I am a newbie to traffic control and I am trying to set up bandwidth restriction
in my local network as well as internet access to users. I have around 60 PCs in my lab and I am planning to divide bandwidth based on classes. I am using iptables to mark packets and then route the traffic to the specified class.
Following is the network setup:
Two network cards in the server, eth0 and eth1
eth0 - internal network
eth2 - DMZ (running web server, mail server and FTP)
eth1 - external network
Following is a sample script I have written in which http, ftp and default
classes are defined.
-------------------------------------------------------------------
## script for traffic control
## clear any existing root qdisc on eth1, then attach an HTB root whose
## unclassified traffic falls into class 1:5
tc qdisc del dev eth1 root
tc qdisc add dev eth1 root handle 1:0 htb default 5
## mark HTTP (port 80) packets with fwmark 1
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -i eth1 --dport 80 -j RETURN
## inner class 1:1 (128kbit) and HTTP leaf class 1:2 (64kbit) with SFQ
tc class add dev eth1 parent 1:0 classid 1:1 htb rate 128kbit ceil 128kbit
tc class add dev eth1 parent 1:1 classid 1:2 htb rate 64kbit ceil 64kbit
tc qdisc add dev eth1 parent 1:2 handle 2: sfq perturb 10
## fwmark 1 -> class 1:2
tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:2
## default leaf class 1:5 (32kbit) with SFQ
tc class add dev eth1 parent 1:1 classid 1:5 htb rate 32kbit ceil 32kbit
tc qdisc add dev eth1 parent 1:5 handle 5: sfq perturb 10
## FTP leaf class 1:3 (32kbit); fwmark 2 -> class 1:3
tc class add dev eth1 parent 1:1 classid 1:3 htb rate 32kbit ceil 32kbit
tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 2 fw classid 1:3
## mark FTP traffic with fwmark 2: ports 5000-5100 and port 20, both directions
iptables -t mangle -A PREROUTING -p tcp --dport 5000:5100 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp --dport 5000:5100 -j RETURN
iptables -t mangle -A PREROUTING -p tcp --dport 20 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp --dport 20 -j RETURN
iptables -t mangle -A PREROUTING -p tcp --sport 5000:5100 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp --sport 5000:5100 -j RETURN
iptables -t mangle -A PREROUTING -p tcp --sport 20 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp --sport 20 -j RETURN
## mark related/established connections on unprivileged ports with fwmark 2
iptables -t mangle -A PREROUTING -p tcp -m state --state related,established --sport 1024: -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m state --state related,established --dport 1024: -j MARK --set-mark 2
## (repeat of the previous rule)
iptables -t mangle -A PREROUTING -p tcp -m state --state related,established --dport 1024: -j MARK --set-mark 2
## script ends here
----------------------------------------------------------------------------------------
The network is a 100 Mbps LAN; the average throughput is around 10 Mbps normally.
The testing was done between the local network and the servers configured in the DMZ, which also has 10 Mbps normal throughput.
I thoroughly tested the above script and the following are the results obtained.
Total number of workstations tested: 10 (simultaneous access)

SlNo  HTB rate  Ceil rate  Root class rate  Default rate  Obtained result
----  --------  ---------  ---------------  ------------  ---------------------------------------------
1     2M        2M         10M              2M            800 to 2Mb on all machines (expected was
                                                          200k on each machine, each class getting
                                                          the maximum rate)
2     32k       64k        512k             10k           25k to 36kbps, varying on different machines
                                                          and different protocols (each machine was
                                                          getting the maximum rate for a class)
The protocols tested are HTTP and FTP using the wget utility. The readings are taken from
the output of wget.
Following are the clarifications required.
1) How to restrict the FTP protocols (passive and active FTP)?
2) The rate obtained was exceeding the rate specified. How to solve this?
3) Any problem in bandwidth allocation to classes in the above script?
4) Is it possible to use squid for caching so that users can access
the internet through a proxy?
Thanks for any help
Sridhar Krishanan
_______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
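An added sanity check for the class tree (question 3), not code from the original post: it converts tc rate strings, flags a ceil below rate or children whose guaranteed rates add up to more than their parent's, and prints the tc class commands in dry-run form, which also makes it easy to attach the same tree to eth0 or eth2, since an HTB qdisc on eth1 shapes only what leaves eth1. It assumes the post's dev eth1 / root 1:0 / inner class 1:1 layout; the tree text and the TC_CMD variable are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: check an HTB class tree before
# loading it, then print (TC_CMD=echo, the default, so no root or tc binary is
# needed) or run (TC_CMD=tc) the class commands. Assumes eth1 / 1:0 / 1:1 as above.
TC_CMD=${TC_CMD:-echo}
# Convert a tc rate ("32k", "128kbit", "2M", "10mbit") to whole kbit.
# tc reads k/m as SI prefixes (k = 1000), so 2M is 2000 kbit.
rate_to_kbit() {
    num=${1%%[!0-9]*}
    unit=$(printf '%s' "${1#"$num"}" | tr 'A-Z' 'a-z')
    case "$unit" in
        ''|bit) echo $((num / 1000)) ;;
        k|kbit) echo "$num" ;;
        m|mbit) echo $((num * 1000)) ;;
        *) echo "unknown rate unit in '$1'" >&2; return 1 ;;
    esac
}
# Tree: one class per line, "parent classid rate ceil". Flags a ceil below
# rate, and children whose guaranteed rates exceed the parent's own rate (HTB
# can only promise what the parent is promised; the rest is borrowing).
# Returns the number of problems found (0 = consistent).
check_htb_tree() {
    bad=0
    while read -r parent cid rate ceil; do
        [ -n "$cid" ] || continue
        r=$(rate_to_kbit "$rate"); c=$(rate_to_kbit "$ceil"); sum=0
        if [ "$c" -lt "$r" ]; then
            echo "$cid: ceil $ceil is below rate $rate" >&2; bad=$((bad + 1))
        fi
        for r2 in $(printf '%s\n' "$1" | awk -v p="$cid" '$1 == p { print $3 }'); do
            sum=$((sum + $(rate_to_kbit "$r2")))
        done
        if [ "$sum" -gt "$r" ]; then
            echo "$cid: children need ${sum}kbit, class rate is ${r}kbit" >&2; bad=$((bad + 1))
        fi
    done <<EOF
$1
EOF
    return "$bad"
}
# One "tc class add" per tree line on the given device (printed or executed).
emit_htb_tree() {
    printf '%s\n' "$2" | while read -r parent cid rate ceil; do
        $TC_CMD class add dev "$1" parent "$parent" classid "$cid" htb rate "$rate" ceil "$ceil"
    done
}
# Constructed sample: the tree from the post (128kbit inner class, 64/32/32 leaves).
HTB_TREE='1:0 1:1 128kbit 128kbit
1:1 1:2 64kbit 64kbit
1:1 1:5 32kbit 32kbit
1:1 1:3 32kbit 32kbit'
check_htb_tree "$HTB_TREE" && emit_htb_tree eth1 "$HTB_TREE"
```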