To do this we make use of the mangle table - which allows us to modify packets before they leave the system.
sudo iptables -t mangle -A OUTPUT -j DSCP --set-dscp-class AF21 -m comment --comment "set dscp class to AF21 for all outbound traffic"
Or if you use Puppet / hiera to manage your configuration - you'd use something like:
firewall_rules_common:
  dscp_markings:
    name: "058 Set DSCP AF21 for QoS"
    chain: OUTPUT
    table: mangle
    set_dscp_class: af21
    jump: DSCP
We can now use tcpdump to verify that the outbound traffic is being marked.
To do this, however, we first need to work out the (decimal) ToS value of the DSCP class.
In this case it's AF21, which in decimal equates to 72, so we do:
sudo tcpdump -i eth0 -v 'ip[1]==72'
Example output:
16:23:38.749359 IP (tos 0x48, ttl 64, id 35827, offset 0, flags [DF], proto TCP (6), length 316)
test.server.ssh > 10.11.12.13.42632: Flags [P.], cksum 0x17ef (incorrect -> 0x9d68), seq 8127740:8128016, ack 5509, win 289, length 276
Note that the tos value in the above output is in decimal.
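As an added example (not part of the original post), the helper below works out the DSCP code point for a class name (AF21 is DSCP 18; the ToS/DS byte is the code point shifted left two bits, giving 72, which tcpdump prints as 0x48), builds a tcpdump filter that masks off the two ECN bits so marked packets still match when the stack sets ECN, and checks tcpdump -v header lines for the expected marking. The sample lines are constructed from the output format shown above, not a real capture.

```python
import re

def dscp_value(cls):
    """6-bit DSCP code point for a class name: AFxy (RFC 2597), CSx (RFC 2474), EF (RFC 3246), BE."""
    cls = cls.upper()
    if cls in ("BE", "CS0", "DEFAULT"):
        return 0
    if cls == "EF":
        return 46
    m = re.fullmatch(r"CS([0-7])", cls)
    if m:
        return int(m.group(1)) * 8
    m = re.fullmatch(r"AF([1-4])([1-3])", cls)
    if m:  # AFxy = class x * 8 + drop precedence y * 2
        return int(m.group(1)) * 8 + int(m.group(2)) * 2
    raise ValueError(f"unknown DSCP class: {cls}")

def tos_byte(cls):
    """DSCP occupies the top 6 bits of the ToS/DS byte; the low 2 bits are ECN."""
    return dscp_value(cls) << 2

def tcpdump_filter(cls):
    """Filter on the DSCP bits only: a bare ip[1]==72 misses AF21 packets that also carry ECN bits."""
    return f"(ip[1] & 0xfc) == {tos_byte(cls)}"

# tcpdump -v prints the DS byte in hex, e.g. "(tos 0x48, ttl 64, ...)"
TOS_RE = re.compile(r"\(tos 0x([0-9a-fA-F]+),")

def marked_as(line, cls):
    """True if a tcpdump -v header line carries the DSCP code point of cls (ECN bits ignored)."""
    m = TOS_RE.search(line)
    if not m:
        return False
    return (int(m.group(1), 16) & 0xFC) == tos_byte(cls)

# Constructed sample lines in the tcpdump -v format shown above (hypothetical, not a real capture).
SAMPLE = [
    "16:23:38.749359 IP (tos 0x48, ttl 64, id 35827, offset 0, flags [DF], proto TCP (6), length 316)",
    # 0x4a = AF21 with ECN ECT(0) set in the low two bits; still AF21-marked
    "16:23:39.001122 IP (tos 0x4a, ttl 64, id 35828, offset 0, flags [DF], proto TCP (6), length 100)",
    "16:23:39.500000 IP (tos 0x0, ttl 64, id 35829, offset 0, flags [DF], proto TCP (6), length 60)",
]

if __name__ == "__main__":
    print("AF21 ToS byte:", tos_byte("AF21"), "filter:", tcpdump_filter("AF21"))
    for line in SAMPLE:
        print(marked_as(line, "AF21"), line.split(",")[0])
```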