* [LARTC] Shaping p2p programs
@ 2003-11-05 21:49 GoMi
From: GoMi @ 2003-11-05 21:49 UTC (permalink / raw)
To: lartc
Hi there, I am going to explain my setup and post my scripts in
case they are of any help to anybody :)
This mail is a little long, but I think the only way you can understand me
is by writing you my whole code..
1.- I have two ADSL connections connected through ethernet cards eth0 and
eth1 to the routers
-Both ADSL are 2Mbit downstream / 300kbit upstream
-eth2 goes to my 200-user LAN.
2.- I am doing load balancing (that works great)
3.- I have a mail and web server redirected to eth0's ADSL.
4.- My QoS setup attached to eth0 and eth1
1 Qdisc for high-priority traffic (mark 1)
1 Qdisc for low-priority traffic (mark 2)
1 Qdisc for SYN,ACK traffic (mark 3)
1 Qdisc for ICMP traffic (mark 4)
1 Qdisc for Web-server traffic (mark 5)
->Scripts below
5.- Since I am doing load balancing I have a stateful firewall as
explained in the Nano HOWTO
->Firewall scripts below
6.- Use the mangle table to mark packets and redirect them to the Qdisc
Let me explain my reasoning:
I want to mark interactive traffic like HTTP, SMTP, etc. with
mark 1
Mark DNS traffic and MSN Messenger (dport 1863) as
interactive high priority, mark 1
Mark p2p programs with the ipp2p module, marking p2p
programs with mark 2
(dport 1214 is Imesh)
In order to make sure ACK and SYN traffic is going out
properly I have a special qdisc
If any traffic is unmarked, mark it as low-priority
->Mangle setup below
---->PROBLEM:
The problem comes after having this setup running for an hour or so,
when interactive traffic has VERY HIGH latency, or nearly dies.
Anybody having a more or less similar setup? Because I am going mad
here!
Any suggestions are welcome :) Thank you very much!!!!!
My BOX is an Athlon 900MHz with 1GB RAM:
cat /proc/sys/net/ipv4/ip_conntrack_max
57336
txqueuelen on all eth cards is 100.
----> SCRIPTS
IPTABLES MANGLE Table
iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 4
iptables -t mangle -A POSTROUTING -p udp --dport 53 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -p udp -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -m string --string 'KazaaClient' -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -p tcp --dport 0:1024 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -p tcp --dport 1214 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -p tcp --dport 1863 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,ACK,RST SYN -j MARK --set-mark 3
iptables -t mangle -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -j chkack
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j MARK --set-mark 2
Script for QoS attached to eth0
#!/bin/bash
DEV=eth0
tc qdisc add dev ${DEV} handle 1: root htb default 10
tc class add dev ${DEV} parent 1:1 classid 1:1 htb rate 250kbit
######################################
## Interactive traffic
tc class add dev ${DEV} parent 1:1 classid 1:10 htb rate 100kbit ceil 250kbit
tc qdisc add dev ${DEV} parent 1:10 handle 10: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 1 fw flowid 1:10
#######################################
# Non Interactive Traffic
tc class add dev ${DEV} parent 1:1 classid 1:20 htb rate 50kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:20 handle 20: esfq perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 2 fw flowid 1:20
########################################
## SYN,ACK Traffic
tc class add dev ${DEV} parent 1:1 classid 1:30 htb rate 45kbit ceil 250kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:30 handle 30: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 3 fw flowid 1:30
########################################
## ICMP Traffic
tc class add dev ${DEV} parent 1:1 classid 1:40 htb rate 5kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:40 handle 40: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 4 fw flowid 1:40
########################################
## Web-Server Traffic
tc class add dev ${DEV} parent 1:1 classid 1:50 htb rate 50kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:50 handle 50: esfq hash dst perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 5 fw flowid 1:50
Script for QoS attached to eth1
#!/bin/bash
DEV=eth1
tc qdisc add dev ${DEV} handle 1: root htb default 10
tc class add dev ${DEV} parent 1:1 classid 1:1 htb rate 250kbit
########################################
## Interactive Traffic
tc class add dev ${DEV} parent 1:1 classid 1:10 htb rate 100kbit ceil 250kbit
tc qdisc add dev ${DEV} parent 1:10 handle 10: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 1 fw flowid 1:10
#######################################
# Non Interactive Traffic
tc class add dev ${DEV} parent 1:1 classid 1:20 htb rate 100kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:20 handle 20: esfq perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 2 fw flowid 1:20
########################################
## SYN,ACK Traffic
tc class add dev ${DEV} parent 1:1 classid 1:30 htb rate 50kbit ceil 250kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:30 handle 30: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 3 fw flowid 1:30
#tc filter add dev ${DEV} parent 1:0 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u8 0x34 0xff at 3 match u8 0x10 0xff at 33 flowid 1:30
########################################
## ICMP Traffic
tc class add dev ${DEV} parent 1:1 classid 1:40 htb rate 5kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:40 handle 40: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 4 fw flowid 1:40
Firewall setup
####################################################
## Stateful Firewall
##
iptables -t filter -N keep_state
iptables -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A keep_state -j RETURN
iptables -t nat -N keep_state
iptables -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A keep_state -j RETURN
iptables -t nat -A PREROUTING -j keep_state
iptables -t nat -A POSTROUTING -j keep_state
iptables -t nat -A OUTPUT -j keep_state
iptables -t filter -A INPUT -j keep_state
iptables -t filter -A OUTPUT -j keep_state
iptables -t filter -A FORWARD -j keep_state
iptables -t filter -A FORWARD -p tcp --dport 4661:4662 -j DROP
iptables -t filter -A FORWARD -p udp --dport 4661:4662 -j DROP
iptables -t filter -A FORWARD -p udp --dport 1663 -j DROP
iptables -t filter -A FORWARD -p udp --dport 4665 -j DROP
iptables -t filter -A FORWARD -p tcp --dport 4665 -j DROP
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
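A small model of the POSTROUTING mangle chain from the post, as an added example that is not part of the original message: it walks constructed packets through the rules in the posted order and returns the mark each one leaves with, which is the first thing to check when traffic does not land in the intended class. It assumes a constructed p2p flag standing in for the ipp2p match, treats the chkack chain (not shown in the post) as a no-op, and the final_inverted switch selects between the last rule as posted ('-m mark ! --mark 0') and the '--mark 0' form the reasoning describes.

```python
# Added example, not from the post: a model of the POSTROUTING mangle chain,
# run over constructed packets. MARK is a non-terminating target, so each
# matching rule overwrites the mark and the walk continues; only ACCEPT ends it.
from dataclasses import dataclass, field


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags on the segment, e.g. {"SYN"}
    payload: bytes = b""
    p2p: bool = False               # constructed stand-in for an ipp2p match
    conn: dict = field(default_factory=dict)  # stand-in for the conntrack entry
    mark: int = 0


def mangle_postrouting(pkt, final_inverted=True):
    """Return the mark pkt leaves the chain with and update its connection
    mark as CONNMARK --save-mark would. final_inverted=True is the last rule
    as posted ('-m mark ! --mark 0'); False is the '--mark 0' form."""
    tcp, udp = pkt.proto == "tcp", pkt.proto == "udp"
    pkt.mark = pkt.conn.get("mark", 0)           # -j CONNMARK --restore-mark
    if pkt.mark != 0:                            # -m mark ! --mark 0 -j ACCEPT
        return pkt.mark
    if pkt.proto == "icmp":            pkt.mark = 4
    if udp and pkt.dport == 53:        pkt.mark = 1
    if udp:                            pkt.mark = 2   # also matches DNS
    if tcp and pkt.p2p:                pkt.mark = 2   # -m ipp2p --ipp2p
    if b"KazaaClient" in pkt.payload:  pkt.mark = 2   # -m string
    if tcp and pkt.dport <= 1024:      pkt.mark = 1   # --dport 0:1024
    if tcp and pkt.dport == 1214:      pkt.mark = 2   # Imesh
    if tcp and pkt.dport == 1863:      pkt.mark = 1   # MSN Messenger
    pkt.conn["mark"] = pkt.mark                  # -j CONNMARK --save-mark
    if tcp and pkt.flags & {"SYN", "ACK", "RST"} == {"SYN"}:
        pkt.mark = 3
    # --tcp-flags SYN,RST,ACK ACK -j chkack: chain not in the post, no-op here
    if (pkt.mark != 0) if final_inverted else (pkt.mark == 0):
        pkt.mark = 2
    return pkt.mark


def trace_connection(proto, dport, flags_list=(frozenset(),),
                     final_inverted=True, **kw):
    """Push successive packets of one constructed connection through the
    chain (shared conn state) and return the mark each leaves with."""
    conn, marks = {}, []
    for flags in flags_list:
        pkt = Packet(proto, dport, frozenset(flags), conn=conn, **kw)
        marks.append(mangle_postrouting(pkt, final_inverted))
    return marks
```

Tracing a connection as [first packet, later packet] shows where the first packet of each flow ends up compared with the packets that arrive after the connection mark has been saved.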