[SOLVED] RE: using iptables/tc to traffic shape

Flaherty, Patrick pflaherty at wsi.com
Tue Aug 11 16:50:02 EDT 2009


> if you don't mind a couple guesses:
> 
> On 08/10/2009 07:10 PM, Flaherty, Patrick wrote:
> > I can't seem to get this to work though. The dnat rule gets 
> a single 
> > hit but the packet doesn't show up at the throttler:eth1.
> 
> Do you have?:
>   net.ipv4.ip_forward = 1
Yes, this was already set in sysctl.

> 
> > #accept all traffic on eth0, send it thru eth1, seems like *some* 
> > packets should show up on eth1 eh?
> > iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
> 
> Does the packet exist in both -i eth0 and -o eth1 states if 
> it's being forwarded or just one at a time?  That is, perhaps 
> -i eth0 would be enough.  Obviously I don't understand the 
> theory well enough.

Jumping jeebus on a pogo stick... Bill is an iptables expert. I don't
totally understand why it works, but after removing the -o eth1 from the
FORWARD chain it works right. I really should have put the destination
in a different subnet when I was substituting IPs, so here's an updated
working version.

#client:192.168.100.10
#throttler:192.168.100.50
#throttler:192.168.100.51
#destination:192.168.150.100

#turn on natting (masquerade everything that leaves via eth1)
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

#accept return traffic for established connections from eth1 to eth0
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

#accept all traffic arriving on eth0 (no -o eth1 here, see above)
iptables -A FORWARD -i eth0 -j ACCEPT

#DNAT port 443 traffic arriving on eth0 to the destination
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.150.100:443

#Now route traffic for 192.168.150.100 thru the interface we are going to use tc on
route add -host 192.168.150.100 gw 192.168.100.1 dev eth1

#let's add some latency to eth1 so the connection feels crappier.
tc qdisc add dev eth1 root netem delay 1000ms

#from client
#telnet 192.168.150.100 443
# Connected to SomeHost (192.168.150.100)
#Escape character is '^]'.
#
#Do a funny dance due to success


Thank you Bill!

Patrick


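A small check for the symptom described in this thread (the DNAT counter increments but nothing shows up on eth1). This is an added example, not code from the thread or from either poster: it reads the packet counters that `iptables -vnL` prints and says where the forwarded traffic stopped. The two SAMPLE_* strings are constructed output mimicking the earlier ruleset with the `-o eth1` still in the FORWARD rule; on a real box they would be replaced by the output of `iptables -t nat -vnL PREROUTING` and `iptables -vnL FORWARD`. Chain, target and interface names assume the setup above.

```shell
#!/bin/sh
# Added example (not from the original thread): parse `iptables -vnL` counters
# and report whether DNAT'd packets actually made it through FORWARD.

# Constructed sample output; replace with real command output when checking a box.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.150.100:443'

SAMPLE_FWD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0'

# rule_pkts OUTPUT TARGET IN OUT
# Prints the pkts counter of the first rule in OUTPUT whose target, in-interface
# and out-interface columns equal TARGET, IN and OUT; prints "none" if no rule matches.
# Lines 1-2 of each chain listing are the chain header and column header.
rule_pkts() {
  printf '%s\n' "$1" | awk -v t="$2" -v i="$3" -v o="$4" '
    NR > 2 && $3 == t && $6 == i && $7 == o { print $1; found = 1; exit }
    END { if (!found) print "none" }'
}

# diagnose DNAT_PKTS FORWARD_PKTS
# One-word verdict on where the packets went.
diagnose() {
  dnat=$1; fwd=$2
  if [ "$dnat" = none ] || [ "$dnat" -eq 0 ]; then
    # nothing reached the DNAT rule: wrong -i, -p or --dport
    echo "no-dnat-hit"
  elif [ "$fwd" = none ] || [ "$fwd" -eq 0 ]; then
    # DNAT matched but the FORWARD rule did not: ip_forward off, or the rule's
    # -o interface is not the one routing picked for the rewritten destination
    echo "dnat-but-no-forward"
  else
    echo "forwarded"
  fi
}

# Walk the sample: DNAT hit once, the FORWARD rule pinned to -o eth1 never matched.
main() {
  d=$(rule_pkts "$SAMPLE_NAT" DNAT eth0 '*')
  f=$(rule_pkts "$SAMPLE_FWD" ACCEPT eth0 eth1)
  echo "DNAT pkts=$d FORWARD(eth0->eth1) pkts=$f verdict=$(diagnose "$d" "$f")"
}

main
```

Run it once before and once after sending a test connection from the client; a DNAT counter that moves while the FORWARD counter stays at zero is the same picture Patrick saw, and the first things to look at are ip_forward and whether the route for the rewritten destination really leaves via the interface named in `-o`.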

