[CentOS] Allocating 64 kbits/s out of 256 kbits/s for one LAN behind firewall

Wed Aug 8 07:23:34 UTC 2007
Indunil Jayasooriya <indunil75 at gmail.com>

Hi,

I have a CENTOS BOX as a firewall . both iptabes and iproute 2 are running
on it.

pls see bleow for installed RPMs.
[root at firebox ~]# rpm -qa |grep iptables
iptables-1.2.11-3.1.RHEL4

[root at firebox ~]# rpm -qa |grep iproute
iproute-2.6.9-3.EL4.7


It has 3 ethernet cards.

pls see below.

eth0 - internet ip (pls asume. 1.2.3.4/29 ). it connects to ISP router.
eth1 -  192.168.100.254
eth2 -   192.168.101.254

There are 2 LANs behind this firewall. both LANs have access to internet due
to SNAT rules in the firewall. I have given many SNAT rules per ip basic.
some users have full access, some have only web and smtp. I have added many
forward rules to suit those SNAT rules.

All work fine.

one LAN is 192.168.100.0/24, while the other LAN is 192.168.101.0/24

Now, I want LAN with 192.168.101.0/24 to allocate 64 kbit out of 256 kbit.
the rest for others.

I added rules to the firewall. But I still can not allocate 64 kbit for LAN
with 192.168.101.0/24

I think I need a PREROUTING chain  for LAN with 192.168.101.0/24


Script is given below.

INTERFAZ_INT=eth0

FULLBANDWIDTH=256

BANDWIDTH4LAN=64

iptables -t mangle -A PREROUTING -s
192.168.101.0/24<http://192.168.102.0/24>-j MARK --set-mark 0x5

tc qdisc add dev $INTERFAZ_INT root handle 1 htb r2q 4
tc class add dev $INTERFAZ_INT parent 1: classid 1:2 htb rate
"$FULLBANDWIDTH"Kbit
tc class add dev $INTERFAZ_INT parent 1: classid 1:5 htb rate
"$BANDWIDTH4LAN"Kbit
tc qdisc add dev $INTERFAZ_INT parent 1:5 handle 5 sfq perturb 10
tc filter add dev $INTERFAZ_INT protocol ip parent 1: pref 1 handle 5 fw
classid 1:5

Still no luck. after applying the obove rules, I downloaded an centos ISO
image. But , I still can download @ the usual rate. ( i.e 30-33 kbytes per
seconds).

If these rules work, I will be able to download @ about 8 kbyes per second.
(i.e - 8*8 kbit= 64 kbit)

That is what I expect ?

Where have I gone wrong?







-- 
Thank you
Indunil Jayasooriya
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20070808/5547403d/attachment-0003.html>