I have had this exact same question for my server. It's running on an
ADSL line, 443 on the OR port, 80 for the Dir port (iptables redirects to
9001 and 9030) and I notice MUCH more bandwidth usage when I turn on the
dir port. Without the dir port, I barely notice tor slowing down my
regular usage. With it, I often want to turn off tor to do anything
interesting on the net.
I've been using the burst and max bandwidth settings, but I think
prioritizing might be the better way to go. Any good simple references
for iptables?
Another thought I had: Does opening up port 80 create problems all by
itself? I'm imagining non-tor users simply going to 80 and doing GET /
and slurping the results from my tor server, but not really wanting it.
#
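# Uplink bandwidth in kbit/s; the HTB root class below is capped at this rate.
# Every setting here can be overridden from the environment without editing
# the script (e.g. UPLINK_SPEED=512 ./shape.sh).
UPLINK_SPEED=${UPLINK_SPEED:-688}
# Interface facing the Internet; shaping (egress) and policing (ingress) are
# attached to this device.
INET_DEV=${INET_DEV:-eth0}
# Set to 'Y' to enable the downlink policer. Note that the check later in the
# script only tests for the literal "N", so any other value also enables it.
DOWNLINK_THROTTLE=${DOWNLINK_THROTTLE:-Y}
# Downlink rate limit in kbit/s, enforced by the ingress policer.
DOWNLINK_SPEED=${DOWNLINK_SPEED:-3000}

# The rates go straight into tc arithmetic and command lines, so refuse
# anything that is not a plain non-negative integer instead of installing a
# half-built qdisc tree.
for value in "$UPLINK_SPEED" "$DOWNLINK_SPEED"; do
  case "$value" in
    ''|*[!0-9]*)
      echo "invalid bandwidth value '$value' (expected an integer in kbit)" >&2
      exit 1
      ;;
  esac
done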
# "status": dump the qdisc and class statistics for the uplink device and
# leave; the exit status is that of the last tc command.
case "$1" in
  status)
    tc -s qdisc ls dev "$INET_DEV"
    tc -s class ls dev "$INET_DEV"
    exit $?
    ;;
esac
# Tear down any existing egress (root) and ingress qdisc on the uplink
# device. Errors are hidden because "no such qdisc" is the normal case on a
# fresh boot. NOTE: "iptables -F -t mangle" flushes the entire mangle table,
# not just the rules this script installs.
tc qdisc del dev "$INET_DEV" root >/dev/null 2>&1
tc qdisc del dev "$INET_DEV" ingress >/dev/null 2>&1
iptables -F -t mangle
# "stop": the teardown above is all that is wanted.
case "$1" in
  stop) exit 0 ;;
esac
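#################################################################################################
# qdiscs, classes and filters
#
# Uplink shaping: one HTB root (handle 1:) with a single parent class 1:1
# capped at UPLINK_SPEED and five leaf classes 1:10 .. 1:14. Each leaf gets a
# guaranteed share of the uplink (rate), may borrow up to the whole uplink
# (ceil) and has its own HTB priority (lower number is served first when
# classes compete for excess bandwidth). Each leaf is fed by an SFQ qdisc so
# one flow cannot monopolise its class, and packets are steered into a leaf by
# the fwmark set in the mangle table ("handle N fw" -> classid 1:1N).
#
# Leaf table, one entry per line: "minor:share_percent:htb_prio:fwmark".
# The shares add up to 100. Packets without a matching fw filter land in
# 1:14 because of "default 14" on the root qdisc.
htb_leaves="
10:20:0:1
11:15:1:2
12:15:2:3
13:30:4:4
14:20:5:5
"

#######################################
# Compute a percentage share of a rate, in kbit.
# Arguments: $1 - total rate in kbit, $2 - share in percent
# Outputs:   integer kbit value on stdout
# Multiply before dividing: the original $[$UPLINK_SPEED/100*20] form
# truncated 688/100 to 6 first, so every class was under-allocated.
#######################################
share_kbit() {
  printf '%s\n' $(( $1 * $2 / 100 ))
}

# add HTB root qdisc; unmarked packets go to class 1:14
tc qdisc add dev "$INET_DEV" root handle 1: htb default 14
tc class add dev "$INET_DEV" parent 1: classid 1:1 htb \
  rate "${UPLINK_SPEED}kbit" ceil "${UPLINK_SPEED}kbit"

# shellcheck disable=SC2086 — word-splitting the table into lines is intended
for leaf in $htb_leaves; do
  IFS=: read -r minor share prio mark <<EOF
$leaf
EOF
  # leaf class with its guaranteed share, allowed to borrow up to the uplink
  tc class add dev "$INET_DEV" parent 1:1 classid "1:$minor" htb \
    rate "$(share_kbit "$UPLINK_SPEED" "$share")kbit" \
    ceil "${UPLINK_SPEED}kbit" prio "$prio"
  # per-leaf SFQ so flows inside one class share it fairly
  tc qdisc add dev "$INET_DEV" parent "1:$minor" handle "${minor}0:" sfq perturb 10
  # filter: packets carrying fwmark $mark are sent to this leaf
  tc filter add dev "$INET_DEV" parent 1:0 protocol ip prio "$mark" handle "$mark" fw \
    classid "1:$minor"
done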
#################################################################################################
#
# NOTE: the rate/ceil/prio values quoted in this description come from the template this
# script was adapted from; the classes actually created above use the 20/15/15/30/20 %
# shares and prio 0,1,2,4,5 (see the "tc class add" lines). The mark -> class mapping
# does agree with the fw filters above.
#
# classid 1:10 htb rate $[$UPLINK_SPEED/5]kbit ceil $[$UPLINK_SPEED]kbit prio 0 [mark 1]
# This is the highest priority class. The packets in this class will have the lowest delay
# and will get the excess bandwidth first, so it is a good idea to limit the ceil rate of
# this class. We will send through this class the following packets that benefit from low
# delay, such as interactive traffic: ssh, telnet, dns, quake3, irc, and packets with the
# SYN flag.
#
# classid 1:11 htb rate $[$UPLINK_SPEED/5]kbit ceil $[$UPLINK_SPEED]kbit prio 1 [mark 2]
# Here we have the first class in which we can start to put bulk traffic. In my example I have
# traffic from the local web server and requests for web pages: source port 80 and destination
# port 80 respectively. ????
#
# classid 1:12 htb rate $[$UPLINK_SPEED/5]kbit ceil $[9*$UPLINK_SPEED/10]kbit prio 2 [mark 3]
# In this class I will put traffic with the Maximize-Throughput TOS bit set and the rest of the
# traffic that goes from local processes on the router to the Internet. So the following
# classes will only carry traffic that is "routed through" the box.
#
# classid 1:13 htb rate $[$UPLINK_SPEED/5]kbit ceil $[7*$UPLINK_SPEED/10]kbit prio 3 [mark 4]
# Here goes mail traffic (SMTP, POP3, ...) and packets with the Minimize-Cost TOS bit set.
#
# classid 1:14 htb rate $[$UPLINK_SPEED/5]kbit ceil $[8*$UPLINK_SPEED/10]kbit prio 4 [mark 5]
# And finally here we have bulk traffic from the NATed machines behind the router. All kazaa,
# edonkey, and others will go here, in order not to interfere with other services.
#
#################################################################################################
# Packets from internal LAN - rule order does matter !
# Use --dport if you connect TO that port on a server on the internet
(the only option that makes
# sense in the PREROUTING chain).
# priority hosts
iptables -t mangle -A PREROUTING -d 192.168.1.4/32 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -d 192.168.1.4/32 -j RETURN
iptables -t mangle -A PREROUTING -d 192.168.1.6/32 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -d 192.168.1.6/32 -j RETURN
# SYN packets
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK
SYN -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK
SYN -j RETURN
# TOR packets
#iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9090 -j MARK
--set-mark 2
#iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9090 -j RETURN
#iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9091 -j MARK
--set-mark 2
#iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9091 -j RETURN
# POP and SMTP packets
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 25 -j MARK
--set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 25 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 995 -j MARK
--set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 995 -j RETURN
# HTTP packets
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j MARK
--set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j MARK
--set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j RETURN
# TOS rules
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j MARK
--set-mark 2
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j RETURN
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j MARK
--set-mark 3
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j RETURN
iptables -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j
MARK --set-mark 3
iptables -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j
RETURN
# All other packets get low priority
iptables -t mangle -A PREROUTING -j MARK --set-mark 4
# Tor the lowest
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9090 -j MARK
--set-mark 5
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9090 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9091 -j MARK
--set-mark 5
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9091 -j RETURN
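#################################################################################################
# Packets originating from localhost - rule order does matter !
# Use --dport if you connect TO that port on a server on the internet
# Use --sport to mark packets emanating from this computer at a specified port (for services
# running on this computer).
#
# Example :
# If I connect to a remote computer with SSH, the DESTINATION port will be port 22
# The packets that leave this computer have source port xxx and destination port 22
#
# If someone connects to this computer with SSH the SOURCE port will be 22
# The packets that leave this computer will have source port 22 and destination port xxxx
# (it is the opposite way, isn't it?)
#
# Same MARK/RETURN pairing as in PREROUTING: the first matching rule wins.

#######################################
# Append a MARK rule and a matching RETURN rule to the mangle OUTPUT chain.
# Arguments: $1 - fwmark to set; remaining args - the iptables match expression
#######################################
output_mark() {
  local mark=$1
  shift
  iptables -t mangle -A OUTPUT "$@" -j MARK --set-mark "$mark"
  iptables -t mangle -A OUTPUT "$@" -j RETURN
}

# priority hosts
#output_mark 1 -d 192.168.0.2/32
# Resolvers get the top class. "my_isp1_dns" and "my_isp2_dns" are placeholders
# carried over from the original and must be replaced with the real resolver
# addresses (iptables would otherwise try to resolve them as hostnames).
# The original paired the MARK for my_isp1_dns with the RETURN for my_isp2_dns,
# so one was never returned and the other never marked; each host now gets both.
PRIORITY_DNS_HOSTS=${PRIORITY_DNS_HOSTS:-"my_isp1_dns my_isp2_dns 87.37.17.11"}
for host in $PRIORITY_DNS_HOSTS; do
  output_mark 1 -d "$host/32"
done
# SYN packets
output_mark 2 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN
# ICMP packets
output_mark 3 -p icmp
# HTTP packets
output_mark 2 -p tcp -m tcp --dport 80
output_mark 2 -p tcp -m tcp --dport 443
# POP and SMTP packets
output_mark 2 -p tcp -m tcp --dport 25
output_mark 2 -p tcp -m tcp --dport 995
# TOS rules
output_mark 2 -m tos --tos Minimize-Delay
output_mark 3 -m tos --tos Minimize-Cost
output_mark 3 -m tos --tos Maximize-Throughput
# packets owned by a specific UID
# NOTE(review): earlier rules RETURN on first match, so this only catches
# uid 1000's TCP traffic not already classified above (not 80/443/25/995, not SYN).
output_mark 1 -p tcp -m owner --uid-owner 1000
# All other packets (Tor etc.)
iptables -t mangle -A OUTPUT -j MARK --set-mark 5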
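# Only the literal "N" disables the downlink policer; anything else (including
# an empty value) enables it. The variable is quoted so an empty value is a
# clean "false" rather than a test syntax error.
if [ "$DOWNLINK_THROTTLE" = "N" ]; then
  exit 0
fi
########## downlink #############
# slow downloads down to somewhat less than the real speed to prevent
# queuing at our ISP. Tune to see how high you can set it.
# ISPs tend to have *huge* queues to make sure big downloads are fast
#
# attach ingress policer:
tc qdisc add dev "$INET_DEV" handle ffff: ingress
# filter *everything* to it (0.0.0.0/0), drop everything that's coming in too
# fast. This is a policer, not a queue: packets above DOWNLINK_SPEED are
# dropped outright and the senders are expected to back off.
tc filter add dev "$INET_DEV" parent ffff: protocol ip prio 50 u32 \
  match ip src 0.0.0.0/0 \
  police rate "${DOWNLINK_SPEED}kbit" burst 10k drop flowid :1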