[SOLVED] RE: using iptables/tc to traffic shape
Flaherty, Patrick
pflaherty at wsi.com
Tue Aug 11 16:50:02 EDT 2009
> if you don't mind a couple guesses:
>
> On 08/10/2009 07:10 PM, Flaherty, Patrick wrote:
> > I can't seem to get this to work though. The dnat rule gets
> a single
> > hit but the packet doesn't show up at the throttler:eth1.
>
> Do you have?:
> net.ipv4.ip_forward = 1
Yes, this was already set in sysctl
>
> > #accept all traffic on eth0, send it thru eth1, seems like *some*
> > packets should show up on eth1 eh?
> > iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
>
> Does the packet exist in both -i eth0 and -o eth1 states if
> it's being forwarded or just one at a time? That is, perhaps
> -i eth0 would be enough. Obviously I don't understand the
> theory well enough.
Jumping jeebus on a pogo stick... Bill is an iptables expert. I don't
totally understand why it works, but after removing the -o eth1 from the
FORWARD chain it works right. I really should have put the destination
in a different subnet when I was substituting IPs, so here's an updated
working version.
#client:192.168.100.10
#throttler:192.168.100.50
#throttler:192.168.100.51
#destination:192.168.150.100
#turn on natting
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#accept established connections from eth1 to eth0
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#accept all traffic on eth0
iptables -A FORWARD -i eth0 -j ACCEPT
#DNAT port 443 traffic arriving on eth0 to the destination host
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.150.100:443
#Now route traffic for 192.168.150.100 thru the interface we are going to use tc on
route add -host 192.168.150.100 gw 192.168.100.1 dev eth1
#let's add some latency to eth1 so the connection feels crappier.
tc qdisc add dev eth1 root netem delay 1000ms
#from client
#telnet 192.168.150.100 443
# Connected to SomeHost (192.168.150.100)
#Escape character is '^]'.
#
#Do a funny dance due to success
Thank you Bill!
Patrick
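The debugging step that resolved this thread (the DNAT rule counted a hit, the FORWARD rule did not) can be scripted: compare the packet counters on the chains a DNATed flow must traverse, nat PREROUTING then filter FORWARD, and report where it stopped. This is an added example, not code from the original post; the counter output below is constructed to mimic `iptables -v -n -x -L`, and the function names are mine.

```shell
#!/bin/sh
# Locate where a DNATed flow stops by reading iptables hit counters.
# Added example (not from the post); sample counter output is constructed.

# Packet counter of the first rule in the chain listing on stdin whose
# in/out interface columns equal "$1" and "$2" (iptables prints "*" for any).
rule_hits() {
    awk -v in_if="$1" -v out_if="$2" '
        $1 ~ /^[0-9]+$/ && $6 == in_if && $7 == out_if { print $1; exit }'
}

# Packet counter of the chain's default policy, from the "Chain ... (policy ...)" header.
policy_hits() {
    awk '/^Chain / { sub(/.*policy [A-Z]+ /, ""); sub(/ packets.*/, ""); print; exit }'
}

# Constructed sample: one client SYN to :443 with the rules from the post,
# but with the original "-i eth0 -o eth1" FORWARD rule still in place.
NAT_PREROUTING='Chain PREROUTING (policy ACCEPT 12 packets, 960 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1       60 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.150.100:443'

FILTER_FORWARD='Chain FORWARD (policy DROP 1 packets, 60 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0'

# Prints one of: before-dnat, forward-policy, forward-ok.
locate_drop() {
    dnat=$(printf '%s\n' "$NAT_PREROUTING" | rule_hits eth0 '*')
    accept=$(printf '%s\n' "$FILTER_FORWARD" | rule_hits eth0 eth1)
    policy=$(printf '%s\n' "$FILTER_FORWARD" | policy_hits)
    if [ "${dnat:-0}" -eq 0 ]; then
        echo before-dnat        # PREROUTING never rewrote the destination
    elif [ "${accept:-0}" -eq 0 ] && [ "${policy:-0}" -gt 0 ]; then
        echo forward-policy     # reached FORWARD, matched no ACCEPT, fell to the policy
    else
        echo forward-ok         # the ACCEPT rule saw it; check POSTROUTING and tc next
    fi
}
```

On a live box, replace the two constructed variables with `iptables -t nat -v -n -x -L PREROUTING` and `iptables -v -n -x -L FORWARD` output, zeroing the counters with `-Z` first so a single test connection is easy to read.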