[dundee] iptables and fair network usage

Lee Hughes toxicnaan at yahoo.co.uk
Fri Oct 26 13:43:15 BST 2007


Don't PANIC!

okay, all the scripts and firewall distros are just front ends
to either iptables (firewalling script) or tc (traffic control!)

you should read

http://www.netfilter.org/documentation/index.html#documentation-howto

and for traffic control

http://lartc.org/

there's also a great book called

http://www.amazon.com/Linux-iptables-Pocket-Reference-Gregor/dp/0596005695


lots of reading I'm afraid, but that's what good software is
'documentation'

I'll try and recover my scripts that I had for qos, they were simple.


I had just a couple of rules for transmitting packets.


TCP ACK always get priority.
port 22(ssh),(80),433 priority
packets smaller than 100 bytes get priority.

any other ports  forget about it.

this simple rule set seems to work really well.

you can make your qos scripts as easy or as complex as you like, it's just verifying that they are doing what you actually ask
of them

for multiple people sharing an adsl/cable modem sometimes it's
best to share bandwidth 'fairly' between all hosts, so you
would implement bandwidth sharing on source IP address rather than say on port number, packet/tos type?







Nistur <nistur at googlemail.com> wrote:

Ok, I gave up with ipcop, and decided against smoothwall for now. I 
installed Ubuntu server 6.06 and got one step further, the speedtouch 
modem now works perfectly, remembering iptables and the hell it caused 
before I went about looking for a web based GUI. I got webmin and it 
seems to do everything we want, several times over by the looks of 
things. I however am having trouble setting up, and I believe it's 
partly my stupidity, but also partly the setup. To begin with I just made 
a shell script to set the same tables as we had last year (is basically 
the NAT code block from 
http://www.gentoo.org/doc/en/home-router-howto.xml with minor 
alterations to interfaces etc) however it let no traffic through.
I attempted to use the "Shoreline firewall" module in webmin and every 
time I tested it, it blocked all traffic, even me, having to run to the 
router with a spare keyboard and reset the iptables from the shell 
script by guesswork.
I then tried "Iptables firewall" which I thought would be more what I 
was used to and therefore I might understand it a little better. The 
only difference with that one was it didn't lock up the system when I 
tried it. Then I tried the "Linux firewall" and was surprised to find 
that it was more like what I was expecting, basically an iptables 
frontend with nothing automagically setting anything else. However, it 
complained about my original script and tried to convert it. Everything 
looked fine, but still had the same effect, no internets. Even setting 
the "Linux Firewall" to the lowest setting, which set ALLOW to all 
packets on all ports in all directions between all interfaces did nothing.

Now, I know the last thing should have done SOMETHING if not any of the 
others. Someone please tell me where I'm going wrong.

Thanks for your help so far and for any to come.
Nistur

azmodie wrote:
> unfortunately i dismantled my ipcop box 2 years ago. was considering 
> rebuilding with a spare machine i found other day
>
> hope a reinstall will solve your problem. as far as i knew it should 
> load the module. not done much kernel debugging.
>
> have you tried with older firmware. (long shot)
>
> i know the broadcom driver has issues with newer versions of the fw.
> -- 
> Umbrella Corporation :-
> "They are the fear within all of that there is a company. The 
> Corporation controlling everything that is Umbrella.
> A combination of Microsoft and the US Military. At some level there is 
> a board of directors who meet once a
> month and decide all of our fates."
> -- Jeremy Bolt - Producer - Resident Evil : Apocalypse
> ------------------------------------------------------------------------
>
> _______________________________________________
> dundee GNU/Linux Users Group mailing list
> dundee at lists.lug.org.uk  http://dundee.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/dundee
> Chat on IRC, #tlug on dundee.lug.org.uk




       
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.lug.org.uk/pipermail/dundee/attachments/20071026/e61c7b02/attachment.html
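The priority rule set described in the message above, sketched as an added example; it is not the poster's script, which is not on the page. Assumptions: HTB shaping with an iptables firewall mark, uplink interface `ppp0`, a 400 kbit/s upstream rate split evenly between the two classes, a 64-byte bound for "bare" ACKs, and a mangle chain named `QOS`.

```shell
#!/bin/sh
# Added example, not the poster's script. Prints the commands by default;
# run with APPLY=1 as root to execute them.
DEV="${DEV:-ppp0}"        # assumed uplink interface
UPLINK="${UPLINK:-400}"   # assumed upstream rate in kbit/s (set just below the real rate)
PRIO_PORTS="${PRIO_PORTS:-22,80,433}"  # ports as listed in the message (HTTPS itself is 443)

qos_commands() {
    hi=$((UPLINK / 2))    # guaranteed share of the priority class (assumed split)
    lo=$((UPLINK - hi))   # guaranteed share of everything else
    cat <<EOF
# Two HTB classes under one root: 1:10 priority, 1:20 default for unmarked traffic
tc qdisc del dev $DEV root 2>/dev/null || true
tc qdisc add dev $DEV root handle 1: htb default 20
tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK}kbit
tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${hi}kbit ceil ${UPLINK}kbit prio 0
tc class add dev $DEV parent 1:1 classid 1:20 htb rate ${lo}kbit ceil ${UPLINK}kbit prio 1
tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
# Packets carrying firewall mark 1 go to the priority class
tc filter add dev $DEV parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
# Dedicated chain so the marking rules can be flushed without touching other rules
iptables -t mangle -N QOS 2>/dev/null || iptables -t mangle -F QOS
iptables -t mangle -C POSTROUTING -o $DEV -j QOS 2>/dev/null || iptables -t mangle -A POSTROUTING -o $DEV -j QOS
# Rule 1: bare TCP ACKs (ACK set, no SYN/RST/FIN, small packet)
iptables -t mangle -A QOS -p tcp --tcp-flags SYN,RST,FIN,ACK ACK -m length --length 0:64 -j MARK --set-mark 1
# Rule 2: the listed destination ports
iptables -t mangle -A QOS -p tcp -m multiport --dports $PRIO_PORTS -j MARK --set-mark 1
# Rule 3: any packet smaller than 100 bytes
iptables -t mangle -A QOS -m length --length 0:99 -j MARK --set-mark 1
EOF
}

if [ "${APPLY:-0}" = 1 ]; then qos_commands | sh -e; else qos_commands; fi
```

After applying, `tc -s class show dev ppp0` and `iptables -t mangle -L QOS -v -n` show per-class and per-rule packet counters, which is how to verify the rules are doing what was asked of them.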

