Indunil Jayasooriya wrote:
Hi all, I've got a BOX running CentOS 4.5. It acts as a firewall + router. I have installed both iptables and iproute2. It has 3 network cards. eth0 is connected to the Internet (it has an Internet IP; please assume its IP is 1.2.3.4/29). It is a 256 Kbit link. eth1 is DMZ. Its IP is 192.168.100.254. eth2 is LAN. Its IP is 192.168.101.254.

I have already shaped traffic to 64 Kbit on eth1 for downloading (i.e. the DMZ zone). This is the script that does the job. It works fine.

#traffic shaping on eth1 (Downloading)
INTERFAZ_DMZ=eth1
FULLBANDWIDTH=256
BANDWIDTH4DMZ=64
tc qdisc del root dev $INTERFAZ_DMZ
tc qdisc add dev $INTERFAZ_DMZ root handle 1: htb r2q 4
tc class add dev $INTERFAZ_DMZ parent 1: classid 1:2 htb rate "$FULLBANDWIDTH"Kbit
tc class add dev $INTERFAZ_DMZ parent 1: classid 1:5 htb rate "$BANDWIDTH4DMZ"Kbit
tc qdisc add dev $INTERFAZ_DMZ parent 1:5 handle 5: sfq perturb 10
tc filter add dev $INTERFAZ_DMZ parent 1: protocol ip prio 1 u32 match ip dst 192.168.100.0/24 classid 1:5

It has allocated 64 Kbit for downloading for the IP range 192.168.100.0/24 (DMZ ZONE). Remember, this is a SNATed firewall. Now, what I need is to subdivide this 64 Kbit bandwidth: 32 Kbit for WWW and 32 Kbit for mail.
Do you want to share 64kbit so if there is no mail then www can have all 64kbit?
Can I subdivide it in that way? If divided, what will happen to other services such as ICMP, SSH, ACK etc.?
You need to make your rules to allow for these as well - depending on what other traffic hits the server it may be best to give everything other than big tcp www/mail packets priority.
Then, how can I achieve this task? I modified the above script. This is what it looks like after editing.

#traffic shaping on eth1 (Downloading)
It can be hard to shape properly from the wrong end of a slow WAN - but your rates here are low so it should be OK.
INTERFAZ_DMZ=eth1
FULLBANDWIDTH=256
BANDWIDTH4DMZ=64
tc qdisc del root dev $INTERFAZ_DMZ
tc qdisc add dev $INTERFAZ_DMZ root handle 1: htb r2q 4
tc class add dev $INTERFAZ_DMZ parent 1: classid 1:2 htb rate "$FULLBANDWIDTH"Kbit
tc class add dev $INTERFAZ_DMZ parent 1: classid 1:5 htb rate "$BANDWIDTH4DMZ"Kbit
tc class add dev $INTERFAZ_DMZ parent 1:5 classid 1:10 htb rate 32Kbit
tc class add dev $INTERFAZ_DMZ parent 1:5 classid 1:11 htb rate 32Kbit
tc qdisc add dev $INTERFAZ_DMZ parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $INTERFAZ_DMZ parent 1:11 handle 11: sfq perturb 10
#192.168.100.3 is the BOX that acts as a mail server and a proxy server.
tc filter add dev $INTERFAZ_DMZ parent 1: protocol ip prio 1 u32 match ip dst 192.168.100.0/24 classid 1:10
# u32 port matches need a mask (0xffff); without it tc rejects the rule
tc filter add dev $INTERFAZ_DMZ parent 1: protocol ip prio 1 u32 match ip dst 192.168.100.0/24 match ip dport 25 0xffff classid 1:11
If these go in order of entry (they usually do if prio is the same, but not always!) then nothing will reach 1:11.
Please let me know if it is okay, or if there is any better way to rewrite it?
It depends what you want and on your setup. Do you have traffic from LAN to the proxy/mail - do you really need to shape that or not?
Do you have traffic from the internet to LAN as well - do you need to shape that - maybe sharing bandwidth with DMZ.
EXPECT YOUR COMMENTS.

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
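One way to act on both points raised in the reply (let an idle class lend its share, give small traffic such as ICMP/SSH/ACKs its own high-priority class, and order the filters by prio so the specific mail match is tried before the general one), as an added example that is neither the poster's script nor anything from the list. It keeps the post's interface, DMZ net and 64 Kbit budget, and matches proxy downloads on source port 80 because on the egress-to-DMZ side they arrive from the remote web server. Assumed: all eth1 egress is to be shaped, so LAN-to-DMZ traffic also lands in the catch-all class unless it gets its own filter (the open question in the reply); TC=echo prints the commands instead of running them.

```sh
#!/bin/sh
# Added example, not the poster's script: the 64kbit DMZ class (1:5) split into
# www, mail and a high-priority catch-all for small traffic (ICMP, SSH, ACKs),
# with ceil so an idle class lends its share to the others, and filters whose
# prio values make the specific (mail) match win over the general one.
# Assumed: same interface and net as the post; TC=echo prints instead of runs.
DEV=${DEV:-eth1}
TC=${TC:-tc}
DMZ_NET=192.168.100.0/24

shape_dmz() {
    $TC qdisc del dev "$DEV" root 2>/dev/null
    # "default 12": anything no filter classifies goes to the catch-all class
    $TC qdisc add dev "$DEV" root handle 1: htb r2q 4 default 12
    # the parent's ceil is the hard cap for the whole DMZ subtree
    $TC class add dev "$DEV" parent 1: classid 1:5 htb rate 64kbit ceil 64kbit
    # rate = guaranteed share, ceil = what the class may borrow up to;
    # the lower prio number is served first when there is spare bandwidth
    $TC class add dev "$DEV" parent 1:5 classid 1:10 htb rate 32kbit ceil 64kbit prio 2
    $TC class add dev "$DEV" parent 1:5 classid 1:11 htb rate 32kbit ceil 64kbit prio 2
    $TC class add dev "$DEV" parent 1:5 classid 1:12 htb rate 8kbit ceil 64kbit prio 1
    for c in 10 11 12; do
        $TC qdisc add dev "$DEV" parent 1:$c handle $c: sfq perturb 10
    done
    # filters are tried in ascending prio, so mail (prio 1) is checked before
    # www (prio 2); u32 port matches need the 0xffff mask
    $TC filter add dev "$DEV" parent 1: protocol ip prio 1 u32 \
        match ip dst "$DMZ_NET" match ip protocol 6 0xff match ip dport 25 0xffff flowid 1:11
    # downloads fetched by the proxy arrive from the remote web server, so on
    # this (egress-to-DMZ) side they are identified by source port 80
    $TC filter add dev "$DEV" parent 1: protocol ip prio 2 u32 \
        match ip dst "$DMZ_NET" match ip protocol 6 0xff match ip sport 80 0xffff flowid 1:10
}

# "show" prints the command list; "apply" actually changes the qdisc (needs root)
case "${1:-}" in
    apply) shape_dmz ;;
    show)  TC=echo shape_dmz ;;
esac
```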