* Re: [LARTC] Too slow computer?
2005-08-09 16:53 [LARTC] Too slow computer? panca sorin
2005-08-09 17:12 ` Andreas Klauer
2005-08-09 17:46 ` Andy Furniss
From: Andreas Klauer @ 2005-08-09 17:12 UTC (permalink / raw)
To: lartc
On Tuesday 09 August 2005 18:53, panca sorin wrote:
> I have about 1650 preferred destination networks listed in some file. The
> script reads this file and marks every packet for those networks with
> the mark value of 1.
If you have a lot of IPs in this list, a hashed approach might work faster.
See LARTC Howto, 12.4 Hashing filters. Although it describes tc filters,
the approach should be similar for iptables. Furthermore, using CONNMARK might
speed things up. With it, you can skip testing packets of connections that
already matched (and, if used right, you can also skip packets of
connections that don't match). There are also patches that allow
bitwise modification of mark values.
You can get this stuff from www.netfilter.org; the patches are in pom-ng.
HTH
Andreas
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: [LARTC] Too slow computer?
From: Andy Furniss @ 2005-08-09 17:46 UTC (permalink / raw)
To: lartc
Andreas Klauer wrote:
> On Tuesday 09 August 2005 18:53, panca sorin wrote:
>
>> I have about 1650 preferred destination networks listed in some file. The
>> script reads this file and marks every packet for those networks with
>> the mark value of 1.
>
> If you have a lot of IPs in this list, a hashed approach might work faster.
> See LARTC Howto, 12.4 Hashing filters. Although it describes tc filters,
> the approach should be similar for iptables. Furthermore, using CONNMARK might
> speed things up. With it, you can skip testing packets of connections that
> already matched (and, if used right, you can also skip packets of
> connections that don't match). There are also patches that allow
> bitwise modification of mark values.
>
> You can get this stuff from www.netfilter.org; the patches are in pom-ng.
Look for ipset if the list is random.
http://people.netfilter.org/kadlec/ipset/
--and-mark and --or-mark are part of main iptables now.
Andy.
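Both replies above come down to bit operations on the packet mark, and the follow-up below asks how to check that they actually work. What follows is an added example, not code from any of the posts: it simulates the MARK target's --set-mark, --or-mark and --and-mark on the mark layout the posted firewall script uses (bit 0 = Internet/Metropolitan, bits 1-2 = www/chat/a-v class), and it emits an iptables-restore fragment that applies Andreas's CONNMARK shortcut (restore the saved mark, skip connections that were already tested, save at the end) together with Andy's ipset lookup in place of a long run of per-network rules. The "classified" flag bit 0x8, the set name man, the port lists and the current ipset syntax (-m set --match-set, rather than the spelling the 2005 patches used) are assumptions of the example.

```sh
#!/bin/sh
# Added example for this thread; it is not code from any of the posts.
# It simulates the MARK target's bitwise options on the mark layout the
# posted script uses, and emits an iptables-restore fragment that applies
# the CONNMARK shortcut (restore, skip if already classified, save) and an
# ipset lookup for the destination-network list.
# Assumptions made here: the "classified" flag bit 0x8, the set name "man",
# the sample port lists, and current ipset syntax (-m set --match-set).

# Mark layout taken from the posted script:
#   bit 0    = destination: 0 Internet, 1 Metropolitan (MARK_MAN)
#   bits 1-2 = traffic class: 2 www, 4 chat, 6 a/v
MARK_MAN=0x1
CLASS_WWW=0x2; CLASS_CHAT=0x4; CLASS_AV=0x6
MARK_DONE=0x8    # assumed flag: this connection has already been classified

# What the three MARK operations do to an existing mark ($1):
mark_set() { printf '%d' "$(( $2 ))"; }        # --set-mark V : old mark discarded
mark_or()  { printf '%d' "$(( $1 | $2 ))"; }   # --or-mark B  : sets bits, keeps the rest
mark_and() { printf '%d' "$(( $1 & $2 ))"; }   # --and-mark B : keeps only the bits in B

# What "-m mark --mark VALUE/MASK" reads back from a mark.
mark_dest()  { printf '%d' "$(( $1 & 0x1 ))"; }
mark_class() { printf '%d' "$(( $1 & 0x6 ))"; }

# One QOS rule per port, direction and protocol, OR-ing the class bits in
# so that bit 0 set earlier by the MAN chain survives.
gen_port_rules() {
    for port in $1; do
        for proto in tcp udp; do
            printf '%s\n' "-A QOS -p $proto --dport $port -j MARK --or-mark $2"
            printf '%s\n' "-A QOS -p $proto --sport $port -j MARK --or-mark $2"
        done
    done
}

# Mangle table in iptables-restore format. Comments sit on their own lines
# because iptables-restore ignores only lines that begin with '#'.
gen_mangle_rules() {
    chat_ports="5190 5222"    # constructed sample lists, not the poster's files
    av_ports="554"
    www_ports="80 443"
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:MAN - [0:0]
:QOS - [0:0]
# 1. Put the mark saved on the connection back onto this packet.
-A PREROUTING -j CONNMARK --restore-mark
# 2. Flag already set: the connection was tested once (whether or not it
#    matched anything), so MAN and QOS are skipped for every later packet.
-A PREROUTING -m mark --mark ${MARK_DONE}/${MARK_DONE} -j ACCEPT
-A PREROUTING -j MAN
-A PREROUTING -j QOS
-A PREROUTING -j MARK --or-mark ${MARK_DONE}
-A PREROUTING -j CONNMARK --save-mark
# MAN: a single hash lookup instead of 1650 sequential rules
#      (ipset create man hash:net; ipset add man <prefix> ... beforehand).
-A MAN -m set --match-set man dst -j MARK --or-mark ${MARK_MAN}
EOF
    gen_port_rules "$chat_ports" "$CLASS_CHAT"
    gen_port_rules "$av_ports"   "$CLASS_AV"
    gen_port_rules "$www_ports"  "$CLASS_WWW"
    cat <<EOF
# Target-less rules only count. After some chat traffic, 'iptables -t mangle
# -L POSTROUTING -v -n -x' shows whether 0x5 (chat + MAN bit) really occurs.
-A POSTROUTING -m mark --mark $(( CLASS_CHAT | MARK_MAN ))/0x7
-A POSTROUTING -m mark --mark ${CLASS_CHAT}/0x7
COMMIT
EOF
}

gen_mangle_rules
```

Running the script prints the ruleset; on the router it would be loaded with iptables-restore after the set has been created and filled. The two target-less POSTROUTING rules are the verification the follow-up asks for: their counters separate packets whose low three bits read 0x5 (chat to the Metropolitan) from 0x4 (chat to the Internet). With --set-mark 0x4 in the QOS rules, as in the posted script, the whole mark is replaced and the 0x1 set in MAN is lost, so only the second counter moves; with --or-mark 0x4 both bits coexist and the first one moves. Note that the CONNMARK shortcut means only the first packet of a connection is ever run through MAN and QOS, so port lists and the set must be in place before traffic starts, or existing connections keep their old mark.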
* Re: [LARTC] Too slow computer?
From: panca sorin @ 2005-08-09 21:31 UTC (permalink / raw)
To: lartc
Thank you for your help!
I noticed the ipset tools and I tried to use CONNMARK, but I don't know
how to verify if bitwise manipulation works. The IP list is random and the
router is an Athlon at 1200 MHz with 64 MB of SDRAM and a PIO mode 4 hard
disk.
After marking for destination, the packets are marked for prioritization.
I tried to use dsmark and some ingress policing but I've failed to
understand how they work. Also I'm in a hurry and I try to use what I know
for now. Since I have to shape for two speeds, I've now discovered the
--limit filter in iptables and I try to match packets based on their speeds.
Each connected client has its own class on dev eth1. There are 38 clients
now. On eth2 I shape based on connection ports. Audio/video, chat and
interactive traffic (and connection control packets) have higher priority.
Here are my script and configuration files (best viewed unwrapped with
kwrite):
#!/bin/bash
### firewall.sh ###
# firewall
# TODO: make a README for admin-users: how to add clients with public and
#       private IPs from dhcpd and metropolitan addresses;
#       use ipset for address and port grouping;
#       boost speeds, port forwards, etc.
# http://gentoo-wiki.com/HOWTO_Packet_Shaping
# http://lartc.org/howto
# http://linuxgazette.net/103/odonovan.html
# http://www.netfilter.org/documentation/
# http://www.knowplace.org/shaper/
# http://linux-ip.net/articles/Traffic-Control-HOWTO/
# http://howtos.linux.com/howtos/Traffic-Control-HOWTO/intro.shtml
# http://andthatsjazz.org:8/lartc/

# programs
ip=/usr/sbin/ip
ipt=/usr/sbin/iptables
ipt_s=/usr/sbin/iptables-save
ipt_r=/usr/sbin/iptables-restore
ips=/usr/sbin/ipset
tc=/usr/sbin/tc

# interfaces (placeholder values as posted; fill in the real ones)
EXT1=eth0
EXT1IP="first external IP"
GW1="our gateway's IP"
NetP1="our ISP's local network"
# 64 public space addresses
PUB1Min="first usable public IP"
PUB1Max="last usable public IP"
#EXT2#EXT1IP#GW2#NetP2
INT1=eth1
INT1IP=192.168.101.1
INT1Mask=255.255.255.0
INT1Bcast="public space broadcast address (not in ISP's LAN)"
INT1Net=192.168.101.255
INT2=eth2
INT2IP=10.0.0.1
INT2Mask=255.255.255.0
INT2Bcast=10.0.0.255
INT2Net=10.0.0.0
# markers
MARK_NET=0x0 # packets for Internet
MARK_MAN=0x1 # packets for Metropolitan

# interfaces' aliases
NETWORK=81.196.157;DEV=eth0
ip address add 172.22.3.112 dev eth0
for IP in $( cat ~adminus/etc/ip_internet/ext1_aliases.conf | grep -v \# ); do
    $ip addr del $NETWORK.$IP/32 dev $DEV 2>/dev/null >/dev/null
done
for IP in $( cat ~adminus/etc/ip_internet/ext1_aliases.conf | grep -v \# ); do
    $ip addr add $NETWORK.$IP/26 brd $NETWORK.255 dev $DEV
done

echo " 2. Proxy ARP"
# proxy ARP
echo 1 >/proc/sys/net/ipv4/conf/$EXT1/proxy_arp
#echo 1 >/proc/sys/net/ipv4/conf/$EXT2/proxy_arp
echo 1 >/proc/sys/net/ipv4/conf/$INT1/proxy_arp
#echo 1 >/proc/sys/net/ipv4/conf/$INT1/proxy_arp
for IP in $( cat ~adminus/etc/ip_local/pub_ips_on_int1.conf | grep -v \# ); do
    $ip route del $IP dev $INT1 2>/dev/null >/dev/null
    $ip route add $IP dev $INT1
done
for IP in $( cat ~adminus/etc/ip_local/priv_ips_on_int1.conf | grep -v \# ); do
    $ip route del $IP dev $INT2 2>/dev/null >/dev/null
    $ip route add $IP dev $INT2
done
$ipt -t raw -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -t filter -F

### ### ###
### raw ###
### ### ###

### ### ###
### nat ###
### ### ###
### PREROUTING ###
#$ipt -t nat -A PREROUTING -i $INT1 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo " forward ports (5 ports/IP)"
NETWORK=192.168.101;NETID1=21;NETID2=22;NETID3=23;NETID4=24;NETID5=25
# 20 <= NETID <= 65
for IP in $( cat ~adminus/etc/portfwd.conf | grep -v \# ); do
    $ipt -t nat -A PREROUTING -d $EXT1IP -p tcp -m tcp --dport $NETID1$IP -j DNAT --to-destination $NETWORK.$IP:$NETID1$IP
    $ipt -t nat -A PREROUTING -d $EXT1IP -p tcp -m tcp --dport $NETID2$IP -j DNAT --to-destination $NETWORK.$IP:$NETID2$IP
    $ipt -t nat -A PREROUTING -d $EXT1IP -p tcp -m tcp --dport $NETID3$IP -j DNAT --to-destination $NETWORK.$IP:$NETID3$IP
    $ipt -t nat -A PREROUTING -d $EXT1IP -p tcp -m tcp --dport $NETID4$IP -j DNAT --to-destination $NETWORK.$IP:$NETID4$IP
    $ipt -t nat -A PREROUTING -d $EXT1IP -p tcp -m tcp --dport $NETID5$IP -j DNAT --to-destination $NETWORK.$IP:$NETID5$IP
done
### POSTROUTING ###
echo " nat POSTROUTING"
#$ipt -t nat -A POSTROUTING -s $INT2Net/$INT2Mask -j MASQUERADE --to-ports 20000:30000
$ipt -t nat -A POSTROUTING -s $INT1Net/$INT1Mask -o $EXT1 -j SNAT --to-source $PUB1Min-$PUB1Max
$ipt -t nat -A POSTROUTING -s $INT2Net/$INT2Mask -o $EXT1 -j SNAT --to-source $PUB1Min-$PUB1Max
$ipt -t nat -A POSTROUTING -s 10.0.0.100 -j SNAT --to-source 81.196.157.200
$ipt -t nat -A POSTROUTING -s 10.0.0.99 -j SNAT --to-source 81.196.157.200

### ### ### ###
### mangle ###
### ### ### ###
echo " mangle"
### PREROUTING ###
# mark for QOS
cat ~adminus/bin/marks | $ipt_r
~adminus/bin/mac.sh

### ### ### ###
### qdiscs ###
### ### ### ###
# building traffic classes and ingress filters
# speeds
ROOT_NET_RATE=500kbit
ROOT_NET_CEIL=$ROOT_NET_RATE
BULK_NET_RATE=1kbit
BULK_NET_CEIL=128kbit
ROOT_MAN_RATE=95Mbit
ROOT_MAN_CEIL=$BULK_NET_RATE
BULK_MAN_RATE=512kbit
BULK_MAN_CEIL=90Mbit
# markers
MARK_NET=0x0 # Internet packet
MARK_MAN=0x1 # Metropolitan packet

echo " qdisc del"
$tc qdisc del dev $EXT1 ingress 2>/dev/null >/dev/null
#$tc qdisc del dev $EXT2 ingress 2>/dev/null >/dev/null
$tc qdisc del dev $INT1 ingress 2>/dev/null >/dev/null
$tc qdisc del dev $INT2 ingress 2>/dev/null >/dev/null
$tc qdisc del dev $EXT1 root 2>/dev/null >/dev/null
#$tc qdisc del dev $EXT2 root 2>/dev/null >/dev/null
$tc qdisc del dev $INT1 root 2>/dev/null >/dev/null
$tc qdisc del dev $INT2 root 2>/dev/null >/dev/null
echo " qdisc add EXT1 egress "
$tc qdisc add dev $EXT1 root handle 1: htb default FF01
echo " Internet-caffe"
$tc class add dev $EXT1 parent 1: classid 1:1 htb rate 500kbit ceil 500kbit # Internet
$tc class add dev $EXT1 parent 1: classid 1:2 htb rate 95Mbit ceil 95Mbit # Metropolitan
$tc class add dev $EXT1 parent 1:1 classid 1:7 htb rate 140kbit ceil 500kbit prio 2 # a/v net traffic
$tc class add dev $EXT1 parent 1:1 classid 1:5 htb rate 50kbit ceil 500kbit prio 2 # chat net traffic
$tc class add dev $EXT1 parent 1:1 classid 1:3 htb rate 100kbit ceil 500kbit prio 2 # www net traffic
$tc class add dev $EXT1 parent 1:2 classid 1:8 htb rate 35Mbit ceil 90Mbit prio 2 # a/v man traffic
$tc class add dev $EXT1 parent 1:2 classid 1:6 htb rate 5Mbit ceil 90Mbit prio 2 # chat man traffic
$tc class add dev $EXT1 parent 1:2 classid 1:4 htb rate 20Mbit ceil 90Mbit prio 2 # www man traffic
$tc class add dev $EXT1 parent 1:1 classid 1:FF01 htb rate 10kbit ceil 500kbit prio 3 # bulk net traffic
$tc class add dev $EXT1 parent 1:2 classid 1:FF00 htb rate 30Mbit ceil 90Mbit prio 3 # bulk man traffic
$tc qdisc add dev $EXT1 parent 1:FF01 handle 2: sfq perturb 10
$tc qdisc add dev $EXT1 parent 1:FF00 handle 3: sfq perturb 10

echo "qdisc add $EXT1 ingress"
$tc qdisc add dev $EXT1 ingress
# Metropolitan ingress
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 0 handle 7 fw police rate 10Mbps burst 16k continue flowid :1 # A/V in MAN
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 1 handle 5 fw police rate 10Mbps burst 16k continue flowid :1 # chat in MAN
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 2 handle 3 fw police rate 10Mbps burst 16k continue flowid :1 # www in MAN
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 4 handle 1 fw police rate 90Mbps burst 16k continue flowid :1 # bulk in MAN

echo "CLIENTS";date >~adminus/log/clase_eth0.log;echo "CLIENTS" >>~adminus/log/clase_eth0.log
$tc class add dev $EXT1 parent 1:1 classid 1:9 htb rate 140kbit ceil 500kbit prio 2 # bulk clients' net
$tc class add dev $EXT1 parent 1:1 classid 1:10 htb rate 20Mbit ceil 90Mbit prio 2 # bulk clients' M.A.N.
$tc class add dev $EXT1 parent 1:1 classid 1:11 htb rate 140kbit ceil 500kbit prio 1 # special clients' net
$tc class add dev $EXT1 parent 1:1 classid 1:12 htb rate 20Mbit ceil 90Mbit prio 1 # special clients' M.A.N.

echo " bulk clients' classes";echo " bulk clients' classes" >>~adminus/log/clase_eth0.log
NETWORK=192.168;NET=101;NETID=16 # edit this after copy-paste
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # don't edit
IDnet_PRIV=$((ID_NET+ID_PRIV+NETID)); IDman_PRIV=$((ID_MAN+ID_PRIV+NETID)) # don't edit
IDnet_PUB=$((ID_NET+ID_PUB+NETID));   IDman_PUB=$((ID_MAN+ID_PUB+NETID))
hIDnet_PRIV=`printf "%x" $IDnet_PRIV`; hIDman_PRIV=`printf "%x" $IDman_PRIV` # don't edit
hIDnet_PUB=`printf "%x" $IDnet_PUB`;   hIDman_PUB=`printf "%x" $IDman_PUB`
for IP in $( cat ~adminus/etc/ip_local/priv_ips_on_int1.conf | grep -v \# ); do
    hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
    $tc class add dev $EXT1 parent 1:9 classid 1:$hIDnet_PRIV$hIP htb rate $BULK_NET_RATE ceil $BULK_NET_CEIL prio 3
    $tc class add dev $EXT1 parent 1:10 classid 1:$hIDman_PRIV$hIP htb rate $BULK_MAN_RATE ceil $BULK_MAN_CEIL prio 3
    echo "$EXT1: $NETWORK.$NET.$IP net (1:9): 1:$hIDnet_PRIV$hIP min: $BULK_NET_RATE max: $BULK_NET_CEIL man (1:10): 1:$hIDman_PRIV$hIP min: $BULK_MAN_RATE max: $BULK_MAN_CEIL" >>~adminus/log/clase_eth0.log
done

echo " special clients' classes";echo " special clients' classes" >>~sorin/log/clase_eth0.log
echo " ip-uri private";echo " private IPs" >>~adminus/log/clase_eth0.log
NETWORK=192.168;NET=101;NETID=16 # edit this after copy-paste; 16 < NETID < 192; NETID = network's criterion number
# Set different NETIDs for all private or public networks; you can set the same NETID for one private network and one public network
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # don't edit
IDnet_PRIV=$((ID_NET+ID_PRIV+NETID)); IDman_PRIV=$((ID_MAN+ID_PRIV+NETID)) # don't edit
IDnet_PUB=$((ID_NET+ID_PUB+NETID));   IDman_PUB=$((ID_MAN+ID_PUB+NETID))
hIDnet_PRIV=`printf "%x" $IDnet_PRIV`; hIDman_PRIV=`printf "%x" $IDman_PRIV` # don't edit
hIDnet_PUB=`printf "%x" $IDnet_PUB`;   hIDman_PUB=`printf "%x" $IDman_PUB`
IP=2 # 192.168.101.002 FOCUS DESIGN
hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP` # compute hIP before logging it
echo "$EXT1: $NETWORK.$NET.$IP net (1:11): 1:$hIDnet_PRIV$hIP min: 64kbit max: 256kbit man (1:12): 1:$hIDman_PRIV$hIP min: 768kbit max: 90Mbit" >>~adminus/log/clase_eth0.log
$tc class replace dev $EXT1 parent 1:11 classid 1:$hIDnet_PRIV$hIP htb rate 64kbit ceil 256kbit prio 2 # replace because the class ID (handle) exists from the previous network
$tc class replace dev $EXT1 parent 1:12 classid 1:$hIDman_PRIV$hIP htb rate 768kbit ceil 90Mbit prio 2 # replace because the class ID (handle) exists from the previous network

echo " ip-uri publice";echo " public IPs" >>~adminus/log/clase_eth0.log
NETWORK=81.196;NET=157;NETID=63 # edit this after copy-paste
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # don't edit these
IDnet_PRIV=$((ID_NET+ID_PRIV+NETID)); IDman_PRIV=$((ID_MAN+ID_PRIV+NETID)) # don't edit
IDnet_PUB=$((ID_NET+ID_PUB+NETID));   IDman_PUB=$((ID_MAN+ID_PUB+NETID))
hIDnet_PRIV=`printf "%x" $IDnet_PRIV`; hIDman_PRIV=`printf "%x" $IDman_PRIV` # don't edit
hIDnet_PUB=`printf "%x" $IDnet_PUB`;   hIDman_PUB=`printf "%x" $IDman_PUB`
IP=253 # 81.196.157.253 VIDEO CHAT
hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
echo "$EXT1: $NETWORK.$NET.$IP net (1:11): 1:$hIDnet_PUB$hIP min: 64kbit max: 256kbit man (1:12) 1:$hIDman_PUB$hIP min: 768kbit max: 90Mbit" >>~adminus/log/clase_eth0.log
$tc class add dev $EXT1 parent 1:11 classid 1:$hIDnet_PUB$hIP htb rate 64kbit ceil 256kbit prio 1
$tc class add dev $EXT1 parent 1:12 classid 1:$hIDman_PUB$hIP htb rate 768kbit ceil 90Mbit prio 1
IP=254 # 81.196.157.254 VIDEO CHAT
hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
echo "$EXT1: $NETWORK.$NET.$IP net (1:11): 1:$hIDnet_PUB$hIP min: 64kbit max: 256kbit man (1:12) 1:$hIDman_PUB$hIP min: 768kbit max: 90Mbit" >>~adminus/log/clase_eth0.log
$tc class add dev $EXT1 parent 1:11 classid 1:$hIDnet_PUB$hIP htb rate 64kbit ceil 256kbit prio 1
$tc class add dev $EXT1 parent 1:12 classid 1:$hIDman_PUB$hIP htb rate 768kbit ceil 90Mbit prio 1

# Internet ingress
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 0 handle 6 fw police rate 190kbps burst 16k drop flowid :1 # A/V in Internet
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 1 handle 4 fw police rate 62kbps burst 32k drop flowid :1 # chat in Internet
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 2 handle 2 fw police rate 126kbps burst 64k drop flowid :1 # www in Internet
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 3 u32 match ip dst 0.0.0.0/0 police rate 126kbit burst 1k drop flowid :1 # bulk in Internet

echo " qdisc add INT1 ingress"
#$tc qdisc add dev $INT1 ingress
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 0 handle 0x7 fw flowid :1 police rate 10Mbps burst 16k continue # A/V in MAN
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 1 handle 0x5 fw flowid :1 police rate 10Mbps burst 16k continue # chat in MAN
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 2 handle 0x3 fw flowid :1 police rate 10Mbps burst 16k continue # www in MAN
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 4 handle 0x1 fw flowid :1 police rate 95Mbps burst 16k continue # bulk in MAN
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 0 handle 0x6 fw flowid :1 police rate 190kbps burst 16k continue # A/V in Internet
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 1 handle 0x4 fw flowid :1 police rate 62kbps burst 32k continue # chat in Internet
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 2 handle 0x2 fw flowid :1 police rate 126kbps burst 64k continue # www in Internet
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 3 u32 match ip dst 0.0.0.0/0 police rate 126kbit burst 1k drop flowid :1 # bulk in Internet
echo " qdisc add INT1 egress"
$tc qdisc add dev $INT1 root handle 1: htb default FF01
$tc class add dev $INT1 parent 1: classid 1:1 htb rate 250kbit ceil 500kbit # class Internet
$tc class add dev $INT1 parent 1: classid 1:2 htb rate 45Mbit ceil 90Mbit # class Metropolitan
$tc class add dev $INT1 parent 1:1 classid 1:3 htb rate 125kbit ceil 500kbit # class bulk-clients Internet
$tc class add dev $INT1 parent 1:2 classid 1:4 htb rate 22Mbit ceil 90Mbit # class bulk-clients Metropolitan
$tc class add dev $INT1 parent 1:1 classid 1:5 htb rate 125kbit ceil 500kbit # class special-clients Internet
$tc class add dev $INT1 parent 1:2 classid 1:6 htb rate 22Mbit ceil 90Mbit # class special-clients Metropolitan
$tc class add dev $INT1 parent 1: classid 1:FF01 htb rate 1kbit ceil 500kbit # class bulk-traffic Internet
$tc class add dev $INT1 parent 1: classid 1:FF00 htb rate 1kbit ceil 90Mbit # class bulk-traffic Metropolitan
$tc qdisc add dev $INT1 parent 1:FF01 handle 2: sfq perturb 10 # Stochastic Fairness for bulk traffic in Internet
$tc qdisc add dev $INT1 parent 1:FF00 handle 3: sfq perturb 10 # Stochastic Fairness for bulk traffic in Metropolitan

echo "CLIENTS";date >~adminus/log/clase_eth1.log;echo "CLIENTS" >>~adminus/log/clase_eth1.log
echo " bulk clients";echo " bulk clients" >>~adminus/log/clase_eth1.log
NETWORK=192.168;NET=101;NETID=16 # edit this after copy-paste
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # don't edit
IDnet_PRIV=$((ID_NET+ID_PRIV+NETID)); IDman_PRIV=$((ID_MAN+ID_PRIV+NETID)) # don't edit
IDnet_PUB=$((ID_NET+ID_PUB+NETID));   IDman_PUB=$((ID_MAN+ID_PUB+NETID))
hIDnet_PRIV=`printf "%x" $IDnet_PRIV`; hIDman_PRIV=`printf "%x" $IDman_PRIV` # don't edit
hIDnet_PUB=`printf "%x" $IDnet_PUB`;   hIDman_PUB=`printf "%x" $IDman_PUB`
for IP in $( cat ~adminus/etc/ip_local/priv_ips_on_int1.conf | grep -v \# ); do
    hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
    $tc class add dev $INT1 parent 1:3 classid 1:$hIDnet_PRIV$hIP htb rate $BULK_NET_RATE ceil $BULK_NET_CEIL prio 3 # bulk clients' speed in Internet
    $tc class add dev $INT1 parent 1:4 classid 1:$hIDman_PRIV$hIP htb rate $BULK_MAN_RATE ceil $BULK_MAN_CEIL prio 3 # bulk clients' speed in Metropolitan
    echo "$INT1: $NETWORK.$NET.$IP net (1:3): 1:$hIDnet_PRIV$hIP min: $BULK_NET_RATE max: $BULK_NET_CEIL man (1:4): 1:$hIDman_PRIV$hIP min: $BULK_MAN_RATE max: $BULK_MAN_CEIL" >>~sorin/log/clase_eth1.log
done

echo " special clients" >>~adminus/log/clase_eth1.log
echo " private IPs" >>~adminus/log/clase_eth1.log
NETWORK=192.168;NET=101;NETID=16 # edit this after copy-paste
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # don't edit these
IDnet_PRIV=$((ID_NET+ID_PRIV+NETID)); IDman_PRIV=$((ID_MAN+ID_PRIV+NETID)) # don't edit
IDnet_PUB=$((ID_NET+ID_PUB+NETID));   IDman_PUB=$((ID_MAN+ID_PUB+NETID))
hIDnet_PRIV=`printf "%x" $IDnet_PRIV`; hIDman_PRIV=`printf "%x" $IDman_PRIV` # don't edit
hIDnet_PUB=`printf "%x" $IDnet_PUB`;   hIDman_PUB=`printf "%x" $IDman_PUB`
IP=2 # 192.168.101.002 FOCUS DESIGN
hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
$tc class replace dev $INT1 parent 1:5 classid 1:$hIDnet_PRIV$hIP htb rate 64kbit ceil 256kbit prio 2 # speed for client FOCUS DESIGN in Internet
$tc class replace dev $INT1 parent 1:6 classid 1:$hIDman_PRIV$hIP htb rate 768kbit ceil 90Mbit prio 2 # speed for client FOCUS DESIGN in Metropolitan
echo "$INT1: $NETWORK.$NET.$IP net (1:5): 1:$hIDnet_PRIV$hIP min: 64kbit max: 256kbit man (1:6): 1:$hIDman_PRIV$hIP min: 768kbit max: 90Mbit" >>~adminus/log/clase_eth1.log

echo " public IPs" >>~adminus/log/clase_eth1.log
NETWORK=81.196;NET=157;NETID=63 # edit this after copy-paste (this and the next 3 rows must be copied for each used IP in the above network)
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # don't edit
IDnet_PRIV=$((ID_NET+ID_PRIV+NETID)); IDman_PRIV=$((ID_MAN+ID_PRIV+NETID)) # don't edit
IDnet_PUB=$((ID_NET+ID_PUB+NETID));   IDman_PUB=$((ID_MAN+ID_PUB+NETID))
hIDnet_PRIV=`printf "%x" $IDnet_PRIV`; hIDman_PRIV=`printf "%x" $IDman_PRIV` # don't edit
hIDnet_PUB=`printf "%x" $IDnet_PUB`;   hIDman_PUB=`printf "%x" $IDman_PUB`
IP=253 # 81.196.157.253 VIDEO CHAT 1 (this and the next 3 rows must be copied for each used IP in the above network)
hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
$tc class add dev $INT1 parent 1:5 classid 1:$hIDnet_PUB$hIP htb rate 64kbit ceil 256kbit prio 1 # speed for client VIDEO CHAT 1 in Internet
$tc class add dev $INT1 parent 1:6 classid 1:$hIDman_PUB$hIP htb rate 768kbit ceil 90Mbit prio 1 # speed for client VIDEO CHAT 1 in Metropolitan
echo "$INT1: $NETWORK.$NET.$IP net (1:5): 1:$hIDnet_PUB$hIP min: 64kbit max: 256kbit man (1:6) 1:$hIDman_PUB$hIP min: 768kbit max: 90Mbit" >>~adminus/log/clase_eth1.log
IP=254 # 81.196.157.254 VIDEO CHAT 2 (this and the next 3 rows must be copied for each used IP in the above network)
hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
$tc class add dev $INT1 parent 1:5 classid 1:$hIDnet_PUB$hIP htb rate 64kbit ceil 256kbit prio 1 # speed for client VIDEO CHAT 2 in Internet
$tc class add dev $INT1 parent 1:6 classid 1:$hIDman_PUB$hIP htb rate 768kbit ceil 90Mbit prio 1 # speed for client VIDEO CHAT 2 in Metropolitan
echo "$INT1: $NETWORK.$NET.$IP net (1:5): 1:$hIDnet_PUB$hIP min: 64kbit max: 256kbit man (1:6) 1:$hIDman_PUB$hIP min: 768kbit max: 90Mbit" >>~adminus/log/clase_eth1.log
echo "CLIENTS done."

echo " qdisc add INT2 root "
$tc qdisc add dev $INT2 root handle 1: htb default FF01
$tc class add dev $INT2 parent 1: classid 1:1 htb rate 500kbit ceil 500kbit
$tc class add dev $INT2 parent 1: classid 1:2 htb rate 95Mbit ceil 95Mbit
$tc class add dev $INT2 parent 1:1 classid 1:7 htb rate 140kbit ceil 500kbit prio 0 # a/v net traffic
$tc class add dev $INT2 parent 1:1 classid 1:5 htb rate 50kbit ceil 500kbit prio 0 # chat net traffic
$tc class add dev $INT2 parent 1:1 classid 1:3 htb rate 100kbit ceil 500kbit prio 0 # www net traffic
$tc class add dev $INT2 parent 1:2 classid 1:8 htb rate 35Mbit ceil 90Mbit prio 0 # a/v man traffic
$tc class add dev $INT2 parent 1:2 classid 1:6 htb rate 5Mbit ceil 90Mbit prio 0 # chat man traffic
$tc class add dev $INT2 parent 1:2 classid 1:4 htb rate 20Mbit ceil 90Mbit prio 0 # www man traffic
$tc class add dev $INT2 parent 1:1 classid 1:FF01 htb rate 10kbit ceil 500kbit prio 3 # bulk net traffic
$tc class add dev $INT2 parent 1:2 classid 1:FF00 htb rate 30Mbit ceil 90Mbit prio 3 # bulk man traffic
$tc qdisc add dev $INT2 parent 1:FF01 handle 2: sfq perturb 10
$tc qdisc add dev $INT2 parent 1:FF00 handle 3: sfq perturb 10

echo " qdisc add INT2 ingress"
$tc qdisc add dev $INT2 ingress
#$tc filter add dev $INT2 parent FFFF: protocol ip prio 0 handle 0x7 fw flowid :1 police rate 10Mbps burst 16k drop # A/V in MAN
#$tc filter add dev $INT2 parent FFFF: protocol ip prio 1 handle 0x5 fw flowid :1 police rate 10Mbps burst 16k drop # chat in MAN
#$tc filter add dev $INT2 parent FFFF: protocol ip prio 2 handle 0x3 fw flowid :1 police rate 10Mbps burst 16k drop # www in MAN
#$tc filter add dev $INT2 parent FFFF: protocol ip prio 4 handle 0x1 fw flowid :1 police rate 95Mbps burst 16k drop # bulk in MAN
#$tc filter add dev $INT2 parent FFFF: protocol ip prio 0 handle 0x6 fw flowid :1 police rate 190kbps burst 16k drop # A/V in Internet
#$tc filter add dev $INT2 parent FFFF: protocol ip prio 1 handle 0x4 fw flowid :1 police rate 62kbps burst 32k drop # chat in Internet
#$tc filter add dev $INT2 parent FFFF: protocol ip prio 2 handle 0x2 fw flowid :1 police rate 126kbps burst 64k drop # www in Internet
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 3 u32 match ip dst 0.0.0.0/0 police rate 126kbit burst 1k drop flowid :1 # bulk in Internet
### POSTROUTING ###
echo "POSTROUTING"
echo "filters - CLASSIFY $EXT1 egress"
$ipt -t mangle -F POSTROUTING
$ipt -t mangle -A POSTROUTING -m mark --mark 0x7 -o $EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:7 # A/V in MAN
$ipt -t mangle -A POSTROUTING -m mark --mark 0x5 -o $EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:5 # chat in MAN
$ipt -t mangle -A POSTROUTING -m mark --mark 0x3 -o $EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:3 # www in MAN
$ipt -t mangle -A POSTROUTING -m mark --mark 0x6 -o $EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:8 # A/V in Internet
$ipt -t mangle -A POSTROUTING -m mark --mark 0x4 -o $EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:6 # chat in Internet
$ipt -t mangle -A POSTROUTING -m mark --mark 0x2 -o $EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:4 # www in Internet
$ipt -t mangle -A POSTROUTING -m mark --mark 0x0 -o $EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:FF01 # bulk in Internet
$ipt -t mangle -A POSTROUTING -m mark --mark 0x1 -o $EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:FF00 # bulk in MAN

echo "filters - CLASSIFY $INT1 egress";date >~adminus/log/filtre.log;echo "filters - CLASSIFY $INT1 egress" >>~adminus/log/filtre.log
echo " bulk clients";echo " bulk clients" >>~adminus/log/filtre.log
NETWORK=192.168;NET=101;NETID=16 # edit this after copy-paste (this row down to "done" must be copied for each served network)
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # don't edit
# The first bit in the class MINOR is: 1 = metropolitan; 0 = Internet
# The second bit in the class MINOR is: 1 = public IP; 0 = private IP
# The next 6 bits represent NETID (class number)
# Attention: classes with MINOR from 1 to 6 are used by parents on $INT1, so NETID >= 7 !!!
IDnet_PRIV=$((ID_NET+ID_PRIV+NETID)); IDman_PRIV=$((ID_MAN+ID_PRIV+NETID)) # don't edit
IDnet_PUB=$((ID_NET+ID_PUB+NETID));   IDman_PUB=$((ID_MAN+ID_PUB+NETID))
hIDnet_PRIV=`printf "%x" $IDnet_PRIV`; hIDman_PRIV=`printf "%x" $IDman_PRIV` # don't edit
hIDnet_PUB=`printf "%x" $IDnet_PUB`;   hIDman_PUB=`printf "%x" $IDman_PUB`
for IP in $( cat ~adminus/etc/ip_local/priv_ips_on_int1.conf | grep -v \# ); do
    # if IP = { 0 1 2 3 4 5 6 7 8 9 a b c d e f A B C D E F }; then IP=0$IP; fi
    hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
    $ipt -t mangle -A POSTROUTING -m mark --mark $MARK_NET -o $EXT1 -s $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDnet_PRIV$hIP # private IP in $EXT1 Internet
    $ipt -t mangle -A POSTROUTING -m mark --mark $MARK_MAN -o $EXT1 -s $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDman_PRIV$hIP # private IP in $EXT1 Metropolitan
    #$ipt -t mangle -A POSTROUTING -m mark --mark $MARK_NET -o $EXT2 -s $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDnet_PRIV$hIP # private IP in $EXT2 Internet
    #$ipt -t mangle -A POSTROUTING -m mark --mark $MARK_MAN -o $EXT2 -s $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDman_PRIV$hIP # private IP in $EXT2 Metropolitan
    $ipt -t mangle -A POSTROUTING -m mark --mark $MARK_NET -o $INT1 -d $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDnet_PRIV$hIP # private IP in $INT1 Internet
    $ipt -t mangle -A POSTROUTING -m mark --mark $MARK_MAN -o $INT1 -d $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDman_PRIV$hIP # private IP in $INT1 Metropolitan
    echo "$NETWORK.$NET.$IP $EXT1: net: 1:$hIDnet_PRIV$hIP man: 1:$hIDman_PRIV$hIP $INT1: net: 1:$hIDnet_PRIV$hIP man: 1:$hIDman_PRIV$hIP" >>~sorin/log/filtre.log
done

echo " special clients";echo " special clients" >>~sorin/log/filtre.log
NETWORK=81.196;NET=157;NETID=63 # edit this after copy-paste (down to "done" is for every served network)
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # do not edit
IDnet_PRIV=$((ID_NET+ID_PRIV+NETID)); IDman_PRIV=$((ID_MAN+ID_PRIV+NETID)) # do not edit
IDnet_PUB=$((ID_NET+ID_PUB+NETID));   IDman_PUB=$((ID_MAN+ID_PUB+NETID))
hIDnet_PRIV=`printf "%x" $IDnet_PRIV`; hIDman_PRIV=`printf "%x" $IDman_PRIV` # do not edit
hIDnet_PUB=`printf "%x" $IDnet_PUB`;   hIDman_PUB=`printf "%x" $IDman_PUB`
for IP in $( cat ~adminus/etc/ip_local/pub_ips_on_int1.conf | grep -v \# ); do
    # if IP = { 0 1 2 3 4 5 6 7 8 9 a b c d e f A B C D E F }; then IP=0$IP; fi
    hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
    $ipt -t mangle -A POSTROUTING -m mark --mark $MARK_NET -o $EXT1 -s $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDnet_PUB$hIP # public IP in $EXT1 Internet
    $ipt -t mangle -A POSTROUTING -m mark --mark $MARK_MAN -o $EXT1 -s $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDman_PUB$hIP # public IP in $EXT1 Metropolitan
    #$ipt -t mangle -A POSTROUTING -m mark --mark $MARK_NET -o $EXT2 -s $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDnet_PUB$hIP
    #$ipt -t mangle -A POSTROUTING -m mark --mark $MARK_MAN -o $EXT2 -s $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDman_PUB$hIP
    $ipt -t mangle -A POSTROUTING -m mark --mark $MARK_NET -o $INT1 -d $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDnet_PUB$hIP # public IP in $INT1 Internet
    $ipt -t mangle -A POSTROUTING -m mark --mark $MARK_MAN -o $INT1 -d $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDman_PUB$hIP # public IP in $INT1 Metropolitan
    echo "$NETWORK.$NET.$IP $EXT1: net: 1:$hIDnet_PUB$hIP man: 1:$hIDman_PUB$hIP $INT1: net: 1:$hIDnet_PUB$hIP man: 1:$hIDman_PUB$hIP" >>~sorin/log/filtre.log
done

echo "filters - CLASSIFY $INT2 egress"
$ipt -t mangle -A POSTROUTING -m mark --mark 0x7 -o $INT2 -j CLASSIFY --set-class 1:7
$ipt -t mangle -A POSTROUTING -m mark --mark 0x5 -o $INT2 -j CLASSIFY --set-class 1:5
$ipt -t mangle -A POSTROUTING -m mark --mark 0x3 -o $INT2 -j CLASSIFY --set-class 1:3
$ipt -t mangle -A POSTROUTING -m mark --mark 0x6 -o $INT2 -j CLASSIFY --set-class 1:8
$ipt -t mangle -A POSTROUTING -m mark --mark 0x4 -o $INT2 -j CLASSIFY --set-class 1:6
$ipt -t mangle -A POSTROUTING -m mark --mark 0x2 -o $INT2 -j CLASSIFY --set-class 1:4
$ipt -t mangle -A POSTROUTING -m mark --mark 0x0 -o $INT2 -j CLASSIFY --set-class 1:FF01
$ipt -t mangle -A POSTROUTING -m mark --mark 0x1 -o $INT2 -j CLASSIFY --set-class 1:FF00
### ### ### ###
### mangle ###
### ### ### ###
### PREROUTING ###
$ipt -t mangle -F PREROUTING
echo " creem MAN, QOS si CLIENT"
$ipt -t mangle -X MAN
$ipt -t mangle -X QOS
$ipt -t mangle -N MAN
$ipt -t mangle -N QOS
$ipt -t mangle -Z MAN
$ipt -t mangle -Z QOS
$ipt -t mangle -A PREROUTING -j MAN
$ipt -t mangle -A PREROUTING -j QOS
### QOS ###
echo " TOS chat-ports"
for PORT in $( cat ~sorin/etc/ports_qdisc_prio/chat_ports.conf | grep -v \# ); do
# note: TOS --set-tos replaces the whole TOS byte, so of two consecutive --set-tos rules only the last one sticks
$ipt -t mangle -A QOS -p tcp --dport $PORT -j TOS --set-tos Maximize-Reliability
$ipt -t mangle -A QOS -p tcp --dport $PORT -j TOS --set-tos Minimize-Delay
$ipt -t mangle -A QOS -p tcp --dport $PORT -j MARK --set-mark 0x4
# note: this CONNMARK rule has no match, so one copy is appended per port and every packet walks all of them
$ipt -t mangle -A QOS -j CONNMARK --save-mark
$ipt -t mangle -A QOS -p tcp --dport $PORT -j RETURN
$ipt -t mangle -A QOS -p tcp --sport $PORT -j TOS --set-tos Maximize-Reliability
$ipt -t mangle -A QOS -p tcp --sport $PORT -j TOS --set-tos Minimize-Delay
$ipt -t mangle -A QOS -p tcp --sport $PORT -j MARK --set-mark 0x4
$ipt -t mangle -A QOS -j CONNMARK --save-mark
$ipt -t mangle -A QOS -p tcp --sport $PORT -j RETURN
$ipt -t mangle -A QOS -p udp --dport $PORT -j TOS --set-tos Maximize-Reliability
$ipt -t mangle -A QOS -p udp --dport $PORT -j TOS --set-tos Minimize-Delay
$ipt -t mangle -A QOS -p udp --dport $PORT -j MARK --set-mark 0x4
$ipt -t mangle -A QOS -j CONNMARK --save-mark
$ipt -t mangle -A QOS -p udp --dport $PORT -j RETURN
$ipt -t mangle -A QOS -p udp --sport $PORT -j TOS --set-tos Maximize-Reliability
$ipt -t mangle -A QOS -p udp --sport $PORT -j TOS --set-tos Minimize-Delay
$ipt -t mangle -A QOS -p udp --sport $PORT -j MARK --set-mark 0x4
$ipt -t mangle -A QOS -j CONNMARK --save-mark
$ipt -t mangle -A QOS -p udp --sport $PORT -j RETURN
done
echo " TOS audio-video ports"
for PORT in $( cat ~sorin/etc/ports_qdisc_prio/av_ports.conf | grep -v \# ); do
$ipt -t mangle -A QOS -p tcp --dport $PORT -j TOS --set-tos Minimize-Delay
$ipt -t mangle -A QOS -p tcp --dport $PORT -j TOS --set-tos Maximize-Throughput
$ipt -t mangle -A QOS -p tcp --dport $PORT -j MARK --set-mark 0x6
$ipt -t mangle -A QOS -j CONNMARK --save-mark
$ipt -t mangle -A QOS -p tcp --dport $PORT -j RETURN
$ipt -t mangle -A QOS -p tcp --sport $PORT -j TOS --set-tos Minimize-Delay
$ipt -t mangle -A QOS -p tcp --sport $PORT -j TOS --set-tos Maximize-Throughput
$ipt -t mangle -A QOS -p tcp --sport $PORT -j MARK --set-mark 0x6
$ipt -t mangle -A QOS -j CONNMARK --save-mark
$ipt -t mangle -A QOS -p tcp --sport $PORT -j RETURN
$ipt -t mangle -A QOS -p udp --dport $PORT -j TOS --set-tos Minimize-Delay
$ipt -t mangle -A QOS -p udp --dport $PORT -j TOS --set-tos Maximize-Throughput
$ipt -t mangle -A QOS -p udp --dport $PORT -j MARK --set-mark 0x6
$ipt -t mangle -A QOS -j CONNMARK --save-mark
$ipt -t mangle -A QOS -p udp --dport $PORT -j RETURN
$ipt -t mangle -A QOS -p udp --sport $PORT -j TOS --set-tos Minimize-Delay
$ipt -t mangle -A QOS -p udp --sport $PORT -j TOS --set-tos Maximize-Throughput
$ipt -t mangle -A QOS -p udp --sport $PORT -j MARK --set-mark 0x6
$ipt -t mangle -A QOS -j CONNMARK --save-mark
$ipt -t mangle -A QOS -p udp --sport $PORT -j RETURN
done
echo " TOS www ports"
for PORT in $( cat ~sorin/etc/ports_qdisc_prio/www_ports.conf | grep -v \# ); do
$ipt -t mangle -A QOS -p tcp --dport $PORT -j TOS --set-tos Maximize-Throughput
$ipt -t mangle -A QOS -p tcp --dport $PORT -j MARK --set-mark 0x2
$ipt -t mangle -A QOS -j CONNMARK --save-mark
$ipt -t mangle -A QOS -p tcp --dport $PORT -j RETURN
$ipt -t mangle -A QOS -p tcp --sport $PORT -j TOS --set-tos Maximize-Throughput
$ipt -t mangle -A QOS -p tcp --sport $PORT -j MARK --set-mark 0x2
$ipt -t mangle -A QOS -j CONNMARK --save-mark
$ipt -t mangle -A QOS -p tcp --sport $PORT -j RETURN
$ipt -t mangle -A QOS -p udp --dport $PORT -j TOS --set-tos Maximize-Throughput
$ipt -t mangle -A QOS -p udp --dport $PORT -j MARK --set-mark 0x2
$ipt -t mangle -A QOS -j CONNMARK --save-mark
$ipt -t mangle -A QOS -p udp --dport $PORT -j RETURN
$ipt -t mangle -A QOS -p udp --sport $PORT -j TOS --set-tos Maximize-Throughput
# reply direction: match the udp source port here, as the RETURN rule below does
$ipt -t mangle -A QOS -p udp --sport $PORT -j MARK --set-mark 0x2
$ipt -t mangle -A QOS -j CONNMARK --save-mark
$ipt -t mangle -A QOS -p udp --sport $PORT -j RETURN
done
echo " TOS tcp flags"
# note: "--tcp-flags ALL ALL" (mask ALL, compare ALL) matches only packets with every TCP flag set
$ipt -t mangle -A QOS -p tcp --tcp-flags ALL ALL -j MARK --set-mark 0x6
$ipt -t mangle -A QOS -p tcp --tcp-flags ALL ALL -j TOS --set-tos Minimize-Delay
$ipt -t mangle -A QOS -p tcp --tcp-flags ALL ALL -j TOS --set-tos Maximize-Throughput
$ipt -t mangle -A QOS -p tcp --tcp-flags ALL ALL -j TOS --set-tos Maximize-Reliability
$ipt -t mangle -A QOS -j CONNMARK --save-mark
$ipt -t mangle -A QOS -p tcp --tcp-flags ALL ALL -j RETURN
$ipt -t mangle -A QOS -j CONNMARK --save-mark
$ipt -t mangle -A QOS -p ALL -j RETURN
### MAN ###
echo " MAN mark man (order a pizza and eat till I finish this)"
for PEER_IP in $( cat ~sorin/etc/ip_internet/peer_ips.conf | grep -v \# ); do
$ipt -t mangle -A MAN -d $PEER_IP -j MARK --set-mark $MARK_MAN
$ipt -t mangle -A MAN -j CONNMARK --restore-mark --mask 0xfffe
$ipt -t mangle -A MAN -d $PEER_IP -j RETURN
$ipt -t mangle -A MAN -s $PEER_IP -j MARK --set-mark $MARK_MAN
$ipt -t mangle -A MAN -j CONNMARK --restore-mark --mask 0xfffe
$ipt -t mangle -A MAN -s $PEER_IP -j RETURN
done
echo " MAN mark net"
$ipt -t mangle -A MAN -d 0.0.0.0/0 -j MARK --set-mark $MARK_NET
$ipt -t mangle -A MAN -j CONNMARK --restore-mark --mask 0xfffe
$ipt -t mangle -A MAN -d 0.0.0.0/0 -j RETURN
$ipt_s >~adminus/bin/marks
### POSTROUTING ###
if [ -x /mnt/usb/tc-restore ]; then
/mnt/usb/tc-restore
cp /mnt/usb/tc-restore ~sorin/bin/
else ~sorin/bin/tc-restore
fi
# each IP has its own class
### ### ### ###
### filter ###
### ### ### ###
### INPUT ###
echo "INPUT"
# TODO: Use ~adminus/etc/ports_input_allowed, use -m mport --port for both direction ports if they *ARE* equal
$ipt -t filter -P INPUT DROP
$ipt -t filter -A INPUT -i lo -j ACCEPT
$ipt -t filter -A INPUT -p tcp --sport 0:1023 -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -t filter -A INPUT -i lo -j ACCEPT
$ipt -t filter -A INPUT -p tcp --tcp-flags ACK ACK -j ACCEPT
$ipt -t filter -A INPUT -m state --state ESTABLISHED -j ACCEPT
$ipt -t filter -A INPUT -m state --state RELATED -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 1024:65535 --sport 53 -j ACCEPT
$ipt -t filter -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$ipt -t filter -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$ipt -t filter -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
$ipt -t filter -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -t filter -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
$ipt -t filter -A INPUT -p tcp -m state ! --state NEW --sport 0:1023 -j ACCEPT
$ipt -t filter -A INPUT -p udp --sport 0:1023 -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport ssh -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport auth -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport ftp -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport rmt -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport rmt -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport ftp-data -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport time -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport http -j ACCEPT
$ipt -t filter -A INPUT -p icmp -m limit --icmp-type echo-request --limit 3/second --limit-burst 1000 -j ACCEPT
$ipt -t filter -A INPUT -p tcp ! -i lo --sport 2049:2050 -j DROP
$ipt -t filter -A INPUT -p tcp ! -i lo --dport 2049:2050 -j DROP
$ipt -t filter -A INPUT -p tcp ! -i lo --sport 6000:6063 -j DROP
$ipt -t filter -A INPUT -p tcp ! -i lo --dport 6000:6063 -j DROP
$ipt -t filter -A INPUT -p tcp ! -i lo --sport 7000:7010 -j DROP
$ipt -t filter -A INPUT -p tcp ! -i lo --dport 7000:7010 -j DROP
# note: the ACK-flag rule above and the four port-range rules below accept most TCP/UDP packets regardless
# of connection state, so the DROP policy only applies to what is left over
$ipt -t filter -A INPUT -p tcp --sport 1024:65535 -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
$ipt -t filter -A INPUT -p udp --sport 1024:65535 -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 1024:65535 -j ACCEPT
### FORWARD ###
echo "FORWARD"
$ipt -t filter -P FORWARD DROP
$ipt -t filter -A FORWARD -i lo -j ACCEPT
$ipt -t filter -A FORWARD -o lo -j ACCEPT
echo " ip/mac ACCEPT"
~sorin/bin/mac.sh
$ipt -t filter -A FORWARD -o $INT1 -d $INT1Net/$INT1Mask -j ACCEPT
$ipt -t filter -A FORWARD -i $INT2 -s $INT2Net/$INT2Mask -j ACCEPT
$ipt -t filter -A FORWARD -o $INT2 -d $INT2Net/$INT2Mask -j ACCEPT
$ipt -t filter -A FORWARD -i $EXT1 -o $INT1 -j ACCEPT
$ipt -t filter -A FORWARD -i $EXT1 -o $INT2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -t filter -A FORWARD -i $INT1 -o $INT2 -j ACCEPT
$ipt -t filter -A FORWARD -i $INT2 -o $INT1 -j ACCEPT
#$ipt -t filter -A FORWARD -i $INT1 -o $EXT1 -j ACCEPT
# This is done per MAC address (mac.sh above)
$ipt -t filter -A FORWARD -i $INT2 -o $EXT1 -j ACCEPT
echo " connection/port ACCEPT/DROP"
#$ipt -t filter -A FORWARD -f -j ACCEPT
$ipt -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#$ipt -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 128
# anti-spoofing: internal source addresses may only arrive on their own interface
$ipt -t filter -A FORWARD ! -i $INT1 -s $INT1Net/$INT1Mask -j DROP
$ipt -t filter -A FORWARD ! -i $INT2 -s $INT2Net/$INT2Mask -j DROP
$ipt -t filter -A FORWARD -p icmp -d $INT1Bcast -j DROP
$ipt -t filter -A FORWARD -p icmp -d $INT2Bcast -j DROP
$ipt -t filter -A FORWARD -p tcp --syn -m limit --limit 10/s -j ACCEPT
$ipt -t filter -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 10/s -j ACCEPT
$ipt -t filter -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 3/s -j ACCEPT
$ipt -t filter -A FORWARD -p icmp --icmp-type echo-reply -m limit --limit 3/s -j ACCEPT
$ipt -t filter -A FORWARD -p udp --sport 53 -j ACCEPT
$ipt -t filter -A FORWARD -p udp --dport 53 -j ACCEPT
$ipt -t filter -A FORWARD -p tcp --dport 139 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 445 -j DROP
### OUTPUT ###
echo "OUTPUT"
$ipt -t filter -P OUTPUT ACCEPT
echo "Preparing for reboot... (iptables-save)"
/usr/sbin/iptables-save >/home/adminus/iptables
A/V ports: 531 554 583 7070 1754:1755 1397:1398 1516 1518 2232 4444 5555 5713:5714 6000 6010
CHAT ports: 53 5050 1863 113 529 994 6660:6667 7000 63 5190:5193 22 23 992 37 123 21 990 1517 1519 2103:2105 5222 5269 5715:5717
WWW ports (and games): 80 443 280 488 25 109:110 995 143 220 993 516 532 563 631 901 666 4557 4559 27005 27015
* Re: [LARTC] Too slow computer?
From: Andy Furniss @ 2005-08-11 16:10 UTC (permalink / raw)
To: lartc
panca sorin wrote:
> Thank you for your help!
> I noticed the ipset tools and I tried to use the
> CONNMARK but I don't know how to verify if bitwise
> manipulation works. The IP list is random and the
> router is an Athlon at 1200 MHz with 64 MB of SDRAM
> and a PIO mode 4 harddisk.
> After marking for destination, the packets are marked
> for prioritization. I tried to use the dsmark and some
> ingress policing but I've failed to understand how they
> work. Also I'm in a hurry and I try to use what I know
> for now. Since I have to shape for two speeds, now
> I've discovered the --limit filter in iptables and I
> try to match packets based on their speeds.
> Each connected client has its own class on dev eth1.
> There are 38 clients now. On eth2 I shape based on
> connection ports. Audio/video, chat and interactive
> traffic (and connection control packets) have higher
> priority. Here are my script and configuration files
> (best viewed unwrapped with kwrite):
That's a big script - I haven't had time to read it properly and I'd
still be likely to miss things :-)
Ingress policers won't work with fw if your kernel config has packet
actions selected. If you don't it will work but only with marks set in
prerouting.
Bitwise manipulation of normal marks should work for recent iptables;
just remember to use 0x as it uses decimal otherwise. If you want to
test just make an empty match and look at the counters. So to set bit 2
of the mark use --or-mark 0x2 instead of --set-mark.
I've never used ipset but it seems suited to what you need.
If you choose to use mark/connmark then you can get htb to treat marks
like classify - you just put an empty fw on the root and have to make
sure the marks have the major id in the top 16 bits and you have a class
for the minor.
Andy.
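The mark layout Andy describes (HTB major id in the top 16 bits, an empty fw filter on the HTB root, --or-mark for a single bit, and an empty match whose counters show whether the bit is really being set), as an added example that is not code from the thread or from either poster. It is a dry-run generator in POSIX sh: the iptables and tc binaries, the interface eth2, the class 1:4 and the two ports are assumed placeholders, and the early RETURN for connections that already carry a connmark is the example's own design choice.

```shell
#!/bin/sh
# Added example, not code from the thread: packs HTB major:minor into an fwmark
# and prints (or runs) the iptables/tc commands that use it. The interface,
# class ids and ports below are constructed placeholders.
IPT=${IPT:-iptables}
TC=${TC:-tc}
DEV=${DEV:-eth2}        # assumed egress interface (placeholder)
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them (as root on the router)

# fw_mark MAJOR MINOR -> mark with MAJOR in the top 16 bits, e.g. fw_mark 1 6 -> 0x10006
fw_mark() {
    printf '0x%x\n' $(( ($1 << 16) | ($2 & 0xffff) ))
}

# class_of_mark MARK -> "major:minor" as tc prints it, e.g. 0x10006 -> 1:6
class_of_mark() {
    printf '%x:%x\n' $(( $1 >> 16 )) $(( $1 & 0xffff ))
}

# run CMD... : echo the command line in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Empty fw filter on the HTB root: a packet whose mark equals a class id
# (major:minor packed as above) lands in that class, with no per-mark filters.
gen_tc_filter() {
    run "$TC" filter add dev "$DEV" parent 1:0 protocol ip prio 1 fw
}

# gen_qos_chain MAJOR MINOR PORT... : mark connections to the given TCP ports.
# Packets of a connection that already has a connmark leave at the top, so the
# per-port rules are walked once per connection, and a single --save-mark at the
# end replaces one save rule per port.
gen_qos_chain() {
    major=$1; minor=$2; shift 2
    mark=$(fw_mark "$major" "$minor")
    run "$IPT" -t mangle -N QOS
    run "$IPT" -t mangle -A QOS -j CONNMARK --restore-mark
    run "$IPT" -t mangle -A QOS -m mark ! --mark 0 -j RETURN
    for port in "$@"; do
        # --or-mark sets the class bits without clobbering other bits of the mark
        run "$IPT" -t mangle -A QOS -p tcp --dport "$port" -j MARK --or-mark "$mark"
    done
    # rule with no target: it only counts; "iptables -t mangle -L QOS -v -n -x"
    # then shows whether the bit manipulation took effect
    run "$IPT" -t mangle -A QOS -m mark --mark "$mark/$mark"
    run "$IPT" -t mangle -A QOS -j CONNMARK --save-mark
}

# demo: the chat class 1:4 from the thread, for two constructed ports
demo() {
    gen_tc_filter
    gen_qos_chain 1 4 5050 1863
}

if [ "${DEMO:-0}" = 1 ]; then demo; fi
```

Run it with `DEMO=1 sh marks.sh` to see the generated commands; with `DRY_RUN=0` the same functions execute them. The counter-only rule at the end of the chain is the "empty match" test: if its packet counter stays at zero while the port rules are being hit, the mark bits are not being set the way you expect.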