* [LARTC] HTB traffic shaping + squid cache proxy
@ 2003-11-13  9:23 Rokas
  2003-11-14  6:12 ` Eddie
  0 siblings, 1 reply; 2+ messages in thread
From: Rokas @ 2003-11-13  9:23 UTC (permalink / raw)
  To: lartc


Hello!

My system is:
Internet ADSL(PPPoE) ---> ppp0 [LINUX server(router)] eth0 ---> LAN
Server(router) is running on LINUX Slackware 8.1. I have recompiled a
2.4.22 kernel, enabled all QoS support in the kernel config,
including HTB. My ADSL bandwidth is 256Kbit/s for download and
64Kbit/s for upload.

I use the following HTB+IPTABLES configuration, because I want to
reduce bandwidth for all traffic, except HTTP, MAIL, ICQ, IRC, SSH and
etc.
-------------------------------------------------------------------------
#!/bin/bash
TC=/sbin/tc
IPTABLES=/usr/sbin/iptables

$TC qdisc del dev eth0 root 2> /dev/null > /dev/null
$TC qdisc del dev ppp0 root 2> /dev/null > /dev/null
$IPTABLES -F POSTROUTING -t mangle

$TC qdisc add dev eth0 root handle 1: htb default 50 r2q 2

$TC class add dev eth0 parent 1: classid 1:2 htb rate 248Kbit burst 35k

$TC class add dev eth0 parent 1:2 classid 1:10 htb rate 220Kbit ceil 240Kbit burst 25k prio 0

$TC class add dev eth0 parent 1:2 classid 1:30 htb rate 28Kbit ceil 28Kbit burst 10k prio 1

$TC qdisc add dev eth0 parent 1:10 handle 11: sfq perturb 10
$TC qdisc add dev eth0 parent 1:30 handle 33: sfq perturb 10

$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -j MARK --set-mark 3
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 80 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 443 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 22 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 21 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 53 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p udp --sport 53 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 110 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 5190 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 6661:6669 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p icmp -j MARK --set-mark 1

$TC filter add dev eth0 parent 1:0 protocol ip handle 1 fw flowid 1:10
$TC filter add dev eth0 parent 1:0 protocol ip handle 3 fw flowid 1:30
##############################

$TC qdisc add dev ppp0 root handle 1: htb default 20

$TC class add dev ppp0 parent 1: classid 1:1 htb rate 62Kbit burst 35k
$TC class add dev ppp0 parent 1:1 classid 1:10 htb rate 40Kbit ceil 60Kbit burst 25k prio 1

$TC class add dev ppp0 parent 1:1 classid 1:20 htb rate 15Kbit ceil 55Kbit burst 10k prio 2

$TC class add dev ppp0 parent 1:1 classid 1:30 htb rate 7Kbit ceil 28Kbit burst 5k prio 3

$TC qdisc add dev ppp0 parent 1:10 handle 10: sfq perturb 10
$TC qdisc add dev ppp0 parent 1:20 handle 20: sfq perturb 10
$TC qdisc add dev ppp0 parent 1:30 handle 30: sfq perturb 10

$TC filter add dev ppp0 parent 1:0 protocol ip prio 10 u32 \
  match ip tos 0x10 0xff  flowid 1:10

$TC filter add dev ppp0 parent 1: protocol ip prio 10 u32 \
   match ip protocol 6 0xff \
   match u8 0x05 0x0f at 0 \
   match u16 0x0000 0xffc0 at 2 \
   match u8 0x10 0xff at 33 \
   flowid 1:10

$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s ! 192.168.0.0/24 -j MARK --set-mark 12

$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s ! 192.168.0.0/24 -p icmp -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s ! 192.168.0.0/24 -p tcp --sport 22 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s ! 192.168.0.0/24 -p tcp --sport 80 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s ! 192.168.0.0/24 -p tcp --dport 80 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s ! 192.168.0.0/24 -p tcp --dport 21 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s ! 192.168.0.0/24 -p tcp --dport 20 -j MARK --set-mark 11

$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MARK --set-mark 13

$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 80 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 443 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 53 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p udp --dport 53 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 22 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 23 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 21 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 25 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 110 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 5190 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 6661:6669 -j MARK --set-mark 11

$TC filter add dev ppp0 parent 1:0 protocol ip handle 11 fw flowid 1:10
$TC filter add dev ppp0 parent 1:0 protocol ip handle 12 fw flowid 1:20
$TC filter add dev ppp0 parent 1:0 protocol ip handle 13 fw flowid 1:30
--------------------------------------------------------------------------

This configuration works rather well. But I decided to start a SQUID
HTTP caching transparent proxy on the same server box. I have
configured squid on the 8080 port, and I redirect all the HTTP traffic
to the SQUID proxy server:
iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080

The redirection works OK, and transparent proxy does its work. But
what about HTTP downstream traffic shaping ? In my earlier configuration
(without SQUID), I just put HTB classes on my internal eth0 interface,
so I could point HTTP traffic into high rate/priority class. But if I
redirect HTTP traffic through SQUID proxy, this shaping becomes not
effective, because I can shape only outgoing traffic on each
interface. What would be your suggestions about this issue ? Perhaps
it is a bad idea to use SQUID proxy ? The most important thing for me
is to reduce the download of big files via FTP, KaZaA and etc. (all
non-privileged ports), and to give the WWW and other important
traffic the highest bandwidth rate and priority and to speed the WWW...
I would be very grateful if you could give me suggestions how to speed
up WWW...

     Rokas Zakarevicius


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
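
An added example, not part of either message: a small shell model of the eth0 marking rules and fw filters posted above, showing which HTB class a packet ends up in. The addresses and sample packets are constructed, and it assumes that squid's replies pass mangle POSTROUTING with the router's own LAN address (taken to be 192.168.0.1) and port 8080 as source.

```shell
#!/bin/sh
# Added example: model of the eth0 mangle POSTROUTING rules and fw filters
# from the posted script. MARK does not end rule traversal, so the last
# matching rule decides the mark.

# eth0_mark SRC PROTO [SPORT]: print the fwmark left on the packet (0 = none)
eth0_mark() {
    src=$1 proto=$2 sport=$3
    # Every posted eth0 rule carries "-s ! 192.168.0.0/24"
    case "$src" in
        192.168.0.*) echo 0; return 0 ;;
    esac
    mark=3                                   # catch-all rule
    case "$proto" in
        icmp) mark=1 ;;
        udp)  if [ "$sport" = 53 ]; then mark=1; fi ;;
        tcp)
            case "$sport" in
                80|443|22|21|53|110|5190) mark=1 ;;
                666[1-9]) mark=1 ;;          # --sport 6661:6669
            esac ;;
    esac
    echo "$mark"
}

# eth0_class SRC PROTO [SPORT]: HTB class chosen by the two fw filters
eth0_class() {
    case "$(eth0_mark "$@")" in
        1) echo 1:10 ;;
        3) echo 1:30 ;;
        # No fw filter matches: "htb default 50" applies, but the script
        # defines no class 1:50, so HTB passes the packet unshaped.
        *) echo 1:50 ;;
    esac
}

# Constructed sample packets (addresses are assumptions, not from the post)
for pkt in "203.0.113.10 tcp 80" "203.0.113.10 tcp 1214" "192.168.0.1 tcp 8080"; do
    # shellcheck disable=SC2086
    printf '%-24s -> %s\n' "$pkt" "$(eth0_class $pkt)"
done
```

Under that assumption the proxied HTTP replies match neither mark, so they sit outside both the 1:10 and 1:30 classes rather than competing inside the 248Kbit parent.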


* Re: [LARTC] HTB traffic shaping + squid cache proxy
  2003-11-13  9:23 [LARTC] HTB traffic shaping + squid cache proxy Rokas
@ 2003-11-14  6:12 ` Eddie
  0 siblings, 0 replies; 2+ messages in thread
From: Eddie @ 2003-11-14  6:12 UTC (permalink / raw)
  To: lartc

Just a thing. As I understand, the users go to squid and squid goes to the
web page? Something like this:

[network]-----8080----[eth0 linux eth1]----80---web.
So if you limit the port 80 traffic on eth1 it should slow down squid,
but you don't want to limit traffic on eth0's 8080 because what's the use
of a proxy then?
This is just how I see it?

On Thu, 2003-11-13 at 11:23, Rokas wrote:
> Hello!
> 
> My system is:
> Internet ADSL(PPPoE) ---> ppp0 [LINUX server(router)] eth0 ---> LAN
> Server(router) is running on LINUX Slackware 8.1. I have recompiled a
> 2.4.22 kernel, enabled all QoS support in the kernel config,
> including HTB. My ADSL bandwidth is 256Kbit/s for download and
> 64Kbit/s for upload.
> 
> I use the following HTB+IPTABLES configuration, because I want to
> reduce bandwidth for all traffic, except HTTP, MAIL, ICQ, IRC, SSH and
> etc.
> -------------------------------------------------------------------------
> #!/bin/bash
> TC=/sbin/tc
> IPTABLES=/usr/sbin/iptables
> 
> $TC qdisc del dev eth0 root 2> /dev/null > /dev/null
> $TC qdisc del dev ppp0 root 2> /dev/null > /dev/null
> $IPTABLES -F POSTROUTING -t mangle
> 
> $TC qdisc add dev eth0 root handle 1: htb default 50 r2q 2
> 
> $TC class add dev eth0 parent 1: classid 1:2 htb rate 248Kbit burst 35k
> 
> $TC class add dev eth0 parent 1:2 classid 1:10 htb rate 220Kbit ceil 240Kbit burst 25k prio 0
> 
> $TC class add dev eth0 parent 1:2 classid 1:30 htb rate 28Kbit ceil 28Kbit burst 10k prio 1
> 
> $TC qdisc add dev eth0 parent 1:10 handle 11: sfq perturb 10
> $TC qdisc add dev eth0 parent 1:30 handle 33: sfq perturb 10
> 
> $IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -j MARK --set-mark 3
> $IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 80 -j MARK --set-mark 1
> $IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 443 -j MARK --set-mark 1
> $IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 22 -j MARK --set-mark 1
> $IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 21 -j MARK --set-mark 1
> $IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 53 -j MARK --set-mark 1
> $IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p udp --sport 53 -j MARK --set-mark 1
> $IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 110 -j MARK --set-mark 1
> $IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 5190 -j MARK --set-mark 1
> $IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 6661:6669 -j MARK --set-mark 1
> $IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p icmp -j MARK --set-mark 1
> 
> $TC filter add dev eth0 parent 1:0 protocol ip handle 1 fw flowid 1:10
> $TC filter add dev eth0 parent 1:0 protocol ip handle 3 fw flowid 1:30
> ##############################
> 
> $TC qdisc add dev ppp0 root handle 1: htb default 20
> 
> $TC class add dev ppp0 parent 1: classid 1:1 htb rate 62Kbit burst 35k
> $TC class add dev ppp0 parent 1:1 classid 1:10 htb rate 40Kbit ceil 60Kbit burst 25k prio 1
> 
> $TC class add dev ppp0 parent 1:1 classid 1:20 htb rate 15Kbit ceil 55Kbit burst 10k prio 2
> 
> $TC class add dev ppp0 parent 1:1 classid 1:30 htb rate 7Kbit ceil 28Kbit burst 5k prio 3
> 
> $TC qdisc add dev ppp0 parent 1:10 handle 10: sfq perturb 10
> $TC qdisc add dev ppp0 parent 1:20 handle 20: sfq perturb 10
> $TC qdisc add dev ppp0 parent 1:30 handle 30: sfq perturb 10
> 
> $TC filter add dev ppp0 parent 1:0 protocol ip prio 10 u32 \
>   match ip tos 0x10 0xff  flowid 1:10
> 
> $TC filter add dev ppp0 parent 1: protocol ip prio 10 u32 \
>    match ip protocol 6 0xff \
>    match u8 0x05 0x0f at 0 \
>    match u16 0x0000 0xffc0 at 2 \
>    match u8 0x10 0xff at 33 \
>    flowid 1:10
> 
> $IPTABLES -t mangle -A POSTROUTING -o ppp0 -s ! 192.168.0.0/24 -j MARK --set-mark 12
> 
> $IPTABLES -t mangle -A POSTROUTING -o ppp0 -s ! 192.168.0.0/24 -p icmp -j MARK --set-mark 11
> $IPTABLES -t mangle -A POSTROUTING -o ppp0 -s ! 192.168.0.0/24 -p tcp --sport 22 -j MARK --set-mark 11
> $IPTABLES -t mangle -A POSTROUTING -o ppp0 -s ! 192.168.0.0/24 -p tcp --sport 80 -j MARK --set-mark 11
> $IPTABLES -t mangle -A POSTROUTING -o ppp0 -s ! 192.168.0.0/24 -p tcp --dport 80 -j MARK --set-mark 11
> $IPTABLES -t mangle -A POSTROUTING -o ppp0 -s ! 192.168.0.0/24 -p tcp --dport 21 -j MARK --set-mark 11
> $IPTABLES -t mangle -A POSTROUTING -o ppp0 -s ! 192.168.0.0/24 -p tcp --dport 20 -j MARK --set-mark 11
> 
> $IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MARK --set-mark 13
> 
> $IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 80 -j MARK --set-mark 11
> $IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 443 -j MARK --set-mark 11
> $IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 53 -j MARK --set-mark 11
> $IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p udp --dport 53 -j MARK --set-mark 11
> $IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 22 -j MARK --set-mark 11
> $IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 23 -j MARK --set-mark 11
> $IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 21 -j MARK --set-mark 11
> $IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 25 -j MARK --set-mark 11
> $IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 110 -j MARK --set-mark 11
> $IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 5190 -j MARK --set-mark 11
> $IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 6661:6669 -j MARK --set-mark 11
> 
> $TC filter add dev ppp0 parent 1:0 protocol ip handle 11 fw flowid 1:10
> $TC filter add dev ppp0 parent 1:0 protocol ip handle 12 fw flowid 1:20
> $TC filter add dev ppp0 parent 1:0 protocol ip handle 13 fw flowid 1:30
> --------------------------------------------------------------------------
> 
> This configuration works rather well. But I decided to start a SQUID
> HTTP caching transparent proxy on the same server box. I have
> configured squid on the 8080 port, and I redirect all the HTTP traffic
> to the SQUID proxy server:
> iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080
> 
> The redirection works OK, and transparent proxy does its work. But
> what about HTTP downstream traffic shaping ? In my earlier configuration
> (without SQUID), I just put HTB classes on my internal eth0 interface,
> so I could point HTTP traffic into high rate/priority class. But if I
> redirect HTTP traffic through SQUID proxy, this shaping becomes not
> effective, because I can shape only outgoing traffic on each
> interface. What would be your suggestions about this issue ? Perhaps
> it is a bad idea to use SQUID proxy ? The most important thing for me
> is to reduce the download of big files via FTP, KaZaA and etc. (all
> non-privileged ports), and to give the WWW and other important
> traffic the highest bandwidth rate and priority and to speed the WWW...
> I would be very grateful if you could give me suggestions how to speed
> up WWW...
> 
>      Rokas Zakarevicius
> 
> 
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
