Problem with tc qdisc and Nat in iptables.

[nnes]

Hi all.
I want to test nat & Bandwidth control flowing below outline:

LAN --> Router ---> Net

PC1:.99.88 ---- (eth0).99.77-(Router)-(eth1).88.77 --> PC2:88.77

But I have some issues I haven't resolved yet.

1. NAT
- I configured the iptables, it worked. I can ping from PC1 to PC2 (LAN --> Net ), but i can't ping from PC2 to PC1 (Net --> LAN).
- My configured iptables content:

*nat
:PREROUTING ACCEPT [69:5735]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A PREROUTING -d 192.168.88.0/24 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 80 -j DNAT --to-destination 192.168.99.77
[1431:91349] -A POSTROUTING -o eth1 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [1237:130092]
:FORWARD ACCEPT [58:2524]
:OUTPUT ACCEPT [361:55266]
COMMIT

*mangle
:PREROUTING ACCEPT [327954:224121034]
:INPUT ACCEPT [16845:1789980]
:FORWARD ACCEPT [291214:220741036]
:OUTPUT ACCEPT [4503:643704]
:POSTROUTING ACCEPT [295717:221384740]
COMMIT

2. BW control
I want to limit BW on link from PC1 to PC2, create delay and filter source ip. My configured on router:

# tc qdisc add dev eth0 handle 1: root htb
# tc class add dev eth0 root classid 1:1 htb rate 2mbit
# tc qdisc add dev eth0 parent 1:1 handle 11: netem delay 100ms
# tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip src 192.168.88.0/24 flowid 1:1

But, when i ping from PC1 to PC2, delay time < 1ms ???????

I used iperf to test BW, PC1 is client iperf, PC2 is server iperf. My commands:
PC2: iperf -s
PC1: iperf -c 192.168.88.99
--> error:

connect failed: No route to host
write1 failed: Broken pipe
write2 failed: Broken pipe
------------------------------------------------------------
Client connecting to 192.168.88.99, TCP port 5001
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[ 3] local 0.0.0.0 port 49123 connected with 192.168.88.99 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0- 0.0 sec 0.00 Bytes 0.00 bits/sec

although I can ping from PC1 to PC2.

Help me to resolve this problem. Thanks all.

[Kloschüssel]

hi

1. you would probably need another part of the configuration that enables the communication from PC2 to PC1, not only from PC1 to PC2

2. nat applies to eth1 and tc commands specify eth0, could that be your problem?

[nnes]

hi

1. you would probably need another part of the configuration that enables the communication from PC2 to PC1, not only from PC1 to PC2

2. nat applies to eth1 and tc commands specify eth0, could that be your problem?

1. I used PREROUTING to create NAT from net to LAN. What more need I do?

2. I've changed tc commands specifing eth1, but it doesn't work right.

Thanks for your help.

[Kloschüssel]

1. I used PREROUTING to create NAT from net to LAN. What more need I do?

This problem was already solved a few times, please use the search engine of this board or your favorite web search engine. For instance, this may be of help: linuxforums.org: iptables kloschüssel - Google Search. Just note that a NAT translation between two private networks must be set up in both directions.

2. I've changed tc commands specifing eth1, but it doesn't work right.

I'm not that familiar with tc, sorry. A good howto may be more helpful than I could ever be.

[Lazydog]

Hi all.
I want to test nat & Bandwidth control flowing below outline:

LAN --> Router ---> Net

Is the router a linux box running IPTABLES?

From what I can tell you are not hitting the internet and all traffic is local is this correct?

[nnes]

thanks all. I resolved this problem.

[Kloschüssel]

Would you share the information how you did it? It may be of help to someone else one day.