The setup :
T1 eth0 |---------| eth1 /---
--------------| LINUX |-----<HUB>---- company offices (private
addresses)
1536kbps |---------| \---
192KBps | eth2
| DMZ (mail, web, ...)
| 1.2.3.0/24
The DMZ-zone needs to have at least 256kbps (32KBps)
Let's asume you have 3 company offices :
- 10.10.10.0/24
- 10.10.20.0/24
- 10 10.30.0/24
Each office has a maximum of 128kbps (16KBps)
Let's do it for the downstream direction of your T1 line :
<cut>
#!/bin/sh
OPTION="allot 1514 maxburst 20 avpkt 1000 prio 4"
DEV="dev eth0"
# First we have to throttle the total bandwidth of eth0 (10mbps) to
192KBps (I don't know it's the correct speed of a T1 line)
tc qdisc del $DEV root handle 10:
tc qdisc add $DEV root handle 10: cbq bandwidth 10mbit avpkt 1000
tc class add $DEV parent 10:0 classid 10:2 cbq bandwidth 10mbit rate
192kbps $OPTION isolated bounded
tc qdisc add $DEV parent 10:2 handle 20: cbq bandwidth 192kbps allot
1514 avpkt 1000
# DMZ needs at least 16kbps so the rest is 192kbps for the offices (160
+ 32 = 192 ! ! !) :
tc class add $DEV parent 20: classid 20:10 cbq bandwidth 192kbps rate
32kbps $OPTION
tc qdisc add $DEV parent 20:10 handle 210: cbq bandwidth 32kbps allot
1514 avpkt 1000
tc class add $DEV parent 20: classid 20:20 cbq bandwidth 192kbps rate
160kbps $OPTION
tc qdisc add $DEV parent 20:20 handle 220: cbq bandwidth 160kbps allot
1514 avpkt 1000
# qdisc 220 contains the office. For each office we need a new class
and I attache a tbf qdisc to limit the bandwidth :
tc class add $DEV parent 220: classid 220:10 cbq bandwidth 160kbps rate
16kbps $OPTION
tc qdisc add $DEV parent 220:10 handle 2210: cbq bandwidth 16kbps
allot 1514 avpkt 1000
tc qdisc add $DEV parent 2210: tbf rate 16kbps buffer 20Kb/8 limit
15Kb
tc class add $DEV parent 220: classid 220:20 cbq bandwidth 160kbps rate
16kbps $OPTION
tc qdisc add $DEV parent 220:20 handle 2220: cbq bandwidth 16kbps
allot 1514 avpkt 1000
tc qdisc add $DEV parent 2220: tbf rate 16kbps buffer 20Kb/8 limit
15Kb
tc class add $DEV parent 220: classid 220:30 cbq bandwidth 160kbps rate
16kbps $OPTION
tc qdisc add $DEV parent 220:30 handle 2230: cbq bandwidth 16kbps
allot 1514 avpkt 1000
tc qdisc add $DEV parent 2230: tbf rate 16kbps buffer 20Kb/8 limit
15Kb
# Now we have to say wich traffic belongs to wich class. We use
ipchains (or netfilter for kernel 2.4) to mark the packets. Each class
has his mark : (Notic I mark the office packets on the input of eth1.
When you use NAT, you can't say at the ouput of eth2 what's coming from
where.)
ipchains -A input -i eth1 -p tcp -d 10.10.10.0/24 -m 1 # Office 1
ipchains -A input -i eth1 -p tcp -d 10.10.20.0/24 -m 2 # Office 2
ipchains -A input -i eth1 -p tcp -d 10.10.30.0/24 -m 3 # Office 3
ipchains -A input -i eth2 -p tcp -d 1.2.3.0/24 -m 4 # DMZ
# Putting the packets in the rigth classes :
tc filter add $DEV parent 10: protocol ip prio 3 handle 1 fw classid
10:2
tc filter add $DEV parent 10: protocol ip prio 3 handle 2 fw classid
10:2
tc filter add $DEV parent 10: protocol ip prio 3 handle 3 fw classid
10:2
tc filter add $DEV parent 10: protocol ip prio 3 handle 4 fw classid
10:2
tc filter add $DEV parent 20: protocol ip prio 3 handle 1 fw classid
20:20
tc filter add $DEV parent 20: protocol ip prio 3 handle 2 fw classid
20:20
tc filter add $DEV parent 20: protocol ip prio 3 handle 3 fw classid
20:20
tc filter add $DEV parent 20: protocol ip prio 3 handle 4 fw classid
20:10
tc filter add $DEV parent 220: protocol ip prio 3 handle 1 fw classid
220:10
tc filter add $DEV parent 220: protocol ip prio 3 handle 2 fw classid
220:20
tc filter add $DEV parent 220: protocol ip prio 3 handle 3 fw classid
220:30
</cut>
That's all. I copy/pasted it to a file and I had no errors, so I
suppose I made no error. You can adapt these lines to your needs. You
can play with the different rates as long as ( sum (sub_class_rates) <=
parent_class_rate ).
For the upstream direction, you can of course using the same setup to
throttle the output bandwidth of eth1 and eth2. But you can't use them
together : you can't say that eth2 needs allways 75% of upstream of the
T1.
Staf
