[NBLUG/talk] Linux as router
Osiris Pedroso
opedroso at swoptimizer.com
Wed Nov 3 13:02:15 PST 2004
That sounds great!
Question on this line:
> Here is a rule from one of my firewalls that uses TOS shaping.
> iptables -t mangle -A OUTPUT -p tcp -j TOS --dport 20:21 --set-tos 8
Aren't port 20 and 21 ports for FTP traffic? Or does your VoIP also go
through them?
Osiris Pedroso
--
Ph: (707) 658-3500
http://www.SWoptimizer.com
-----Original Message-----
From: talk-bounces at nblug.org [mailto:talk-bounces at nblug.org] On Behalf Of
Mark Street
Sent: Wednesday, November 03, 2004 11:07 AM
To: General NBLUG chatter about anything Linux, answers to questions,etc.
Subject: Re: [NBLUG/talk] Linux as router
On Wednesday 03 November 2004 09:58, Osiris Pedroso wrote:
> I am using Vonage as VoIP and been pretty happy with it, although the
> occasional ftp disrupts my calls.
>
> The Vonage documentation says that using the Motorola phone adapter in
> front of everything else enables it to use QoS features that prevent this
> kind of problem, but it is not what I am seeing.
>
> That is my main thrust to get a Linux router/firewall and then do some
> traffic shaping to make sure that does not happen anymore.
>
> Interesting article you sent, but Vonage seems to have worked around the
> problem described in it.
I have worked with and deployed asterisk, an open source VOIP server and PBX,
asterisk.org
If you put the VOIP equipment phone behind a Linux Firewall you may have to
look into NAT and forwarding.... remember echo 1 > /proc/sys/net/ipv4/ip_forward ?
You have to tell the kernel to forward traffic from the inside to the outside
using NAT most likely. Remember, most of this filtering takes place in the
Linux kernel being the monolithic design that it is.
Here is a rule from one of my firewalls that uses TOS shaping.
iptables -t mangle -A OUTPUT -p tcp -j TOS --dport 20:21 --set-tos 8
You can tweak it to your liking for any service, port, etc. Especially for
your VOIP equipment - Minimize-Delay would be important.
To see the different parameters you can set for TOS
iptables -m tos -h
TOS match v1.2.8 options:
[!] --tos value Match Type of Service field from one of the
following numeric or descriptive values:
Minimize-Delay 16 (0x10)
Maximize-Throughput 8 (0x08)
Maximize-Reliability 4 (0x04)
Minimize-Cost 2 (0x02)
Normal-Service 0 (0x00)
http://www.faqs.org/docs/linux_network/x-087-2-firewall.tos.manipulation.html
TOS Bit Manipulation - The Type Of Service (TOS) bits are a set of four-bit
flags in the IP header. When any one of these bit flags is set, routers may
handle the datagram differently than datagrams with no TOS bits set. Each of
the four bits has a different purpose and only one of the TOS bits may be set
at any time, so combinations are not allowed. The bit flags are called Type
of Service bits because they enable the application transmitting the data to
tell the network the type of network service it requires.
The classes of network service available are:
Minimum delay - Used when the time it takes for a datagram to travel from the
source host to destination host (latency) is most important. A network
provider might, for example, use both optical fiber and satellite network
connections. Data carried across satellite connections has farther to travel
and their latency is generally therefore higher than for terrestrial-based
network connections between the same endpoints. A network provider might
choose to ensure that datagrams with this type of service set are not carried
by satellite.
Maximum throughput - Used when the volume of data transmitted in any period of
time is important. There are many types of network applications for which
latency is not particularly important but the network throughput is; for
example, bulk-file transfers. A network provider might choose to route
datagrams with this type of service set via high-latency, high-bandwidth
routes, such as satellite connections.
Maximum reliability - Used when it is important that you have some certainty
that the data will arrive at the destination without retransmission being
required. The IP protocol may be carried over any number of underlying
transmission mediums. While SLIP and PPP are adequate datalink protocols,
they are not as reliable as carrying IP over some other network, such as an
X.25 network. A network provider might make an alternate network available,
offering high reliability, to carry IP that would be used if this type of
service is selected.
Minimum cost - Used when it is important to minimize the cost of data
transmission. Leasing bandwidth on a satellite for a transpacific crossing is
generally less costly than leasing space on a fiber-optical cable over the
same distance, so network providers may choose to provide both and charge
differently depending on which you use. In this scenario, your "minimum cost"
type of service bit may cause your datagrams to be routed via the lower-cost
satellite route.
> -----Original Message-----
> From: talk-bounces at nblug.org [mailto:talk-bounces at nblug.org] On Behalf Of
> Mark Street
> Sent: Tuesday, November 02, 2004 10:11 PM
> To: General NBLUG chatter about anything Linux, answers to questions,etc.
> Subject: Re: [NBLUG/talk] Linux as router
>
> I saw this one on my Asterisk mailing list. I thought it might help you in
> the long run.
>
> http://www.voip-info.org/wiki-NAT+and+VOIP
>
> What type of VOIP phone/service are you using?
>
> On Monday 01 November 2004 13:57, Osiris Pedroso wrote:
> > This is more a trip for enlightenment than actually just to get a
> > firewall.
> >
> > I have a Netgear hardware firewall already in place, behind this machine
> > at the moment.
> >
> > The real big plan is to later on do some traffic shaping with my VoIP
> > phone on the inside of the net, making my phone calls immune to my ftp
> > transfers. Today it is outside due to my inability to forward packages
> > from one NIC to the other.
>
> _______________________________________________
> talk mailing list
> talk at nblug.org
> http://nblug.org/cgi-bin/mailman/listinfo/talk
--
Mark Street, RHCE
http://www.oswizards.com
--
Key fingerprint = 3949 39E4 6317 7C3C 023E 2B1F 6FB3 06E7 D109 56C0
GPG key http://www.oswizards.com/pubkey.asc
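As an added example (not code from the thread or from either poster), here is a small POSIX shell script that turns the ip_forward step and the TOS rule discussed above into a dry-run ruleset for a Linux router sitting in front of a LAN phone adapter. The SIP port udp/5060, the RTP range udp/10000:20000 and the WAN interface name eth0 are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the forwarding/NAT/TOS rules for a
# Linux router that carries a LAN phone adapter's calls past bulk FTP traffic.
# Assumed, not from the thread: SIP on udp/5060, RTP on udp/10000:20000, WAN
# interface eth0. DRY_RUN=1 (default) only prints the commands it would run.
DRY_RUN=${DRY_RUN:-1}
WAN=${WAN:-eth0}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Map the descriptive names listed by `iptables -m tos -h` to the numeric
# value the TOS target takes (the thread's rule uses 8 = Maximize-Throughput).
tos_value() {
    case "$1" in
        Minimize-Delay)       echo 16 ;;
        Maximize-Throughput)  echo 8 ;;
        Maximize-Reliability) echo 4 ;;
        Minimize-Cost)        echo 2 ;;
        Normal-Service)       echo 0 ;;
        *) return 1 ;;
    esac
}

# Only one TOS class may be set at a time, so a combined value such as
# 24 (Delay|Throughput) is rejected before it ever reaches iptables.
valid_tos() { case "$1" in 0|2|4|8|16) return 0 ;; *) return 1 ;; esac; }

# Emit one marking rule. The thread's rule lives in mangle OUTPUT, which only
# sees packets the router generates itself; packets forwarded for a phone on
# the LAN traverse PREROUTING/FORWARD/POSTROUTING instead, so this marks them
# in mangle PREROUTING, before the routing decision.
mark_tos() {  # args: proto dport[:range] tos-name
    v=$(tos_value "$3") && valid_tos "$v" || return 1
    run iptables -t mangle -A PREROUTING -p "$1" --dport "$2" -j TOS --set-tos "$v"
}

setup_router() {
    # The "echo 1 > /proc/sys/net/ipv4/ip_forward" step from the thread, then NAT.
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    mark_tos udp 5060        Minimize-Delay       # SIP signalling (assumed port)
    mark_tos udp 10000:20000 Minimize-Delay       # RTP media (assumed range)
    mark_tos tcp 20:21       Maximize-Throughput  # FTP, as in the thread's rule
}

setup_router
```

Run it as-is to review the commands; `DRY_RUN=0 sh router-tos.sh` as root applies them.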