traffic shaping documentation

traffic shaping documentation

[Mihamina Rakotomandimby (R12y)]

Hi all,
I have a gateway on which I would like to implement traffic shapping based 
only on ports.
The simple schema:

     15-PCs-LAN <-> (eth0)[Gateway](eth1) <-> Internet

The gateway is also my workstation and it holds many services accessibles 
from the LAN and from Internet.

The problem is HTTP traffic is so much that SSH connection to the remote 
servers I manage are slow.

Therefore, I would like to give:
- highest priority to SSH (INPUT/OUTPUT/FORWARD dport 22)
- normal priority to others (INPUT/OUTPUT/FORWARD dport:FTP, SVN,...)
- lowest priority to HTTP
   (dport 80 REDIRECTed INPUT on squid's 3128, OUTPUT dport 80)

The perfect would be to shape it on the OUTPUT chain, because I would like 
also the shape affects my (Gateway) behaviour.

I am not asking for the direct solution, I am first asking if what I want:
  - is a good idea
  - implementable
  - is documented in another place than lartc.org
    (which is good but too much big for my simple needs)

Thank you for any tips.

-- 
                              Chef de projet chez Vectoris
                                  Phone: +261 33 11 207 36
System: xUbuntu 8.10 with almost all from package install
    http://www.google.com/search?q=mihamina+rakotomandimby

Re: traffic shaping documentation

[Julien Vehent]

Hello,

By your signature, I suppose you read french. Then, maybe you will find
some useful information in the doc I wrote a few months ago :
http://wiki.linuxwall.info/doku.php?id=ressources:dossiers:advanced_networking:2_qos_traffic_control

Hope it helps...

Julien

On Tue, 21 Apr 2009 11:50:05 +0300, "Mihamina Rakotomandimby (R12y)"
<mihamina@lab.vectoris.fr> wrote:
> Hi all,
> I have a gateway on which I would like to implement traffic shapping
based 
> only on ports.
> The simple schema:
> 
>      15-PCs-LAN <-> (eth0)[Gateway](eth1) <-> Internet
> 
> The gateway is also my workstation and it holds many services accessibles

> from the LAN and from Internet.
> 
> The problem is HTTP traffic is so much that SSH connection to the remote 
> servers I manage are slow.
> 
> Therefore, I would like to give:
> - highest priority to SSH (INPUT/OUTPUT/FORWARD dport 22)
> - normal priority to others (INPUT/OUTPUT/FORWARD dport:FTP, SVN,...)
> - lowest priority to HTTP
>    (dport 80 REDIRECTed INPUT on squid's 3128, OUTPUT dport 80)
> 
> The perfect would be to shape it on the OUTPUT chain, because I would
like 
> also the shape affects my (Gateway) behaviour.
> 
> I am not asking for the direct solution, I am first asking if what I
want:
>   - is a good idea
>   - implementable
>   - is documented in another place than lartc.org
>     (which is good but too much big for my simple needs)
> 
> Thank you for any tips.

-- 
julien
http://jve.linuxwall.info/blog

Re: traffic shaping documentation

[SISINT BA]

I was seeing your doc in French , do you have an englsih version ???

Thanks a lot
Marcos

----- Original Message -----
From: "Julien Vehent" <julien@linuxwall.info>
To: "Mihamina Rakotomandimby (R12y)" <mihamina@lab.vectoris.fr>
Cc: <netfilter@vger.kernel.org>
Sent: Tuesday, April 21, 2009 8:18 AM
Subject: Re: traffic shaping documentation


> Hello,
>
> By your signature, I suppose you read french. Then, maybe you will find
> some useful information in the doc I wrote a few months ago :
>
http://wiki.linuxwall.info/doku.php?id=ressources:dossiers:advanced_networki
ng:2_qos_traffic_control
>
> Hope it helps...
>
> Julien
>
> On Tue, 21 Apr 2009 11:50:05 +0300, "Mihamina Rakotomandimby (R12y)"
> <mihamina@lab.vectoris.fr> wrote:
> > Hi all,
> > I have a gateway on which I would like to implement traffic shapping
> based
> > only on ports.
> > The simple schema:
> >
> >      15-PCs-LAN <-> (eth0)[Gateway](eth1) <-> Internet
> >
> > The gateway is also my workstation and it holds many services
accessibles
>
> > from the LAN and from Internet.
> >
> > The problem is HTTP traffic is so much that SSH connection to the remote
> > servers I manage are slow.
> >
> > Therefore, I would like to give:
> > - highest priority to SSH (INPUT/OUTPUT/FORWARD dport 22)
> > - normal priority to others (INPUT/OUTPUT/FORWARD dport:FTP, SVN,...)
> > - lowest priority to HTTP
> >    (dport 80 REDIRECTed INPUT on squid's 3128, OUTPUT dport 80)
> >
> > The perfect would be to shape it on the OUTPUT chain, because I would
> like
> > also the shape affects my (Gateway) behaviour.
> >
> > I am not asking for the direct solution, I am first asking if what I
> want:
> >   - is a good idea
> >   - implementable
> >   - is documented in another place than lartc.org
> >     (which is good but too much big for my simple needs)
> >
> > Thank you for any tips.
>
> --
> julien
> http://jve.linuxwall.info/blog
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: traffic shaping documentation

[Julien Vehent]

I fear not... which's lame, I admit, but I never found the time and
motivation to write in english...

A quick try on google trad gives good results though.... :)


On Tue, 21 Apr 2009 10:26:00 -0300, "SISINT BA" <INFO@SISINT.COM.AR> wrote:
> I was seeing your doc in French , do you have an englsih version ???
> 
> Thanks a lot
> Marcos
> 
> ----- Original Message -----
> From: "Julien Vehent" <julien@linuxwall.info>
> To: "Mihamina Rakotomandimby (R12y)" <mihamina@lab.vectoris.fr>
> Cc: <netfilter@vger.kernel.org>
> Sent: Tuesday, April 21, 2009 8:18 AM
> Subject: Re: traffic shaping documentation
> 
> 
>> Hello,
>>
>> By your signature, I suppose you read french. Then, maybe you will find
>> some useful information in the doc I wrote a few months ago :
>>
>
http://wiki.linuxwall.info/doku.php?id=ressources:dossiers:advanced_networki
> ng:2_qos_traffic_control
>>
>> Hope it helps...
>>
>> Julien
>>
>> On Tue, 21 Apr 2009 11:50:05 +0300, "Mihamina Rakotomandimby (R12y)"
>> <mihamina@lab.vectoris.fr> wrote:
>> > Hi all,
>> > I have a gateway on which I would like to implement traffic shapping
>> based
>> > only on ports.
>> > The simple schema:
>> >
>> >      15-PCs-LAN <-> (eth0)[Gateway](eth1) <-> Internet
>> >
>> > The gateway is also my workstation and it holds many services
> accessibles
>>
>> > from the LAN and from Internet.
>> >
>> > The problem is HTTP traffic is so much that SSH connection to the
>> > remote
>> > servers I manage are slow.
>> >
>> > Therefore, I would like to give:
>> > - highest priority to SSH (INPUT/OUTPUT/FORWARD dport 22)
>> > - normal priority to others (INPUT/OUTPUT/FORWARD dport:FTP, SVN,...)
>> > - lowest priority to HTTP
>> >    (dport 80 REDIRECTed INPUT on squid's 3128, OUTPUT dport 80)
>> >
>> > The perfect would be to shape it on the OUTPUT chain, because I would
>> like
>> > also the shape affects my (Gateway) behaviour.
>> >
>> > I am not asking for the direct solution, I am first asking if what I
>> want:
>> >   - is a good idea
>> >   - implementable
>> >   - is documented in another place than lartc.org
>> >     (which is good but too much big for my simple needs)
>> >
>> > Thank you for any tips.
>>
>> --
>> julien
>> http://jve.linuxwall.info/blog
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>

-- 
julien
http://jve.linuxwall.info/blog

Re: traffic shaping documentation

[SISINT BA]

Julien:

Former Thanks  for answer so fast,

what a pity htat you don't have these time to write!!!!
 seems that you  will not trasnlate it , but domains the subject , if you
colud sure  will be so helpfull. ,

Thanks lot for have take your time to write , because the doc  "talks by
itself" trough the commands in the examples . but on  my mind always is
better get the info right from the source  :-)

and unlucky for me i don't speck French,    just speak spanish and got the
wrost english in the world.
Thanks aagain.


Marcos





----- Original Message -----
From: "Julien Vehent" <julien@linuxwall.info>
To: "SISINT BA" <INFO@sisint.com.ar>
Cc: "netfilter" <netfilter@vger.kernel.org>
Sent: Tuesday, April 21, 2009 11:09 AM
Subject: Re: traffic shaping documentation


> I fear not... which's lame, I admit, but I never found the time and
> motivation to write in english...
>
> A quick try on google trad gives good results though.... :)
>
>
> On Tue, 21 Apr 2009 10:26:00 -0300, "SISINT BA" <INFO@SISINT.COM.AR>
wrote:
> > I was seeing your doc in French , do you have an englsih version ???
> >
> > Thanks a lot
> > Marcos
> >
> > ----- Original Message -----
> > From: "Julien Vehent" <julien@linuxwall.info>
> > To: "Mihamina Rakotomandimby (R12y)" <mihamina@lab.vectoris.fr>
> > Cc: <netfilter@vger.kernel.org>
> > Sent: Tuesday, April 21, 2009 8:18 AM
> > Subject: Re: traffic shaping documentation
> >
> >
> >> Hello,
> >>
> >> By your signature, I suppose you read french. Then, maybe you will find
> >> some useful information in the doc I wrote a few months ago :
> >>
> >
>
http://wiki.linuxwall.info/doku.php?id=ressources:dossiers:advanced_networki
> > ng:2_qos_traffic_control
> >>
> >> Hope it helps...
> >>
> >> Julien
> >>
> >> On Tue, 21 Apr 2009 11:50:05 +0300, "Mihamina Rakotomandimby (R12y)"
> >> <mihamina@lab.vectoris.fr> wrote:
> >> > Hi all,
> >> > I have a gateway on which I would like to implement traffic shapping
> >> based
> >> > only on ports.
> >> > The simple schema:
> >> >
> >> >      15-PCs-LAN <-> (eth0)[Gateway](eth1) <-> Internet
> >> >
> >> > The gateway is also my workstation and it holds many services
> > accessibles
> >>
> >> > from the LAN and from Internet.
> >> >
> >> > The problem is HTTP traffic is so much that SSH connection to the
> >> > remote
> >> > servers I manage are slow.
> >> >
> >> > Therefore, I would like to give:
> >> > - highest priority to SSH (INPUT/OUTPUT/FORWARD dport 22)
> >> > - normal priority to others (INPUT/OUTPUT/FORWARD dport:FTP, SVN,...)
> >> > - lowest priority to HTTP
> >> >    (dport 80 REDIRECTed INPUT on squid's 3128, OUTPUT dport 80)
> >> >
> >> > The perfect would be to shape it on the OUTPUT chain, because I would
> >> like
> >> > also the shape affects my (Gateway) behaviour.
> >> >
> >> > I am not asking for the direct solution, I am first asking if what I
> >> want:
> >> >   - is a good idea
> >> >   - implementable
> >> >   - is documented in another place than lartc.org
> >> >     (which is good but too much big for my simple needs)
> >> >
> >> > Thank you for any tips.
> >>
> >> --
> >> julien
> >> http://jve.linuxwall.info/blog
> >> --
> >> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> >> the body of a message to majordomo@vger.kernel.org
> >> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >>
>
> --
> julien
> http://jve.linuxwall.info/blog
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: traffic shaping documentation

[Julien Vehent]

Pfff.... I'm way too influenceable. Here's your translation. :)

http://wiki.linuxwall.info/doku.php?id=ressources:dossiers:advanced_networking:2_qos_traffic_control_english

I realize I'm posting this to a list full of QOS, firewall and network
experts, so I need to warn you that there may be mistakes and
misunderstanding in this document. If you find any, please let me know ;)

Julien

On Tue, 21 Apr 2009 11:23:53 -0300, "SISINT BA" <INFO@SISINT.COM.AR> wrote:
> Julien:
> 
> Former Thanks  for answer so fast,
> 
> what a pity htat you don't have these time to write!!!!
>  seems that you  will not trasnlate it , but domains the subject , if you
> colud sure  will be so helpfull. ,
> 
> Thanks lot for have take your time to write , because the doc  "talks by
> itself" trough the commands in the examples . but on  my mind always is
> better get the info right from the source  :-)
> 
> and unlucky for me i don't speck French,    just speak spanish and got
the
> wrost english in the world.
> Thanks aagain.
> 
> 
> Marcos
> 
> 
> 
> 
> 
> ----- Original Message -----
> From: "Julien Vehent" <julien@linuxwall.info>
> To: "SISINT BA" <INFO@sisint.com.ar>
> Cc: "netfilter" <netfilter@vger.kernel.org>
> Sent: Tuesday, April 21, 2009 11:09 AM
> Subject: Re: traffic shaping documentation
> 
> 
>> I fear not... which's lame, I admit, but I never found the time and
>> motivation to write in english...
>>
>> A quick try on google trad gives good results though.... :)
>>
>>
>> On Tue, 21 Apr 2009 10:26:00 -0300, "SISINT BA" <INFO@SISINT.COM.AR>
> wrote:
>> > I was seeing your doc in French , do you have an englsih version ???
>> >
>> > Thanks a lot
>> > Marcos
>> >
>> > ----- Original Message -----
>> > From: "Julien Vehent" <julien@linuxwall.info>
>> > To: "Mihamina Rakotomandimby (R12y)" <mihamina@lab.vectoris.fr>
>> > Cc: <netfilter@vger.kernel.org>
>> > Sent: Tuesday, April 21, 2009 8:18 AM
>> > Subject: Re: traffic shaping documentation
>> >
>> >
>> >> Hello,
>> >>
>> >> By your signature, I suppose you read french. Then, maybe you will
>> >> find
>> >> some useful information in the doc I wrote a few months ago :
>> >>
>> >
>>
>
http://wiki.linuxwall.info/doku.php?id=ressources:dossiers:advanced_networki
>> > ng:2_qos_traffic_control
>> >>
>> >> Hope it helps...
>> >>
>> >> Julien
>> >>
>> >> On Tue, 21 Apr 2009 11:50:05 +0300, "Mihamina Rakotomandimby (R12y)"
>> >> <mihamina@lab.vectoris.fr> wrote:
>> >> > Hi all,
>> >> > I have a gateway on which I would like to implement traffic
shapping
>> >> based
>> >> > only on ports.
>> >> > The simple schema:
>> >> >
>> >> >      15-PCs-LAN <-> (eth0)[Gateway](eth1) <-> Internet
>> >> >
>> >> > The gateway is also my workstation and it holds many services
>> > accessibles
>> >>
>> >> > from the LAN and from Internet.
>> >> >
>> >> > The problem is HTTP traffic is so much that SSH connection to the
>> >> > remote
>> >> > servers I manage are slow.
>> >> >
>> >> > Therefore, I would like to give:
>> >> > - highest priority to SSH (INPUT/OUTPUT/FORWARD dport 22)
>> >> > - normal priority to others (INPUT/OUTPUT/FORWARD dport:FTP,
>> >> > SVN,...)
>> >> > - lowest priority to HTTP
>> >> >    (dport 80 REDIRECTed INPUT on squid's 3128, OUTPUT dport 80)
>> >> >
>> >> > The perfect would be to shape it on the OUTPUT chain, because I
>> >> > would
>> >> like
>> >> > also the shape affects my (Gateway) behaviour.
>> >> >
>> >> > I am not asking for the direct solution, I am first asking if what
I
>> >> want:
>> >> >   - is a good idea
>> >> >   - implementable
>> >> >   - is documented in another place than lartc.org
>> >> >     (which is good but too much big for my simple needs)
>> >> >
>> >> > Thank you for any tips.
>> >>
>> >> --
>> >> julien
>> >> http://jve.linuxwall.info/blog
>> >> --
>> >> To unsubscribe from this list: send the line "unsubscribe netfilter"
>> >> in
>> >> the body of a message to majordomo@vger.kernel.org
>> >> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>> >>
>>
>> --
>> julien
>> http://jve.linuxwall.info/blog
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>

-- 
julien
http://jve.linuxwall.info/blog

Re: traffic shaping documentation

[Michele Petrazzo - Unipex]

Mihamina Rakotomandimby (R12y) wrote:
> Hi all,

Hi !

> I have a gateway on which I would like to implement traffic shapping 
> based only on ports.

> The problem is HTTP traffic is so much that SSH connection to the 
> remote servers I manage are slow.
> 
> Therefore, I would like to give: - highest priority to SSH 
> (INPUT/OUTPUT/FORWARD dport 22) - normal priority to others 
> (INPUT/OUTPUT/FORWARD dport:FTP, SVN,...) - lowest priority to HTTP 
> (dport 80 REDIRECTed INPUT on squid's 3128, OUTPUT dport 80)
> 

Until here no problem.

> The perfect would be to shape it on the OUTPUT chain, because I would
>  like also the shape affects my (Gateway) behaviour.
> 

That is the normal behavior and the right place where do the
classification. There are also an implementation that works for incoming
and it's called imq, but I never use it.

> I am not asking for the direct solution, I am first asking if what I 
> want: - is a good idea

Why not?

> - implementable

Yes, of course.

> - is documented in another place than lartc.org (which is good but 
> too much big for my simple needs)
> 

Yes. There is a lot of documentation and not a single place for "a copy
and paste for start to play"

For make your setup, I give you some tips for start to work:
for make the classification, you can use:
- iptables by port (simplest)
- iptables by l7 (l7-filter.sf.net)
after match the packets, use the CLASSIFY target (simplest from my point
of view), or the MARK one

OR

- tc filter for the same (classify by port/ip)

Now that you have look at the classification, it's time to prioritize,
so tc it's your friend.
A lot of shape queues can help you and, by me, htb it's one of the more
understandable that exists (http://luxik.cdi.cz/~devik/qos/htb/)

For a simple "copy and work" example with iptables, classify and tc I
post a message on the samba ml where I show I do to it, so take a look
here: http://tinyurl.com/dmdtuz

For all the other, I'm sorry, but lartc howto it's the unique source!

Michele