Re: QoS & Tor example?
admin wrote:
> Anyone using a setup that uses the QoS features of
> iptables to guarantee internal connections get the
> needed service (vs the Tor connections)? This would
> allow to give the tor connections the max bandwidth
> w/o the fear of starving the local net.
>
> I am looking for an example and to mooch the setup
> (if I can). Regards, -Manuel
>
>
Attached is the qos script I use. You can probably simplify it a lot.
Martin
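#!/bin/bash
#
# Uplink QoS for a router that also runs Tor.  Outbound traffic on the
# Internet-facing interface is shaped by an HTB tree; iptables fwmarks set in
# the mangle table steer packets into the HTB classes.  Locally generated
# packets that match no rule (Tor among them) fall into the lowest-priority
# class, so the local network is never starved by them.
#
# Usage:
#   qos.sh          build qdiscs, classes, filters and mark rules
#   qos.sh status   print qdisc and class statistics for INET_DEV
#   qos.sh stop     remove the qdiscs and flush the mangle table
#
# Requires root (tc, iptables).  Any failing tc/iptables command aborts the
# script (set -e); re-running it starts again from a clean state.

set -eu

UPLINK_SPEED=688          # upstream capacity in kbit/s
INET_DEV=eth1             # Internet-facing interface
DOWNLINK_THROTTLE=N       # set to 'Y' to enable the ingress policer at the end
DOWNLINK_SPEED=1450       # ingress ceiling in kbit/s, somewhat below the real downstream

# Hosts whose traffic always gets the top-priority class (mark 1).
PRIORITY_HOSTS=(
  62.177.186.106/32
  62.177.186.107/32
  62.177.186.108/32
  62.177.186.109/32
  62.177.186.110/32
)

#######################################
# Add one HTB leaf class under 1:1, its SFQ qdisc, and the fw filter that maps
# a fwmark to it.
# Globals:   INET_DEV, UPLINK_SPEED (read)
# Arguments: $1 - class number (10..14); the SFQ handle becomes <class>0:
#            $2 - fwmark selecting this class (also used as the filter prio)
#            $3 - guaranteed share of UPLINK_SPEED in percent
#            $4 - HTB priority (0 is served first)
#######################################
add_class() {
  local class=$1 mark=$2 percent=$3 prio=$4
  # Multiply before dividing: the old $[UPLINK_SPEED/100*N] truncated 688/100
  # to 6, so a 20% share came out as 120kbit instead of 137kbit.
  local rate=$(( UPLINK_SPEED * percent / 100 ))
  tc class add dev "$INET_DEV" parent 1:1 classid "1:$class" htb \
    rate "${rate}kbit" ceil "${UPLINK_SPEED}kbit" prio "$prio"
  tc qdisc add dev "$INET_DEV" parent "1:$class" handle "${class}0:" sfq perturb 10
  tc filter add dev "$INET_DEV" parent 1:0 protocol ip prio "$mark" \
    handle "$mark" fw classid "1:$class"
}

#######################################
# Set a fwmark on matching packets in the mangle table and RETURN from the
# chain so no later rule overwrites it.  This is why rule order matters: a
# packet keeps the mark of the first rule it matches.
# Arguments: $1 - chain (PREROUTING or OUTPUT)
#            $2 - fwmark to set
#            $@ - iptables match expression
#######################################
mark_packets() {
  local chain=$1 fwmark=$2
  shift 2
  iptables -t mangle -A "$chain" "$@" -j MARK --set-mark "$fwmark"
  iptables -t mangle -A "$chain" "$@" -j RETURN
}

action=${1:-}

if [[ "$action" == "status" ]]; then
  tc -s qdisc ls dev "$INET_DEV"
  tc -s class ls dev "$INET_DEV"
  exit 0
fi

# Tear down any previous configuration.  The deletes fail harmlessly when
# nothing is attached yet.  NOTE: -F flushes the *whole* mangle table, so mangle
# rules installed by other tools on this box are removed as well.
tc qdisc del dev "$INET_DEV" root >/dev/null 2>&1 || true
tc qdisc del dev "$INET_DEV" ingress >/dev/null 2>&1 || true
iptables -F -t mangle

if [[ "$action" == "stop" ]]; then
  exit 0
fi

########## uplink: HTB tree ##########
# Root qdisc; packets hit by no fw filter default to class 1:14.
tc qdisc add dev "$INET_DEV" root handle 1: htb default 14
# Parent class pinned to the real uplink speed so queueing happens here
# instead of in the modem / at the ISP.
tc class add dev "$INET_DEV" parent 1: classid 1:1 htb \
  rate "${UPLINK_SPEED}kbit" ceil "${UPLINK_SPEED}kbit"

# Every leaf may borrow up to the full uplink; the share is what it is
# guaranteed when all classes are busy.
#         class  mark  share%  htb-prio
add_class 10     1     20      0   # priority hosts
add_class 11     2     15      1   # interactive: SYN, ICMP, ssh, Minimize-Delay (+ http from the LAN)
add_class 12     3     15      2   # mail, Minimize-Cost, Maximize-Throughput, uid 1000
add_class 13     4     30      4   # everything else forwarded from the LAN
add_class 14     5     20      5   # everything else from this host, i.e. Tor

########## marks: packets forwarded from the LAN (PREROUTING) ##########
# --dport matches connections TO that port on a server on the Internet, the
# only direction that makes sense in PREROUTING.
mark_packets PREROUTING 1 -d 192.168.0.0/24
for host in "${PRIORITY_HOSTS[@]}"; do
  mark_packets PREROUTING 1 -d "$host"
done
# Connection setup, ICMP and ssh are latency sensitive.
mark_packets PREROUTING 2 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN
mark_packets PREROUTING 2 -p icmp
mark_packets PREROUTING 2 -p tcp -m tcp --dport 22
# Mail: SMTP, POP3, IMAP, POP3S, IMAPS.
for port in 25 110 143 995 993; do
  mark_packets PREROUTING 3 -p tcp -m tcp --dport "$port"
done
mark_packets PREROUTING 2 -p tcp -m tcp --dport 80
# TOS bits requested by the application.
mark_packets PREROUTING 2 -m tos --tos Minimize-Delay
mark_packets PREROUTING 3 -m tos --tos Minimize-Cost
mark_packets PREROUTING 3 -m tos --tos Maximize-Throughput
# Everything else from the LAN.
iptables -t mangle -A PREROUTING -j MARK --set-mark 4

########## marks: packets generated on this host (OUTPUT) ##########
# --dport: this host connects out to that port on a remote server.
# --sport: a service on this host answers from that port (e.g. replies of an
#          inbound ssh session leave with source port 22).
for host in "${PRIORITY_HOSTS[@]}" 194.151.164.2/32; do
  mark_packets OUTPUT 1 -d "$host"
done
mark_packets OUTPUT 2 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN
mark_packets OUTPUT 2 -p icmp
mark_packets OUTPUT 2 -p tcp -m tcp --dport 22
mark_packets OUTPUT 2 -p tcp -m tcp --sport 22
mark_packets OUTPUT 3 -p tcp -m tcp --dport 25
mark_packets OUTPUT 3 -p tcp -m tcp --sport 25
for port in 110 993 995; do
  mark_packets OUTPUT 3 -p tcp -m tcp --dport "$port"
done
mark_packets OUTPUT 2 -m tos --tos Minimize-Delay
mark_packets OUTPUT 3 -m tos --tos Minimize-Cost
mark_packets OUTPUT 3 -m tos --tos Maximize-Throughput
# TCP traffic of one specific local user.
mark_packets OUTPUT 3 -p tcp -m owner --uid-owner 1000
# Everything else from this host (Tor etc.) gets the lowest priority.
iptables -t mangle -A OUTPUT -j MARK --set-mark 5

if [[ "$DOWNLINK_THROTTLE" == "N" ]]; then
  exit 0
fi

########## downlink: ingress policer ##########
# Police incoming traffic to somewhat less than the real downstream speed so
# the queue builds here rather than in the ISP's (usually huge) buffers.
# Raise DOWNLINK_SPEED to find out how high it can go.
tc qdisc add dev "$INET_DEV" handle ffff: ingress
# Match everything (0.0.0.0/0) and drop whatever arrives faster than the rate.
tc filter add dev "$INET_DEV" parent ffff: protocol ip prio 50 u32 \
  match ip src 0.0.0.0/0 police rate "${DOWNLINK_SPEED}kbit" burst 10k drop flowid :1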