Gentoo Archives: gentoo-user

From: Xamindar <junkxamindar@×××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] I can't get traffic shaping to work properly :(
Date: Tue, 06 Nov 2007 06:29:16
Message-Id: 47300868.7040608@gmail.com
I have tried following the howto here:
http://gentoo-wiki.com/HOWTO_Packet_Shaping
But it doesn't work. First of all it ends up limiting both upload AND
download. I have tried a few different ways with all the same result.
Anyone know what is wrong here?

Here is my firewall file:
Code:

#!/bin/bash
#############################################################################
# Explanation of iptables for clarity
#############################################################################
# filter -> table used to implement the firewall
# nat    -> table used to implement IP masquerading (= internet sharing)
# mangle -> table used for specialized packet alteration
#
#  | tables  | chains            | explanation
# -+---------+-------------------+-------------------------------------------
#  |         | _/-- INPUT        | for traffic coming into your box
#  | filter <---- OUTPUT         | for traffic going out of your box
#  |         | \_-- FORWARD      | for packets being routed through the box
#  |         |                   | (= packets that aren't meant for you)
#  |         | _/-- PREROUTING   | for altering traffic as soon as it comes in
#  | nat    <---- OUTPUT         | for altering locally-generated packets
#  |         |                   | before routing
#  |         | \_-- POSTROUTING  | for altering traffic as it's about to go out
#  | mangle  | has all five chains above; used here to mark packets
#############################################################################
# Options for new rules (-A rules)
# -----------------------------------
# -p -> protocol (tcp, udp, icmp, or all)
# -s -> source
# -d -> destination
# -j -> target of the rule (where to send it)
# -i -> in interface (only for INPUT, FORWARD and PREROUTING chains)
# -o -> out interface (only for FORWARD, OUTPUT and POSTROUTING chains)
#############################################################################

## Variables applying to the system
IPTABLES='/sbin/iptables'
# external interface
EXTIF='eth0'
# internal interface
INTIF='eth1'
TORRENT_CLIENT_PORT='65123'
### Modules needed, just add one per line.
MODULES="ip_tables
iptable_nat
ip_nat_ftp
ip_conntrack_ftp"
for i in $MODULES;
do
    echo "Inserting module $i"
    modprobe $i
done

# Flush rules and delete chains
$IPTABLES -F
$IPTABLES -X
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
# Set the default policies for the chains
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

### Set up the firewall rules
# Allow loopback traffic (needed because the default INPUT policy is DROP)
$IPTABLES -t filter -A INPUT -i lo -j ACCEPT
# Allow anything from the lan to this box
$IPTABLES -t filter -A INPUT -i $INTIF -j ACCEPT
# Allow anything from outside in if connection is already established
$IPTABLES -t filter -A INPUT -i $EXTIF -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow the following services in from the wild
$IPTABLES -t filter -A INPUT -i $EXTIF -p tcp --dport ssh -j ACCEPT
$IPTABLES -t filter -A INPUT -i $EXTIF -p tcp --dport 80 -j ACCEPT
# allow ftp on special port
$IPTABLES -t filter -A INPUT -i $EXTIF -p tcp --dport 6543:6599 -j ACCEPT
$IPTABLES -t filter -A INPUT -i $EXTIF -p udp --dport 6543:6599 -j ACCEPT
#$IPTABLES -t filter -A INPUT -i $EXTIF -p tcp --dport 20 -j ACCEPT
#$IPTABLES -t filter -A INPUT -i $EXTIF -p udp --dport 20 -j ACCEPT

## Prioritizing packets for shaping
MARKPRIO1="1"
MARKPRIO2="2"
MARKPRIO3="3"
MARKPRIO4="4"
# Setting priority marks (MARK is non-terminating, so a later matching rule
# overwrites the mark set by an earlier one)

# Prio 1
# icmp
$IPTABLES -t mangle -A FORWARD -p icmp -j MARK --set-mark $MARKPRIO1
$IPTABLES -t mangle -A OUTPUT -p icmp -j MARK --set-mark $MARKPRIO1
# ssh
$IPTABLES -t mangle -A FORWARD -p tcp --dport 22 -j MARK --set-mark $MARKPRIO1
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark $MARKPRIO1
# non tcp
$IPTABLES -t mangle -A FORWARD ! -p tcp -j MARK --set-mark $MARKPRIO1
$IPTABLES -t mangle -A OUTPUT ! -p tcp -j MARK --set-mark $MARKPRIO1

# Prio 2

# Prio 3
# http
$IPTABLES -t mangle -A FORWARD -p tcp --dport 80 -j MARK --set-mark $MARKPRIO3
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark $MARKPRIO3
# https
$IPTABLES -t mangle -A FORWARD -p tcp --dport 443 -j MARK --set-mark $MARKPRIO3
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark $MARKPRIO3
# smtp
$IPTABLES -t mangle -A FORWARD -p tcp --dport 25 -j MARK --set-mark $MARKPRIO3
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark $MARKPRIO3

# Prio 4
# packets >= 1024 bytes
$IPTABLES -t mangle -A FORWARD -p tcp -m length --length 1024: -j MARK --set-mark $MARKPRIO4
# bittorrent
$IPTABLES -t mangle -A FORWARD -i $EXTIF -p tcp --sport 1025:65535 -j MARK --set-mark $MARKPRIO4
$IPTABLES -t mangle -A FORWARD -i $EXTIF -p tcp --dport 1025:65535 -j MARK --set-mark $MARKPRIO4

# Remaining (still unmarked) packets are marked according to TOS
$IPTABLES -t mangle -A FORWARD -p tcp -m tos --tos Minimize-Delay -m mark --mark 0 -j MARK --set-mark $MARKPRIO1
$IPTABLES -t mangle -A FORWARD -p tcp -m tos --tos Maximize-Throughput -m mark --mark 0 -j MARK --set-mark $MARKPRIO2
$IPTABLES -t mangle -A FORWARD -p tcp -m tos --tos Minimize-Cost -m mark --mark 0 -j MARK --set-mark $MARKPRIO4

## To work around comcast torrent block
#$IPTABLES -A INPUT -p tcp --dport $TORRENT_CLIENT_PORT --tcp-flags RST RST -j DROP
##END torrent block

### create custom chains
#$IPTABLES -N private-internet
#$IPTABLES -N internet-private
#$IPTABLES -N icmp_accept
# Create a special log and drop chain
$IPTABLES -N log_drop
$IPTABLES -A log_drop -j LOG --log-prefix "DROP---> "
$IPTABLES -A log_drop -j DROP
# log and reject chain
$IPTABLES -N log_reject
$IPTABLES -A log_reject -j LOG --log-prefix "REJECT---> "
$IPTABLES -A log_reject -j REJECT
# log and drop test for new rules
$IPTABLES -N log_drop_test
$IPTABLES -A log_drop_test -j LOG --log-prefix "TEST-DROP---> "
$IPTABLES -A log_drop_test -j DROP

### Special forwarding for internal servers and certain programs

## lain forwards (192.168.2.22)
# quake 3 on lain
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 27960 -j DNAT --to 192.168.2.22:27960
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 27960 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 27961 -j DNAT --to 192.168.2.22:27961
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 27961 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 27960 -j DNAT --to 192.168.2.22:27960
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 27960 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 27961 -j DNAT --to 192.168.2.22:27961
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 27961 -j ACCEPT

# Descent 3 on lain
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 2092 -j DNAT --to 192.168.2.22:2092
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 2092 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 2093 -j DNAT --to 192.168.2.22:2093
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 2093 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 2092 -j DNAT --to 192.168.2.22:2092
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 2092 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 2093 -j DNAT --to 192.168.2.22:2093
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 2093 -j ACCEPT

# azureus on laptop
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 65124 -j DNAT --to 192.168.2.22:65124
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 65124 -j DNAT --to 192.168.2.22:65124
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 65124 -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 65124 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 34625 -j DNAT --to 192.168.2.22:34625
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 34625 -j ACCEPT
# azureus to lain - 192.168.1.22
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 65123 -j DNAT --to 192.168.2.23:65123
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 65123 -j DNAT --to 192.168.2.23:65123
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.23 --dport 65123 -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.23 --dport 65123 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 34625 -j DNAT --to 192.168.2.23:34625
$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.23 --dport 34625 -j ACCEPT
# gtk-gnutella to laptop
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 34064 -j DNAT --to 192.168.2.22:34064
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 34064 -j DNAT --to 192.168.2.22:34064
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 34064 -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 34064 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 34065 -j DNAT --to 192.168.2.23:34065
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 34065 -j DNAT --to 192.168.2.23:34065
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.23 --dport 34065 -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.23 --dport 34065 -j ACCEPT

# VNC to lain
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 5900 -j DNAT --to 192.168.2.28:5900
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.28 --dport 5900 -j ACCEPT

# rdesktop to lain
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 3389 -j DNAT --to 192.168.2.22:3389
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 3389 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 3389 -j DNAT --to 192.168.2.22:3389
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 3389 -j ACCEPT

## nyuu forwards (192.168.2.28)
# Descent 3 server to nyuu (192.168.2.28)
# trackers
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 22999 -j DNAT --to 192.168.2.28:22999
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.28 --dport 22999 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 27900 -j DNAT --to 192.168.2.28:27900
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.28 --dport 27900 -j ACCEPT
# d3 game servers
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 2111:2119 -j DNAT --to 192.168.2.28:2111-2119
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.28 --dport 2111:2119 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 2111:2119 -j DNAT --to 192.168.2.28:2111-2119
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.28 --dport 2111:2119 -j ACCEPT
# nyuu: vnc incoming
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 5910 -j DNAT --to 192.168.2.28:5910
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.28 --dport 5910 -j ACCEPT
#
# ftp to proliant
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 21 -j DNAT --to 192.168.2.26:21
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.26 --dport 21 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 20 -j DNAT --to 192.168.2.26:20
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.26 --dport 20 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 21 -j DNAT --to 192.168.2.22:21
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 21 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 20 -j DNAT --to 192.168.2.22:20
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 20 -j ACCEPT

# palantir on MythTV box
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 3000 -j DNAT --to 192.168.2.24:3000
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.24 --dport 3000 -j ACCEPT
# mythweb (apache server) on MythTV box
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 8080 -j DNAT --to 192.168.2.24:8080
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.24 --dport 8080 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 8080 -j DNAT --to 192.168.2.24:8080
$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.24 --dport 8080 -j ACCEPT

### Set up the ip forwarding
$IPTABLES -t filter -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $EXTIF -o $INTIF -m state --state RELATED,ESTABLISHED -j ACCEPT

### Set up ip masquerading
# Allow the internal boxes onto the Internet
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
## enable ip forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

And here is the script that sets up the traffic shaping
Code:

#!/bin/bash
# Constants

# Interface you want to do shaping on
# eth2, eth1 for direct connection; ppp0 or so for dsl
# and other dialup connections (check ifconfig)
IFACE=eth0

# clear it out first (ignore the error when no root qdisc exists yet)
tc qdisc del dev $IFACE root 2>/dev/null

# Priority marks (must match the MARKPRIO values set by the firewall script)
MARKPRIO1="1"
MARKPRIO2="2"
MARKPRIO3="3"
MARKPRIO4="4"

# Rates
UPRATE="152kbit"
#P2PRATE=$UPRATE
P2PRATE="128kbit"
PRIORATE1="65kbit"
PRIORATE2="46kbit"
PRIORATE3="27kbit"
PRIORATE4="8kbit"

# Quantum
QUANTUM1="12187"
QUANTUM2="8625"
QUANTUM3="5062"
QUANTUM4="1500"

# Burst
BURST1="6k"
BURST2="4k"
BURST3="2k"
BURST4="0k"
CBURST1="3k"
CBURST2="2k"
CBURST3="1k"
CBURST4="0k"

# Set queue length for IFACE
ifconfig $IFACE txqueuelen 16

# Specify queue discipline (unmarked traffic goes to class 1:103)
tc qdisc add dev $IFACE root handle 1:0 htb default 103 r2q 1

# Set root class
tc class add dev $IFACE parent 1:0 classid 1:1 htb rate $UPRATE burst $BURST1 cburst $CBURST1
# Specify sub classes
tc class add dev $IFACE parent 1:1 classid 1:101 htb rate $PRIORATE1 ceil $UPRATE quantum $QUANTUM1 burst $BURST1 cburst $CBURST1 prio 0
tc class add dev $IFACE parent 1:1 classid 1:102 htb rate $PRIORATE2 ceil $UPRATE quantum $QUANTUM2 burst $BURST2 cburst $CBURST2 prio 1
tc class add dev $IFACE parent 1:1 classid 1:103 htb rate $PRIORATE3 ceil $UPRATE quantum $QUANTUM3 burst $BURST3 cburst $CBURST3 prio 2
tc class add dev $IFACE parent 1:1 classid 1:104 htb rate $PRIORATE4 ceil $P2PRATE quantum $QUANTUM4 burst $BURST4 cburst $CBURST4 prio 3

# Filter packets into classes by their firewall mark
tc filter add dev $IFACE parent 1:0 protocol ip prio 0 handle $MARKPRIO1 fw classid 1:101
tc filter add dev $IFACE parent 1:0 protocol ip prio 1 handle $MARKPRIO2 fw classid 1:102
tc filter add dev $IFACE parent 1:0 protocol ip prio 2 handle $MARKPRIO3 fw classid 1:103
tc filter add dev $IFACE parent 1:0 protocol ip prio 3 handle $MARKPRIO4 fw classid 1:104

# Add queuing disciplines
tc qdisc add dev $IFACE parent 1:101 sfq perturb 16 quantum $QUANTUM1
tc qdisc add dev $IFACE parent 1:102 sfq perturb 16 quantum $QUANTUM2
tc qdisc add dev $IFACE parent 1:103 sfq perturb 16 quantum $QUANTUM3
tc qdisc add dev $IFACE parent 1:104 sfq perturb 16 quantum $QUANTUM4
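As an added sanity check that is not part of this post or the wiki howto: a small Python validator for the HTB class tree and fw filters in the shaping script above, run on those tc lines with the shell variables expanded to the script's values. It checks that each child's ceil stays within its parent's, that the children's guaranteed rates fit inside the root rate, that every fw mark has a class to land in, and that each quantum follows the 1.5 x rate-in-bytes/s convention the script's numbers use (an observation about this script, not an HTB requirement).

```python
import re
# Constructed input: the shaping script's "tc class/filter add" lines with its shell variables expanded.
TC_LINES = """
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 152kbit burst 6k cburst 3k
tc class add dev eth0 parent 1:1 classid 1:101 htb rate 65kbit ceil 152kbit quantum 12187 burst 6k cburst 3k prio 0
tc class add dev eth0 parent 1:1 classid 1:102 htb rate 46kbit ceil 152kbit quantum 8625 burst 4k cburst 2k prio 1
tc class add dev eth0 parent 1:1 classid 1:103 htb rate 27kbit ceil 152kbit quantum 5062 burst 2k cburst 1k prio 2
tc class add dev eth0 parent 1:1 classid 1:104 htb rate 8kbit ceil 128kbit quantum 1500 burst 0k cburst 0k prio 3
tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 1 fw classid 1:101
tc filter add dev eth0 parent 1:0 protocol ip prio 1 handle 2 fw classid 1:102
tc filter add dev eth0 parent 1:0 protocol ip prio 2 handle 3 fw classid 1:103
tc filter add dev eth0 parent 1:0 protocol ip prio 3 handle 4 fw classid 1:104
"""
def to_bps(rate):  # '152kbit' -> 152000; tc's kbit means 1000 bit/s
    m = re.fullmatch(r"(\d+)(k?)bit", rate)
    return int(m.group(1)) * (1000 if m.group(2) else 1)

def quantum_for(rate_bps):  # the script's convention: 1.5 x rate in bytes/s
    return int(rate_bps / 8 * 1.5)

def parse(text):  # -> ({classid: {parent, rate, ceil, quantum}}, {fw mark: classid})
    classes, filters = {}, {}
    for line in text.strip().splitlines():
        tok = [t for t in line.split() if t not in ("htb", "fw")]  # lone keywords
        kv = dict(zip(tok[3::2], tok[4::2]))  # option/value pairs after "add"
        if tok[1] == "class":
            classes[kv["classid"]] = {
                "parent": kv["parent"], "rate": to_bps(kv["rate"]),
                "ceil": to_bps(kv.get("ceil", kv["rate"])), "quantum": int(kv.get("quantum", 0))}
        elif tok[1] == "filter":
            filters[int(kv["handle"])] = kv["classid"]
    return classes, filters

def check(classes, filters):  # list of findings; [] means the tree is consistent
    out = []
    for cid, c in classes.items():
        parent = classes.get(c["parent"])
        if parent and c["ceil"] > parent["ceil"]:
            out.append(f"{cid}: ceil is above its parent's ceil")
        if c["quantum"] and c["quantum"] != quantum_for(c["rate"]):
            out.append(f"{cid}: quantum does not follow the 1.5 x rate rule")
    for pid, p in classes.items():
        kids = [c["rate"] for c in classes.values() if c["parent"] == pid]
        if kids and sum(kids) > p["rate"]:
            out.append(f"{pid}: children's guaranteed rates add up to more than its rate")
    for mark, cid in filters.items():
        if cid not in classes:
            out.append(f"fw mark {mark}: filter points at missing class {cid}")
    return out
```

With the script's values the tree passes; note that the validator only covers the egress tree on $IFACE, so a mark that is only ever set on packets arriving on that interface never reaches these classes.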

Attachments

File name MIME type
firewall.sh application/x-shellscript
shaping2.sh application/x-shellscript

Replies

Subject Author
Re: [gentoo-user] I can't get traffic shaping to work properly :( Daniel Iliev <daniel.iliev@×××××.com>