Linux traffic control (TC) is part of today's networking world, but not many people know it well. This article is a reference: it records the explanations and configuration files from my earlier study of TC.

Environment:
eth1: 192.168.1.1, internal network port.

Business requirements: ensure normal web browsing, FTP, SMTP and POP3; all other applications are restricted so that they do not affect normal business use.
1. Keep latency low for interactive packets, i.e. uploading or downloading files must not disturb SSH/telnet.
2. Web browsing gets a reasonable rate during uploads or downloads; even though HTTP is a form of bulk transfer, it should not be greatly affected by other transfers.
3. Limit the FTP-data rate so that it does not occupy all of the bandwidth.
4. Limit the SMTP and POP3 rates.
5. Limit the bandwidth of unclassified traffic.
6. Ensure that uploading does not affect downloading. Upload streams slowing down downloads is a common phenomenon.
7. Limit the download rate of each IP address.
8. Priority levels for obtaining idle bandwidth: interactive data, FTP-data, SMTP, POP3 and web browsing; all other traffic gets a lower priority (at least two levels below).

Method:
1. (eth0) Use HTB to divide the uplink into five classes:

    root 1:
      |
    class 1:1
      |
    +--------+--------+--------+--------+
    1:11     1:12     1:13     1:14     1:15

classid 1:11: this class has the highest priority. It gets the lowest latency and obtains idle bandwidth first, so a peak rate (ceil) must be set for it. ssh, telnet, dns, quake3, irc, FTP control, SMTP commands and packets with the SYN flag all belong to this class.
 1) Interactive traffic is always at the front of the queue.
 2) To ensure that upstream streams do not harm downstream streams, the ACK packets must also be put at the front of the queue. This is why bidirectional transfer suffers when a large data stream is running: the ACKs of the downstream data have to compete with the upstream stream and are delayed.
 3) Speed limit: the upload rate is limited to slightly below the available bandwidth, so no queue forms in your modem.
 4) The downstream queue is removed (except for occasional bursts), so that interactive packets are always at the top of the upstream queue.
classid 1:12: class for bulk transfer. It mainly handles web browsing packets with destination ports 80, 8080 and 443.
classid 1:13: packets with TOS "maximize throughput". It handles FTP-data whose destination address is xxxx.
classid 1:14: mail (SMTP, POP3) and packets with TOS "minimize cost". It handles SMTP and POP3 whose destination address is xxxx.
classid 1:15: finally, the machines that do bulk transfers through NAT, so that they do not interfere with normal services.

2. (eth0) Download speed limit: discard packets that arrive too quickly, which keeps the TCP/IP rate from exceeding what we expect. Because we do not want to drop packets lightly, configure "burst" to accommodate bursts.
3. (eth1) Download speed limit: a maximum download rate for each IP address.

Scripts:

1. Queue processing

# Script: rates are in kbit. Adjust CEIL to about 75% of the uplink speed.
# Set the following values to somewhat less than your actual download and uplink speed.
DOWNLINK=2000
UPLINK=384

# clean existing down- and uplink qdiscs, send the errors to /dev/null
tc qdisc del dev eth0 root 2>/dev/null >/dev/null
tc qdisc del dev eth0 ingress 2>/dev/null >/dev/null
tc qdisc del dev eth1 root 2>/dev/null

########################## uplink ##########################
# create the HTB root; by default traffic goes to class 1:15
tc qdisc add dev eth0 root handle 1: htb default 15

# shape everything at $UPLINK speed - this prevents huge queues in your
# DSL modem which destroy latency:
# main class
tc class add dev eth0 parent 1: classid 1:1 htb rate ${UPLINK}kbit ceil ${UPLINK}kbit

# classes: 1:11 has the highest priority, then ftp-data and smtp/pop3, then web browsing;
# each class also gets a maximum (ceil) rate
# high prio class 1:11:
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 128kbit ceil 128kbit prio 0
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 128kbit ceil ${UPLINK}kbit prio 2
tc class add dev eth0 parent 1:1 classid 1:13 htb rate 32kbit ceil ${UPLINK}kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:14 htb rate 32kbit ceil ${UPLINK}kbit prio 1

# bulk & default class 1:15 - gets slightly less traffic, and a lower priority:
tc class add dev eth0 parent 1:1 classid 1:15 htb rate 16kbit ceil ${UPLINK}kbit prio 3

# another qdisc can be attached under each class to ensure fair bandwidth usage:
# all get Stochastic Fairness:
tc qdisc add dev eth0 parent 1:12 handle 12: sfq perturb 10
tc qdisc add dev eth0 parent 1:13 handle 13: sfq perturb 10
tc qdisc add dev eth0 parent 1:14 handle 14: sfq perturb 10
tc qdisc add dev eth0 parent 1:15 handle 15: sfq perturb 10

2. Classification

The queue setup above sends all outgoing packets to class 1:15 by default (tc qdisc add dev eth0 root handle 1: htb default 15). Now we need to tell the machine which class each packet belongs to. Set up filters that use the iptables fwmark to classify packets; use RETURN in iptables to avoid traversing all rules.

# TOS Minimum Delay (ssh, telnet) in 1:11:
tc filter add dev eth0 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:11
# 80, 8080, 443 in 1:12
tc filter add dev eth0 parent 1:0 protocol ip prio 2 handle 2 fw classid 1:12
# ftp-data in 1:13
tc filter add dev eth0 parent 1:0 protocol ip prio 3 handle 3 fw classid 1:13
# smtp, pop3 in 1:14
tc filter add dev eth0 parent 1:0 protocol ip prio 4 handle 4 fw classid 1:14
# everything else in 1:15
tc filter add dev eth0 parent 1:0 protocol ip prio 5 handle 5 fw classid 1:15

A packet carrying a specific fwmark value (handle x fw) is sent to the class (classid 1:x) that the filter names.

Attached configuration script:

#!/bin/bash
############ TC control [HTB] ##########
# variable settings
eth=eth0
S_NET=192.168.0.1
# IP assigned by the ISP
INTER_IP=1.2.3.4

############ SNAT #######################
iptables -t nat -F
# iptables -t nat -I POSTROUTING -s $S_NET -o $eth -j SNAT --to-source $INTER_IP
# iptables -t nat -A POSTROUTING -s $S_NET -o $eth -j MASQUERADE

# clean existing down- and uplink qdiscs, send the errors to /dev/null
tc qdisc del dev eth0 root 2>/dev/null >/dev/null
tc qdisc del dev eth0 ingress 2>/dev/null >/dev/null
tc qdisc del dev eth1 root 2>/dev/null

# root qdisc
# note: no class 1:10 is defined below, so unclassified traffic is sent through the root
# unshaped; point "default" at an existing class or add a class 1:10 to meet requirement 5
tc qdisc add dev $eth root handle 1: htb default 10

# classes
tc class add dev $eth parent 1: classid 1:1 htb rate 2Mbit ceil 3Mbit
tc class add dev $eth parent 1:1 classid 1:11 htb rate 80Kbit ceil 100Kbit prio 1
tc class add dev $eth parent 1:1 classid 1:12 htb rate 500Kbit ceil 550Kbit prio 2
tc class add dev $eth parent 1:1 classid 1:13 htb rate 400Kbit ceil 450Kbit prio 3
tc class add dev $eth parent 1:1 classid 1:14 htb rate 400Kbit ceil 450Kbit prio 4

# all get Stochastic Fairness:
tc qdisc add dev $eth parent 1:12 handle 12: sfq perturb 10
tc qdisc add dev $eth parent 1:13 handle 13: sfq perturb 10
tc qdisc add dev $eth parent 1:14 handle 14: sfq perturb 10

# TOS Minimum Delay (ssh, telnet) in 1:11:
tc filter add dev $eth parent 1:0 protocol ip prio 1 handle 1 fw classid 1:11
# 80, 8080, 443 in 1:12
tc filter add dev $eth parent 1:0 protocol ip prio 2 handle 2 fw classid 1:12
# ftp-data in 1:13
tc filter add dev $eth parent 1:0 protocol ip prio 3 handle 3 fw classid 1:13
# smtp, pop3 in 1:14
tc filter add dev $eth parent 1:0 protocol ip prio 4 handle 4 fw classid 1:14

############### IPTABLES marking ############
# clear mangle rules
iptables -t mangle -F
# ssh, telnet -> mark 1
iptables -t mangle -A PREROUTING -s $S_NET -p tcp --dport 22 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -s $S_NET -p tcp --dport 23 -j MARK --set-mark 1
# 80, 8080, 443 -> mark 2
# (no --syn here: marking only the SYN would leave the rest of each HTTP flow unmarked)
iptables -t mangle -A PREROUTING -s $S_NET -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -s $S_NET -p tcp --dport 8080 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -s $S_NET -p tcp --dport 443 -j MARK --set-mark 2
# ftp control and ftp-data -> mark 3
# (ftp-data is port 20; marking port 22 here would overwrite the ssh mark set above)
iptables -t mangle -A PREROUTING -s $S_NET -p tcp --dport 21 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -s $S_NET -p tcp --dport 20 -j MARK --set-mark 3
# smtp, pop3 -> mark 4
iptables -t mangle -A PREROUTING -s $S_NET -p tcp --dport 25 -j MARK --set-mark 4
iptables -t mangle -A PREROUTING -s $S_NET -p tcp --dport 110 -j MARK --set-mark 4

########### show tc and mangle ###############
tc qdisc show dev $eth
tc class show dev $eth
tc filter show dev $eth
iptables -t mangle -L PREROUTING
# END
echo "[+] setting TC (htb) successful"
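The uplink tree and its fwmark filters above are easy to mistype by hand (a missing classid, a ceil below the rate, guaranteed rates that add up to more than the parent). The script below is an added example, not the article's own script: it builds the same five-class HTB tree from one table and refuses to emit anything when the rates are inconsistent. DEV, UPLINK, the class table and the TC dry-run variable are assumptions constructed here.

```shell
#!/bin/sh
# Added example, not the article's script: build the article's five-class HTB uplink
# tree from one table and sanity-check it before any tc command is issued.
# Assumptions: DEV/UPLINK/CLASSES are constructed here; TC defaults to "echo tc"
# (dry run); set TC=tc and run as root to apply the commands for real.
DEV=${DEV:-eth0}
UPLINK=${UPLINK:-384}   # kbit; keep somewhat below the real uplink so the modem never queues
TC=${TC:-echo tc}

# fwmark:classid:rate_kbit:ceil_kbit:prio (rate is guaranteed, ceil is what it may borrow up to)
CLASSES="1:11:128:128:0
2:12:128:${UPLINK}:2
3:13:32:${UPLINK}:1
4:14:32:${UPLINK}:1
5:15:16:${UPLINK}:3"

# HTB can only honour the guaranteed rates when their sum fits the parent rate and
# every ceil lies between its own rate and the parent. Returns 0 if consistent, 1 if not.
check_classes() {
    sum=0
    for row in $CLASSES; do
        IFS=: read -r mark cid rate ceil prio <<EOF
$row
EOF
        [ "$ceil" -ge "$rate" ] || { echo "class 1:$cid: ceil $ceil < rate $rate" >&2; return 1; }
        [ "$ceil" -le "$UPLINK" ] || { echo "class 1:$cid: ceil $ceil > uplink $UPLINK" >&2; return 1; }
        sum=$((sum + rate))
    done
    [ "$sum" -le "$UPLINK" ] || { echo "sum of rates $sum > uplink $UPLINK" >&2; return 1; }
}

# Emit (or run) the qdisc, class, sfq and fw-filter commands for the whole tree.
build_uplink() {
    check_classes || return 1
    $TC qdisc del dev "$DEV" root 2>/dev/null
    $TC qdisc add dev "$DEV" root handle 1: htb default 15
    $TC class add dev "$DEV" parent 1: classid 1:1 htb rate "${UPLINK}kbit" ceil "${UPLINK}kbit"
    for row in $CLASSES; do
        IFS=: read -r mark cid rate ceil prio <<EOF
$row
EOF
        $TC class add dev "$DEV" parent 1:1 classid "1:$cid" htb \
            rate "${rate}kbit" ceil "${ceil}kbit" prio "$prio"
        $TC qdisc add dev "$DEV" parent "1:$cid" handle "$cid:" sfq perturb 10
        # packets carrying fwmark $mark (set by an iptables MARK rule) land in class 1:$cid
        $TC filter add dev "$DEV" parent 1:0 protocol ip prio "$mark" handle "$mark" fw classid "1:$cid"
    done
}
```

Run it as-is to review the generated commands; once they look right, `TC=tc sh script.sh` as root applies them.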