From mboxrd@z Thu Jan 1 00:00:00 1970
From: Rasmus Melgaard
Date: Mon, 30 Jan 2006 17:45:29 +0000
Subject: [LARTC] Shared ADSL SHAPER
Message-Id: <200601301845.29753.rme@image.dk>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
To: lartc@vger.kernel.org

Hi,

I'm trying to make a shaper / firewall to improve sharing of bandwidth on an
ADSL line (3 mbit down / ½ mbit up).

Since the ADSL is very asymmetric, down is unimportant; I make an ingress
rate-limit shaper to ensure that all shaping is done at the shaper, and not on
the router or at the ISP.

The idea is then to make one HTB hierarchy and have each client (IP) filtered
and put in a child HTB queue. This is the main idea; I have added prio to each
HTB child to keep priorities for each client.

I currently use a reduced setup with total uplink limited to 160kbit, and I run
first the firewall script and then the shaper script, below.

The problem is now that if I take Azureus, a BitTorrent client, and let it go
(no uplink limitation), it kills its own downlink speed. If I limit the uplink
speed in Azureus the downlink will grow again; it is quite obvious.

I've tried adding some tricks from the net, especially to improve ACK
performance, but it hasn't helped.

Setup:

Clients (1-32)---Switch---Linux(shaper+firewall)---Cisco Soho 78---ISP

BR
Rasmus Melgaard

------------------------------------
FIREWALL:

Firewall script:

#First we flush our current rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

#Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#Copy and paste these examples ...
export LAN=eth0
export WAN=eth1
export LAN_SCOPE="10.0.0.0/24"

#Then we lock our services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

#(Optional) Allow access to our ssh server from the WAN
# iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

#Drop TCP / UDP packets to privileged ports
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

#Finally we add the rules for NAT (the WAN->LAN rule has no connection-state
#match; it relies on MASQUERADE only rewriting replies to known connections
#to a LAN_SCOPE destination)
iptables -I FORWARD -i ${LAN} -d ${LAN_SCOPE} -j DROP
iptables -A FORWARD -i ${LAN} -s ${LAN_SCOPE} -j ACCEPT
iptables -A FORWARD -i ${WAN} -d ${LAN_SCOPE} -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

#Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

#MTU Clamp
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

---------------------------------------------
SHAPER:

Shaping script:

#Copy and paste these examples ...
export LAN=eth0
export WAN=eth1

#delete previous
tc qdisc del dev ${WAN} root
tc qdisc del dev ${LAN} root

#Run one command string: echo it first, abort the script if it fails.
#(The version as first posted used "$($*)", which executed the command's
# output as a second command, and exited with status 0 on failure.)
command() {
  echo "Command -> $*"
  if ! eval "$*"
  then
    exit 1
  fi
}

CEILDOWNRATE="3000kbit"   # 3 mbit ADSL downlink; "3000mbit" would police nothing
CEILRATE="160kbit"
CLIENTRATE="20kbit"
LAN_SCOPE="10.0.0.0/24"
LAN_SCOPE_PRE="10.0.0."
LAN_SCOPE_POST="/32"
LEAF_QDISC="prio"
HTB_MAIN_OPT="quantum 36000 burst 32000 cburst 16000"
HTB_LEAF_OPT="quantum 5000 burst 2000 cburst 1000"
MAX_IP_LIMIT=3

#General egress Wan port (unclassified traffic falls into 1:10, the first
#client class created below)
command "tc qdisc add dev ${WAN} root handle 1: htb default 10"
command "tc class add dev ${WAN} parent 1: classid 1:1 htb rate ${CEILRATE} ceil ${CEILRATE} ${HTB_MAIN_OPT}"

#Fix general tos - new chain tosfix
command "iptables -t mangle -N tosfix"
command "iptables -t mangle -A tosfix -p tcp -m length --length 0:512 -j RETURN"
command "iptables -t mangle -A tosfix -m limit --limit 2/s --limit-burst 10 -j RETURN"
command "iptables -t mangle -A tosfix -j TOS --set-tos Maximize-Throughput"
command "iptables -t mangle -A tosfix -j RETURN"

#Fix ACK handling - new chain ack
command "iptables -t mangle -N ack"
command "iptables -t mangle -A ack -m tos ! --tos Normal-Service -j RETURN"
command "iptables -t mangle -A ack -p tcp -m length --length 0:128 -j TOS --set-tos Minimize-Delay"
command "iptables -t mangle -A ack -p tcp -m length --length 128: -j TOS --set-tos Maximize-Throughput"
command "iptables -t mangle -A ack -j RETURN"

#Add rules
command "iptables -t mangle -A POSTROUTING -p tcp -m tos --tos Minimize-Delay -j tosfix"
command "iptables -t mangle -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -j ack"

#Every ip egress
IP=1
while [ "$IP" -lt $MAX_IP_LIMIT ]
do
  CLASSID=${IP}0
  IPADDR=${LAN_SCOPE_PRE}${IP}${LAN_SCOPE_POST}
  echo "Class ID: ${CLASSID}"
  echo "IP Addrs: ${IPADDR}"
  echo "Adding Class"
  command "tc class add dev ${WAN} parent 1:1 classid 1:${CLASSID} htb rate ${CLIENTRATE} ceil ${CEILRATE} ${HTB_LEAF_OPT}"
  echo "Adding qdisc"
  command "tc qdisc add dev ${WAN} parent 1:${CLASSID} handle ${CLASSID}: ${LEAF_QDISC}"
  echo "Adding POSTROUTING classification"
  command "iptables -I POSTROUTING -t mangle -s ${IPADDR} -j CLASSIFY --set-class 1:${CLASSID}"
  IP=$(($IP+1))
done

#ingress
command "tc qdisc add dev ${WAN} handle ffff: ingress"
command "tc filter add dev ${WAN} parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${CEILDOWNRATE} burst 30k drop flowid :1"

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
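A sanity check on the rate parameters that a script like the one above would benefit from before it issues any tc commands, as an added example that is my code and not part of Rasmus's post or of the tc/iptables projects. `rate_to_bps` converts tc-style rate strings (`bit`, `kbit`, `mbit`, `gbit`; tc reads `kbit` as 1000 bit/s), `htb_children_fit` reports when N child classes' guaranteed `rate` values add up to more than the parent's `rate` (HTB accepts such a tree but cannot honour every guarantee at once, which is the situation with `CLIENTRATE=20kbit`, `CEILRATE=160kbit` and 32 clients), `max_child_kbit` gives the per-client rate that would fit, and `ingress_police_effective` reports when an ingress police rate is above the physical line rate, so the policer never drops and the queue builds at the modem or ISP instead (as with `3000mbit` on a 3 mbit line). The function names and the 32-client count are assumptions for the example; the count is taken from the "Clients (1-32)" line of the setup sketch.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks on HTB and
# ingress-police rate parameters before the tc commands are issued.

# Convert a tc-style rate string to bit/s.  tc reads "kbit" as 1000 bit/s,
# "mbit" as 1000000 bit/s and a bare number as bit/s.  (The "kbps"/"mbps"
# byte-per-second forms are deliberately not accepted here.)
rate_to_bps() {
    num=${1%%[!0-9]*}          # leading digits
    unit=${1#"$num"}           # whatever follows them
    [ -n "$num" ] || { echo "rate_to_bps: no number in '$1'" >&2; return 1; }
    case "$unit" in
        ''|bit)  mult=1 ;;
        kbit)    mult=1000 ;;
        mbit)    mult=1000000 ;;
        gbit)    mult=1000000000 ;;
        *)       echo "rate_to_bps: unknown unit '$unit' in '$1'" >&2; return 1 ;;
    esac
    echo $((num * mult))
}

# Return 0 when N child classes, each guaranteed CHILD_RATE, fit inside a
# parent class of PARENT_RATE; return 1 when they overcommit it.  HTB does
# not reject an overcommitted tree, it simply cannot deliver every child's
# guarantee at the same time.
# usage: htb_children_fit PARENT_RATE CHILD_RATE N
htb_children_fit() {
    parent_bps=$(rate_to_bps "$1") || return 2
    child_bps=$(rate_to_bps "$2") || return 2
    total=$((child_bps * $3))
    if [ "$total" -gt "$parent_bps" ]; then
        echo "overcommit: $3 x $2 = ${total} bit/s exceeds parent $1" >&2
        return 1
    fi
    return 0
}

# Largest per-child rate, in kbit, whose sum over N children stays within
# PARENT_RATE (integer division, so it rounds down).
# usage: max_child_kbit PARENT_RATE N
max_child_kbit() {
    parent_bps=$(rate_to_bps "$1") || return 2
    echo $((parent_bps / $2 / 1000))
}

# Return 0 when an ingress police rate is at or below the physical line
# rate.  A police rate above the line rate never drops a packet, so the
# queue forms at the modem or the ISP instead of at the shaper.
# usage: ingress_police_effective POLICE_RATE LINE_RATE
ingress_police_effective() {
    police_bps=$(rate_to_bps "$1") || return 2
    line_bps=$(rate_to_bps "$2") || return 2
    [ "$police_bps" -le "$line_bps" ]
}

# Demonstration with the values from the posted shaper script; the client
# count of 32 is an assumption taken from the "Clients (1-32)" setup line.
if htb_children_fit 160kbit 20kbit 32; then
    echo "child guarantees fit inside the parent class"
else
    echo "per-client rate should be at most $(max_child_kbit 160kbit 32)kbit for 32 clients"
fi
if ingress_police_effective 3000mbit 3mbit; then
    echo "ingress policer is at or below line rate"
else
    echo "ingress police rate is above the 3mbit line: nothing will be policed"
fi
```

Run it as an ordinary shell script; it needs no root and touches no interface, so it can be kept next to the shaper script and run whenever CEILRATE, CLIENTRATE or the client count changes.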