I would setup a separate routing table and a policy to route marked packets using that table and have iptables/netfilter mark certain packets.
Create a table:
echo 1 known >> /etc/iproute2/rt_tables
Create a routing rule (the ip
command is from iproute2):
ip rule add from all fwmark 1 table known
We created a table called "known" and created a routing rule that says any packet with a mark equal to 1 gets routed according to the "known" table. I only called it known because it's for the list of known protocols - you can name it whatever you want. Now we setup the known table to route the proper way.
ip route add default dev eth0 table known
Create iptables rules:
iptables -t mangle -I PREROUTING -p tcp --dport 111 -j MARK --set-mark 1
iptables -t mangle -I PREROUTING -p tcp --dport 2049 -j MARK --set-mark 1
The example marks packets on the NFS ports (111, 2049) with a 1. We are adding this rule to the 'mangle' iptable. This is different from the routing tables and is not changeable; the mangle table is specifically for altering packets in any way other than NAT.
Now, to route everything else through the other interface, we add a route to the standard routing table.
ip route add default dev eth1
To really understand this, read sections 4 and 11 of the LARTC howto.
When dealing with applications that are using up network bandwidth the best tool I've come across for tying back utilization to specific apps has got to be nethogs
.
You can use ip link show
or netstat -i
to find out your network interface names.
$ netstat -i
Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
em1 1500 0 0 0 0 0 0 0 0 BMU
lo 65536 81375 0 0 0 81375 0 0 0 LRU
virbr0 1500 0 0 0 0 0 0 0 0 BMU
wlp3s0 1500 2264942 0 0 0 2376236 0 0 0 BMRU
My wireless on my Fedora 19 laptop is wlp3s0
, so we tell nethogs
to watch that:
$ sudo nethogs wlp3s0
As you let nethogs
run it will start to show you the applications that are consuming your network bandwidth.
Best Answer
The Linux kernel version 2.6.35 introduces a new configuration option
CONFIG_NETFILTER_XT_TARGET_TEE
:Iptables supports the
-j TEE
target since 1.4.8.Earlier support was through the xtables addons, which include both kernel modules and userland tools. You may still prefer this option if you prefer to stick with your distribution's kernel and it's too old to have
TEE
.There's a tutorial by bjou (written before the feature was included in the official kernel and iptables).