Chandrashekhar Rane
2002-Oct-23 03:45 UTC
How to control incoming and outgoing traffic using tc + iptables
Dear All,

I try to implement bandwidth control using tc + iptables.

Following is the setup I have at my premises.

eth0 -- Connected to local LAN
eth1 -- Connected with ISP

Following is my requirement.
1) I want to split a 10Kbps pipe into two (5kbps each).
2) One 5kbps pipe is again split into 2kbps and 3kbps.
   The 2kbps pipe I am going to use to give internet access to all the machines in my local LAN (i.e. 192.168.2.0/24).
   The 3kbps for SMTP, SSH connections for all.
3) The second 5kbps pipe is split into 512bytes and 4.5kbps.
   The 512bytes pipe I want to give to, say, some specific machine whose IP is 192.168.2.12, and the 4.5kbps pipe I want to dedicate to, say, IP 192.168.2.22.

The tc script for implementing the same is as follows
---------------------------------------------------------------------------
# Root cbq qdiscs on both interfaces
tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1 cbq bandwidth 10Mbit avpkt 1000 cell 8

tc qdisc del dev eth1 root
tc qdisc add dev eth1 root handle 1 cbq bandwidth 10Mbit avpkt 1000 cell 8

# eth1 (towards the ISP): 80Kbit split 40/40, then 16/24 and 4/36; fwmarks 1-4
tc class add dev eth1 parent 1: classid 1:80 cbq bandwidth 10Mbit rate 80Kbit weight 8Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated

tc class add dev eth1 parent 1:80 classid 1:801 cbq bandwidth 10Mbit rate 40Kbit weight 4Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated

tc class add dev eth1 parent 1:801 classid 1:8011 cbq bandwidth 10Mbit rate 16Kbit weight 2Kbit prio 3 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth1 parent 1:8011 handle 8011 tbf rate 16Kbit buffer 2048 limit 2048 mtu 1500
tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 3 fw classid 1:8011

tc class add dev eth1 parent 1:801 classid 1:8012 cbq bandwidth 10Mbit rate 24Kbit weight 3Kbit prio 2 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth1 parent 1:8012 handle 8012 tbf rate 24Kbit buffer 3072 limit 3072 mtu 1500
tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 2 fw classid 1:8012

tc class add dev eth1 parent 1:80 classid 1:802 cbq bandwidth 10Mbit rate 40Kbit weight 4Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated

tc class add dev eth1 parent 1:802 classid 1:8021 cbq bandwidth 10Mbit rate 4Kbit weight 1Kbit prio 4 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth1 parent 1:8021 handle 8021 tbf rate 4Kbit buffer 512 limit 512 mtu 1500
tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 4 fw classid 1:8021

tc class add dev eth1 parent 1:802 classid 1:8022 cbq bandwidth 10Mbit rate 36Kbit weight 4Kbit prio 1 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth1 parent 1:8022 handle 8022 tbf rate 36Kbit buffer 4608 limit 4608 mtu 1500
tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 1 fw classid 1:8022

# eth0 (towards the LAN): the same tree for the downlink; fwmarks 5-8
tc class add dev eth0 parent 1: classid 1:90 cbq bandwidth 10Mbit rate 80Kbit weight 8Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated

tc class add dev eth0 parent 1:90 classid 1:901 cbq bandwidth 10Mbit rate 40Kbit weight 4Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated

tc class add dev eth0 parent 1:901 classid 1:9011 cbq bandwidth 10Mbit rate 16Kbit weight 2Kbit prio 3 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth0 parent 1:9011 handle 9011 tbf rate 16Kbit buffer 2048 limit 2048 mtu 1500
tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 7 fw classid 1:9011

tc class add dev eth0 parent 1:901 classid 1:9012 cbq bandwidth 10Mbit rate 24Kbit weight 3Kbit prio 2 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth0 parent 1:9012 handle 9012 tbf rate 24Kbit buffer 3072 limit 3072 mtu 1500
tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 6 fw classid 1:9012

tc class add dev eth0 parent 1:90 classid 1:902 cbq bandwidth 10Mbit rate 40Kbit weight 4Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated

tc class add dev eth0 parent 1:902 classid 1:9021 cbq bandwidth 10Mbit rate 4Kbit weight 1Kbit prio 4 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth0 parent 1:9021 handle 9021 tbf rate 4Kbit buffer 512 limit 512 mtu 1500
tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 8 fw classid 1:9021

tc class add dev eth0 parent 1:902 classid 1:9022 cbq bandwidth 10Mbit rate 36Kbit weight 4Kbit prio 1 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth0 parent 1:9022 handle 9022 tbf rate 36Kbit buffer 4608 limit 4608 mtu 1500
tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 5 fw classid 1:9022
-------------------------------------------------------------------------

And the corresponding iptables script is as follows.

# The absolute path for iptables command
IPTABLES=/sbin/iptables

# Flush the rules if any already present in mangle table.
$IPTABLES -t mangle -F

###########################################################################
# Rules for uplink
# (new connections from the LAN to the outside; marks 1-4 feed the eth1 filters)
###########################################################################
$IPTABLES -t mangle -A FORWARD -m state --state NEW -s 192.168.2.12 \
        -d ! 192.168.2.0/24 -j MARK --set-mark 4

$IPTABLES -t mangle -A FORWARD -m state --state NEW -s 192.168.2.22 \
        -d ! 192.168.2.0/24 -j MARK --set-mark 1

$IPTABLES -t mangle -A FORWARD -m state --state NEW -s 192.168.2.0/24 \
        -d ! 192.168.2.0/24 -p tcp --dport 25 \
        -j MARK --set-mark 3

$IPTABLES -t mangle -A FORWARD -m state --state NEW -s 192.168.2.0/24 \
        -d ! 192.168.2.0/24 -p tcp --dport 22 \
        -j MARK --set-mark 3

$IPTABLES -t mangle -A FORWARD -m state --state NEW -s 192.168.2.0/24 \
        -d ! 192.168.2.0/24 -j MARK --set-mark 2

###########################################################################
# Rules for downlink
# (replies from the outside to the LAN; marks 5-8 feed the eth0 filters)
###########################################################################
$IPTABLES -t mangle -A POSTROUTING -m state --state RELATED,ESTABLISHED \
        -s ! 192.168.2.0/24 -d 192.168.2.12 -j MARK --set-mark 8

$IPTABLES -t mangle -A POSTROUTING -m state --state RELATED,ESTABLISHED \
        -s ! 192.168.2.0/24 -d 192.168.2.22 -j MARK --set-mark 5

$IPTABLES -t mangle -A POSTROUTING -m state --state RELATED,ESTABLISHED \
        -s ! 192.168.2.0/24 -p tcp --dport 25 -d 192.168.2.0/24 \
        -j MARK --set-mark 7

$IPTABLES -t mangle -A POSTROUTING -m state --state RELATED,ESTABLISHED \
        -s ! 192.168.2.0/24 -p tcp --dport 22 -d 192.168.2.0/24 \
        -j MARK --set-mark 7

$IPTABLES -t mangle -A POSTROUTING -m state --state RELATED,ESTABLISHED \
        -s ! 192.168.2.0/24 -d 192.168.2.0/24 -j MARK --set-mark 6

Really got stuck.
Help will be most appreciated.

Thanks in advance

shekhar
Stef Coene
2002-Oct-23 05:53 UTC
How to control incoming and outgoing traffic using tc + iptables
I don't have time to check the script (I'm at work now, but I will check it tonight), but what's your problem?? You never told us.

One tip, remove all isolated parameters, it's not working and they can cause very strange results.

Second tip, the tbf qdiscs are useless. You are already limiting the speed in the class.

If you want the classes to be able to share the non-used bandwidth, you have to remove the bounded option.

Stef

On Wednesday 23 October 2002 12:45, Chandrashekhar Rane wrote:
> Dear All,
>
> I try to implement bandwidth control using tc + iptables.
>
> Following is the setup i have at my premises.
>
> eth0 -- Connected to local LAN
> eth1 -- Connected with ISP
>
> Following is my requirement.
> 1) I want to split 10Kbps pipe into two(5kbps each)
> 2) One 5kbps pipe is again split into 2kbps and 3kbps
>	The 2kbps pipe i am going to use to give internet access to all the
> machine in my local LAN (i.e 192.168.2.0/24)
>	The 3 kbps for SMTP,SSH connection for all
> 3) The second 5kbps pipe is split into 512bytes and 4.5kbps
>	The 512bytes pipe i want to give it to say some specific machine whos
> ip is 192.168.2.12 and 4.5 kbps pipe i want to dedicate for ip say
> 192.168.2.22
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
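An added consistency check, written for this thread and not posted by either participant: it parses the eth1 half of the tc script above together with the fwmarks the uplink iptables rules set, reports the classes Stef's first tip flags (isolated), and goes beyond the thread with two checks a practitioner would want before loading such a script: children whose rates add up to more than their parent class, and fwmarks that have a tc filter but no iptables rule (or the reverse). The sample lines are constructed from the post with the cbq parameters that play no part in the checks left out; arg and check are names of this example only.

```python
from collections import defaultdict

# Constructed sample: eth1 (uplink) half of the poster's tc script, cbq options irrelevant here omitted.
TC_LINES = """\
tc class add dev eth1 parent 1: classid 1:80 cbq rate 80Kbit bounded isolated
tc class add dev eth1 parent 1:80 classid 1:801 cbq rate 40Kbit bounded isolated
tc class add dev eth1 parent 1:801 classid 1:8011 cbq rate 16Kbit bounded
tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 3 fw classid 1:8011
tc class add dev eth1 parent 1:801 classid 1:8012 cbq rate 24Kbit bounded
tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 2 fw classid 1:8012
tc class add dev eth1 parent 1:80 classid 1:802 cbq rate 40Kbit bounded isolated
tc class add dev eth1 parent 1:802 classid 1:8021 cbq rate 4Kbit bounded
tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 4 fw classid 1:8021
tc class add dev eth1 parent 1:802 classid 1:8022 cbq rate 36Kbit bounded
tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 1 fw classid 1:8022
""".splitlines()
# The fwmarks the poster's uplink iptables rules set (--set-mark 4, 1, 3, 2).
UPLINK_MARKS = {4, 1, 3, 2}

def arg(words, key):
    # Value following a tc keyword, e.g. arg(words, "classid") -> "1:80"
    return words[words.index(key) + 1]

def check(tc_lines, ipt_marks):
    # Returns a list of human-readable problems; an empty list means consistent.
    rate, parent, filt, problems = {}, {}, {}, []
    for line in tc_lines:
        w = line.split()
        if w[1] == "class":
            cid = arg(w, "classid")
            parent[cid] = arg(w, "parent")
            rate[cid] = int(arg(w, "rate").replace("Kbit", ""))
            if "isolated" in w:       # Stef's first tip
                problems.append(f"{cid} uses isolated, which gives odd results")
        elif w[1] == "filter" and "fw" in w:
            filt[int(arg(w, "handle"))] = arg(w, "classid")
    # Children must not ask for more than their parent class guarantees.
    asked = defaultdict(int)
    for cid, p in parent.items():
        asked[p] += rate[cid]
    for p, total in asked.items():
        if p in rate and total > rate[p]:
            problems.append(f"children of {p} sum to {total}Kbit > {rate[p]}Kbit")
    # Every fw filter needs an existing class and an iptables rule feeding it.
    for mark, cid in filt.items():
        if cid not in rate:
            problems.append(f"filter for mark {mark} targets unknown class {cid}")
        if mark not in ipt_marks:
            problems.append(f"mark {mark} has a filter but no iptables rule sets it")
    for mark in sorted(ipt_marks - set(filt)):
        problems.append(f"mark {mark} is set by iptables but no filter claims it")
    return problems
```

Run against the poster's eth1 tree it reports only the three isolated classes; the rate sums (40+40, 16+24, 4+36) and the mark/filter pairing both come out clean.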