
Re: QoS & Tor example?



admin wrote:
> Anyone using a setup that uses the QoS features of
> IPTables to guarantee internal connections get the
> needed service (vs the tor connections)? This would
> allow to give the tor connections the max bandwidth
> w/o the fear of starving the local net.
> 
> I am looking for an example and to mooch the setup
> (if I can). Regards, -Manuel
> 
> 

Attached is the qos script I use. You can probably simplify it a lot.

Martin
#!/bin/bash
#
# HTB egress shaper for the Internet-facing interface, with an optional ingress
# policer.  Traffic is sorted into HTB classes by fwmark values that the iptables
# mangle rules further down assign.
#
# Usage:  script          set up shaping
#         script stop     tear everything down
#         script status   print qdisc/class counters for the interface
#
# NOTE: tc and iptables need CAP_NET_ADMIN; nothing here checks for root, the
# commands simply fail with an error if the privilege is missing.

UPLINK_SPEED=688          # kbit/s
INET_DEV=eth1             # interface towards the Internet (shaping is applied here)
DOWNLINK_THROTTLE=N       # set to 'Y' to enable the ingress policer at the end
DOWNLINK_SPEED=1450       # kbit/s, only used when DOWNLINK_THROTTLE=Y

case "$1" in
	status)
		tc -s qdisc ls dev "$INET_DEV"
		tc -s class ls dev "$INET_DEV"
		exit
		;;
esac

# Tear down whatever a previous run left behind.  tc complaining that there is
# nothing to delete (e.g. on a fresh boot) is expected, so its output is silenced.
tc qdisc del dev "$INET_DEV" root    >/dev/null 2>&1
tc qdisc del dev "$INET_DEV" ingress >/dev/null 2>&1

# CAUTION: this flushes *every* chain of the mangle table, not just the rules this
# script adds.  Anything else that lives in mangle (e.g. MSS clamping or marks a
# firewall script uses for policy routing) is wiped as well.
iptables -F -t mangle

# "stop" only cleans up.
[ "$1" = "stop" ] && exit

#################################################################################################
# qdiscs, classes and filters

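# Integer percentage share of a rate, in kbit.  Multiply before dividing: the old
# $[$UPLINK_SPEED/100*20] truncated 688/100 to 6 first, so class 1:10 got 120 kbit
# instead of 137 (and the other classes lost a similar slice of their guarantee).
#   $1 - total rate (kbit)
#   $2 - percentage (0-100)
pct_of() {
	echo $(( $1 * $2 / 100 ))
}

# HTB root qdisc; packets without a matching fw filter (no mark, or mark without a
# filter) fall into class 1:14.
tc qdisc add dev "$INET_DEV" root handle 1: htb default 14

# Single parent class capped at the link rate; all borrowing happens below it.
tc class add dev "$INET_DEV" parent 1: classid 1:1 htb rate "${UPLINK_SPEED}kbit" ceil "${UPLINK_SPEED}kbit"

# Leaf classes.  'rate' is the share guaranteed under contention (they sum to 100%),
# 'ceil' lets any class borrow up to the whole link when the others are idle, and a
# lower 'prio' is served first.  prio 3 is unused; the gap is kept as in the original.
tc class add dev "$INET_DEV" parent 1:1 classid 1:10 htb rate "$(pct_of "$UPLINK_SPEED" 20)kbit" ceil "${UPLINK_SPEED}kbit" prio 0
tc class add dev "$INET_DEV" parent 1:1 classid 1:11 htb rate "$(pct_of "$UPLINK_SPEED" 15)kbit" ceil "${UPLINK_SPEED}kbit" prio 1
tc class add dev "$INET_DEV" parent 1:1 classid 1:12 htb rate "$(pct_of "$UPLINK_SPEED" 15)kbit" ceil "${UPLINK_SPEED}kbit" prio 2
tc class add dev "$INET_DEV" parent 1:1 classid 1:13 htb rate "$(pct_of "$UPLINK_SPEED" 30)kbit" ceil "${UPLINK_SPEED}kbit" prio 4
tc class add dev "$INET_DEV" parent 1:1 classid 1:14 htb rate "$(pct_of "$UPLINK_SPEED" 20)kbit" ceil "${UPLINK_SPEED}kbit" prio 5

# Stochastic fair queueing inside each leaf so a single flow cannot hog its class.
tc qdisc add dev "$INET_DEV" parent 1:10 handle 100: sfq perturb 10
tc qdisc add dev "$INET_DEV" parent 1:11 handle 110: sfq perturb 10
tc qdisc add dev "$INET_DEV" parent 1:12 handle 120: sfq perturb 10
tc qdisc add dev "$INET_DEV" parent 1:13 handle 130: sfq perturb 10
tc qdisc add dev "$INET_DEV" parent 1:14 handle 140: sfq perturb 10

# fwmark -> class.  The marks are assigned by the mangle rules further down; the
# 'prio' here is the filter's match order, not the class priority.
tc filter add dev "$INET_DEV" parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10
tc filter add dev "$INET_DEV" parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11
tc filter add dev "$INET_DEV" parent 1:0 protocol ip prio 3 handle 3 fw classid 1:12
tc filter add dev "$INET_DEV" parent 1:0 protocol ip prio 4 handle 4 fw classid 1:13
tc filter add dev "$INET_DEV" parent 1:0 protocol ip prio 5 handle 5 fw classid 1:14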

#################################################################################################
#
# classid 1:10  rate 20% of UPLINK_SPEED, ceil UPLINK_SPEED, prio 0   [fw mark 1]
#    Highest priority class: lowest delay and first claim on spare bandwidth. The
#    mangle rules below put traffic addressed to the "priority hosts" here.
#
# classid 1:11  rate 15% of UPLINK_SPEED, ceil UPLINK_SPEED, prio 1   [fw mark 2]
#    Interactive traffic: TCP SYN, ICMP, SSH (port 22), HTTP (port 80, forwarded
#    traffic only) and packets with the Minimize-Delay TOS bit set.
#
# classid 1:12  rate 15% of UPLINK_SPEED, ceil UPLINK_SPEED, prio 2   [fw mark 3]
#    Mail (ports 25, 110, 143, 993, 995), packets with the Minimize-Cost or
#    Maximize-Throughput TOS bit set, and locally generated TCP owned by uid 1000.
#
# classid 1:13  rate 30% of UPLINK_SPEED, ceil UPLINK_SPEED, prio 4   [fw mark 4]
#    Everything else that is routed through this box (PREROUTING catch-all).
#
# classid 1:14  rate 20% of UPLINK_SPEED, ceil UPLINK_SPEED, prio 5   [fw mark 5]
#    Everything else generated on this box, i.e. Tor. Packets carrying no mark at all
#    also land here because of "htb default 14".
#
# NOTE: every class has ceil = UPLINK_SPEED, so a single class may take the whole link
# while the others are idle; the rates only guarantee each share under contention.
# If the interactive classes should never be starved by a burst from a low class,
# lower the ceil of the bulk classes.
#
#################################################################################################
# Packets from the internal LAN (forwarded traffic) - rule order does matter!
# In PREROUTING only --dport is meaningful: it is the port you connect TO on a
# server on the Internet.
#
# SECURITY NOTE: every match below keys on fields the sending host controls
# (destination port, SYN flag, TOS bits).  Any LAN host can therefore put bulk
# traffic into the mark-2 class by tagging it Minimize-Delay or using port 22/80.
# Fine for a trusted LAN; this is prioritisation, not enforcement.

# Append a MARK rule and a matching RETURN for one match expression.
#   $1 - fwmark value; remaining args - iptables match expression
pre_mark() {
	local mark=$1
	shift
	iptables -t mangle -A PREROUTING "$@" -j MARK --set-mark "$mark"
	iptables -t mangle -A PREROUTING "$@" -j RETURN
}

# priority hosts -> mark 1 (class 1:10)
for host in 192.168.0.0/24 62.177.186.106/32 62.177.186.107/32 \
            62.177.186.108/32 62.177.186.109/32 62.177.186.110/32; do
	pre_mark 1 -d "$host"
done

# interactive -> mark 2 (class 1:11): SYN, ICMP, SSH
pre_mark 2 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN
pre_mark 2 -p icmp
pre_mark 2 -p tcp -m tcp --dport 22

# mail -> mark 3 (class 1:12): SMTP, POP3, IMAP, POP3S, IMAPS
for port in 25 110 143 995 993; do
	pre_mark 3 -p tcp -m tcp --dport "$port"
done

# HTTP -> mark 2 (class 1:11)
pre_mark 2 -p tcp -m tcp --dport 80

# TOS bits
pre_mark 2 -m tos --tos Minimize-Delay
pre_mark 3 -m tos --tos Minimize-Cost
pre_mark 3 -m tos --tos Maximize-Throughput

# everything else routed through the box -> mark 4 (class 1:13); last rule, no RETURN
iptables -t mangle -A PREROUTING -j MARK --set-mark 4

#################################################################################################
# Packets originating from localhost - rule order does matter !
# Use --dport if you connect TO that port on a server on the internet
# Use --sport to mark packets emanating from this computer at the specified port (for services
# running on this computer).
#
# Example :
# If I connect to a remote computer with SSH, the DESTINATION port will be port 22
# The packets that leave this computer have source port xxx and destination port 22
#
# If someone connects to this computer with SSH the SOURCE port will be 22
# The packets that leave this computer will have source port 22 and destination port xxxx

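# Optional: classify the Tor daemon's own packets before anything else.  Without
# this, Tor's SYNs and every Tor connection to port 22/25/110/993/995 (or a socket
# with a TOS bit set) match the rules below and land in the mark-2/mark-3 classes,
# ahead of the "Tor gets what is left" catch-all at the end - the opposite of what
# this chain is meant to do.  Set TOR_USER to the user name or numeric uid tor runs
# as; when it is empty the rule is skipped and the chain behaves exactly as before.
# It sits first on purpose so it also beats the priority-host rules; move it below
# them if Tor traffic to those hosts should stay privileged.  The owner match is
# only valid for locally generated packets, which is why it lives in OUTPUT only.
# If the account does not exist iptables rejects the rule and Tor falls back to
# the old classification - watch for that error in the output.
if [ -n "${TOR_USER:-}" ]; then
	iptables -t mangle -A OUTPUT -m owner --uid-owner "$TOR_USER" -j MARK --set-mark 5
	iptables -t mangle -A OUTPUT -m owner --uid-owner "$TOR_USER" -j RETURN
fi

# Append a MARK rule and a matching RETURN for one match expression.
#   $1 - fwmark value; remaining args - iptables match expression
out_mark() {
	local mark=$1
	shift
	iptables -t mangle -A OUTPUT "$@" -j MARK --set-mark "$mark"
	iptables -t mangle -A OUTPUT "$@" -j RETURN
}

# priority hosts -> mark 1 (class 1:10)
for host in 62.177.186.106/32 62.177.186.107/32 62.177.186.108/32 \
            62.177.186.109/32 62.177.186.110/32 194.151.164.2/32; do
	out_mark 1 -d "$host"
done

# interactive -> mark 2 (class 1:11): SYN, ICMP, SSH in both directions
# (--dport 22: we are the client; --sport 22: replies from our own sshd)
out_mark 2 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN
out_mark 2 -p icmp
out_mark 2 -p tcp -m tcp --dport 22
out_mark 2 -p tcp -m tcp --sport 22

# mail -> mark 3 (class 1:12): outgoing SMTP, replies from our own SMTP server,
# POP3, IMAPS, POP3S
out_mark 3 -p tcp -m tcp --dport 25
out_mark 3 -p tcp -m tcp --sport 25
out_mark 3 -p tcp -m tcp --dport 110
out_mark 3 -p tcp -m tcp --dport 993
out_mark 3 -p tcp -m tcp --dport 995

# TOS bits
out_mark 2 -m tos --tos Minimize-Delay
out_mark 3 -m tos --tos Minimize-Cost
out_mark 3 -m tos --tos Maximize-Throughput

# TCP sockets owned by uid 1000 -> mark 3 (class 1:12)
out_mark 3 -p tcp -m owner --uid-owner 1000

# All other locally generated packets (Tor etc.) -> mark 5 (class 1:14); last rule
iptables -t mangle -A OUTPUT -j MARK --set-mark 5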


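# Ingress policing is opt-in: anything other than an explicit 'Y' leaves it off.
# The old unquoted test ([ $DOWNLINK_THROTTLE = "N" ]) hit a syntax error when the
# variable was empty, evaluated false and fell straight into the policer, i.e. it
# failed open.
if [ "${DOWNLINK_THROTTLE:-N}" != "Y" ]; then
	exit
fi

########## downlink #############
# Police incoming traffic to somewhat less than the real downlink speed so that
# the queue builds here rather than at the ISP.  ISPs tend to have *huge* queues
# to make sure big downloads are fast.  Tune DOWNLINK_SPEED to see how high you
# can set it.
#
# Attach the ingress qdisc (ingress cannot queue, it can only police/drop):
tc qdisc add dev "$INET_DEV" handle ffff: ingress

# Match every IPv4 packet (src 0.0.0.0/0) and drop whatever arrives faster than
# DOWNLINK_SPEED.  Only 'protocol ip' is matched, so IPv6 traffic, if any, is
# not policed by this rule.
tc filter add dev "$INET_DEV" parent ffff: protocol ip prio 50 u32 match ip src \
   0.0.0.0/0 police rate "${DOWNLINK_SPEED}kbit" burst 10k drop flowid :1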