[ale] I need some help with iptables and cbq

JK jknapka at kneuro.net
Sun Sep 10 17:48:37 EDT 2006


James Sumners wrote:

> As I wrote last month
> (http://article.gmane.org/gmane.org.user-groups.ale/46036), I've
> switched from DSL to cable so that I can drop Bellsouth in favor of
> Vonage. Yesterday, I finally got my cable connection hooked up and
> spent the day writing a new firewall for it. My goal is to use class
> based queueing to give the VoIP connection all the bandwidth it needs
> for a G.711 encoded phone conversation. So far I have been
> unsuccessful in this endeavor. I've managed to write the iptables
> rules to mark all the packets (minus a couple) and masquerade all my
> LAN connections. I'll be DNATing a couple of ports later.
> 
> I have a couple questions for those of you on the list who are more
> knowledgeable about this stuff.
> 
> 1) Why don't the rules in firewall.sh on lines 73 and 75 mark packets?
> 2) The machine running this firewall has a wireless card that acts as
> the WAP for my apartment. Do I need to classify the packets on that
> interface as well? If I've been trying to test my bandwidth over
> wireless, would that be why it isn't working as it should be?
> 3) Do you have any suggestions for improving my rules?

Use HTB instead of CBQ.  HTB is considerably easier to configure
and almost as capable IIRC (though it's been a while since I've
messed with my lartc rules).

I started rolling my own tc script, but ended up just using
Wondershaper http://lartc.org/wondershaper/ and hacking it for my
configuration, which is this:

eth0: broadband internet link
eth1: wired LAN
eth2: wifi net

Basically, Wondershaper lets you simply specify the max upstream
and downstream bandwidth for each link, and takes care of
prioritizing interactive traffic and putting bulk data in
lower-priority queues.  I also hacked mine to allow higher
bandwidth to specific machines on the wifi segment, so that
the kids' downloading pr0n doesn't make it impossible for
me to get work done.

My iptables script is the one from Devil Linux
http://www.devil-linux.org, hacked up to let SSH through
to specific machines on the wired LAN. The wifi segment
is treated as a DMZ. Plus there's the whole World Beard
and Mustache Championships experience for unrecognized
MACs on the wifi segment, but that's just a side issue.

-- JK
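To make the HTB suggestion concrete, here is an added example of the kind of script the reply is describing (not JK's hacked Wondershaper, not Wondershaper itself, and not the poster's firewall.sh). It builds an HTB tree on the egress side of the broadband interface with a guaranteed, top-priority class for packets carrying an iptables fwmark, and a default class for everything else. Interface names, rates, the phone adapter's address and the UDP port range are constructed assumptions; a G.711 call is about 64 kbit/s of codec payload and roughly 80 to 90 kbit/s on the wire once RTP/UDP/IP headers are counted, so the 100 kbit VoIP reservation below leaves some headroom. Shaping is applied where packets leave the box (eth0 here), so traffic from the wired LAN and the wifi segment is classified the same way on its way out. Setting DRY_RUN=1 prints the tc and iptables commands instead of executing them, which lets the script be inspected without root.

```shell
#!/bin/sh
# Added example: HTB egress shaping with a fwmark-selected VoIP class.
# Not the poster's script or Wondershaper. Device names, rates, host
# address and port range below are constructed assumptions.
# DRY_RUN=1 prints the commands instead of running them (no root/tc needed).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# setup_shaping DEV UPLINK_KBIT VOIP_KBIT
# HTB tree on DEV:
#   1:1  root class capped at the real upstream rate, so the queue
#        builds here (where we control it) rather than in the modem
#   1:10 VoIP class: guaranteed VOIP_KBIT, highest priority (prio 0)
#   1:30 default class for everything else
setup_shaping() {
    dev=$1; uplink=$2; voip=$3
    bulk=$((uplink - voip))

    # Remove any existing root qdisc; ignore the error when there is none.
    run tc qdisc del dev "$dev" root 2>/dev/null || true

    run tc qdisc add dev "$dev" root handle 1: htb default 30
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "${uplink}kbit" ceil "${uplink}kbit"
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "${voip}kbit" ceil "${uplink}kbit" prio 0
    run tc class add dev "$dev" parent 1:1 classid 1:30 htb rate "${bulk}kbit" ceil "${uplink}kbit" prio 2

    # Shallow FIFO on the VoIP class keeps its latency low;
    # SFQ on the bulk class shares leftover bandwidth fairly.
    run tc qdisc add dev "$dev" parent 1:10 handle 10: pfifo limit 10
    run tc qdisc add dev "$dev" parent 1:30 handle 30: sfq perturb 10

    # Send packets carrying fwmark 1 into the VoIP class.
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
}

# mark_voip PHONE_ADAPTER_IP
# Mark the phone adapter's SIP and RTP traffic in the mangle table as it
# arrives from the LAN; the mark stays on the packet through MASQUERADE
# and is matched by the fw filter when it leaves the WAN interface.
# The RTP port range 10000:20000 is a constructed placeholder.
mark_voip() {
    host=$1
    run iptables -t mangle -A PREROUTING -s "$host" -p udp --dport 5060 -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -s "$host" -p udp --dport 10000:20000 -j MARK --set-mark 1
}

# Usage (real run needs root): 800 kbit upstream, 100 kbit reserved for VoIP.
# DRY_RUN=1 sh thisfile.sh prints the commands instead.
if [ "${1:-}" = "apply" ]; then
    setup_shaping eth0 800 100
    mark_voip 192.168.1.50
fi
```

Verify the result with `tc -s class show dev eth0`: the byte counters on class 1:10 should climb only while a call is in progress, and if they stay at zero the marking rules are not matching (check `iptables -t mangle -L -v` for packet counts on the MARK rules).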