Hi,

I'm trying to make a shaper / firewall to improve sharing of bandwidth on an ADSL (3mbit down / ½ mbit up). Since the ADSL is very asymmetric, down is unimportant; I make an ingress rate limit shaper to ensure all shaping is at the shaper, and not on the router or the ISP.

The idea is then to make one HTB hierarchy and have each client (IP) filtered and put in a child HTB queue. This is the main idea; I have added prio to each HTB child to keep priorities for each client.

I currently use a reduced setup with total uplink limited to 160kbit, and I run the firewall script first and then the shaper script, below.

The problem is now that if I take Azureus, a BitTorrent client, and let it go (no uplink limitation), it kills its own downlink speed. If I limit the uplink speed in Azureus the downlink will grow again; it is quite obvious. I've tried adding some tricks from the net, especially to improve ACK performance, but it hasn't helped.

Setup:
Clients (1-32)---Switch---Linux(shaper+firewall)---Cisco Soho 78---ISP

BR
Rasmus Melgaard

------------------------------------
FIREWALL:
Firewall script:

#!/bin/bash
# First we flush our current rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Copy and paste these examples ...
export LAN=eth0
export WAN=eth1
export LAN_SCOPE="10.0.0.0/24"

# Then we lock our services so they only work from the LAN
# (negation is written "! -i", the form every iptables release accepts)
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

# (Optional) Allow access to our ssh server from the WAN
# iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

# Drop TCP / UDP packets to privileged ports
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

# Finally we add the rules for NAT
iptables -I FORWARD -i ${LAN} -d ${LAN_SCOPE} -j DROP
iptables -A FORWARD -i ${LAN} -s ${LAN_SCOPE} -j ACCEPT
iptables -A FORWARD -i ${WAN} -d ${LAN_SCOPE} -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

# MTU Clamp
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

---------------------------------------------
SHAPER:
Shaping script:

#!/bin/bash
# Copy and paste these examples ...
export LAN=eth0
export WAN=eth1

# delete previous (these fail harmlessly when no qdisc is attached yet,
# so they are not run through run())
tc qdisc del dev ${WAN} root 2>/dev/null
tc qdisc del dev ${LAN} root 2>/dev/null

# Echo a command, run it, and abort the script if it fails.
# Named run() rather than command() so the shell builtin "command" is not
# shadowed. The argument is one quoted string, so $* is left unquoted on
# purpose to word-split it. (The original "if ! $($*)" executed the command's
# *output* as a second command, and exited with status 0 on failure.)
run() {
    echo "Command -> $*"
    if ! $*
    then
        exit 1
    fi
}

# 3mbit downlink: "3000mbit" (the original value) would never police anything
CEILDOWNRATE="3000kbit"
CEILRATE="160kbit"
CLIENTRATE="20kbit"
LAN_SCOPE="10.0.0.0/24"
LAN_SCOPE_PRE="10.0.0."
LAN_SCOPE_POST="/32"
LEAF_QDISC="prio"
HTB_MAIN_OPT="quantum 36000 burst 32000 cburst 16000"
HTB_LEAF_OPT="quantum 5000 burst 2000 cburst 1000"
MAX_IP_LIMIT=33

# General egress WAN port
run "tc qdisc add dev ${WAN} root handle 1: htb default 10"
run "tc class add dev ${WAN} parent 1: classid 1:1 htb rate ${CEILRATE} ceil ${CEILRATE} ${HTB_MAIN_OPT}"

# Fix general tos - new chain tosfix
run "iptables -t mangle -N tosfix"
run "iptables -t mangle -A tosfix -p tcp -m length --length 0:512 -j RETURN"
run "iptables -t mangle -A tosfix -m limit --limit 2/s --limit-burst 10 -j RETURN"
run "iptables -t mangle -A tosfix -j TOS --set-tos Maximize-Throughput"
run "iptables -t mangle -A tosfix -j RETURN"

# Fix Ack being - new chain ack
run "iptables -t mangle -N ack"
run "iptables -t mangle -A ack -m tos ! --tos Normal-Service -j RETURN"
run "iptables -t mangle -A ack -p tcp -m length --length 0:128 -j TOS --set-tos Minimize-Delay"
run "iptables -t mangle -A ack -p tcp -m length --length 128: -j TOS --set-tos Maximize-Throughput"
run "iptables -t mangle -A ack -j RETURN"

# Add rules
run "iptables -t mangle -A POSTROUTING -p tcp -m tos --tos Minimize-Delay -j tosfix"
run "iptables -t mangle -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -j ack"

# Every ip egress
IP=1
while [ "$IP" -lt $MAX_IP_LIMIT ]
do
    CLASSID=${IP}0
    IPADDR=${LAN_SCOPE_PRE}${IP}${LAN_SCOPE_POST}
    echo "Class ID: ${CLASSID}"
    echo "IP Addrs: ${IPADDR}"
    echo "Adding Class"
    run "tc class add dev ${WAN} parent 1:1 classid 1:${CLASSID} htb rate ${CLIENTRATE} ceil ${CEILRATE} ${HTB_LEAF_OPT}"
    echo "Adding qdisc"
    run "tc qdisc add dev ${WAN} parent 1:${CLASSID} handle ${CLASSID}: ${LEAF_QDISC}"
    echo "Adding POSTROUTING classification"
    run "iptables -I POSTROUTING -t mangle -s ${IPADDR} -j CLASSIFY --set-class 1:${CLASSID}"
    IP=$(($IP+1))
done

# ingress
run "tc qdisc add dev ${WAN} handle ffff: ingress"
run "tc filter add dev ${WAN} parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${CEILDOWNRATE} burst 30k drop flowid :1"

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
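The mechanism behind the symptom in the post (an unlimited upload collapsing the download) is that the TCP ACKs for the downstream transfers queue behind the bulk upload packets on the slow uplink. The following is an added simulation written for this page, not code from the post or from the LARTC list: it replays a constructed burst of 20 full-size upload packets and two short ACKs through the post's 160kbit CEILRATE, once with a plain FIFO queue and once with a two-band strict-priority queue, which is what the post's prio leaf qdisc does once the ack chain has tagged packets of 0:128 bytes as Minimize-Delay. Packet sizes, arrival times and the 52-byte ACK length are assumed values; the 128-byte threshold and the link rate are the post's.

```python
"""Constructed queueing simulation (not from the post): FIFO vs. strict-priority
scheduling of short ACK packets behind a burst of bulk upload packets on a
160 kbit/s uplink (the post's CEILRATE). Times are integer microseconds so the
results are exact."""
from collections import deque, namedtuple

LINK_BPS = 160_000   # uplink rate, same as the post's CEILRATE
ACK_MAX_LEN = 128    # the post's ack chain: TCP packets of 0:128 bytes -> Minimize-Delay

# seq is enqueue order (tie-breaker for FIFO), arrival_us is arrival time in microseconds
Packet = namedtuple("Packet", "seq arrival_us length")


def classify(pkt):
    """Mirror of the post's ack chain: short packets are treated as ACKs."""
    return "ack" if pkt.length <= ACK_MAX_LEN else "bulk"


def tx_time_us(length, link_bps):
    """Serialisation time of a packet on the link, in whole microseconds."""
    return length * 8 * 1_000_000 // link_bps


def simulate(packets, link_bps, discipline):
    """Run one scheduling discipline over the packet list.

    discipline: "fifo" -> one queue, oldest packet first (a plain pfifo)
                "prio" -> two bands, ACK band always served first (the prio
                          leaf qdisc with Minimize-Delay mapped to band 0)
    Returns {"ack": avg_queueing_delay_us, "bulk": avg_queueing_delay_us}.
    """
    pending = sorted(packets, key=lambda p: (p.arrival_us, p.seq))
    queues = {"ack": deque(), "bulk": deque()}
    delays = {"ack": [], "bulk": []}
    t, i = 0, 0
    while i < len(pending) or any(queues.values()):
        # admit every packet that has arrived by now
        while i < len(pending) and pending[i].arrival_us <= t:
            queues[classify(pending[i])].append(pending[i])
            i += 1
        if not any(queues.values()):
            t = pending[i].arrival_us   # link idle: jump to the next arrival
            continue
        if discipline == "prio":
            q = queues["ack"] if queues["ack"] else queues["bulk"]
        elif discipline == "fifo":
            # global arrival order: compare the heads of the two queues
            q = min((q for q in queues.values() if q),
                    key=lambda q: (q[0].arrival_us, q[0].seq))
        else:
            raise ValueError(discipline)
        pkt = q.popleft()
        delays[classify(pkt)].append(t - pkt.arrival_us)   # time spent waiting
        t += tx_time_us(pkt.length, link_bps)
    return {k: sum(v) // len(v) if v else 0 for k, v in delays.items()}


def sample_burst():
    """Constructed scenario (assumed values): an upload client dumps 20 full-size
    1500-byte packets at t=0; a 52-byte ACK for a download is queued right behind
    them, and a second ACK arrives 100 ms later."""
    pkts = [Packet(seq, 0, 1500) for seq in range(20)]
    pkts.append(Packet(20, 0, 52))
    pkts.append(Packet(21, 100_000, 52))
    return pkts


def compare(packets=None, link_bps=LINK_BPS):
    """Average queueing delay per class under both disciplines."""
    packets = sample_burst() if packets is None else packets
    return {d: simulate(packets, link_bps, d) for d in ("fifo", "prio")}


if __name__ == "__main__":
    for disc, result in compare().items():
        print(f"{disc}: ACK delay {result['ack'] / 1e6:.4f}s, "
              f"bulk delay {result['bulk'] / 1e6:.4f}s")
```

With FIFO the ACKs wait about 1.45 s on average (the whole 30 KB burst has to drain at 20 KB/s first), which is what throttles the download; with the priority band they wait 26 ms, at the cost of a few milliseconds extra for the bulk packets. The simulation models only the leaf qdisc, so it shows the best case for the post's setup: for the prio band to help, the ACKs really have to carry the Minimize-Delay TOS when they reach the qdisc, which is worth checking with the mangle table counters (iptables -t mangle -L ack -v -n) while a transfer runs.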