-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello mailing list. I am sitting here at the office and after reading the Advanced routing howto, some iptables documents and Howto, I am not quite sure how to do this. I have the following setup and while I explain it, I would like to ask everyone that reads this to tell me if they would go about it in a similar fashion or not. We own a symmetric 2 Mbit uplink via ATM and I am trying to limit the services a bit. We would like to sort out the followinf services into their own classes, so that they may be bandwidth shaped. HTTP+HTTPs+SQUID connections which are outgoing to fetch data FTP+FTP-DATA SSH ICMP MAIL I was thinking about the following bandwidth assignements: HTTP... gets 15% (of the 2 Mbit) FTP gets 15% SSH gets 5% but the badnwidth is isolated and borrows from other classes ICMP gets 1% but is bounded MAIL gets 10% (we do send an aweful lot of mail) I am marking the traffic with IPtables in the PREROUTING chain and I thought it would be the correct way to later use the fwmark target in the tc filter add directive, however, if you think it is smarter to use a u32 classifier, so please do tell me. Right now my setup would look somewhat like this: 1:0 is a 10Mbit parent class which is the NIC to the Router. 1:1 is a subclass, which has 2Mbit and all other classes should derrive from it. I then wanted to create 1:3 to 1:7 for the services. where the class for SSH would be isolated, borrow The ICMP class would be bounded. The output I currently have looks somewhat like this: [root@gw root]# tc qdisc show dev eth0 qdisc sfq 70: quantum 1514b qdisc sfq 60: quantum 1514b qdisc sfq 50: quantum 1514b qdisc sfq 40: quantum 1514b qdisc sfq 30: quantum 1514b qdisc cbq 1: rate 10Mbit (bounded,isolated) prio no-transmit (since I am using sfq as the queue algorithm) The classes: [root@gw root]# tc class show dev eth0 class cbq 1: root rate 10Mbit (bounded,isolated) prio no-transmit class cbq 1:1 parent 1: rate 2Mbit (bounded) prio no-transmit class cbq 1:3 parent 1:1 leaf 30: rate 153Kbit prio no-transmit class cbq 1:4 parent 1:1 leaf 40: rate 153Kbit prio no-transmit class cbq 1:5 parent 1:1 leaf 50: rate 20Kbit (bounded) prio no-transmit class cbq 1:6 parent 1:1 leaf 60: rate 102Kbit (isolated) prio no-transmit class cbq 1:7 parent 1:1 leaf 70: rate 204Kbit prio no-transmit 1:3 is Ftp+ftp-data 1:4 is https+http plus everything from sport 3128 1:5 is icmp 1:6 is ssh 1:7 is smtp The filters look as follows: [root@gw root]# tc filter show dev eth0 filter parent 1: protocol ip pref 100 fw filter parent 1: protocol ip pref 100 fw handle 0x1 classid 1:5 filter parent 1: protocol ip pref 100 fw handle 0x2 classid 1:6 filter parent 1: protocol ip pref 100 fw handle 0x3 classid 1:3 filter parent 1: protocol ip pref 100 fw handle 0x4 classid 1:4 filter parent 1: protocol ip pref 100 fw handle 0x6 classid 1:7 and my iptables marking rules read as follows: [root@gw root]# iptables -t mangle -L PREROUTING Chain PREROUTING (policy ACCEPT) target prot opt source destination MARK icmp -- anywhere anywhere MARK set 0x1 MARK tcp -- anywhere anywhere tcp dpt:http MARK set 0x4 MARK tcp -- anywhere anywhere tcp dpt:https MARK set 0x4 MARK tcp -- anywhere anywhere tcp dpt:ftp MARK set 0x3 MARK tcp -- anywhere anywhere tcp spt:ftp-data MARK set 0x3 MARK tcp -- anywhere anywhere tcp dpt:ssh MARK set 0x2 MARK tcp -- anywhere anywhere tcp dpt:smtp MARK set 0x6 MARK tcp -- anywhere anywhere tcp spt:squid MARK set 0x4 Would you go about this the same way? Or do you recommend doing it in a different way? I am very grateful for any hints, because I am very new to this on Linux, i usually use cisco IOS for it, but this time, linux is my choice and I really wish to learn it. Any other hints, such as documenation is greatly appreciated as well. -----BEGIN PGP SIGNATURE----- iEYEARECAAYFAjytjtMACgkQSv4PndfE29DlCACeKbTI8foLoe6ERc2cztjBOE/G OW0AoKlKMQJRa3Nny8yRenI/AqlgWu/g =IeHQ -----END PGP SIGNATURE-----
