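#!/bin/bash
# packetfilter and traffic control: an HTB tree shapes the uplink on $DEV, an
# ingress policer caps the downlink, and iptables mangle marks steer packets
# into the HTB classes (fw classifier). Needs root (CAP_NET_ADMIN) plus the
# tc and iptables binaries.
# Usage: <script> {start|stop|restart|status|mangle}
#
# Names follow the usual shell convention: UPPER_CASE constants, functions as
# named below; the spaced "Dev = ..." form of the original does not assign.
set -u
readonly DEV="tun0"
# Uplink bandwidth in kbit/s; every HTB class rate/ceil below derives from it.
readonly UPLINK=300
# About half of the 3200 K downstream link, so as to get more concurrent connections.
readonly DOWNLINK=2048
# Two VIP users that get their own, higher ingress police rate.
readonly VIP1="192.168.1.159/32"
readonly VIP2="192.168.1.163/32"
echo "=============================== packetfilter and traffic control by Network Technology Department ver. 1.0 ================================="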
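#######################################
# Build the uplink HTB tree on $DEV, hang an SFQ under every leaf, attach the
# fw filters that map iptables marks onto classes, then add the ingress
# policer for the downlink. Class ids follow the original layout
# (1:1 -> 1:11, 1:12; 1:2 -> 1:21..1:24; 1:3 = VIP).
# Globals:  DEV, UPLINK, DOWNLINK, VIP1, VIP2 (read)
# Outputs:  progress text on stdout
# Returns:  0 when every tc command succeeded, 1 on the first failure
#           (the original ignored tc errors and always reported success)
#######################################
Start_routing() {
  echo -n "queue settings start ......"
  # Removing a stale root qdisc is left to Stop_routing (restart calls it first):
  # tc qdisc del dev "$DEV" root 2>/dev/null
  #
  # 1. Root queue; packets no filter classifies land in the default class 1:24.
  tc qdisc add dev "$DEV" root handle 1: htb default 24 || return 1
  # 1.1 Main class 1:1 under the root, capped at $UPLINK kbit.
  tc class add dev "$DEV" parent 1: classid 1:1 htb rate "${UPLINK}kbit" ceil "${UPLINK}kbit" prio 0 || return 1
  # 1.1.1 First leaf under the main class: highest priority, for small
  #       latency-sensitive packets such as SYN, ACK and ICMP.
  tc class add dev "$DEV" parent 1:1 classid 1:11 htb rate "${UPLINK}kbit" ceil "${UPLINK}kbit" prio 1 || return 1
  # 1.1.2 Second leaf under the main class: important data (e.g. CRM traffic).
  #       The original wrote ${UPLINK-50} for the ceil, which in shell means
  #       "50 if UPLINK is unset", not a subtraction; $((UPLINK-50)) is meant.
  tc class add dev "$DEV" parent 1:1 classid 1:12 htb rate "$((UPLINK-150))kbit" ceil "$((UPLINK-50))kbit" prio 2 || return 1
  # 1.2 Secondary stem class 1:2 under the root; everything below it has a
  #     lower priority than the main class so bulk traffic cannot starve it.
  tc class add dev "$DEV" parent 1: classid 1:2 htb rate "$((UPLINK-150))kbit" prio 3 || return 1
  # 1.2.1 e.g. HTTP or POP.
  tc class add dev "$DEV" parent 1:2 classid 1:21 htb rate 100kbit ceil "$((UPLINK-150))kbit" prio 4 || return 1
  # 1.2.2 e.g. SMTP; kept slow so large attachments cannot hog the link.
  tc class add dev "$DEV" parent 1:2 classid 1:22 htb rate 30kbit ceil "$((UPLINK-160))kbit" prio 5 || return 1
  # 1.2.3 e.g. ftp-data; bulk transfers get little guaranteed bandwidth.
  tc class add dev "$DEV" parent 1:2 classid 1:23 htb rate 15kbit ceil "$((UPLINK-170))kbit" prio 6 || return 1
  # 1.2.4 Everything else (the htb default class).
  tc class add dev "$DEV" parent 1:2 classid 1:24 htb rate 5kbit ceil "$((UPLINK-250))kbit" prio 7 || return 1
  # 1.3 VIP class 1:3. The original comment says "under class 1" but the
  #     command attaches it to the root (parent 1:); the command is kept.
  #     NOTE(review): the leaf rates add up to more than their parents' rates
  #     and 1:3 asks for more than the whole uplink, so HTB cannot honour every
  #     guarantee at once — confirm these numbers are intended.
  tc class add dev "$DEV" parent 1: classid 1:3 htb rate "$((UPLINK+1000))kbit" prio 3 || return 1

  # Give every leaf an SFQ so a single session cannot monopolise its class.
  # SFQ hashes sessions (TCP connections / UDP streams) onto a limited set of
  # FIFO queues served round-robin; "perturb" is how often (seconds) the hash
  # is re-seeded so colliding sessions do not stay paired.
  tc qdisc add dev "$DEV" parent 1:11 handle 111: sfq perturb 5 || return 1
  tc qdisc add dev "$DEV" parent 1:12 handle 112: sfq perturb 5 || return 1
  tc qdisc add dev "$DEV" parent 1:3 handle 13: sfq perturb 5 || return 1
  tc qdisc add dev "$DEV" parent 1:21 handle 121: sfq perturb 10 || return 1
  tc qdisc add dev "$DEV" parent 1:22 handle 122: sfq perturb 10 || return 1
  # handle 133: kept as found (it only has to be unique on this device).
  tc qdisc add dev "$DEV" parent 1:23 handle 133: sfq perturb 10 || return 1
  tc qdisc add dev "$DEV" parent 1:24 handle 124: sfq perturb 10 || return 1
  echo "the queue is set successfully. Done."

  echo -n "set the packet filter setting up filters ......"
  # fw filters: "handle N" is the iptables mark value set in the mangle table,
  # classid is the class such packets go to, prio is the filter order.
  tc filter add dev "$DEV" parent 1:0 protocol ip prio 1 handle 1 fw classid 1:11 || return 1
  tc filter add dev "$DEV" parent 1:0 protocol ip prio 2 handle 2 fw classid 1:12 || return 1
  tc filter add dev "$DEV" parent 1:0 protocol ip prio 3 handle 3 fw classid 1:21 || return 1
  # VIP uplink class. The original repeated "prio 3 handle 3" here, which is
  # the same key as the line above and is rejected by tc as a duplicate; Status
  # documents the VIP channel as class 7 and marks 1-6 and 8 are taken, so
  # mark 7 is used. Nothing sets mark 7 yet, so this filter is inert until a
  # VIP rule is added to Start_mangle.
  tc filter add dev "$DEV" parent 1:0 protocol ip prio 3 handle 7 fw classid 1:3 || return 1
  tc filter add dev "$DEV" parent 1:0 protocol ip prio 4 handle 4 fw classid 1:22 || return 1
  tc filter add dev "$DEV" parent 1:0 protocol ip prio 5 handle 5 fw classid 1:23 || return 1
  tc filter add dev "$DEV" parent 1:0 protocol ip prio 6 handle 6 fw classid 1:24 || return 1
  echo "filter set successfully. Done."

  ########## Downlink ##########
  # 6. Downstream limits: police the ports that typically pull large downloads
  #    so replies do not arrive faster than the link can absorb. Ingress has
  #    no real queue, only policing (drop above rate).
  # (1) Downlink around $DOWNLINK K, enough to keep more concurrent downloads going.
  tc qdisc add dev "$DEV" handle ffff: ingress || return 1
  # NOTE(review): the ingress hook runs before netfilter PREROUTING, so the
  # mark-8 rules Start_mangle installs there are most likely not visible to
  # this fw filter on the same interface; the u32 filters below do the work.
  tc filter add dev "$DEV" parent ffff: protocol ip prio 50 handle 8 fw police rate "${DOWNLINK}kbit" burst 10k drop flowid :8 || return 1
  # VIP channel: higher download rate for the two special addresses.
  tc filter add dev "$DEV" parent ffff: protocol ip prio 3 u32 match ip dst "$VIP1" police rate 2000kbit burst 10k drop flowid :1 || return 1
  tc filter add dev "$DEV" parent ffff: protocol ip prio 3 u32 match ip dst "$VIP2" police rate 2000kbit burst 10k drop flowid :1 || return 1
  # (2) If the LAN traffic is well-behaved the download limit is unnecessary:
  #     comment out the two lines above.
  # (3) To rate-limit every incoming packet regardless of source:
  tc filter add dev "$DEV" parent ffff: protocol ip prio 10 u32 match ip src 0.0.0.0/0 police rate "${DOWNLINK}kbit" burst 10k drop flowid :1 || return 1
}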
######################################## ######################################## ###############
#7. Start marking the data packet and add the mangle rule to the prerouting chain:
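#######################################
# Append "<match> -j MARK --set-mark <mark>" plus the matching "-j RETURN" to
# a chain of the mangle table, so a packet leaves the chain as soon as it is
# marked and later rules are not traversed.
# Arguments: $1 - chain (PREROUTING or OUTPUT); $2 - mark value;
#            $3.. - iptables match expression
# Returns:   0 on success, non-zero if either iptables call fails
#######################################
_mangle_mark() {
  local chain=$1 mark=$2
  shift 2
  iptables -t mangle -A "$chain" "$@" -j MARK --set-mark "$mark" || return 1
  iptables -t mangle -A "$chain" "$@" -j RETURN
}

#######################################
# Mark packets in the mangle table so the fw filters of Start_routing can
# classify them:
#   (1) marks 1-6 on outgoing traffic (by dport / TOS / flags) select the uplink class;
#   (2) mark 8 on incoming traffic (by sport) selects the downlink policer;
#   (3) every mark rule is followed by RETURN to stop rule traversal early.
# Globals:  DEV (read)
# Outputs:  progress text on stdout
# Returns:  0 on success, 1 on the first failing iptables call
#           (the original ignored iptables errors)
#######################################
Start_mangle() {
  echo -n "Start marking the data packet... start mangle mark ......"
  # Flush, delete custom chains and zero counters of the WHOLE mangle table:
  # any mangle rules installed by other tooling on this host are lost too.
  iptables -t mangle -F || return 1
  iptables -t mangle -X || return 1
  iptables -t mangle -Z || return 1
  # Set VIP: the original has no rules here, so the VIP uplink class
  # receives no traffic until a rule is added.
  # TOS handling. NOTE: TOS bits are chosen by the sender and not validated
  # here, so any host can request Minimize-Delay and land in the top class;
  # treat class 1 as best-effort priority, not a guarantee.
  _mangle_mark PREROUTING 1 -m tos --tos Minimize-Delay || return 1
  _mangle_mark PREROUTING 4 -m tos --tos Minimize-Cost || return 1
  _mangle_mark PREROUTING 5 -m tos --tos Maximize-Throughput || return 1
  # TCP connection setup (SYN only) gets top priority.
  _mangle_mark PREROUTING 1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN || return 1
  # ICMP in the first class for a good ping response.
  _mangle_mark PREROUTING 1 -p icmp || return 1
  # Small packets (probably just ACKs) could go to class 2; disabled because
  # the port rules below are finer grained:
  # _mangle_mark PREROUTING 2 -p tcp -m length --length :64
  # FTP control in class 2 (small packets), ftp-data in class 5 (bulk);
  # replies on these ports get mark 8 for the downlink policer.
  _mangle_mark PREROUTING 2 -p tcp -m tcp --dport ftp || return 1
  _mangle_mark PREROUTING 5 -p tcp -m tcp --dport ftp-data || return 1
  _mangle_mark PREROUTING 8 -p tcp -m tcp --sport ftp || return 1
  _mangle_mark PREROUTING 8 -p tcp -m tcp --sport ftp-data || return 1
  # SSH is interactive and important: class 1.
  _mangle_mark PREROUTING 1 -p tcp -m tcp --dport 22 || return 1
  # SMTP: class 4, so a large mail cannot block the rest.
  _mangle_mark PREROUTING 4 -p tcp -m tcp --dport 25 || return 1
  # _mangle_mark PREROUTING 8 -p tcp -m tcp --sport 25
  # DNS: class 1 so name lookups resolve quickly.
  _mangle_mark PREROUTING 1 -p udp -m udp --dport 53 || return 1
  # HTTP: class 3, the most common traffic.
  _mangle_mark PREROUTING 3 -p tcp -m tcp --dport 80 || return 1
  _mangle_mark PREROUTING 8 -p tcp -m tcp --sport 80 || return 1
  # POP mail: class 3.
  _mangle_mark PREROUTING 3 -p tcp -m tcp --dport 110 || return 1
  _mangle_mark PREROUTING 8 -p tcp -m tcp --sport 110 || return 1
  # HTTPS: class 3.
  _mangle_mark PREROUTING 3 -p tcp -m tcp --dport 443 || return 1
  _mangle_mark PREROUTING 8 -p tcp -m tcp --sport 443 || return 1
  # Microsoft SQL Server: class 2, speed and priority matter.
  _mangle_mark PREROUTING 2 -p tcp -m tcp --dport 1433 || return 1
  _mangle_mark PREROUTING 8 -p tcp -m tcp --sport 1433 || return 1
  # VoIP: keep the voice channel in class 1.
  _mangle_mark PREROUTING 1 -p tcp -m tcp --dport 1720 || return 1
  _mangle_mark PREROUTING 1 -p udp -m udp --dport 1720 || return 1
  # VPN used for VoIP: class 1 as well, to avoid intermittent drops.
  _mangle_mark PREROUTING 1 -p udp -m udp --dport 1723 || return 1
  # _mangle_mark PREROUTING 1 -p tcp -m tcp --dport 7070
  # WWW caching service: class 3.
  _mangle_mark PREROUTING 3 -p tcp -m tcp --dport 8080 || return 1
  _mangle_mark PREROUTING 8 -p tcp -m tcp --sport 8080 || return 1
  # Locally generated traffic: SSH and ICMP in class 1, small packets
  # (probably just ACKs) in class 2.
  _mangle_mark OUTPUT 1 -p tcp -m tcp --dport 22 || return 1
  _mangle_mark OUTPUT 1 -p icmp || return 1
  _mangle_mark OUTPUT 2 -p tcp -m length --length :64 || return 1
  # (4) Catch-all: anything arriving on $DEV that is still unmarked gets mark 6.
  #     Class 1:24 is the HTB default anyway; the mark keeps the setup
  #     consistent and gives a visible packet count for that rule.
  iptables -t mangle -A PREROUTING -i "$DEV" -j MARK --set-mark 6 || return 1
  echo "marked! Mangle Mark done!"
}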
# Renewal #-----------------------------------------------------------------------------------------------------
#8. Cancel the custom function used for mangle tag
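#######################################
# Flush every rule in the mangle table so no marks are applied any more.
# Outputs:  "OK." or "error." on stdout
# Returns:  0 on success, 1 when iptables fails (the original always
#           returned the status of the trailing echo, i.e. 0)
#######################################
Stop_mangle() {
  echo -n "Stop data mark stop mangle table ......"
  if iptables -t mangle -F; then
    echo "OK."
  else
    echo "error."
    return 1
  fi
}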
#9. Used to cancel a queue
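#######################################
# Remove the root (uplink) and ingress (downlink) qdiscs from $DEV.
# Globals:  DEV (read)
# Outputs:  "OK. Deleted successfully!" or "error." on stdout
# Returns:  0 when both qdiscs were removed, 1 if either deletion failed
#######################################
Stop_routing() {
  local failed=0
  echo -n "(delete all queues ......)"
  # Each qdisc is removed independently so a missing root qdisc does not leave
  # the ingress policer behind (the original chained the two with &&).
  tc qdisc del dev "$DEV" root || failed=1
  tc qdisc del dev "$DEV" ingress || failed=1
  if (( failed )); then
    echo "error."
    return 1
  fi
  echo "OK. Deleted successfully!"
}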
#10. display status
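#######################################
# Print the current qdisc/class/filter state of $DEV plus a legend of the
# class numbers used by the mark rules.
# Globals:  DEV, UPLINK (read)
# Outputs:  tc output and legend on stdout
# Returns:  status of the last command
#######################################
Status() {
  echo "1. Show qdisc $DEV (show upstream queue):----------------------------------------------"
  tc -s qdisc show dev "$DEV"
  echo "2. Show class $DEV (show upstream category):----------------------------------------------"
  tc class show dev "$DEV"
  echo "3. tc -s class show dev $DEV (show upstream queue and classified traffic details):------------------"
  tc -s class show dev "$DEV"
  # Numbered 4 here; the original repeated "3." for this heading.
  echo "4. tc -s filter ls dev $DEV (display downlink queue and classified traffic details):------------------"
  tc -s filter ls dev "$DEV" parent ffff:
  echo "NOTE: Set the uplink bandwidth of the total queue ${UPLINK}K."
  echo "1. classid SSH, DNS, and SYN packets. This is the highest priority class and the first class"
  echo "2. classid important data, which is a class with a higher priority."
  echo "3. classid web, POP service"
  echo "4. classid SMTP service"
  echo "5. classid FTP-Data service"
  echo "6. classid other services"
  echo "7. classid VIP channel"
}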
#11. Show Help
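#######################################
# Print the command-line help.
# Outputs:  usage text on stdout
#######################################
Usage() {
  # ${0##*/} is the script's basename without spawning basename(1).
  echo "usage: ${0##*/} [start|stop|restart|status|mangle]"
  echo "Parameter Function:"
  echo "start    start traffic control"
  echo "stop     stop traffic control"
  echo "restart  reload traffic control"
  echo "status   shows queue traffic"
  echo "mangle   display mark"
}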
# Renewal #----------------------------------------------------------------------------------------------
#12. The following is the control of the script running parameter selection
#
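# Kernel gate. The original accepted only "2.4" and "2.6" and refused "2.2"
# and anything else as unknown. HTB, SFQ, the ingress qdisc and the fw/u32
# classifiers used above are present in every later kernel as well, so 3.x+
# is accepted too; only a 2.x kernel older than 2.4 is refused.
kernel_release=$(uname -r)
if [[ "$kernel_release" =~ ^([0-9]+)\.([0-9]+) ]]; then
  kernel_major=${BASH_REMATCH[1]}
  kernel_minor=${BASH_REMATCH[2]}
else
  echo "(!) Error: Unknown kernel version '$kernel_release'. Check it!" >&2
  exit 1
fi
if (( kernel_major < 2 || (kernel_major == 2 && kernel_minor < 4) )); then
  echo "(!) Error: won't do anything with kernel $kernel_release (2.2.x is not supported)" >&2
  exit 1
fi

action=${1:-}
# Changing tc/iptables state needs CAP_NET_ADMIN; fail early with a clear
# message instead of a cascade of permission errors.
case "$action" in
  start|stop|restart|mangle)
    if (( EUID != 0 )); then
      echo "(!) Error: '$action' must be run as root" >&2
      exit 1
    fi
    ;;
esac

case "$action" in
  start)
    if Start_routing && Start_mangle; then
      echo "start traffic control! TC started!"
    else
      # The original exited 0 even after printing "error"; report failure.
      echo "error."
      exit 1
    fi
    ;;
  stop)
    if Stop_routing && Stop_mangle; then
      echo "stop traffic control! TC stopped!"
    else
      echo "error."
      exit 1
    fi
    ;;
  restart)
    # A failed stop is tolerated (nothing may be installed yet); a failed
    # start is not.
    Stop_routing
    Stop_mangle
    if Start_routing && Start_mangle; then
      echo "reload traffic control rules!"
    else
      echo "error."
      exit 1
    fi
    ;;
  status)
    Status
    ;;
  mangle)
    echo "iptables -t mangle -nL (display details of the current mangle table tag):"
    iptables -t mangle -nL
    ;;
  *)
    Usage
    exit 1
    ;;
esac
echo "script done!"
# The original ended with "exit 1", which made restart/status/mangle look
# failed to any caller checking the status; a completed run is success.
exit 0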