Re: subdivide 64 kbit bandwidth 32kbit for WWW and 32 Kbit for mail

Linux Advanced Routing and Traffic Control

Indunil Jayasooriya wrote:

> Server only acts as a mail server and a proxy server. In addition to that, I
> ssh to that server from the LAN. From that server too, I ssh to some servers.
> And also, I make ping to that server from the LAN. Again, from that server I make
> ping to other servers. That's it.
>
> LAN users actually browse the internet and send and receive mails via the DMZ
> proxy server and mail server. No other traffic.
>
> Thanks for your comments. Hope to hear from you.

I think the easiest way would be to make some netfilter rules to mark traffic coming in on eth0 and going out on eth1, and then make filters to match the marks.

You could do it with just tc filters, but it's easier to write using iptables.

Something like this (just an example - you may want to be more specific with the rules, add more, and debug them!):

iptables -t mangle -A FORWARD -i eth0 -o eth1 -p tcp -m length --length 128: -j MARK --set-mark 3

So TCP from the internet to the DMZ bigger than 128 gets mark 3.

iptables -t mangle -A FORWARD -i eth0 -o eth1 -p tcp --dport 25 -m mark --mark 3 -j MARK --set-mark 2

Big mail packets are re-marked to 2, so I am just assuming other big TCP is WWW.

iptables -t mangle -A FORWARD -i eth0 -o eth1 -m mark --mark 0 -j MARK --set-mark 1

Anything else unmarked from the internet to the DMZ gets mark 1.


# Clear any existing root qdisc on eth1 (ignore the error if there is none)
tc qdisc del dev eth1 root > /dev/null 2>&1
# HTB root; "default 10" sends anything that reaches eth1 unmarked (e.g. traffic
# the router generates itself, which never passes the FORWARD chain) into the
# small class instead of letting it bypass the shaper entirely
tc qdisc add dev eth1 root handle 1:0 htb default 10

# Parent class pinned to the link rate; quantum 1514 = one full frame, since the
# default quantum (rate/r2q) would be well under one packet at these rates
tc class add dev eth1 parent 1:0 classid 1:1 htb rate 64kbit quantum 1514

# 1:10 - mark 1: small/non-TCP traffic (DNS, ICMP, SSH keystrokes, ACKs), prio 0
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 44kbit ceil 64kbit quantum 1514 prio 0
tc qdisc add dev eth1 parent 1:10 handle 10: bfifo limit 64k
tc filter add dev eth1 parent 1:0 prio 1 protocol ip handle 1 fw flowid 1:10

# 1:20 - mark 2: big SMTP packets
tc class add dev eth1 parent 1:1 classid 1:20 htb rate 10kbit ceil 64kbit quantum 1514 prio 1
tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10 limit 10
tc filter add dev eth1 parent 1:0 prio 2 protocol ip handle 2 fw flowid 1:20

# 1:30 - mark 3: other big TCP, assumed to be WWW
tc class add dev eth1 parent 1:1 classid 1:30 htb rate 10kbit ceil 64kbit quantum 1514 prio 1
tc qdisc add dev eth1 parent 1:30 handle 30: sfq perturb 10 limit 10
tc filter add dev eth1 parent 1:0 prio 3 protocol ip handle 3 fw flowid 1:30

This is just an untested example - I don't even run a mail server/proxy.

You could, I suppose, use sfq instead of bfifo for the small/non-TCP class to help if you get flooded with SYNs or something. I gave it a higher rate even though it shouldn't have much traffic, because HTB seems to give better latency that way.

The 10-packet limit on the sfqs will cause drops but should help keep latency low; you may want to test and increase it.

If you don't already shape on egress, I would at least do something like the above so that sending big mail doesn't lag out the connection. Just making big TCP second class with sfq will stop DNS getting delayed by a backlogged link.

Andy.
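The marking rules and the HTB tree from Andy's mail, combined into one script as an added example that is not part of the original post. Interface names, rates, marks, priorities and leaf qdiscs are the thread's; everything else is this example's own assumption: the DRYRUN switch that prints commands instead of running them, the check_rates guard (HTB only honours the children's guaranteed rates if their sum fits inside the parent's), the flush of the mangle FORWARD chain, and "default 10" on the root qdisc so the router's own traffic, which never passes FORWARD and so never gets a mark, is shaped too instead of bypassing the tree.

```shell
#!/bin/sh
# Added example (not from the thread): Andy's mangle rules and HTB tree as one
# script. Interfaces, rates, marks and leaf qdiscs follow his mail; DRYRUN,
# check_rates, the chain flush and "default 10" are assumptions of this example.
# Usage: sh shape.sh apply   (as root on the router)
#        sh shape.sh dryrun  (print the commands only)

WAN=eth0
DMZ=eth1
LINK=64                                    # kbit; the whole downstream link
RATE_SMALL=44; RATE_MAIL=10; RATE_WWW=10   # guaranteed kbit per class
MARK_SMALL=1;  MARK_MAIL=2;  MARK_WWW=3    # fwmarks set by the mangle rules
QUANTUM=1514   # bytes; HTB's default quantum is rate/r2q (r2q=10), which at
               # 10kbit is about 125 bytes, far below one frame, so tc warns
               # and scheduling gets lumpy - pin it to one MTU-sized frame

# Print the command instead of running it when DRYRUN is set.
run() { if [ -n "$DRYRUN" ]; then echo "$*"; else "$@"; fi; }

# HTB only guarantees the children's rates if they fit inside the parent's.
check_rates() {
    total=$((RATE_SMALL + RATE_MAIL + RATE_WWW))
    [ "$total" -le "$LINK" ]
}

# Classification in mangle FORWARD. Rule order carries the logic: big TCP is
# tentatively WWW, big SMTP is pulled out of that pool, and whatever is still
# unmarked (small TCP segments, UDP/DNS, ICMP) becomes the interactive class.
# Note: -F wipes every rule in mangle FORWARD; fine on a box that only shapes.
mark_rules() {
    IPT="iptables -t mangle"
    run $IPT -F FORWARD
    run $IPT -A FORWARD -i "$WAN" -o "$DMZ" -p tcp -m length --length 128: \
        -j MARK --set-mark "$MARK_WWW"
    run $IPT -A FORWARD -i "$WAN" -o "$DMZ" -p tcp --dport 25 \
        -m mark --mark "$MARK_WWW" -j MARK --set-mark "$MARK_MAIL"
    run $IPT -A FORWARD -i "$WAN" -o "$DMZ" -m mark --mark 0 \
        -j MARK --set-mark "$MARK_SMALL"
}

# add_class MINOR RATE_KBIT PRIO "LEAF QDISC" FWMARK: one HTB class, its leaf
# qdisc, and the fw filter that steers packets carrying FWMARK into it.
add_class() {
    run tc class add dev "$DMZ" parent 1:1 classid "1:$1" htb \
        rate "${2}kbit" ceil "${LINK}kbit" quantum "$QUANTUM" prio "$3"
    run tc qdisc add dev "$DMZ" parent "1:$1" handle "$1:" $4
    run tc filter add dev "$DMZ" parent 1: prio "$5" protocol ip \
        handle "$5" fw flowid "1:$1"
}

shaper() {
    check_rates || { echo "class rates exceed ${LINK}kbit link" >&2; return 1; }
    run tc qdisc del dev "$DMZ" root 2>/dev/null || true
    # default 10: packets that reach eth1 unmarked (the router's own traffic
    # never passes FORWARD) go to the small class rather than bypass shaping.
    run tc qdisc add dev "$DMZ" root handle 1: htb default 10
    run tc class add dev "$DMZ" parent 1: classid 1:1 htb \
        rate "${LINK}kbit" quantum "$QUANTUM"
    add_class 10 "$RATE_SMALL" 0 "bfifo limit 64k"         "$MARK_SMALL"
    add_class 20 "$RATE_MAIL"  1 "sfq perturb 10 limit 10" "$MARK_MAIL"
    add_class 30 "$RATE_WWW"   1 "sfq perturb 10 limit 10" "$MARK_WWW"
}

case "${1:-}" in
    apply)  mark_rules && shaper ;;
    dryrun) DRYRUN=1; mark_rules && shaper ;;
esac
```

After applying it for real, "tc -s class show dev eth1" and "iptables -t mangle -L FORWARD -v -n" show per-class and per-rule packet counters, which is the quickest way to confirm that mail really lands in 1:20 and that the small class is not swallowing big TCP.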
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc