticed is that, using an htb token for traffic shaping, if I set the proxy as transparent (--redirect everything to remote 80 and 443 to local 3128/8080/[INSERT THE PORT HERE] so the proxy handles it), it breaks: it still works, and people go through the proxy, but I lose the amount of traffic I've shaped for them... [NOTE: I'm using htb-gen as the frontend to keep the rules done]
Here's an example rule of TC and how I'm marking the traffic, so if anyone can see where I'm missing the point I would be really happy to know, and beers would be on me...
Piece of tc:
tc qdisc del dev eth1 root
tc qdisc add dev eth1 root handle 1 htb default 0 r2q 15
tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1 htb default 0 r2q 15
tc class add dev eth1 parent 1: classid 1:7000 htb rate 1524kbit ceil 1524kbit burst 12k quantum 13004
tc class add dev eth0 parent 1: classid 1:7001 htb rate 1024kbit ceil 1024kbit burst 12k quantum 8738
tc class add dev eth1 parent 1:7000 classid 1:7002 htb rate 4kbit ceil 0kbit burst 24k quantum 1500
tc class add dev eth1 parent 1:7002 classid 1:7003 htb rate 3kbit ceil 0kbit burst 24k prio 1 quantum 1500
tc qdisc add dev eth1 parent 1:7003 handle 7003 sfq perturb 10
tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 7003 fw classid 1:7003
tc class add dev eth1 parent 1:7002 classid 1:7004 htb rate 1kbit ceil 0kbit burst 12k prio 3 quantum 1500
tc qdisc add dev eth1 parent 1:7004 handle 7004 sfq perturb 10
tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 7004 fw classid 1:7004
tc class add dev eth0 parent 1:7001 classid 1:7005 htb rate 4kbit ceil 0kbit burst 24k quantum 1500
tc class add dev eth0 parent 1:7005 classid 1:7006 htb rate 3kbit ceil 0kbit burst 24k prio 1 quantum 1500
tc qdisc add dev eth0 parent 1:7006 handle 7006 sfq perturb 10
tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 7006 fw classid 1:7006
tc class add dev eth0 parent 1:7005 classid 1:7007 htb rate 1kbit ceil 0kbit burst 12k prio 3 quantum 1500
tc qdisc add dev eth0 parent 1:7007 handle 7007 sfq perturb 10
tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 7007 fw classid 1:7007
tc class add dev eth1 parent 1:7000 classid 1:7008 htb rate 4kbit ceil 0kbit burst 24k quantum 1500
tc class add dev eth1 parent 1:7008 classid 1:7009 htb rate 3kbit ceil 0kbit burst 24k prio 1 quantum 1500
tc qdisc add dev eth1 parent 1:7009 handle 7009 sfq perturb 10
tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 7009 fw classid 1:7009
tc class add dev eth1 parent 1:7008 classid 1:7010 htb rate 1kbit ceil 0kbit burst 12k prio 3 quantum 1500
Piece of iptables marking rules:
iptables -t mangle -N htb-gen.down
iptables -t mangle -A FORWARD -o eth1 -j htb-gen.down
iptables -t mangle -N htb-gen.up
iptables -t mangle -A FORWARD -o eth0 -j htb-gen.up
iptables -t mangle -N htb-gen.down-172.16.0.2
iptables -t mangle -A htb-gen.down -d 172.16.0.2 -j htb-gen.down-172.16.0.2
iptables -t mangle -A htb-gen.down-172.16.0.2 -m mark --mark 0 -m length --length 0:100 -j MARK --set-mark 7003
iptables -t mangle -A htb-gen.down-172.16.0.2 -m mark --mark 0 -p udp -j MARK --set-mark 7003
iptables -t mangle -A htb-gen.down-172.16.0.2 -m mark --mark 0 -p icmp -j MARK --set-mark 7003
iptables -t mangle -A htb-gen.down-172.16.0.2 -m mark --mark 0 -p tcp -m multiport --sports 20,21,22,25,80,110,143,443,1863,1864,3389,3128 -j MARK --set-mark 7003
iptables -t mangle -A htb-gen.down-172.16.0.2 -m mark --mark 0 -m helper --helper ftp -j MARK --set-mark 7003
iptables -t mangle -A htb-gen.down-172.16.0.2 -m mark --mark 0 -j MARK --set-mark 7004
iptables -t mangle -A htb-gen.down-172.16.0.2 -j ACCEPT
iptables -t mangle -N htb-gen.up-172.16.0.2
iptables -t mangle -A htb-gen.up -s 172.16.0.2 -j htb-gen.up-172.16.0.2
iptables -t mangle -A htb-gen.up-172.16.0.2 -m mark --mark 0 -m length --length 0:100 -j MARK --set-mark 7006
iptables -t mangle -A htb-gen.up-172.16.0.2 -m mark --mark 0 -p udp -j MARK --set-mark 7006
iptables -t mangle -A htb-gen.up-172.16.0.2 -m mark --mark 0 -p icmp -j MARK --set-mark 7006
iptables -t mangle -A htb-gen.up-172.16.0.2 -m mark --mark 0 -p tcp -m multiport --dports 20,21,22,25,80,110,143,443,1863,1864,3389,3128 -j MARK --set-mark 7006
iptables -t mangle -A htb-gen.up-172.16.0.2 -m mark --mark 0 -m helper --helper ftp -j MARK --set-mark 7006
iptables -t mangle -A htb-gen.up-172.16.0.2 -m mark --mark 0 -j MARK --set-mark 7007
iptables -t mangle -A htb-gen.up-172.16.0.2 -j ACCEPT
If anyone can give me a heads up, that would be great... The problem is that when the proxy is running transparent, the traffic doesn't get shaped...
I'm currently assigning a maximum of usable bandwidth to them, and also prioritizing the set of ports you can see above...

Regards


Gentooza Style
-.ZeuZ.-
Anibal F. Martinez Cortina
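An added example, not htb-gen's output or the poster's own rules: the same marking chains, but hooked from OUTPUT as well as FORWARD, because a transparent REDIRECT ends the client's connection on the router itself, so the proxy's packets travel the INPUT/OUTPUT path, never FORWARD, stay at mark 0 and fall into htb's "default 0" (sent unshaped). The interfaces, the 172.16.0.2 client and the marks come from the post; the IPT/LAN_IF/WAN_IF variables and the file name shape-proxy.sh are assumptions.

```shell
#!/bin/sh
# Added example (not htb-gen's output). Hooks the mangle marking chains from
# FORWARD (routed traffic, as on the page) and from OUTPUT (traffic the router
# generates itself, e.g. a transparent proxy answering a client).
# IPT=echo turns every call into a dry run that just prints the rule.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"   # towards the clients (download direction)
WAN_IF="${WAN_IF:-eth0}"   # towards the internet (upload direction)
PRIO_PORTS="20,21,22,25,80,110,143,443,1863,1864,3389,3128"

install_hooks() {
    for pair in "down $LAN_IF" "up $WAN_IF"; do
        set -- $pair   # $1 = chain suffix, $2 = output interface
        $IPT -t mangle -N "htb-gen.$1"
        $IPT -t mangle -A FORWARD -o "$2" -j "htb-gen.$1"
        $IPT -t mangle -A OUTPUT  -o "$2" -j "htb-gen.$1"
    done
}

# Per-client chain with the page's classification.
# $1 client IP, $2 down|up, $3 interactive mark, $4 bulk mark
install_client() {
    ip=$1 name=$2 hi=$3 lo=$4
    case $name in
        down) sel="-d $ip"; ports="--sports" ;;
        up)   sel="-s $ip"; ports="--dports" ;;
    esac
    chain="htb-gen.$name-$ip"
    $IPT -t mangle -N "$chain"
    $IPT -t mangle -A "htb-gen.$name" $sel -j "$chain"
    # small packets, UDP, ICMP, the listed ports and FTP data: interactive class
    $IPT -t mangle -A "$chain" -m mark --mark 0 -m length --length 0:100 -j MARK --set-mark "$hi"
    $IPT -t mangle -A "$chain" -m mark --mark 0 -p udp -j MARK --set-mark "$hi"
    $IPT -t mangle -A "$chain" -m mark --mark 0 -p icmp -j MARK --set-mark "$hi"
    $IPT -t mangle -A "$chain" -m mark --mark 0 -p tcp -m multiport "$ports" "$PRIO_PORTS" -j MARK --set-mark "$hi"
    $IPT -t mangle -A "$chain" -m mark --mark 0 -m helper --helper ftp -j MARK --set-mark "$hi"
    # anything still unmarked goes to the bulk class
    $IPT -t mangle -A "$chain" -m mark --mark 0 -j MARK --set-mark "$lo"
    $IPT -t mangle -A "$chain" -j ACCEPT
}

# Usage: sh shape-proxy.sh install   (IPT=echo sh shape-proxy.sh install to preview)
if [ "${1:-}" = install ]; then
    install_hooks
    install_client 172.16.0.2 down 7003 7004   # marks taken from the post
    install_client 172.16.0.2 up   7006 7007
fi
```

Proxy fetches towards the internet leave OUTPUT with the router's own source address, so the per-client -s match cannot attribute that direction; the proxy itself would have to set the mark on its outgoing sockets for upload shaping to work per client.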




