Chandrashekhar Rane
2002-Oct-23 10:45 UTC
How to control incoming and outgoing traffic using tc + iptables
Dear All,

I try to implement bandwidth control using tc + iptables.

Following is the setup I have at my premises.

eth0 -- Connected to local LAN
eth1 -- Connected with ISP

Following is my requirement.
1) I want to split 10Kbps pipe into two (5kbps each)
2) One 5kbps pipe is again split into 2kbps and 3kbps
   The 2kbps pipe I am going to use to give internet access to all the machines in my local LAN (i.e. 192.168.2.0/24)
   The 3 kbps for SMTP, SSH connection for all
3) The second 5kbps pipe is split into 512bytes and 4.5kbps
   The 512bytes pipe I want to give it to say some specific machine whose IP is 192.168.2.12 and 4.5 kbps pipe I want to dedicate for IP say 192.168.2.22

The tc script for implementing the same is as follows
---------------------------------------------------------------------------
tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1 cbq bandwidth 10Mbit avpkt 1000 cell 8

tc qdisc del dev eth1 root
tc qdisc add dev eth1 root handle 1 cbq bandwidth 10Mbit avpkt 1000 cell 8

tc class add dev eth1 parent 1: classid 1:80 cbq bandwidth 10Mbit rate 80Kbit weight 8Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated

tc class add dev eth1 parent 1:80 classid 1:801 cbq bandwidth 10Mbit rate 40Kbit weight 4Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated

tc class add dev eth1 parent 1:801 classid 1:8011 cbq bandwidth 10Mbit rate 16Kbit weight 2Kbit prio 3 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth1 parent 1:8011 handle 8011 tbf rate 16Kbit buffer 2048 limit 2048 mtu 1500
tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 3 fw classid 1:8011

tc class add dev eth1 parent 1:801 classid 1:8012 cbq bandwidth 10Mbit rate 24Kbit weight 3Kbit prio 2 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth1 parent 1:8012 handle 8012 tbf rate 24Kbit buffer 3072 limit 3072 mtu 1500
tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 2 fw classid 1:8012

tc class add dev eth1 parent 1:80 classid 1:802 cbq bandwidth 10Mbit rate 40Kbit weight 4Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated

tc class add dev eth1 parent 1:802 classid 1:8021 cbq bandwidth 10Mbit rate 4Kbit weight 1Kbit prio 4 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth1 parent 1:8021 handle 8021 tbf rate 4Kbit buffer 512 limit 512 mtu 1500
tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 4 fw classid 1:8021

tc class add dev eth1 parent 1:802 classid 1:8022 cbq bandwidth 10Mbit rate 36Kbit weight 4Kbit prio 1 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth1 parent 1:8022 handle 8022 tbf rate 36Kbit buffer 4608 limit 4608 mtu 1500
tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 1 fw classid 1:8022

tc class add dev eth0 parent 1: classid 1:90 cbq bandwidth 10Mbit rate 80Kbit weight 8Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated

tc class add dev eth0 parent 1:90 classid 1:901 cbq bandwidth 10Mbit rate 40Kbit weight 4Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated

tc class add dev eth0 parent 1:901 classid 1:9011 cbq bandwidth 10Mbit rate 16Kbit weight 2Kbit prio 3 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth0 parent 1:9011 handle 9011 tbf rate 16Kbit buffer 2048 limit 2048 mtu 1500
tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 7 fw classid 1:9011

tc class add dev eth0 parent 1:901 classid 1:9012 cbq bandwidth 10Mbit rate 24Kbit weight 3Kbit prio 2 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth0 parent 1:9012 handle 9012 tbf rate 24Kbit buffer 3072 limit 3072 mtu 1500
tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 6 fw classid 1:9012

tc class add dev eth0 parent 1:90 classid 1:902 cbq bandwidth 10Mbit rate 40Kbit weight 4Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated

tc class add dev eth0 parent 1:902 classid 1:9021 cbq bandwidth 10Mbit rate 4Kbit weight 1Kbit prio 4 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth0 parent 1:9021 handle 9021 tbf rate 4Kbit buffer 512 limit 512 mtu 1500
tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 8 fw classid 1:9021

tc class add dev eth0 parent 1:902 classid 1:9022 cbq bandwidth 10Mbit rate 36Kbit weight 4Kbit prio 1 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth0 parent 1:9022 handle 9022 tbf rate 36Kbit buffer 4608 limit 4608 mtu 1500
tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 5 fw classid 1:9022
-------------------------------------------------------------------------

And the corresponding iptables script is as follows.

# The absolute path for iptables command
IPTABLES=/sbin/iptables

# Flush the rules if any already present in mangle table.
$IPTABLES -t mangle -F

###########################################################################
# Rules for uplink                                                        #
###########################################################################
$IPTABLES -t mangle -A FORWARD -m state --state NEW -s 192.168.2.12 \
    -d ! 192.168.2.0/24 -j MARK --set-mark 4

$IPTABLES -t mangle -A FORWARD -m state --state NEW -s 192.168.2.22 \
    -d ! 192.168.2.0/24 -j MARK --set-mark 1

$IPTABLES -t mangle -A FORWARD -m state --state NEW -s 192.168.2.0/24 \
    -d ! 192.168.2.0/24 -p tcp --dport 25 \
    -j MARK --set-mark 3

$IPTABLES -t mangle -A FORWARD -m state --state NEW -s 192.168.2.0/24 \
    -d ! 192.168.2.0/24 -p tcp --dport 22 \
    -j MARK --set-mark 3

$IPTABLES -t mangle -A FORWARD -m state --state NEW -s 192.168.2.0/24 \
    -d ! 192.168.2.0/24 -j MARK --set-mark 2

###########################################################################
# Rules for downlink                                                      #
###########################################################################
$IPTABLES -t mangle -A POSTROUTING -m state --state RELATED,ESTABLISHED \
    -s ! 192.168.2.0/24 -d 192.168.2.12 -j MARK --set-mark 8

$IPTABLES -t mangle -A POSTROUTING -m state --state RELATED,ESTABLISHED \
    -s ! 192.168.2.0/24 -d 192.168.2.22 -j MARK --set-mark 5

$IPTABLES -t mangle -A POSTROUTING -m state --state RELATED,ESTABLISHED \
    -s ! 192.168.2.0/24 -p tcp --dport 25 -d 192.168.2.0/24 \
    -j MARK --set-mark 7

$IPTABLES -t mangle -A POSTROUTING -m state --state RELATED,ESTABLISHED \
    -s ! 192.168.2.0/24 -p tcp --dport 22 -d 192.168.2.0/24 \
    -j MARK --set-mark 7

$IPTABLES -t mangle -A POSTROUTING -m state --state RELATED,ESTABLISHED \
    -s ! 192.168.2.0/24 -d 192.168.2.0/24 -j MARK --set-mark 6

Really get stuck.
Help will be most appreciated.

Thanks in advance

shekhar

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Stef Coene
2002-Oct-23 12:53 UTC
Re: How to control incoming and outgoing traffic using tc + iptables
I don't have time to check the script (I'm at work now, but I will check it tonight), but what's your problem?? You never told us.

One tip, remove all isolated parameters, it's not working and they can cause very strange results.

Second tip, the tbf qdiscs are useless. You are already limiting the speed in the class.

If you want the classes to be able to share the non-used bandwidth, you have to remove the bounded option.

Stef

On Wednesday 23 October 2002 12:45, Chandrashekhar Rane wrote:
> Dear All,
>
> I try to implement bandwidth control using tc + iptables.
>
> Following is the setup I have at my premises.
>
> eth0 -- Connected to local LAN
> eth1 -- Connected with ISP
>
> Following is my requirement.
> 1) I want to split 10Kbps pipe into two (5kbps each)
> 2) One 5kbps pipe is again split into 2kbps and 3kbps
>    The 2kbps pipe I am going to use to give internet access to all the machines in my local LAN (i.e. 192.168.2.0/24)
>    The 3 kbps for SMTP, SSH connection for all
> 3) The second 5kbps pipe is split into 512bytes and 4.5kbps
>    The 512bytes pipe I want to give it to say some specific machine whose IP is 192.168.2.12 and 4.5 kbps pipe I want to dedicate for IP say 192.168.2.22
>
> The tc script for implementing the same is as follows
> ---------------------------------------------------------------------------
> tc qdisc del dev eth0 root
> tc qdisc add dev eth0 root handle 1 cbq bandwidth 10Mbit avpkt 1000 cell 8
>
> tc qdisc del dev eth1 root
> tc qdisc add dev eth1 root handle 1 cbq bandwidth 10Mbit avpkt 1000 cell 8
>
> tc class add dev eth1 parent 1: classid 1:80 cbq bandwidth 10Mbit rate 80Kbit weight 8Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated
>
> tc class add dev eth1 parent 1:80 classid 1:801 cbq bandwidth 10Mbit rate 40Kbit weight 4Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated
>
> tc class add dev eth1 parent 1:801 classid 1:8011 cbq bandwidth 10Mbit rate 16Kbit weight 2Kbit prio 3 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
> tc qdisc add dev eth1 parent 1:8011 handle 8011 tbf rate 16Kbit buffer 2048 limit 2048 mtu 1500
> tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 3 fw classid 1:8011
>
> tc class add dev eth1 parent 1:801 classid 1:8012 cbq bandwidth 10Mbit rate 24Kbit weight 3Kbit prio 2 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
> tc qdisc add dev eth1 parent 1:8012 handle 8012 tbf rate 24Kbit buffer 3072 limit 3072 mtu 1500
> tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 2 fw classid 1:8012
>
> tc class add dev eth1 parent 1:80 classid 1:802 cbq bandwidth 10Mbit rate 40Kbit weight 4Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated
>
> tc class add dev eth1 parent 1:802 classid 1:8021 cbq bandwidth 10Mbit rate 4Kbit weight 1Kbit prio 4 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
> tc qdisc add dev eth1 parent 1:8021 handle 8021 tbf rate 4Kbit buffer 512 limit 512 mtu 1500
> tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 4 fw classid 1:8021
>
> tc class add dev eth1 parent 1:802 classid 1:8022 cbq bandwidth 10Mbit rate 36Kbit weight 4Kbit prio 1 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
> tc qdisc add dev eth1 parent 1:8022 handle 8022 tbf rate 36Kbit buffer 4608 limit 4608 mtu 1500
> tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 1 fw classid 1:8022
>
> tc class add dev eth0 parent 1: classid 1:90 cbq bandwidth 10Mbit rate 80Kbit weight 8Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated
>
> tc class add dev eth0 parent 1:90 classid 1:901 cbq bandwidth 10Mbit rate 40Kbit weight 4Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated
>
> tc class add dev eth0 parent 1:901 classid 1:9011 cbq bandwidth 10Mbit rate 16Kbit weight 2Kbit prio 3 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
> tc qdisc add dev eth0 parent 1:9011 handle 9011 tbf rate 16Kbit buffer 2048 limit 2048 mtu 1500
> tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 7 fw classid 1:9011
>
> tc class add dev eth0 parent 1:901 classid 1:9012 cbq bandwidth 10Mbit rate 24Kbit weight 3Kbit prio 2 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
> tc qdisc add dev eth0 parent 1:9012 handle 9012 tbf rate 24Kbit buffer 3072 limit 3072 mtu 1500
> tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 6 fw classid 1:9012
>
> tc class add dev eth0 parent 1:90 classid 1:902 cbq bandwidth 10Mbit rate 40Kbit weight 4Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated
>
> tc class add dev eth0 parent 1:902 classid 1:9021 cbq bandwidth 10Mbit rate 4Kbit weight 1Kbit prio 4 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
> tc qdisc add dev eth0 parent 1:9021 handle 9021 tbf rate 4Kbit buffer 512 limit 512 mtu 1500
> tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 8 fw classid 1:9021
>
> tc class add dev eth0 parent 1:902 classid 1:9022 cbq bandwidth 10Mbit rate 36Kbit weight 4Kbit prio 1 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
> tc qdisc add dev eth0 parent 1:9022 handle 9022 tbf rate 36Kbit buffer 4608 limit 4608 mtu 1500
> tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 5 fw classid 1:9022
> -------------------------------------------------------------------------
>
> And the corresponding iptables script is as follows.
>
> # The absolute path for iptables command
> IPTABLES=/sbin/iptables
>
> # Flush the rules if any already present in mangle table.
> $IPTABLES -t mangle -F
>
> ###########################################################################
> # Rules for uplink                                                        #
> ###########################################################################
> $IPTABLES -t mangle -A FORWARD -m state --state NEW -s 192.168.2.12 \
>     -d ! 192.168.2.0/24 -j MARK --set-mark 4
>
> $IPTABLES -t mangle -A FORWARD -m state --state NEW -s 192.168.2.22 \
>     -d ! 192.168.2.0/24 -j MARK --set-mark 1
>
> $IPTABLES -t mangle -A FORWARD -m state --state NEW -s 192.168.2.0/24 \
>     -d ! 192.168.2.0/24 -p tcp --dport 25 \
>     -j MARK --set-mark 3
>
> $IPTABLES -t mangle -A FORWARD -m state --state NEW -s 192.168.2.0/24 \
>     -d ! 192.168.2.0/24 -p tcp --dport 22 \
>     -j MARK --set-mark 3
>
> $IPTABLES -t mangle -A FORWARD -m state --state NEW -s 192.168.2.0/24 \
>     -d ! 192.168.2.0/24 -j MARK --set-mark 2
>
> ###########################################################################
> # Rules for downlink                                                      #
> ###########################################################################
> $IPTABLES -t mangle -A POSTROUTING -m state --state RELATED,ESTABLISHED \
>     -s ! 192.168.2.0/24 -d 192.168.2.12 -j MARK --set-mark 8
>
> $IPTABLES -t mangle -A POSTROUTING -m state --state RELATED,ESTABLISHED \
>     -s ! 192.168.2.0/24 -d 192.168.2.22 -j MARK --set-mark 5
>
> $IPTABLES -t mangle -A POSTROUTING -m state --state RELATED,ESTABLISHED \
>     -s ! 192.168.2.0/24 -p tcp --dport 25 -d 192.168.2.0/24 \
>     -j MARK --set-mark 7
>
> $IPTABLES -t mangle -A POSTROUTING -m state --state RELATED,ESTABLISHED \
>     -s ! 192.168.2.0/24 -p tcp --dport 22 -d 192.168.2.0/24 \
>     -j MARK --set-mark 7
>
> $IPTABLES -t mangle -A POSTROUTING -m state --state RELATED,ESTABLISHED \
>     -s ! 192.168.2.0/24 -d 192.168.2.0/24 -j MARK --set-mark 6
>
> Really get stuck.
> Help will be most appreciated.
>
> Thanks in advance
>
> shekhar
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
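
The three points in the reply above (the isolated parameter, the bounded option, and a tbf qdisc under a class that already limits the rate), written as a small lint over part of the posted script. This is an added example, not part of either post: the function names and finding labels are made up for illustration, and the sample lines are the first eth1 class and qdisc commands copied from the script above.

```python
import re

# First eth1 class and qdisc commands, copied from the script posted above.
SCRIPT = """\
tc class add dev eth1 parent 1: classid 1:80 cbq bandwidth 10Mbit rate 80Kbit weight 8Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated
tc class add dev eth1 parent 1:80 classid 1:801 cbq bandwidth 10Mbit rate 40Kbit weight 4Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated
tc class add dev eth1 parent 1:801 classid 1:8011 cbq bandwidth 10Mbit rate 16Kbit weight 2Kbit prio 3 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth1 parent 1:8011 handle 8011 tbf rate 16Kbit buffer 2048 limit 2048 mtu 1500
tc class add dev eth1 parent 1:801 classid 1:8012 cbq bandwidth 10Mbit rate 24Kbit weight 3Kbit prio 2 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth1 parent 1:8012 handle 8012 tbf rate 24Kbit buffer 3072 limit 3072 mtu 1500
"""

def rate_bits(text):
    """Convert a tc rate such as '16Kbit' to a number (only compared, never applied)."""
    number, unit = re.fullmatch(r"(\d+)(Kbit|Mbit)", text).groups()
    return int(number) * {"Kbit": 1_000, "Mbit": 1_000_000}[unit]

def opt(tokens, key):
    """Return the value that follows a tc keyword, e.g. opt(tokens, 'rate')."""
    return tokens[tokens.index(key) + 1]

def lint(script):
    """Return (classid, finding) pairs for the three points in the reply."""
    classes, findings = {}, []
    for line in script.splitlines():
        t = line.split()
        if t[:3] == ["tc", "class", "add"] and "cbq" in t:
            cid = opt(t, "classid")
            classes[cid] = {"rate": rate_bits(opt(t, "rate")), "bounded": "bounded" in t}
            if "isolated" in t:
                findings.append((cid, "isolated"))   # first tip: remove it
            if "bounded" in t:
                findings.append((cid, "bounded"))    # no sharing of unused bandwidth
        elif t[:3] == ["tc", "qdisc", "add"] and "tbf" in t:
            cid = opt(t, "parent")
            cls = classes.get(cid)
            # Second tip: the class already limits to this rate, so the tbf adds nothing.
            if cls and cls["bounded"] and rate_bits(opt(t, "rate")) >= cls["rate"]:
                findings.append((cid, "redundant-tbf"))
    return findings

if __name__ == "__main__":
    for cid, finding in lint(SCRIPT):
        print(cid, finding)
```
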