thr3ads.net - LARTC - Too slow computer? [Aug 2005]

If this information is useful, please help other people find it:
Share via:

panca sorin

2005-Aug-09 16:53 UTC

Too slow computer?

Hello! I''ve put some questions on this list some weeks
ago and I''ve got good answers. Thank you!
Now I''ve finished my (beautyful) script and I ran it
on my router...
About my script:
It routes packages based on their destination on the
Internet. I have about 1650 preffered destination
networks listed in some file. The script read this
file and marks every package for those networks with
the mark value of 1.
Then, I''ve built the classes: 1:0 is the HTB qdisc;
1:1 is for unmarked packets and 1:2 is for marked
packets. 1:FF is the default class, and has as parent
the 1:0 qdisc.
1:1 is divided in 1:10 for two LAN networks
192.168.101.0/24 and 10.0.0.0/24 attached to eth1 and
eth2 respectivly. eth0 is attached to my ISP.
1:11 is a class for two IPs sharing the same
bandwidth.
1:12 is a class for one IP.

When I shape the traffic for eth0, eth1 and eth2 the
console is unuseable (is too slow). I think that
marking and matching those packets takes all the
available CPU cycles (the kernel has the biggest
priority over the CPU). Another thing that''s going on
here: I test the router with only one station attached
to eth1 and eth2 alternativly. I should have a speed
of (at least) 10Mbit with the networks listed in my
network list and I have a maximum of 3.2Mbit (class
1:2). In the 1:1 class I have maximum speed allowed.

Another question: How can I build the mark value?
I need to mark the packets based on two criteria. My
theoretic solution was to assign bit #1 to be set if
the packet matches the first criteria and bits #2 & #3
should indicate 4 situations (00,01,10 and 11). Is
there any way to set a packet''s mark bits additively
in two places of my script?

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

Andreas Klauer

2005-Aug-09 17:12 UTC

head link

Re: Too slow computer?

On Tuesday 09 August 2005 18:53, panca sorin wrote:> I have about 1650 preffered destination networks listed in some file. The
> script read this file and marks every package for those networks with
> the mark value of 1.
If you have a lot of IPs in this list, a hashed approach might work faster. 
See LARTC Howto, 12.4 Hashing filters. Although it describes tc filters, 
approach should be similar for iptables. Furthermore, using CONNMARK might 
speed things up. With it, you can skip testing packets of connections that 
already matched (and, if used right, you can also skip packets of 
connections that don''t match as well). There are also patches that
allow
bitwise modification of mark values.

You can get this stuff from www.netfilter.org, the patches are in pom-ng.

HTH
Andreas

Andy Furniss

2005-Aug-09 17:46 UTC

head link

Re: Too slow computer?

Andreas Klauer wrote:> On Tuesday 09 August 2005 18:53, panca sorin wrote:
> 
>>I have about 1650 preffered destination networks listed in some file.
The
>>script read this file and marks every package for those networks with
>>the mark value of 1.
> 
> 
> If you have a lot of IPs in this list, a hashed approach might work faster.
> See LARTC Howto, 12.4 Hashing filters. Although it describes tc filters, 
> approach should be similar for iptables. Furthermore, using CONNMARK might 
> speed things up. With it, you can skip testing packets of connections that 
> already matched (and, if used right, you can also skip packets of 
> connections that don''t match as well). There are also patches that
allow
> bitwise modification of mark values.
> 
> You can get this stuff from www.netfilter.org, the patches are in pom-ng.
Look for ipset if the list is random.

http://people.netfilter.org/kadlec/ipset/

--and-mark and --or-mark are part of main iptables now

Andy.

panca sorin

2005-Aug-09 21:31 UTC

head link

Re: Too slow computer?

Thanck you for your help!
I noticed the ipset tools and I tried to use the
CONNMARK but I don''t know how to verify if bitwise
manipulation works. The IP list is random and the
router is an Athlon at 1200 MHz with 64 MB of SDRAM
and a PIO mode 4 harddisk.
After marking for destination, the packets are marked
for priorization. I tried to use the dsmark and some
ingress policing but I''ve faild to understand how they
work. Also I''m in a hurry and I try to use what I know
for now. Since I have to shape for two speeds, now
I''ve discovered the --limit filter in iptables and I
try to match packets based on their speeds.
Each connected client has its own class on dev eth1.
There are 38 clients now. On eth2 I shape based on
connection ports. Audio/video, chat and interactive
traffic (and connection control packets) have higher
priority. Here are my script and configuration files
(is best viewd unwraped with kwrite):

#!/bin/bash
 ### firewall.sh ###

# firewall 
# TODO: make a README for admin-users, how to add
#        clients with public and privat IPs from dhcpd
and metropolitan addresses
#        use ipset for address and port grouping
#        boost speeds, ports forward, etc.
# http://gentoo-wiki.com/HOWTO_Packet_Shaping
# http://lartc.org/howto
# http://linuxgazette.net/103/odonovan.html
# http://www.netfilter.org/documentation/
# http://www.knowplace.org/shaper/
# http://linux-ip.net/articles/Traffic-Control-HOWTO/
#
http://howtos.linux.com/howtos/Traffic-Control-HOWTO/intro.shtml
# http://andthatsjazz.org:8/lartc/


# programs
ip=/usr/sbin/ip
ipt=/usr/sbin/iptables
ipt_s=/usr/sbin/iptables-save
ipt_r=/usr/sbin/iptables-restore
ips=/usr/sbin/ipset
tc=/usr/sbin/tc

# interfaces
EXT1=eth0
EXT1IP=first external IP
GW1=our gateway''s IP
NetP1=our ISP''s local network
# 64 public space addresses
PUB1Min=first usable public IP
PUB1Max=last usable public IP

#EXT2#EXT1IP#GW2#NetP2
INT1=eth1
INT1IP=192.168.101.1
INT1Mask=255.255.255.0
INT1Bcast=public space broadcast address (not in ISP''s
LAN)
INT1Net=192.168.101.255

INT2=eth2
INT2IP=10.0.0.1
INT2Mask=255.255.255.0
INT2Bcast=10.0.0.255
INT2Net=10.0.0.0

# markers
MARK_NET=0x0 # packets for Internet
MARK_MAN=0x1 # packets for Metropolitan


# interfaces'' aliasses
NETWORK=81.196.157;DEV=eth0
ip address add 172.22.3.112 dev eth0
for IP in $( cat
~adminus/etc/ip_internet/ext1_aliases.conf | grep -v
\# ); do
        $ip addr del $NETWORK.$IP/32 dev $DEV
2>/dev/null >/dev/null
  done
for IP in $( cat
~adminus/etc/ip_internet/ext1_aliases.conf | grep -v
\# ); do
        $ip addr add $NETWORK.$IP/26 brd $NETWORK.255
dev $DEV 
  done
echo " 2. Proxy ARP" 
# proxy ARP
echo 1 >/proc/sys/net/ipv4/conf/$EXT1/proxy_arp
#echo 1 >/proc/sys/net/ipv4/conf/$EXT2/proxy_arp
echo 1 >/proc/sys/net/ipv4/conf/$INT1/proxy_arp
#echo 1 >/proc/sys/net/ipv4/conf/$INT1/proxy_arp
for IP in $( cat
~adminus/etc/ip_local/pub_ips_on_int1.conf | grep -v
\# ); do
    $ip route del $IP dev $INT1 2>/dev/null >/dev/null
    $ip route add $IP dev $INT1 
  done
for IP in $( cat
~adminus/etc/ip_local/priv_ips_on_int1.conf | grep -v
\# ); do
    $ip route del $IP dev $INT2 2>/dev/null >/dev/null
    $ip route add $IP dev $INT2 
  done

$ipt -t raw    -F
$ipt -t nat    -F
$ipt -t mangle -F
$ipt -t filter -F



 ### ### ###
 ### raw ###
 ### ### ###

 ### ### ###
 ### nat ###
 ### ### ###

 ### PREROUTING ###
#$ipt -t nat -A PREROUTING -i $INT1 -p tcp --dport 80
-j REDIRECT --to-port 3128
echo " forward ports (5 ports/IP)"
NETWORK=192.168.101;NETID1=21;NETID2=22;NETID3=23;NETID4=24;NETID5=25;
# 20 <= NETID <= 65
for IP in $( cat ~adminus/etc/portfwd.conf | grep -v
\# ); do
  $ipt -t nat -A PREROUTING -d $EXT1IP -p tcp -m tcp
--dport $NETID1$IP -j DNAT --to-destination
$NETWORK.$IP:$NETID1$IP
  $ipt -t nat -A PREROUTING -d $EXT1IP -p tcp -m tcp
--dport $NETID2$IP -j DNAT --to-destination
$NETWORK.$IP:$NETID2$IP
  $ipt -t nat -A PREROUTING -d $EXT1IP -p tcp -m tcp
--dport $NETID3$IP -j DNAT --to-destination
$NETWORK.$IP:$NETID3$IP
  $ipt -t nat -A PREROUTING -d $EXT1IP -p tcp -m tcp
--dport $NETID4$IP -j DNAT --to-destination
$NETWORK.$IP:$NETID4$IP
  $ipt -t nat -A PREROUTING -d $EXT1IP -p tcp -m tcp
--dport $NETID5$IP -j DNAT --to-destination
$NETWORK.$IP:$NETID5$IP
done

 ### POSTROUTING ###
echo " nat POSTROUTING" 
#$ipt -t nat -A POSTROUTING -s $INT2Net/$INT2Mask -j
MASQUERADE --to-ports 20000:30000
$ipt -t nat -A POSTROUTING -s $INT1Net/$INT1Mask -o
$EXT1 -j SNAT --to-source $PUB1Min-$PUB1Max
$ipt -t nat -A POSTROUTING -s $INT2Net/$INT2Mask -o
$EXT1 -j SNAT --to-source $PUB1Min-$PUB1Max
$ipt -t nat -A POSTROUTING -s 10.0.0.100 -j SNAT
--to-source 81.196.157.200
$ipt -t nat -A POSTROUTING -s 10.0.0.99  -j SNAT
--to-source 81.196.157.200

 ### ###  ### ###
 ###  mangle  ###
 ### ###  ### ###

echo " mangle"

 ### PREROUTING ###
# mark for QOS
cat ~adminus/bin/marks | $ipt_r
~adminus/bin/mac.sh

 ### ###  ### ###
 ###  qdiscs  ###
 ### ###  ### ###                                     
 
# building traffic classes and ingress filters
# speeds
ROOT_NET_RATE=500kbit
ROOT_NET_CEIL=$ROOT_NET_RATE
BULK_NET_RATE=1kbit
BULK_NET_CEIL=128kbit
ROOT_MAN_RATE=95Mbit
ROOT_MAN_CEIL=$BULK_NET_RATE
BULK_MAN_RATE=512kbit
BULK_MAN_CEIL=90Mbit

# markers
MARK_NET=0x0 # Internet packet
MARK_MAN=0x1 # Metropolitan packet

echo " qdisc del" 
 $tc qdisc del dev $EXT1 ingress 2>/dev/null>/dev/null
#$tc qdisc del dev $EXT2 ingress 2>/dev/null>/dev/null
 $tc qdisc del dev $INT1 ingress 2>/dev/null>/dev/null
 $tc qdisc del dev $INT2 ingress 2>/dev/null>/dev/null
 $tc qdisc del dev $EXT1 root    2>/dev/null>/dev/null
#$tc qdisc del dev $EXT2 root    2>/dev/null>/dev/null
 $tc qdisc del dev $INT1 root    2>/dev/null>/dev/null
 $tc qdisc del dev $INT2 root    2>/dev/null>/dev/null
echo " qdisc add EXT1 egress "
$tc qdisc add dev $EXT1 root handle 1: htb default
FF01 
echo "  Internet-caffe"
$tc class add dev $EXT1 parent 1:  classid 1:1 htb
rate 500kbit ceil 500kbit # Internet
$tc class add dev $EXT1 parent 1:  classid 1:2 htb
rate  95Mbit ceil  95Mbit # Metropolitan
$tc class add dev $EXT1 parent 1:1 classid 1:7 htb
rate 140kbit ceil 500kbit prio 2 # a/v  net trafic
$tc class add dev $EXT1 parent 1:1 classid 1:5 htb
rate  50kbit ceil 500kbit prio 2 # chat net trafic
$tc class add dev $EXT1 parent 1:1 classid 1:3 htb
rate 100kbit ceil 500kbit prio 2 # www  net trafic
$tc class add dev $EXT1 parent 1:2 classid 1:8 htb
rate  35Mbit ceil  90Mbit prio 2 # a/v  man trafic
$tc class add dev $EXT1 parent 1:2 classid 1:6 htb
rate   5Mbit ceil  90Mbit prio 2 # chat man trafic
$tc class add dev $EXT1 parent 1:2 classid 1:4 htb
rate  20Mbit ceil  90Mbit prio 2 # www  man trafic
$tc class add dev $EXT1 parent 1:1 classid 1:FF01 htb
rate 10kbit ceil 500kbit prio 3 # bulk net trafic
$tc class add dev $EXT1 parent 1:2 classid 1:FF00 htb
rate 30Mbit ceil  90Mbit prio 3 # bulk man trafic
$tc qdisc add dev $EXT1 parent 1:FF01 handle 2: sfq
perturb 10
$tc qdisc add dev $EXT1 parent 1:FF00 handle 3: sfq
perturb 10
echo "qdisc add $EXT1 ingress"
$tc qdisc  add dev $EXT1 ingress
# Metropolitan ingress
#$tc filter add dev $EXT1 parent FFFF: protocol ip
prio 0 handle 7 fw police rate  10Mbps burst 16k
continue flowid :1 # A/V  in MAN
#$tc filter add dev $EXT1 parent FFFF: protocol ip
prio 1 handle 5 fw police rate  10Mbps burst 16k
continue flowid :1 # chat in MAN
#$tc filter add dev $EXT1 parent FFFF: protocol ip
prio 2 handle 3 fw police rate  10Mbps burst 16k
continue flowid :1 # www  in MAN
#$tc filter add dev $EXT1 parent FFFF: protocol ip
prio 4 handle 1 fw police rate  90Mbps burst 16k
continue flowid :1 # bulk in MAN
echo "CLIENTS";date >~adminus/log/clase_eth0.log;echo
"CLIENTS" >>~adminus/log/clase_eth0.log
$tc class add dev $EXT1 parent 1:1 classid 1:9  htb
rate 140kbit ceil 500kbit prio 2 # bulk clients'' net
$tc class add dev $EXT1 parent 1:1 classid 1:10 htb
rate  20Mbit ceil  90Mbit prio 2 # bulk clients''
M.A.N.
$tc class add dev $EXT1 parent 1:1 classid 1:11 htb
rate 140kbit ceil 500kbit prio 1 # special clients''
net
$tc class add dev $EXT1 parent 1:1 classid 1:12 htb
rate  20Mbit ceil  90Mbit prio 1 # special clients''
M.A.N.
echo "  bulk clients'' classes";echo "  bulk
clients''
classes" >>~adminus/log/clase_eth0.log
NETWORK=192.168;NET=101;NETID=16 # edit this after
copy-paste
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # don''t edit
IDnet_PRIV=$[$ID_NET+$ID_PRIV+$NETID];IDman_PRIV=$[$ID_MAN+$ID_PRIV+$NETID];IDnet_PUB=$[$ID_NET+$ID_PUB+$NETID];IDman_PUB=$[$ID_MAN+$ID_PUB+$NETID]
# don''t edit
hIDnet_PRIV=`printf "%x"
$IDnet_PRIV`;hIDman_PRIV=`printf "%x"
$IDman_PRIV`;hIDnet_PUB=`printf "%x"
$IDnet_PUB`;hIDman_PUB=`printf "%x" $IDman_PUB` #
don''t  edit
for IP in $( cat
~adminus/etc/ip_local/priv_ips_on_int1.conf | grep -v
\# ); do
    hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
    $tc class add dev $EXT1 parent 1:9  classid
1:$hIDnet_PRIV$hIP htb rate $BULK_NET_RATE ceil
$BULK_NET_CEIL prio 3
    $tc class add dev $EXT1 parent 1:10 classid
1:$hIDman_PRIV$hIP htb rate $BULK_MAN_RATE ceil
$BULK_MAN_CEIL prio 3
        echo "$EXT1: $NETWORK.$NET.$IP         net
(1:9): 1:$hIDnet_PRIV$hIP   min: $BULK_NET_RATE  max:
$BULK_NET_CEIL    man (1:10): 1:$hIDman_PRIV$hIP  
min: $BULK_MAN_RATE  max: $BULK_MAN_CEIL">>~adminus/log/clase_eth0.log  done
echo "  special clients'' classes";echo "  special
clients'' classes" >>~sorin/log/clase_eth0.log
echo "     ip-uri private";echo "     private
IPs">>~adminus/log/clase_eth0.logNETWORK=192.168;NET=101;NETID=16 # edit this after
copy-paste; 16 < NETID < 192; NETID = network''s
criterium number;
# Set different NETIDs for all private or public
networks; you can set the same NETID for one private
network and one public network
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # don''t edit
IDnet_PRIV=$[$ID_NET+$ID_PRIV+$NETID];IDman_PRIV=$[$ID_MAN+$ID_PRIV+$NETID];IDnet_PUB=$[$ID_NET+$ID_PUB+$NETID];IDman_PUB=$[$ID_MAN+$ID_PUB+$NETID]
# don''t edit
hIDnet_PRIV=`printf "%x"
$IDnet_PRIV`;hIDman_PRIV=`printf "%x"
$IDman_PRIV`;hIDnet_PUB=`printf "%x"
$IDnet_PUB`;hIDman_PUB=`printf "%x" $IDman_PUB` #
don''t edit
 IP=2 # 192.168.101.002 FOCUS DESIGN
 echo "$EXT1: $NETWORK.$NET.$IP         net (1:11):
1:$hIDnet_PRIV$hIP   min: 64kbit  max: 256kbit    man
(1:12): 1:$hIDman_PRIV$hIP   min: 768kbit  max:
90Mbit" >>~adminus/log/clase_eth0.log
 hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
 $tc class replace dev $EXT1 parent 1:11 classid
1:$hIDnet_PRIV$hIP htb rate  64kbit ceil 256kbit prio
2 # replace because the class'' ID (handle) exists from
the previous network
 $tc class replace dev $EXT1 parent 1:12 classid
1:$hIDman_PRIV$hIP htb rate 768kbit ceil  90Mbit prio
2 # replace because the class'' ID (handle) exists from
the previous network
echo "     ip-uri publice";echo "     public
IPs">>~adminus/log/clase_eth0.logNETWORK=81.196;NET=157;NETID=63 # edit this after
copy-paste
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # astea nu le
edita
IDnet_PRIV=$[$ID_NET+$ID_PRIV+$NETID];IDman_PRIV=$[$ID_MAN+$ID_PRIV+$NETID];IDnet_PUB=$[$ID_NET+$ID_PUB+$NETID];IDman_PUB=$[$ID_MAN+$ID_PUB+$NETID]
# don''t edit
hIDnet_PRIV=`printf "%x"
$IDnet_PRIV`;hIDman_PRIV=`printf "%x"
$IDman_PRIV`;hIDnet_PUB=`printf "%x"
$IDnet_PUB`;hIDman_PUB=`printf "%x" $IDman_PUB` #
don''t edit
IP=253 #  81.196.157.253 VIDEO CHAT
 hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
        echo "$EXT1: $NETWORK.$NET.$IP         net
(1:11): 1:$hIDnet_PUB$hIP   min: 64kbit  max: 256kbit 
  man (1:12) 1:$hIDman_PUB$hIP   min: 768kbit  max:
90Mbit" >>~adminus/log/clase_eth0.log
 $tc class add dev $EXT1 parent 1:11 classid
1:$hIDnet_PUB$hIP htb rate  64kbit ceil 256kbit prio 1
 $tc class add dev $EXT1 parent 1:12 classid
1:$hIDman_PUB$hIP htb rate 768kbit ceil  90Mbit prio 1
IP=254 #  81.196.157.254 VIDEO CHAT
 hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
        echo "$EXT1: $NETWORK.$NET.$IP         net
(1:11): 1:$hIDnet_PUB$hIP   min: 64kbit  max: 256kbit 
  man (1:12) 1:$hIDman_PUB$hIP    min: 768kbit  max:
90Mbit" >>~adminus/log/clase_eth0.log
 $tc class add dev $EXT1 parent 1:11 classid
1:$hIDnet_PUB$hIP htb rate  64kbit ceil 256kbit prio 1
 $tc class add dev $EXT1 parent 1:12 classid
1:$hIDman_PUB$hIP htb rate 768kbit ceil  90Mbit prio 1
# Internet ingress
#$tc filter add dev $EXT1 parent FFFF: protocol ip
prio 0 handle 6 fw police rate 190kbps burst 16k drop
flowid :1 # A/V  in Internet
#$tc filter add dev $EXT1 parent FFFF: protocol ip
prio 1 handle 4 fw police rate  62kbps burst 32k drop
flowid :1 # chat in Internet
#$tc filter add dev $EXT1 parent FFFF: protocol ip
prio 2 handle 2 fw police rate 126kbps burst 64k drop
flowid :1 # www  in Internet
#$tc filter add dev $EXT1 parent FFFF: protocol ip
prio 3 u32 match ip dst 0.0.0.0/0 police rate 126kbit
burst 1k drop flowid :1 # bulk in Internet

echo " qdisc add INT1 ingress" 
#$tc qdisc  add dev $INT1 ingress 
#$tc filter add dev $INT1 parent FFFF: protocol ip
prio 0 handle 0x7 fw flowid :1 police rate  10Mbps
burst 16k continue # A/V  in MAN
#$tc filter add dev $INT1 parent FFFF: protocol ip
prio 1 handle 0x5 fw flowid :1 police rate  10Mbps
burst 16k continue # chat in MAN
#$tc filter add dev $INT1 parent FFFF: protocol ip
prio 2 handle 0x3 fw flowid :1 police rate  10Mbps
burst 16k continue # www  in MAN
#$tc filter add dev $INT1 parent FFFF: protocol ip
prio 4 handle 0x1 fw flowid :1 police rate  95Mbps
burst 16k continue # bulk in MAN
#$tc filter add dev $INT1 parent FFFF: protocol ip
prio 0 handle 0x6 fw flowid :1 police rate 190kbps
burst 16k continue # A/V  in Internet
#$tc filter add dev $INT1 parent FFFF: protocol ip
prio 1 handle 0x4 fw flowid :1 police rate  62kbps
burst 32k continue # chat in Internet
#$tc filter add dev $INT1 parent FFFF: protocol ip
prio 2 handle 0x2 fw flowid :1 police rate 126kbps
burst 64k continue # www  in Internet
#$tc filter add dev $INT1 parent FFFF: protocol ip
prio 3 u32 match ip dst 0.0.0.0/0 police rate 126kbit
burst 1k drop flowid :1 # bulk in Internet
echo " qdisc add INT1 egress"
$tc qdisc add dev $INT1 root handle 1: htb default
FF01
$tc class add dev $INT1 parent 1:  classid 1:1    htb
rate 250kbit ceil 500kbit # class Internet
$tc class add dev $INT1 parent 1:  classid 1:2    htb
rate  45Mbit ceil  90Mbit # class Metropolitan
$tc class add dev $INT1 parent 1:1 classid 1:3    htb
rate 125kbit ceil 500kbit # class bulk-clients
Internet
$tc class add dev $INT1 parent 1:2 classid 1:4    htb
rate  22Mbit ceil  90Mbit # class bulk-clients
Metropolitan
$tc class add dev $INT1 parent 1:1 classid 1:5    htb
rate 125kbit ceil 500kbit # class special-clients
Internet
$tc class add dev $INT1 parent 1:2 classid 1:6    htb
rate  22Mbit ceil  90Mbit # class special-clients
Metropolitan
$tc class add dev $INT1 parent 1:  classid 1:FF01 htb
rate   1kbit ceil 500kbit # class bulk-traffic
Internet
$tc class add dev $INT1 parent 1:  classid 1:FF00 htb
rate   1kbit ceil  90Mbit # class bulk-traffic
Metropolitan
$tc qdisc add dev $INT1 parent 1:FF01 handle 2: sfq
perturb 10 # Stochastic Fairness for bulk traffic in
Internet
$tc qdisc add dev $INT1 parent 1:FF00 handle 3: sfq
perturb 10 # Stochastic Fairness for bulk traffic in
Metropolitan
echo "CLIENTS";date >~adminus/log/clase_eth1.log;echo
"CLIENTI" >>~adminus/log/clase_eth1.log
echo "  bulk clients";echo "  bulk
clients">>~adminus/log/clase_eth1.logNETWORK=192.168;NET=101;NETID=16 # edit this after
copy-paste
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # don''t edit
IDnet_PRIV=$[$ID_NET+$ID_PRIV+$NETID];IDman_PRIV=$[$ID_MAN+$ID_PRIV+$NETID];IDnet_PUB=$[$ID_NET+$ID_PUB+$NETID];IDman_PUB=$[$ID_MAN+$ID_PUB+$NETID]
# don''t edit
hIDnet_PRIV=`printf "%x"
$IDnet_PRIV`;hIDman_PRIV=`printf "%x"
$IDman_PRIV`;hIDnet_PUB=`printf "%x"
$IDnet_PUB`;hIDman_PUB=`printf "%x" $IDman_PUB` #
don''t  edit
for IP in $( cat
~adminus/etc/ip_local/priv_ips_on_int1.conf | grep -v
\# ); do
    hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
    $tc class add dev $INT1 parent 1:3 classid
1:$hIDnet_PRIV$hIP htb rate $BULK_NET_RATE ceil
$BULK_NET_CEIL prio 3 # bulk clients'' speed in
Internet
    $tc class add dev $INT1 parent 1:4 classid
1:$hIDman_PRIV$hIP htb rate $BULK_MAN_RATE ceil
$BULK_MAN_CEIL prio 3 # bulk clients'' speed in
Metropolitan
        echo "$INT1: $NETWORK.$NET.$IP         net
(1:3):   1:$hIDnet_PRIV$hIP   min: $BULK_NET_RATE 
max: $BULK_NET_CEIL          man (1:4):
1:$hIDman_PRIV$hIP   min: $BULK_MAN_RATE  max:
$BULK_MAN_CEIL" >>~sorin/log/clase_eth1.log
  done
echo "  special clients" >>~adminus/log/clase_eth1.log
echo "     privat IPs" >>~adminus/log/clase_eth1.log
NETWORK=192.168;NET=101;NETID=16 # edit this after
copy-paste 
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # astea nu le
edita
IDnet_PRIV=$[$ID_NET+$ID_PRIV+$NETID];IDman_PRIV=$[$ID_MAN+$ID_PRIV+$NETID];IDnet_PUB=$[$ID_NET+$ID_PUB+$NETID];IDman_PUB=$[$ID_MAN+$ID_PUB+$NETID]
# don''t edit
hIDnet_PRIV=`printf "%x"
$IDnet_PRIV`;hIDman_PRIV=`printf "%x"
$IDman_PRIV`;hIDnet_PUB=`printf "%x"
$IDnet_PUB`;hIDman_PUB=`printf "%x" $IDman_PUB` #
don''t edit
 IP=2 # 192.168.101.002 FOCUS DESIGN
 hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
 $tc class replace dev $INT1 parent 1:5 classid
1:$hIDnet_PRIV$hIP htb rate  64kbit ceil 256kbit prio
2 # speed for client FOCUS DESIGN in Internet
 $tc class replace dev $INT1 parent 1:6 classid
1:$hIDman_PRIV$hIP htb rate 768kbit ceil  90Mbit prio
2 # speed for client FOCUS DESIGN in Metropolitan
        echo "$INT1: $NETWORK.$NET.$IP         net
(1:5):   1:$hIDnet_PRIV$hIP   min: 64kbit  max:
256kbit          man (1:6):   1:$hIDman_PRIV$hIP  
min: 768kbit  max: 90Mbit">>~adminus/log/clase_eth1.logecho "     public IPs" >>~adminus/log/clase_eth1.log
NETWORK=81.196;NET=157;NETID=63 # edit this after
copy-paste (this and the next 3 rows are must be
copied for each used ip in the above network)
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # don''t edit
IDnet_PRIV=$[$ID_NET+$ID_PRIV+$NETID];IDman_PRIV=$[$ID_MAN+$ID_PRIV+$NETID];IDnet_PUB=$[$ID_NET+$ID_PUB+$NETID];IDman_PUB=$[$ID_MAN+$ID_PUB+$NETID]
# don''t edit
hIDnet_PRIV=`printf "%x"
$IDnet_PRIV`;hIDman_PRIV=`printf "%x"
$IDman_PRIV`;hIDnet_PUB=`printf "%x"
$IDnet_PUB`;hIDman_PUB=`printf "%x" $IDman_PUB` #
don''t edit
IP=253 #  81.196.157.253 VIDEO CHAT 1 (this and the
next 3 rows are must be copied for each used ip in the
above network)
 hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
 $tc class add dev $INT1 parent 1:5 classid
1:$hIDnet_PUB$hIP htb rate  64kbit ceil 256kbit prio 1
# speed for client VIDEO CHAT 1 in Internet
 $tc class add dev $INT1 parent 1:6 classid
1:$hIDman_PUB$hIP htb rate 768kbit ceil  90Mbit prio 1
# speed for client VIDEO CHAT 1 in Metropolitan
        echo "$INT1: $NETWORK.$NET.$IP         net
(1:5):   1:$hIDnet_PUB$hIP   min: 64kbit  max: 256kbit
         man (1:6)   1:$hIDman_PUB$hIP   min: 768kbit 
max: 90Mbit" >>~adminus/log/clase_eth1.log
IP=254 #  81.196.157.254 VIDEO CHAT 2 (this and the
next 3 rows are must be copied for each used ip in the
above network)
 hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
 $tc class add dev $INT1 parent 1:5 classid
1:$hIDnet_PUB$hIP htb rate  64kbit ceil 256kbit prio 1
# speed for client VIDEO CHAT 2 in Internet
 $tc class add dev $INT1 parent 1:6 classid
1:$hIDman_PUB$hIP htb rate 768kbit ceil  90Mbit prio 1
# speed for client VIDEO CHAT 2 in Metropolitan
        echo "$INT1: $NETWORK.$NET.$IP         net
(1:5):   1:$hIDnet_PUB$hIP   min: 64kbit  max: 256kbit
         man (1:6)   1:$hIDman_PUB$hIP   min: 768kbit 
max: 90Mbit" >>~adminus/log/clase_eth1.log
echo "CLIENTS done."

echo " qdisc add INT2 root "
$tc qdisc add dev $INT2 root handle 1: htb default
FF01 
$tc class add dev $INT2 parent 1:  classid 1:1 htb
rate 500kbit ceil 500kbit
$tc class add dev $INT2 parent 1:  classid 1:2 htb
rate  95Mbit ceil 95Mbit
$tc class add dev $INT2 parent 1:1 classid 1:7   htb
rate 140kbit ceil 500kbit prio 0 # a/v  net trafic
$tc class add dev $INT2 parent 1:1 classid 1:5   htb
rate  50kbit ceil 500kbit prio 0 # chat net trafic
$tc class add dev $INT2 parent 1:1 classid 1:3   htb
rate 100kbit ceil 500kbit prio 0 # www  net trafic
$tc class add dev $INT2 parent 1:2 classid 1:8   htb
rate  35Mbit ceil  90Mbit prio 0 # a/v  man trafic
$tc class add dev $INT2 parent 1:2 classid 1:6   htb
rate   5Mbit ceil  90Mbit prio 0 # chat man trafic
$tc class add dev $INT2 parent 1:2 classid 1:4   htb
rate  20Mbit ceil  90Mbit prio 0 # www  man trafic
$tc class add dev $INT2 parent 1:1 classid 1:FF01 htb
rate 10kbit ceil 500kbit prio 3 # bulk net trafic
$tc class add dev $INT2 parent 1:2 classid 1:FF00 htb
rate 30Mbit ceil  90Mbit prio 3 # bulk man trafic
$tc qdisc add dev $INT2 parent 1:FF01 handle 2: sfq
perturb 10
$tc qdisc add dev $INT2 parent 1:FF00 handle 3: sfq
perturb 10
echo " qdisc add INT2 ingress"
$tc qdisc  add dev $INT2 ingress 
#$tc filter add dev $INT2 parent FFFF: protocol ip
prio 0 handle 0x7 fw flowid :1 police rate  10Mbps
burst 16k drop # A/V  in MAN
#$tc filter add dev $INT2 parent FFFF: protocol ip
prio 1 handle 0x5 fw flowid :1 police rate  10Mbps
burst 16k drop # chat in MAN
#$tc filter add dev $INT2 parent FFFF: protocol ip
prio 2 handle 0x3 fw flowid :1 police rate  10Mbps
burst 16k drop # www  in MAN
#$tc filter add dev $INT2 parent FFFF: protocol ip
prio 4 handle 0x1 fw flowid :1 police rate  95Mbps
burst 16k drop # bulk in MAN
#$tc filter add dev $INT2 parent FFFF: protocol ip
prio 0 handle 0x6 fw flowid :1 police rate 190kbps
burst 16k drop # A/V  in Internet
#$tc filter add dev $INT2 parent FFFF: protocol ip
prio 1 handle 0x4 fw flowid :1 police rate  62kbps
burst 32k drop # chat in Internet
#$tc filter add dev $INT2 parent FFFF: protocol ip
prio 2 handle 0x2 fw flowid :1 police rate 126kbps
burst 64k drop # www  in Internet
#$tc filter add dev $INT1 parent FFFF: protocol ip
prio 3 u32 match ip dst 0.0.0.0/0 police rate 126kbit
burst 1k drop flowid :1 # bulk in Internet

 ### POSTROUTING ###
echo "POSTROUTING"
echo "filters - CLASSIFY $EXT1 egress"

$ipt -t mangle -F POSTROUTING

$ipt -t mangle -A POSTROUTING -m mark --mark 0x7 -o
$EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:7 # A/V
 in MAN
$ipt -t mangle -A POSTROUTING -m mark --mark 0x5 -o
$EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:5 #
chat in MAN
$ipt -t mangle -A POSTROUTING -m mark --mark 0x3 -o
$EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:3 # www
 in MAN
$ipt -t mangle -A POSTROUTING -m mark --mark 0x6 -o
$EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:8 # A/V
 in Internet
$ipt -t mangle -A POSTROUTING -m mark --mark 0x4 -o
$EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:6 #
chat in Internet
$ipt -t mangle -A POSTROUTING -m mark --mark 0x2 -o
$EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:4 # www
 in Internet
$ipt -t mangle -A POSTROUTING -m mark --mark 0x0 -o
$EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:FF01 #
bulk in Internet
$ipt -t mangle -A POSTROUTING -m mark --mark 0x1 -o
$EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:FF00 #
bulk in MAN

echo "filters - CLASSIFY $INT1 egress";date>~adminus/log/filtre.log;echo "filters - CLASSIFY$INT1 egress" >>~adminus/log/filtre.log
echo "  bulk clients";echo "  bulk
clients">>~adminus/log/filtre.logNETWORK=192.168;NET=101;NETID=16 # edit this after
copy-paste (this row downto done must be copied for
each served network)
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # don''t edit
# The first bit in class'' MINOR is: 1 = metropolitan;
0 = Internet
# The second bit in class'' MINOR is: 1 = IP public; 0
= IP privat
# Urmatorii 6 biti reprezinta NETID (class number)
Atention: classes with MINOR from 1 to 6 are used by
parents on $INT1, so NETID >= 7 !!!
IDnet_PRIV=$[$ID_NET+$ID_PRIV+$NETID];IDman_PRIV=$[$ID_MAN+$ID_PRIV+$NETID];IDnet_PUB=$[$ID_NET+$ID_PUB+$NETID];IDman_PUB=$[$ID_MAN+$ID_PUB+$NETID]
# don''t edit
hIDnet_PRIV=`printf "%x"
$IDnet_PRIV`;hIDman_PRIV=`printf "%x"
$IDman_PRIV`;hIDnet_PUB=`printf "%x"
$IDnet_PUB`;hIDman_PUB=`printf "%x" $IDman_PUB` #don''t
edit
for IP in $( cat
~adminus/etc/ip_local/priv_ips_on_int1.conf | grep -v
\# ); do
 #   if IP = { 0 1 2 3 4 5 6 7 8 9 a b c d e f A B C D
E F }; then IP=0$IP; fi
    hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
    $ipt -t mangle -A POSTROUTING -m mark --mark
$MARK_NET -o $EXT1 -s $NETWORK.$NET.$IP -j CLASSIFY
--set-class 1:$hIDnet_PRIV$hIP # IP privat in $EXT1
Internet
    $ipt -t mangle -A POSTROUTING -m mark --mark
$MARK_MAN -o $EXT1 -s $NETWORK.$NET.$IP -j CLASSIFY
--set-class 1:$hIDman_PRIV$hIP # IP privat in $EXT1
Metropolitan 
    #$ipt -t mangle -A POSTROUTING -m mark --mark
$MARK_NET -o $EXT2 -s $NETWORK.$NET.$IP -j CLASSIFY
--set-class 1:$hIDnet_PRIV$hIP # IP privat in $EXT2
Internet
    #$ipt -t mangle -A POSTROUTING -m mark --mark
$MARK_MAN -o $EXT2 -s $NETWORK.$NET.$IP -j CLASSIFY
--set-class 1:$hIDman_PRIV$hIP # IP privat in $EXT2
Metropolitan
    $ipt -t mangle -A POSTROUTING -m mark --mark
$MARK_NET -o $INT1 -d $NETWORK.$NET.$IP -j CLASSIFY
--set-class 1:$hIDnet_PRIV$hIP # IP privat in $INT1
Internet
    $ipt -t mangle -A POSTROUTING -m mark --mark
$MARK_MAN -o $INT1 -d $NETWORK.$NET.$IP -j CLASSIFY
--set-class 1:$hIDman_PRIV$hIP # IP privat in $INT1
Metropolitan
        echo "$NETWORK.$NET.$IP         $EXT1:   net:
1:$hIDnet_PRIV$hIP   man: 1:$hIDman_PRIV$hIP      
$INT1:   net: 1:$hIDnet_PRIV$hIP   man:
1:$hIDman_PRIV$hIP" >>~sorin/log/filtre.log
  done
echo "  special clients";echo "  special
clients">>~sorin/log/filtre.logNETWORK=81.196;NET=157;NETID=63 # edit this after
copy-paste (downto done is for every served network)
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # do not edit
IDnet_PRIV=$[$ID_NET+$ID_PRIV+$NETID];IDman_PRIV=$[$ID_MAN+$ID_PRIV+$NETID];IDnet_PUB=$[$ID_NET+$ID_PUB+$NETID];IDman_PUB=$[$ID_MAN+$ID_PUB+$NETID]
# do not edit
hIDnet_PRIV=`printf "%x"
$IDnet_PRIV`;hIDman_PRIV=`printf "%x"
$IDman_PRIV`;hIDnet_PUB=`printf "%x"
$IDnet_PUB`;hIDman_PUB=`printf "%x" $IDman_PUB` # do
not edit
for IP in $( cat
~adminus/etc/ip_local/pub_ips_on_int1.conf | grep -v
\# ); do
#    if IP = { 0 1 2 3 4 5 6 7 8 9 a b c d e f A B C D
E F }; then IP=0$IP; fi
    hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
    $ipt -t mangle -A POSTROUTING -m mark --mark
$MARK_NET -o $EXT1 -s $NETWORK.$NET.$IP -j CLASSIFY
--set-class 1:$hIDnet_PUB$hIP # IP public in $EXT1
Internet
    $ipt -t mangle -A POSTROUTING -m mark --mark
$MARK_MAN -o $EXT1 -s $NETWORK.$NET.$IP -j CLASSIFY
--set-class 1:$hIDman_PUB$hIP # IP public in $EXT1
Metropolitan
    #$ipt -t mangle -A POSTROUTING -m mark --mark
$MARK_NET -o $EXT2 -s $NETWORK.$NET.$IP -j CLASSIFY
--set-class 1:$hIDnet_PUB$hIP 
    #$ipt -t mangle -A POSTROUTING -m mark --mark
$MARK_MAN -o $EXT2 -s $NETWORK.$NET.$IP -j CLASSIFY
--set-class 1:$hID_man_PUB$hIP 
    $ipt -t mangle -A POSTROUTING -m mark --mark
$MARK_NET -o $INT1 -d $NETWORK.$NET.$IP -j CLASSIFY
--set-class 1:$hIDnet_PUB$hIP # IP public in $INT1
Internet
    $ipt -t mangle -A POSTROUTING -m mark --mark
$MARK_MAN -o $INT1 -d $NETWORK.$NET.$IP -j CLASSIFY
--set-class 1:$hIDman_PUB$hIP # IP public in $INT1
Metropolitan
        echo "$NETWORK.$NET.$IP         $EXT1:   net:
1:$hIDnet_PUB$hIP   man: 1:$hIDman_PUB$hIP      
$INT1:   net: 1:$hIDnet_PUB$hIP   man:
1:$hIDman_PUB$hIP" >>~sorin/log/filtre.log
  done

echo "filters - CLASSIFY $INT2 egress"
$ipt -t mangle -A POSTROUTING -m mark --mark 0x7 -o
$INT2 -j CLASSIFY --set-class 1:7
$ipt -t mangle -A POSTROUTING -m mark --mark 0x5 -o
$INT2 -j CLASSIFY --set-class 1:5
$ipt -t mangle -A POSTROUTING -m mark --mark 0x3 -o
$INT2 -j CLASSIFY --set-class 1:3
$ipt -t mangle -A POSTROUTING -m mark --mark 0x6 -o
$INT2 -j CLASSIFY --set-class 1:8
$ipt -t mangle -A POSTROUTING -m mark --mark 0x4 -o
$INT2 -j CLASSIFY --set-class 1:6
$ipt -t mangle -A POSTROUTING -m mark --mark 0x2 -o
$INT2 -j CLASSIFY --set-class 1:4
$ipt -t mangle -A POSTROUTING -m mark --mark 0x0 -o
$INT2 -j CLASSIFY --set-class 1:FF01
$ipt -t mangle -A POSTROUTING -m mark --mark 0x1 -o
$INT2 -j CLASSIFY --set-class 1:FF00
 ### ###  ### ###
 ###  mangle  ###
 ### ###  ### ###


 ### PREROUTING ###
$ipt -t mangle -F PREROUTING
echo " creem MAN, QOS si CLIENT" 
$ipt -t mangle -X MAN
$ipt -t mangle -X QOS
$ipt -t mangle -N MAN
$ipt -t mangle -N QOS
$ipt -t mangle -Z MAN
$ipt -t mangle -Z QOS



$ipt -t mangle -A PREROUTING -j MAN
$ipt -t mangle -A PREROUTING -j QOS


        ### QOS ###
echo " TOS chat-ports" 
for PORT in $( cat
~sorin/etc/ports_qdisc_prio/chat_ports.conf | grep -v
\# ); do
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j TOS
--set-tos Maximize-Reliability 
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j TOS
--set-tos Minimize-Delay 
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j MARK
--set-mark 0x4 
    $ipt -t mangle -A QOS -j CONNMARK --save-mark 
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j
RETURN 
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j TOS
--set-tos Maximize-Reliability 
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j TOS
--set-tos Minimize-Delay 
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j MARK
--set-mark 0x4 
    $ipt -t mangle -A QOS -j CONNMARK --save-mark 
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j
RETURN  
    $ipt -t mangle -A QOS -p udp --dport $PORT -j TOS
--set-tos Maximize-Reliability 
    $ipt -t mangle -A QOS -p udp --dport $PORT -j TOS
--set-tos Minimize-Delay 
    $ipt -t mangle -A QOS -p udp --dport $PORT -j MARK
--set-mark 0x4 
    $ipt -t mangle -A QOS -j CONNMARK --save-mark 
    $ipt -t mangle -A QOS -p udp --dport $PORT -j
RETURN 
    $ipt -t mangle -A QOS -p udp --sport $PORT -j TOS
--set-tos Maximize-Reliability 
    $ipt -t mangle -A QOS -p udp --sport $PORT -j TOS
--set-tos Minimize-Delay 
    $ipt -t mangle -A QOS -p udp --sport $PORT -j MARK
--set-mark 0x4 
    $ipt -t mangle -A QOS -j CONNMARK --save-mark 
    $ipt -t mangle -A QOS -p udp --sport $PORT -j
RETURN 
done
echo " TOS audio-video ports" 
for PORT in $( cat
~sorin/etc/ports_qdisc_prio/av_ports.conf | grep -v \#
); do
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j TOS
--set-tos Minimize-Delay 
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j TOS
--set-tos Maximize-Throughput
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j MARK
--set-mark 0x6 
    $ipt -t mangle -A QOS -j CONNMARK --save-mark 
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j
RETURN 
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j TOS
--set-tos Minimize-Delay
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j TOS
--set-tos Maximize-Throughput
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j MARK
--set-mark 0x6 
    $ipt -t mangle -A QOS -j CONNMARK --save-mark 
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j
RETURN 
    $ipt -t mangle -A QOS -p udp --dport $PORT -j TOS
--set-tos Minimize-Delay
    $ipt -t mangle -A QOS -p udp --dport $PORT -j TOS
--set-tos Maximize-Throughput
    $ipt -t mangle -A QOS -p udp --dport $PORT -j MARK
--set-mark 0x6 
    $ipt -t mangle -A QOS -j CONNMARK --save-mark 
    $ipt -t mangle -A QOS -p udp --dport $PORT -j
RETURN 
    $ipt -t mangle -A QOS -p udp --sport $PORT -j TOS
--set-tos Minimize-Delay
    $ipt -t mangle -A QOS -p udp --sport $PORT -j TOS
--set-tos Maximize-Throughput
    $ipt -t mangle -A QOS -p udp --sport $PORT -j MARK
--set-mark 0x6 
    $ipt -t mangle -A QOS -j CONNMARK --save-mark 
    $ipt -t mangle -A QOS -p udp --sport $PORT -j
RETURN 
done
echo " TOS www ports" 
for PORT in $( cat
~sorin/etc/ports_qdisc_prio/www_ports.conf | grep -v
\# ); do
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j TOS
--set-tos Maximize-Throughput
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j MARK
--set-mark 0x2 
    $ipt -t mangle -A QOS -j CONNMARK --save-mark 
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j
RETURN 
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j TOS
--set-tos Maximize-Throughput
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j MARK
--set-mark 0x2 
    $ipt -t mangle -A QOS -j CONNMARK --save-mark 
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j
RETURN 
    $ipt -t mangle -A QOS -p udp --dport $PORT -j TOS
--set-tos Maximize-Throughput
    $ipt -t mangle -A QOS -p udp --dport $PORT -j MARK
--set-mark 0x2 
    $ipt -t mangle -A QOS -j CONNMARK --save-mark 
    $ipt -t mangle -A QOS -p udp --dport $PORT -j
RETURN 
    $ipt -t mangle -A QOS -p udp --sport $PORT -j TOS
--set-tos Maximize-Throughput
    $ipt -t mangle -A QOS -p udp --dport $PORT -j MARK
--set-mark 0x2 
    $ipt -t mangle -A QOS -j CONNMARK --save-mark 
    $ipt -t mangle -A QOS -p udp --sport $PORT -j
RETURN 
done
echo " TOS tcp flags" 
$ipt -t mangle -A QOS -p tcp --tcp-flags ALL, ALL -j
MARK --set-mark 0x6 
$ipt -t mangle -A QOS -p tcp --tcp-flags ALL, ALL -j
TOS --set-tos Minimize-Delay 
$ipt -t mangle -A QOS -p tcp --tcp-flags ALL, ALL -j
TOS --set-tos Maximize-Throughput 
$ipt -t mangle -A QOS -p tcp --tcp-flags ALL, ALL -j
TOS --set-tos Maximize-Reliability 
$ipt -t mangle -A QOS -j CONNMARK --save-mark 
$ipt -t mangle -A QOS -p tcp --tcp-flags ALL, ALL -j
RETURN 
$ipt -t mangle -A QOS -j CONNMARK --save-mark 
$ipt -t mangle -A QOS -p ALL -j RETURN 


        ### MAN ###
echo " MAN mark man (order a pizza and eat till I
finish this)" 
for PEER_IP in $( cat
~sorin/etc/ip_internet/peer_ips.conf | grep -v \# );
do
    $ipt -t mangle -A MAN -d $PEER_IP -j MARK
--set-mark $MARK_MAN 
    $ipt -t mangle -A MAN -j CONNMARK --restore-mark
--mask 0xfffe 
    $ipt -t mangle -A MAN -d $PEER_IP -j RETURN 
    $ipt -t mangle -A MAN -s $PEER_IP -j MARK
--set-mark $MARK_MAN 
    $ipt -t mangle -A MAN -j CONNMARK --restore-mark
--mask 0xfffe 
    $ipt -t mangle -A MAN -s $PEER_IP -j RETURN 
 done
echo " MAN mark net" 
$ipt -t mangle -A MAN -d 0.0.0.0/0 -j MARK --set-mark
$MARK_NET 
$ipt -t mangle -A MAN -j CONNMARK --restore-mark
--mask 0xfffe 
$ipt -t mangle -A MAN -d 0.0.0.0/0 -j RETURN 

$ipt_s >~adminus/bin/marks

 ### POSTROUTING ###
if [ -x /mnt/usb/tc-restore ]; then
        /mnt/usb/tc-restore
        cp /mnt/usb/tc-restore ~sorin/bin/
   else ~sorin/bin/tc-restore
fi
# each IP has its own class

 ### ###  ### ###
 ###  filter  ###
 ### ###  ### ###

 ### INPUT ###
echo "INPUT" 
# TODO: Use ~adminus/etc/ports_input_allowed, use -m
mport --port for both direction ports if they *ARE*
equal
$ipt -t filter -P INPUT DROP 
$ipt -t filter -A INPUT -i lo -j ACCEPT 
$ipt -t filter -A INPUT -p tcp --sport 0:1023 -m state
--state ESTABLISHED,RELATED -j ACCEPT 
$ipt -t filter -A INPUT -i lo -j ACCEPT 
$ipt -t filter -A INPUT -p tcp --tcp-flags ACK ACK -j
ACCEPT 
$ipt -t filter -A INPUT -m state --state ESTABLISHED
-j ACCEPT 
$ipt -t filter -A INPUT -m state --state RELATED -j
ACCEPT 
$ipt -t filter -A INPUT -p udp --dport 1024:65535
--sport 53 -j ACCEPT 
$ipt -t filter -A INPUT -p icmp --icmp-type echo-reply
-j ACCEPT 
$ipt -t filter -A INPUT -p icmp --icmp-type
destination-unreachable -j ACCEPT 
$ipt -t filter -A INPUT -p icmp --icmp-type
source-quench -j ACCEPT 
$ipt -t filter -A INPUT -p icmp --icmp-type
time-exceeded -j ACCEPT 
$ipt -t filter -A INPUT -p icmp --icmp-type
parameter-problem -j ACCEPT 
$ipt -t filter -A INPUT -p tcp -m state ! --state NEW
--sport 0:1023 -j ACCEPT 
$ipt -t filter -A INPUT -p udp --sport 0:1023 -j
ACCEPT 
$ipt -t filter -A INPUT -p tcp --dport ssh -j ACCEPT 
$ipt -t filter -A INPUT -p tcp --dport auth -j ACCEPT 
$ipt -t filter -A INPUT -p tcp --dport ftp -j ACCEPT 
$ipt -t filter -A INPUT -p tcp --dport rmt -j ACCEPT 
$ipt -t filter -A INPUT -p udp --dport rmt -j ACCEPT 
$ipt -t filter -A INPUT -p tcp --dport ftp-data -j
ACCEPT 
$ipt -t filter -A INPUT -p udp --dport time -j ACCEPT 
$ipt -t filter -A INPUT -p tcp --dport http -j ACCEPT 
$ipt -t filter -A INPUT -p icmp -m limit --icmp-type
echo-request --limit 3/second --limit-burst 1000 -j
ACCEPT 
$ipt -t filter -A INPUT -p tcp ! -i lo --sport
2049:2050 -j DROP 
$ipt -t filter -A INPUT -p tcp ! -i lo --dport
2049:2050 -j DROP 
$ipt -t filter -A INPUT -p tcp ! -i lo --sport
6000:6063 -j DROP 
$ipt -t filter -A INPUT -p tcp ! -i lo --dport
6000:6063 -j DROP 
$ipt -t filter -A INPUT -p tcp ! -i lo --sport
7000:7010 -j DROP 
$ipt -t filter -A INPUT -p tcp ! -i lo --dport
7000:7010 -j DROP 
$ipt -t filter -A INPUT -p tcp --sport 1024:65535 -j
ACCEPT 
$ipt -t filter -A INPUT -p tcp --dport 1024:65535 -j
ACCEPT 
$ipt -t filter -A INPUT -p udp --sport 1024:65535 -j
ACCEPT 
$ipt -t filter -A INPUT -p udp --dport 1024:65535 -j
ACCEPT 

 ### FORWARD ###
echo "FORWARD" 
$ipt -t filter -P FORWARD DROP 
$ipt -t filter -A FORWARD -i lo -j ACCEPT 
$ipt -t filter -A FORWARD -o lo -j ACCEPT 

echo " ip/mac ACCEPT"
~sorin/bin/mac.sh
$ipt -t filter -A FORWARD -o $INT1 -d
$INT1Net/$INT1Mask -j ACCEPT
$ipt -t filter -A FORWARD -i $INT2 -s
$INT2Net/$INT2Mask -j ACCEPT
$ipt -t filter -A FORWARD -o $INT2 -d
$INT2Net/$INT2Mask -j ACCEPT
$ipt -t filter -A FORWARD -i $EXT1 -o $INT1 -j ACCEPT 
$ipt -t filter -A FORWARD -i $EXT1 -o $INT2 -m state
--state ESTABLISHED,RELATED -j ACCEPT 
$ipt -t filter -A FORWARD -i $INT1 -o $INT2 -j ACCEPT 
$ipt -t filter -A FORWARD -i $INT2 -o $INT1 -j ACCEPT 
#$ipt -t filter -A FORWARD -i $INT1 -o $EXT1 -j ACCEPT
# Se face pe mac address
$ipt -t filter -A FORWARD -i $INT2 -o $EXT1 -j ACCEPT

echo " connection/port ACCEPT/DROP" 
#$ipt -t filter -A FORWARD -f -j ACCEPT 
$ipt -t filter -A FORWARD -p tcp --tcp-flags SYN,RST
SYN -j TCPMSS  --clamp-mss-to-pmtu 
#$ipt -t filter -A FORWARD -p tcp --tcp-flags SYN,RST
SYN -j TCPMSS --set-mss 128 
$ipt -t filter -A FORWARD -i ! $INT1 -s
$INT1Net/$INT1Mask -j DROP 
$ipt -t filter -A FORWARD -i ! $INT2 -s
$INT2Net/$INT2Mask -j DROP 
$ipt -t filter -A FORWARD -p icmp -d $INT1Bcast -j
DROP 
$ipt -t filter -A FORWARD -p icmp -d $INT2Bcast -j
DROP 
$ipt -t filter -A FORWARD -p tcp  --syn -m limit
--limit 10/s -j ACCEPT 
$ipt -t filter -A FORWARD -p tcp  --tcp-flags
SYN,ACK,FIN,RST RST -m limit --limit 10/s -j ACCEPT 
$ipt -t filter -A FORWARD -p icmp --icmp-type
echo-request -m limit --limit 3/s -j ACCEPT
$ipt -t filter -A FORWARD -p icmp --icmp-type
echo-reply   -m limit --limit 3/s -j ACCEPT
$ipt -t filter -A FORWARD -p udp  --sport 53 -j ACCEPT
$ipt -t filter -A FORWARD -p udp  --dport 53 -j ACCEPT
$ipt -t filter -A FORWARD -p tcp  --dport 139 -j DROP 
$ipt -t filter -A FORWARD -p tcp  --dport 445 -j DROP 

 ### OUTPUT ###
echo "OUTPUT" 
$ipt -t filter -P OUTPUT ACCEPT 

echo "Preparing for reboot... (iptables-save)"
/usr/sbin/iptables-save >/home/adminus/iptables

A/V ports:531 554 583 7070 1754:1755 1397:1398 1516
1518 2232 4444 5555 5713:5714 6000 6010

CHAT ports: 53 5050 1863 113 529 994 6660:6667 7000 63
5190:5193 22 23 992 37 123 21 990 1517 1519 2103:2105
5222 5269 5715:5717

WWW ports (and games): 80 443 280 488 25 109:110 995
143 220 993 516 532 563 631 901 666 4557 4559 27005 27015


	
		
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - You care about security. So do we. 
http://promotions.yahoo.com/new_mail

Andy Furniss

2005-Aug-11 16:10 UTC

head link

Re: Too slow computer?

panca sorin wrote:> Thanck you for your help!
> I noticed the ipset tools and I tried to use the
> CONNMARK but I don''t know how to verify if bitwise
> manipulation works. The IP list is random and the
> router is an Athlon at 1200 MHz with 64 MB of SDRAM
> and a PIO mode 4 harddisk.
> After marking for destination, the packets are marked
> for priorization. I tried to use the dsmark and some
> ingress policing but I''ve faild to understand how they
> work. Also I''m in a hurry and I try to use what I know
> for now. Since I have to shape for two speeds, now
> I''ve discovered the --limit filter in iptables and I
> try to match packets based on their speeds.
> Each connected client has its own class on dev eth1.
> There are 38 clients now. On eth2 I shape based on
> connection ports. Audio/video, chat and interactive
> traffic (and connection control packets) have higher
> priority. Here are my script and configuration files
> (is best viewd unwraped with kwrite):
That''s a big script - I haven''t had time to read it properly
and I''d
still be likely to miss things :-)

Ingress policers won''t work with fw if your kernel config has packet 
actions selected. If you don''t it will work but only with marks set in 
prerouting.

Bitwise manipulation of normal marks should work for recent iptables 
just remember to use 0x as it uses decimal otherwise. If you want to 
test just make an empty match and look at the counters. So to set bit 2 
of the mark use --or-mark 0x2 instead of --set-mark.

I''ve never used ipset but it seems suited to what you need.

If you choose to use mark/connmark then you can get htb to treat marks 
like classify - you just put an empty fw on the root and have to make 
sure the marks have the major id in the top 16bits and you have a class 
for the minor.

Andy.

Apparently Analagous Threads

Search for more maybe matching threads

LARTC - Aug 2005 - Too slow computer?

Too slow computer?

Re: Too slow computer?

Re: Too slow computer?

Re: Too slow computer?

Re: Too slow computer?

Apparently Analagous Threads