Forums

Skip to content

Advanced search
  • Quick links
    • Unanswered topics
    • Active topics
    • Search
  • FAQ
  • Login
  • Register
  • Board index Assistance Networking & Security
  • Search

comprehension about tc

Having problems getting connected to the internet or running a server? Wondering about securing your box? Ask here.
Post Reply
Advanced search
16 posts • Page 1 of 1
Author
Message
maxwellnina
n00b
n00b
Posts: 9
Joined: Mon Sep 24, 2007 1:11 am

comprehension about tc

  • Quote

Post by maxwellnina » Fri Mar 27, 2009 1:58 pm

Hi every body
As I'm running as a small isp with around 200 clients with (7MB Download/2MB upload) and Megabyte Ethernet Network cards
some clients are abusing others with dangerous usage of p2p programs ,then as I would like not to stop them downloading but prioritize so that
my gentoo gateway/firewall can limit them with shaping ,i made some search and among solution i got this http://www.securityfocus.com/infocus/1285
So after reading this page
talking about usage of tc for trafic shaping i tried to implement it in my gentoo case,but unfortunately i think i'm not
wise enough to get it work ,so please i would like you people to give me some help to understand what this exactly means

Code: Select all

The script should be started right after the firewall policy script during the initialization fase of the firewall. Depending on the distribution, put the two in /etc/rc.d/init.d and link to them from the runlevel directory of simply call the scripts from the /etc/rc.d/rc.local script.

The script will first create a root class and a class that defines a 64kbit link in the 10Mbit Ethernet link. Our four traffic classes are derived from that class by calling the script's add_class function. Note the last argument of the function. It can make the class 'bounded', which means that the class will not be able to borrow bandwidth from other classes.
How probably how one can apply this example on gentoo
and why not suggest me a more cool thing i can apply :idea:

thanks in advance
Top
ecroy
n00b
n00b
Posts: 59
Joined: Fri Nov 08, 2002 1:50 pm

  • Quote

Post by ecroy » Sat Mar 28, 2009 4:59 pm

Whow! I'd suggest to stay away from that article as it seems a _bit_ outdated (ipchains was linux kernel 2.2). As you seem to be doing that stuff not only for your own private use I think it would be good to understand a bit of linux traffic control first - it's not that hard. Try reading chapter 9 of Linux Advanced Routing & Traffic Control for some basics. Admittedly it is rather old as well but the important concepts are well described therein. I further strongly suggest to use HTB as queuing discipline and do the filtering via the iptables CLASSIFY target. If you need further help I could give you a small example.

After you have some working script doing what you want it is trivial to get it started from the gentoo init system - you could either just put in the /etc/conf.d/local.start or (the more proper solution) write your own little init script, looking something like:

Code: Select all

#!/sbin/runscript

depend() {
        need net
}

start() {
        ebegin "Starting traffic control"
        /path/to/your/tc/script
        eend $?
}
putting it for example into /etc/init.d/tc make it executable by

Code: Select all

chmod u+x /etc/init.d/tc
and adding it to your default runlevel via

Code: Select all

rc-update add tc default
Top
maxwellnina
n00b
n00b
Posts: 9
Joined: Mon Sep 24, 2007 1:11 am

tc and htb shaping

  • Quote

Post by maxwellnina » Sat Mar 28, 2009 11:29 pm

thank you very much ecroy to give me some help
I really appreciate and I will also very interested if you can provide me with some HTB examples

talking about this particular example i already have a firewall script already running "/etc/init.d/firewall" so i made the shaping one
"/etc/init.d/tc" so according to this manual
The tc script should started right after the firewall policy script during the initialization fase of the firewall. so I was looking the way to make tc start
after the firewall or it doesn't matter.

thanks in advance for your futher help
Top
alex.blackbit
Advocate
Advocate
Posts: 2397
Joined: Tue Jul 26, 2005 8:04 pm

  • Quote

Post by alex.blackbit » Sun Mar 29, 2009 12:26 am

of course ecroy is right, understanding the basics is a good idea.
if you want some quick results, try e.g. shorewall, it's a quite nice frontend for iptables and tc, lately even with proper ipv6 support.
Top
ecroy
n00b
n00b
Posts: 59
Joined: Fri Nov 08, 2002 1:50 pm

  • Quote

Post by ecroy » Sun Mar 29, 2009 9:43 am

You should check the fine gentoo initscript documentation

As for the HTB-example, here you go (assuming you have 200 clients, eth0 is your the interface to your upstream provider and eth1 the one to your clients):

Code: Select all

# add qdiscs to both interfaces
tc qdisc add dev eth0 root handle 1: htb default 1000
tc qdisc add dev eth1 root handle 1: htb default 1000

# add root class
tc class add dev eth0 parent 1: classid 1:100 htb rate ${MAX_SPEED_UP}kbit ceil ${MAX_SPEED_UP}kbit
tc class add dev eth1 parent 1: classid 1:100 htb rate ${MAX_SPEED_DOWN}kbit ceil ${MAX_SPEED_DOWN}kbit

# add default class (should not get much traffic)
/sbin/tc class add dev eth0 parent 1:100 classid 1:1000 htb rate 128kbit ceil ${MAX_SPEED_UP}kbit prio 3 quantum 1500
/sbin/tc class add dev eth1 parent 1:100 classid 1:1000 htb rate 128kbit ceil ${MAX_SPEED_DOWN}kbit prio 3 quantum 1500

# add iptables chains for upstream and downstream traffic
iptables -t mangle -N classifyup
iptables -t mangle -N classifydown
iptables -t mangle -A POSTROUTING -o eth0 -j classifyup
iptables -t mangle -A POSTROUTING -o eth1 -j classifydown

# for each client add a class and an iptables filter
for ((i=0;i<200;i++)); do
	tc class add dev eth0 parent 1:100 classid 1:$((1001+i)) htb rate ${CLIENT_RATE_UP[i]}kbit ceil ${CLIENT_CEIL_UP[i]}kbit prio 3 quantum 1500
	tc class add dev eth1 parent 1:100 classid 1:$((1001+i)) htb rate ${CLIENT_RATE_DOWN[i]}kbit ceil ${CLIENT_CEIL_DOWN[i]}kbit prio 3 quantum 1500

	iptables -t mangle -A classifyup -s ${CLIENT_IP[i]} -j CLASSIFY --set-class 1:$((1001+i))
	iptables -t mangle -A classifyup -s ${CLIENT_IP[i]} -j RETURN

	iptables -t mangle -A classifydown -d ${CLIENT_IP[i]} -j CLASSIFY --set-class 1:$((1001+i))
	iptables -t mangle -A classifydown -d ${CLIENT_IP[i]} -j RETURN
done
The code above should get you going pretty well, of course you need the values for the variables from somewhere.

For MAX_SPEED_UP and MAX_SPEED_DOWN you should try about 95% of your rated bandwidth in kbit/s.

The client-specific arrays CLIENT_RATE_UP, CLIENT_RATE_DOWN should be some value which add up to not more than MAX_SPEED_UP respectively MAX_SPEED_DOWN but are not to low either - you could for example use just $((MAX_SPEED_UP/200)) and $((MAX_SPEED_DOWN/200)).

As for the CLIENT_CEIL_UP and CLIENT_CEIL_DOWN: those are the maximum speeds you want to assign to each customer.

Well and you can probably figure out what CLIENT_IP should be :wink:
Top
maxwellnina
n00b
n00b
Posts: 9
Joined: Mon Sep 24, 2007 1:11 am

  • Quote

Post by maxwellnina » Mon Mar 30, 2009 1:21 pm

Hi ecroy
Seems to me "concerning to your script" that every client have the same bandwith (or maybe i'm wrong) but in my case i have for example 5 types of services (upload/download in kb/s:64/64; 64/128; 64/256; 128/384 & 256/512)
so while reading lartc document http://www.linux-france.org/prj/inetdoc/ (french is my first language :roll: )
to understand more about shaping can you please give help me with more explanation and more examples taking in account my specific case

ha by the way concerning gentoo initscript documentation after reading i came up with this :

in my /etc/init.d/tc script seams ok for you if to start the script after the first firewall script (/etc/init.d/firewall)

i add this inside at top ?

Code: Select all

#
!/sbin/runscript
depend() {
        use net
        after firewall
} 
start() {
        ebegin "Starting shaping"
or use the full path (stupid question but need to know)

Code: Select all

!/sbin/runscript
depend() {
        use net
        after /etc/init.d/firewall
} 
start() {
        ebegin "Starting shaping"
thank you
Top
ecroy
n00b
n00b
Posts: 59
Joined: Fri Nov 08, 2002 1:50 pm

  • Quote

Post by ecroy » Mon Mar 30, 2009 2:06 pm

If you have a look at the script again you will notice that the rates and ceils for the clients are actually arrays, so for your case you would need something like

Code: Select all

CLIENT_CEIL_UP[0]=64
CLIENT_CEIL_UP[1]=128
...
CLIENT_CEIL_DOWN[0]=64
CLIENT_CEIL_DOWN[1]=384
...
For every client the according speed values. As indicated in my last post you're probably ok setting the CLIENT_RATE values equal for all customers. You can further differentiate the service classes via the prio and quantum parameters (see lartc.org for documentation).

Of course - this is just a basic example to get you started - in reality you would probably make the whole thing database-driven so to fetch the speeds and IPs via some SQL-commands. Then again maybe bash is to cumbersome for that - just use whatever scripting language is most familiar to you.

As for the initscript dependencies I would say that "need net" would be better than "use net" because traffic control is not of much use without networking :) The "after firewall" is probably ok and no, you don't have to specify full paths within the depend section of your initscript.
Top
maxwellnina
n00b
n00b
Posts: 9
Joined: Mon Sep 24, 2007 1:11 am

  • Quote

Post by maxwellnina » Mon Mar 30, 2009 2:23 pm

thanks ecroy
I will read more to master the thing in case of problem will come back with questions
dont hesitate if you have more stuff wchich can give me some help
Top
maxwellnina
n00b
n00b
Posts: 9
Joined: Mon Sep 24, 2007 1:11 am

  • Quote

Post by maxwellnina » Thu Apr 02, 2009 11:12 pm

Hi all
after some read I came up with this script please I need your help to correct or improve it
hey ecroy please tell me something
Here I assume that "eth1" is my interface to Internet & "eth0" interface to my clients
and with a total Bandwidth of 3Mbits/s Download and 1Mbits/s Upload
Let go inside the script "/etc/init.d/shaping"

Code: Select all

 
#!/sbin/runscript
# Copyright 1999-2009 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $
depend() {
        need net
        after firewall
}

start() {
         ebegin "Starting shaping"
#!/bin/bash
# Author  Maxwell
##HTB Tree
#                       +-----------+
#                       | root   1: |
#                       +-----------+
#                             |
#               +---------------------------------------+
#               |          class 1:1                    |
#               +---------------------------------------+                                                       
#                |       |      |      |      |          
#               +----+ +----+ +----+ +----+ +----+
#               |1:10| |1:11| |1:12| |1:13| |1:14|
#               +----+ +----+ +----+ +----+ +----+

# Location of the commands
TC=/sbin/tc

# interfaces
IFCUSTOMER=eth0
IFINTERNET=eth1

#Maximum Speed UP & Down 
# Upload Ceil "MAX_SPEED_UP" 95% of Upload (1024kbits/s * 95% =973)

MAX_SPEED_UP=973

#Download Ceil  "MAX_SPEED_DOWN" 95% of Download (3072kbits/s * 95% =2920)

MAX_SPEED_DOWN=2920

#Flush existing rules
echo "flush existing rules";

$TC qdisc del dev $IFINTERNET root >/dev/null 2>&1
$TC qdisc del dev $IFINTERNET ingress >/dev/null 2>&1
$TC qdisc del dev $IFCUSTOMER root >/dev/null 2>&1
$TC qdisc del dev $IFCUSTOMER ingress >/dev/null 2>&1

echo "start classify";
#add qdisc to both interfaces
# On creer une qdisc racine sur les peripheriques eth0 & eth1 avec identifiant (handle) 1: qui utilise htb
#ainsi tout traffic non classe ira vers la classe ayant le numero mineur 14 (1:14) 
#Any classless traffic will automaticly bind  with the minor number 14 (1:14)
$TC qdisc add dev $IFCUSTOMER root handle 1: htb default 14
$TC qdisc add dev $IFINTERNET root handle 1: htb default 14
#Parent class wich contains others Classes
$TC qdisc add dev $IFCUSTOMER parent 1: classid 1:1 htb rate ${MAX_SPEED_DOWN}kbit ceil ${MAX_SPEED_DOWN}kbit
$TC qdisc add dev $IFINTERNET parent 1: classid 1:1 htb rate ${MAX_SPEED_UP}kbit ceil ${MAX_SPEED_UP}kbit
#class 1:10 with max prio 40% of bandwith [ssh,dns,http,https,Packets with bit SYN enable...]
$TC qdisc add dev $IFINTERNET parent 1:1 classid 1:10 htb rate 384kbit ceil 640kbit prio 0
$TC qdisc add dev $IFCUSTOMER parent 1:1 classid 1:10 htb rate 1168kbit ceil 1536kbit prio 0
#class 1:11 with 25% of bandwith [Sip,IAX & NAT Services ]
$TC qdisc add dev $IFINTERNET parent 1:1 classid 1:11 htb rate 244kbit ceil ${MAX_SPEED_UP}kbit prio 1
$TC qdisc add dev $IFCUSTOMER parent 1:1 classid 1:11 htb rate 730kbit ceil ${MAX_SPEED_DOWN}kbit prio 1
#class 1:12 with 20% of bandwith [pop3,smtp & TOS Minimize-cost] 
$TC qdisc add dev $IFINTERNET parent 1:1 classid 1:12 htb rate 192kbit ceil ${MAX_SPEED_UP}kbit prio 2
$TC qdisc add dev $IFCUSTOMER parent 1:1 classid 1:12 htb rate 584kbit ceil ${MAX_SPEED_DOWN}kbit prio 2
#class 1:13 with 10% of bandwith [TOS Maximize-Throughput & Internal Local Process...]
$TC qdisc add dev $IFINTERNET parent 1:1 classid 1:13 htb rate 97kbit ceil ${MAX_SPEED_UP}kbit prio 3
$TC qdisc add dev $IFCUSTOMER parent 1:1 classid 1:13 htb rate 292kbit ceil ${MAX_SPEED_DOWN}kbit prio 3
#class 1:14 with 5% of bandwith [P2P] 
$TC qdisc add dev $IFINTERNET parent 1:1 classid 1:14 htb rate 48kbit ceil ${MAX_SPEED_UP}kbit prio 4
$TC qdisc add dev $IFCUSTOMER parent 1:1 classid 1:14 htb rate 146kbit ceil ${MAX_SPEED_DOWN}kbit prio 4

##Some of these classes will have a sfq queue discipline attached to them to dispatch their packets
#IFINTERNET
$TC qdisc add dev $IFINTERNET parent 1:12 handle 120: sfq perturb 10
$TC qdisc add dev $IFINTERNET parent 1:13 handle 130: sfq perturb 10

$TC qdisc add dev $IFINTERNET parent 1:14 handle 140: sfq perturb 10
#IFCUSTOMER
$TC qdisc add dev $IFCUSTOMER parent 1:12 handle 120: sfq perturb 10
$TC qdisc add dev $IFCUSTOMER parent 1:13 handle 130: sfq perturb 10
$TC qdisc add dev $IFCUSTOMER parent 1:14 handle 140: sfq perturb 10

#Let classify packets
$TC filter add dev $IFCUSTOMER parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10
$TC filter add dev $IFCUSTOMER parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11
$TC filter add dev $IFCUSTOMER parent 1:0 protocol ip prio 3 handle 3 fw classid 1:12
$TC filter add dev $IFCUSTOMER parent 1:0 protocol ip prio 4 handle 4 fw classid 1:13
$TC filter add dev $IFCUSTOMER parent 1:0 protocol ip prio 5 handle 5 fw classid 1:14
eend $?
}

stop() {
        ebegin "Stopping shaping"
        eend $?
}
and this is the part I pretend to add to my firewall script "/etc/init.d/firewall" on Mangle section

Code: Select all

#!/sbin/runscript
# Copyright 1999-2009 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

depend() {
        need net
}

start() {
        ebegin "Starting firewall"

#!/bin/bash
# Author Maxwell

##Mangle Section
##We use RETURN to avoid packets to cross the entire rules

##PREROUTING
$IPTABLES -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1
$IPTABLES -t mangle -A PREROUTING -p icmp -j RETURN
#TOS Marks
$IPTABLES -t mangle -A PREROUTING -m tos --tos Minimize-delay -j MARK --set-mark 0x1
$IPTABLES -t mangle -A PREROUTING -m tos --tos Minimize-delay -j RETURN
$IPTABLES -t mangle -A PREROUTING -m tos --tos Minimize-cost -j MARK --set-mark 0x2
$IPTABLES -t mangle -A PREROUTING -m tos --tos Minimize-cost -j RETURN
$IPTABLES -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 0x3
$IPTABLES -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j RETURN
#ssh,dns,http,https
$IPTABLES -t mangle -A PREROUTING -p tcp -m multiport --sports 22,53,80,443 -j MARK --set-mark 0x1
$IPTABLES -t mangle -A PREROUTING -p tcp -m multiport --sports 22,53,80,443 -j RETURN
#dns udp
$IPTABLES -t mangle -A PREROUTING -p udp -m udp --sport 53 -j MARK --set-mark 0x1
$IPTABLES -t mangle -A PREROUTING -p tcp -m udp --sport 53 -j RETURN
#Prioritize packets with SYN bit enable
$IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1
$IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
#Sip,IAX,H323
$IPTABLES -t mangle -A PREROUTING -p tcp -m multiport --sports 389,1503,1718,1719,1720,1721,4569,5004,5060,5061,7060,10000 -j MARK --set-mark 0x2
$IPTABLES -t mangle -A PREROUTING -p tcp -m multiport --sports 389,1503,1718,1719,1720,1721,4569,5004,5060,5061,7060,10000 -j RETURN
#POP3,SMTP,IMAP."ssl"...
$IPTABLES -t mangle -A PREROUTING -p tcp -m multiport --sports 25,110,143,993,995 -j MARK --set-mark 0x3
$IPTABLES -t mangle -A PREROUTING -p tcp -m multiport --sports 25,110,143,993,995 -j RETURN
#P2P
$IPTABLES -t mangle -A PREROUTING -m ipp2p --kazaa --gnu --edk --dc --bit --apple --soul --winmx --ares -j MARK --set-mark 0x5
$IPTABLES -t mangle -A PREROUTING -m ipp2p --kazaa --gnu --edk --dc --bit --apple --soul --winmx --ares -j RETURN
$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark 0x5

##OUTPUT
$IPTABLES -t mangle -A OUTPUT -p icmp -j MARK --set-mark 0x1
$IPTABLES -t mangle -A OUTPUT -p icmp -j RETURN
#TOS Marks
$IPTABLES -t mangle -A OUTPUT -m tos --tos Minimize-delay -j MARK --set-mark 0x1
$IPTABLES -t mangle -A OUTPUT -m tos --tos Minimize-delay -j RETURN
$IPTABLES -t mangle -A OUTPUT -m tos --tos Minimize-cost -j MARK --set-mark 0x2
$IPTABLES -t mangle -A OUTPUT -m tos --tos Minimize-cost -j RETURN
$IPTABLES -t mangle -A OUTPUT -m tos --tos Maximize-Throughput -j MARK --set-mark 0x3
$IPTABLES -t mangle -A OUTPUT -m tos --tos Maximize-Throughput -j RETURN
#ssh,dns,http,https
$IPTABLES -t mangle -A OUTPUT -p tcp -m multiport --dports 22,53,80,443 -j MARK --set-mark 0x1
$IPTABLES -t mangle -A OUTPUT -p tcp -m multiport --dports 22,53,80,443 -j RETURN
#dns udp
$IPTABLES -t mangle -A OUTPUT -p udp -m udp --dport 53 -j MARK --set-mark 0x1
$IPTABLES -t mangle -A OUTPUT -p tcp -m udp --dport 53 -j RETURN
#Prioritize packets with SYN bit enable
$IPTABLES -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1
$IPTABLES -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
#Sip,IAX,H323
$IPTABLES -t mangle -A OUTPUT -p tcp -m multiport --dports 389,1503,1718,1719,1720,1721,4569,5004,5060,5061,7060,10000 -j MARK --set-mark 0x2
$IPTABLES -t mangle -A OUTPUT -p tcp -m multiport --dports 389,1503,1718,1719,1720,1721,4569,5004,5060,5061,7060,10000 -j RETURN
#POP3,SMTP,IMAP."ssl"...
$IPTABLES -t mangle -A OUTPUT -p tcp -m multiport --dports 25,110,143,993,995 -j MARK --set-mark 0x3
$IPTABLES -t mangle -A OUTPUT -p tcp -m multiport --dports 25,110,143,993,995 -j RETURN
#"P2P" As I were using ipp2p before will use it to mark p2p traffic
$IPTABLES -t mangle -A OUTPUT -m ipp2p --kazaa --gnu --edk --dc --bit --apple --soul --winmx --ares -j MARK --set-mark 0x5
$IPTABLES -t mangle -A OUTPUT -m ipp2p --kazaa --gnu --edk --dc --bit --apple --soul --winmx --ares -j RETURN
$IPTABLES -t mangle -A OUTPUT -j MARK --set-mark 0x5
.........
> very strange but is it normal to have default class on local interface (eth0) ? and what about Output stuff?
anyway let me know your comment ,analyse and add about this shaping script :oops:
Top
ecroy
n00b
n00b
Posts: 59
Joined: Fri Nov 08, 2002 1:50 pm

  • Quote

Post by ecroy » Sat Apr 04, 2009 8:06 am

I'd suggest using the iptables CLASSIFY target instead of MARK as it would simplify your setup a bit. With it you would not need the tc filters at all (which always were a bit cumbersome imho) and it's also more efficient. Of course you would need your iptables rules for both interfaces in that case, distinguishing between upstream and downstream traffic. If you want to keep using the fw MARK, I think you missed the tc filter commands for your $IFINTERNET.

I'm not sure I understood your question about the default class: qdiscs are interface specific and HTB uses a default class for all otherwise unclassified traffic - therefore you have one default class for every interface you are shaping on.

Oh, I just realized that you are using your iptables rules for the PREROUTING _and_ the OUTPUT chains. You should drop the stuff for the OUTPUT chain because this one is only for traffic originating from local processes and you surely won't be running kazaa on that machine :wink:. In other words: the traffic being forwarded through this machine passes the PREROUTING chain - and that's the only place you probably want your shaping to be in effect.
Top
maxwellnina
n00b
n00b
Posts: 9
Joined: Mon Sep 24, 2007 1:11 am

  • Quote

Post by maxwellnina » Sat Apr 04, 2009 9:44 am

Hi ecroy you said :"If you want to keep using the fw MARK, I think you missed the tc filter commands for your $IFINTERNET."
can you please explain what is exactly wrong so i can avoid it in the future
Ok maybe was this : :roll:

Code: Select all

#Let classify packets
$TC filter add dev $IFINTERNET parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10
$TC filter add dev $IFNTERNET parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11
$TC filter add dev $IFINTERNET parent 1:0 protocol ip prio 3 handle 3 fw classid 1:12
$TC filter add dev $IFINTERNET parent 1:0 protocol ip prio 4 handle 4 fw classid 1:13
$TC filter add dev $IFINTERNET parent 1:0 protocol ip prio 5 handle 5 fw classid 1:14
in the other hand I will follow you advice using CLASSIFY instead of MARK
so fixme if I'm wrong ,i should remove all $TC filter add dev......
and just in any iptables rules have for example this one:

Code: Select all

$IPTABLES -t mangle -A PREROUTING -p udp -m udp --sport 53 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A PREROUTING -p tcp -m udp --sport 53 -j RETURN
And finaly fixme again please :So in Simple word is not neccesary to use the OUTPUT
and what about POSTROUTING ? because i was planing to add for example stuff like this :

Code: Select all

##POSTROUTING exiting from IFCUSTOMER
$IPTABLES -t mangle -A POSTROUTING -p tcp -m multiport --dports 22,53,80,443 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A POSTROUTING -p tcp -m multiport --dports 22,53,80,443 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -p tcp -m multiport --sports 22,53,80,443 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A POSTROUTING -p tcp -m multiport --sports 22,53,80,443 -j RETURN
##P2P with Layer7
$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto edonkey -j CLASSIFY --set-class 1:15
$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto edonkey -j RETURN
$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto fasttrack -j CLASSIFY --set-class 1:15
$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto fasttrack -j RETURN
$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto gnutella -j CLASSIFY --set-class 1:15
$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto gnutella -j RETURN
$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto audiogalaxy -j CLASSIFY --set-class 1:15
$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto gnutella -j RETURN
$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto bittorrent -j CLASSIFY --set-class 1:15
$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto bittorrent -j RETURN
$IPTABLES -t mangle -A POSTROUTING -J MARK --set-class 1:15
Another thing tho test the whole thing I'am a bit perturb don't know exactly what to do I read about "tc-graph.pl and showl.pl" perl script
to visualize the shape have you ever use this kind of script? what do you suggest me and how to adapt any on my case?
Thanks for your help
Top
ecroy
n00b
n00b
Posts: 59
Joined: Fri Nov 08, 2002 1:50 pm

  • Quote

Post by ecroy » Sat Apr 04, 2009 12:41 pm

Ok maybe was this :
Yes, in your previous script you had the tc filter commands only for one of the interfaces.
so fixme if I'm wrong ,i should remove all $TC filter add dev......
and just in any iptables rules have for example this one:
Perfect!
because i was planing to add for example stuff like this :
Looks good - assuming you actually add a class 1:15 (which was not there in your previous version). The last line (the one with -J MARK) is wrong/not needed. You normally won't need a 'catch-all' rule like this anyway because that's what the default parameter is for in the qdisc creation (all traffic not otherwise classified goes there).
Apart from that it should do what you want. If you are still uncertain about the difference between OUTPUT and POSTROUTING chan have a look at this picture to see how traffic traverses the different tables/chains.

As I don't use any of the visualization scripts you mentioned I cannot tell you much about them - but it is not difficult to set up some general purpose data logging/graphing package like rrdtool - in fact that's what I'm using. Although if you don't have more elaborate needs you could probably use one of the scripts you mentioned as well.
Top
maxwellnina
n00b
n00b
Posts: 9
Joined: Mon Sep 24, 2007 1:11 am

  • Quote

Post by maxwellnina » Sat Apr 04, 2009 9:38 pm

hmm hmm

hi guys
very very strange i thought every thing was ok until when trying to implement the shaping script
I came out with this error

Code: Select all

Unknown qdisc "classid", hence option "1:1" is unparsable
I'm sure that I forgot some thing during the kernel compile process but what ? I don't know so if you have an idea please just help me

Thanks[/quote]
Top
maxwellnina
n00b
n00b
Posts: 9
Joined: Mon Sep 24, 2007 1:11 am

  • Quote

Post by maxwellnina » Sat Apr 04, 2009 10:14 pm

he he he I think I got the trick
I read the script once more and did a compare with example ecroy gave to me and then discover a fundamental difference

before

Code: Select all

$TC qdisc add dev $IFCUSTOMER parent 1: classid 1:1 htb rate ${MAX_SPEED_DOWN}kbit ceil ${MAX_SPEED_DOWN}kbit
ecroy example

Code: Select all

tc class add dev eth0 parent 1: classid 1:100 htb rate ${MAX_SPEED_UP}kbit ceil ${MAX_SPEED_UP}kbit
change I made

Code: Select all

$TC class add dev $IFCUSTOMER parent 1: classid 1:1 htb rate ${MAX_SPEED_DOWN}kbit ceil ${MAX_SPEED_DOWN}kbit
I now seems ok

8O strange strange
every thing very nice but iptables came out with pain some all with PREROUTING
have for example this rule

Code: Select all

#$IPTABLES -t mangle -A PREROUTING -p tcp -m multiport --sports 22,53,80,443 -j CLASSIFY --set-class 1:10
iptables: Invalid argument

while the same rule just work nice with POSTROUTING


Any idea ? :roll:
Top
ecroy
n00b
n00b
Posts: 59
Joined: Fri Nov 08, 2002 1:50 pm

  • Quote

Post by ecroy » Sun Apr 05, 2009 11:01 am

CLASSIFY only works in the mangle table and the POSTROUTING chain - if you think you really need it in the PREROUTING chain I'd say you misunderstood something and should think again (I didn't realize the mistake in your script the first time)
Top
maxwellnina
n00b
n00b
Posts: 9
Joined: Mon Sep 24, 2007 1:11 am

  • Quote

Post by maxwellnina » Sun Apr 05, 2009 6:11 pm

You know what ecroy since your ideas allway get me out of problem
I will try another thing base on your suggestion have a look and tell me somthing

Code: Select all

# add iptables chains for upstream and downstream traffic
$IPTABLES -t mangle -N classifyup
$IPTABLES -t mangle -N classifydown
$IPTABLES -t mangle -A POSTROUTING -o eth1 -j classifyup
$IPTABLES -t mangle -A POSTROUTING -o eth0 -j classifydown 

#class and an iptables filter for each service

$IPTABLES -t mangle -A classifyup -p icmp -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A classifyup -p icmp -j RETURN

#TOS Marks
$IPTABLES -t mangle -A classifyup -m tos --tos Minimize-delay -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A classifyup -m tos --tos Minimize-delay -j RETURN
$IPTABLES -t mangle -A classifyup -m tos --tos Minimize-cost -j CLASSIFY --set-class 1:12
$IPTABLES -t mangle -A classifyup -m tos --tos Minimize-cost -j RETURN
$IPTABLES -t mangle -A classifyup -m tos --tos Maximize-Throughput -j CLASSIFY --set-class 1:13
$IPTABLES -t mangle -A classifyup -m tos --tos Maximize-Throughput -j RETURN

#ssh,dns,http,https
$IPTABLES -t mangle -A classifyup -p tcp -m multiport --sports 22,53,80,443 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A classifyup -p tcp -m multiport --sports 22,53,80,443 -j RETURN
$IPTABLES -t mangle -A classifyup -p tcp -m multiport --dports 22,53,80,443 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A classifyup -p tcp -m multiport --dports 22,53,80,443 -j RETURN
#dns udp
$IPTABLES -t mangle -A classifyup -p udp -m udp --sport 53 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A classifyup -p udp -m udp --sport 53 -j RETURN
$IPTABLES -t mangle -A classifyup -p udp -m udp --dport 53 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A classifyup -p tcp -m udp --dport 53 -j RETURN
#Prioritize packets with SYN bit enable
$IPTABLES -t mangle -A classifyup -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A classifyup -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
#P2P
$IPTABLES -t mangle -A classifyup -m ipp2p --kazaa --gnu --edk --dc --bit --apple --soul --winmx --ares -j CLASSIFY --set-class 1:15
$IPTABLES -t mangle -A classifyup -m ipp2p --kazaa --gnu --edk --dc --bit --apple --soul --winmx --ares -j RETURN
........untill all i need......

#classyfydown this time
#ssh,dns,http,https
$IPTABLES -t mangle -A classifydown -p tcp -m multiport --sports 22,53,80,443 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A classifydown -p tcp -m multiport --sports 22,53,80,443 -j RETURN
$IPTABLES -t mangle -A classifydown -p tcp -m multiport --dports 22,53,80,443 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A classifydown -p tcp -m multiport --dports 22,53,80,443 -j RETURN
#dns udp
$IPTABLES -t mangle -A classifydown -p udp -m udp --sport 53 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A classifydown -p udp -m udp --sport 53 -j RETURN
$IPTABLES -t mangle -A classifydown -p udp -m udp --dport 53 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A classifydown -p tcp -m udp --dport 53 -j RETURN
#Prioritize packets with SYN bit enable
$IPTABLES -t mangle -A classifydown -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A classifydown -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
#P2P
$IPTABLES -t mangle -A classifydown -m ipp2p --kazaa --gnu --edk --dc --bit --apple --soul --winmx --ares -j CLASSIFY --set-class 1:15
$IPTABLES -t mangle -A classifydown -m ipp2p --kazaa --gnu --edk --dc --bit --apple --soul --winmx --ares -j RETURN
:oops: :oops:
it's probably a mistake but dont have any others Ideas any help will be appreciate
Top
Post Reply
16 posts • Page 1 of 1

Return to “Networking & Security”

Jump to
  • Assistance
  • ↳   News & Announcements
  • ↳   Frequently Asked Questions
  • ↳   Installing Gentoo
  • ↳   Multimedia
  • ↳   Desktop Environments
  • ↳   Networking & Security
  • ↳   Kernel & Hardware
  • ↳   Portage & Programming
  • ↳   Gamers & Players
  • ↳   Other Things Gentoo
  • ↳   Unsupported Software
  • Discussion & Documentation
  • ↳   Documentation, Tips & Tricks
  • ↳   Gentoo Chat
  • ↳   Gentoo Forums Feedback
  • ↳   Duplicate Threads
  • International Gentoo Users
  • ↳   中文 (Chinese)
  • ↳   Dutch
  • ↳   Finnish
  • ↳   French
  • ↳   Deutsches Forum (German)
  • ↳   Diskussionsforum
  • ↳   Deutsche Dokumentation
  • ↳   Greek
  • ↳   Forum italiano (Italian)
  • ↳   Forum di discussione italiano
  • ↳   Risorse italiane (documentazione e tools)
  • ↳   Polskie forum (Polish)
  • ↳   Instalacja i sprzęt
  • ↳   Polish OTW
  • ↳   Portuguese
  • ↳   Documentação, Ferramentas e Dicas
  • ↳   Russian
  • ↳   Scandinavian
  • ↳   Spanish
  • ↳   Other Languages
  • Architectures & Platforms
  • ↳   Gentoo on ARM
  • ↳   Gentoo on PPC
  • ↳   Gentoo on Sparc
  • ↳   Gentoo on Alternative Architectures
  • ↳   Gentoo on AMD64
  • ↳   Gentoo for Mac OS X (Portage for Mac OS X)
  • Board index
  • All times are UTC
  • Delete cookies

© 2001–2026 Gentoo Foundation, Inc.

Powered by phpBB® Forum Software © phpBB Limited

Privacy Policy

 

 

magic