Rage
Hi all,
After some research I managed to set up a packet filtering firewall with iptables, all good. I then wanted to add traffic shaping so my brother's bittorrent doesn't kill my counterstrike/web/SSH. Back to research on the web, I found this page: http://linuxreviews.org/howtos/netwo.../en/x2261.html and tried to apply what this guy says on top of my firewall settings.

The problem is that almost all the packets go through the default class. I have been playing counterstrike for about 4 hours and there are 36 packets in the high priority count, that can't be right. I also had an ssh session open and did a bit of web stuff (only 20 pkts in priority 3 class). What have I done wrong?

Thanks very much for any help you can give.

Rage

Here are the scripts I have written:

iptables-firewall:

```bash
#!/bin/bash

# PORTS TO OPEN:
PORTS=22,80

# eth0 -> Inet
# eth1 -> LAN

# delete old configuration, if any
#Flush all the rules in filter and nat tables
echo IPTABLES SCRIPT RUNNING.....
echo ...Flush tables...
iptables --flush
iptables --table nat --flush

# delete all chains that are not in default filter and nat table
echo ...Remove User chains...
iptables --delete-chain
iptables --table nat --delete-chain

echo ...Enable MASQUERADE...
# Set up IP FORWARDing and Masquerading (NAT)
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

#####################################################
# SETUP SHAPER HERE SO ITS RULES ARE HIT FIRST!      #
#####################################################
shaper

echo ...Set INPUT/OUTPUT policy to DROP...
#router : default = DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

echo ...Allow all outgoing and only RELATED and ESTABLISHED incoming...
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

echo ...FORWARD chain accepts only incoming ESTABLISHED AND RELATED...
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

echo ...Open ports: $PORTS...
iptables -A INPUT -p tcp -m multiport -i eth0 --destination-ports $PORTS -j ACCEPT
# Replaces:
# iptables -A INPUT -p tcp --dport XX -j ACCEPT

echo ...ALLOW ALL CONNECTIONS FROM LAN...
#allow all connections from LAN:
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

echo ...ALLOW ALL LOOPBACK...
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
```

shaper: called from about the middle of iptables-firewall

```bash
#!/bin/bash
echo TRAFFIC SHAPING SCRIPT RUNNING......

echo ...killing any old conf...
unshape

echo ...Creating Qdiscs...
CEIL=240
# DEFAULT TO 14 (priority 5 not 6) so place for p2p is 15 aka 6.
tc qdisc add dev eth0 root handle 1: htb default 14
tc class add dev eth0 parent 1: classid 1:1 htb rate ${CEIL}kbit ceil ${CEIL}kbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 80kbit ceil 80kbit prio 0
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 80kbit ceil ${CEIL}kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 20kbit ceil ${CEIL}kbit prio 2
tc class add dev eth0 parent 1:1 classid 1:13 htb rate 20kbit ceil ${CEIL}kbit prio 2
tc class add dev eth0 parent 1:1 classid 1:14 htb rate 10kbit ceil ${CEIL}kbit prio 3
tc class add dev eth0 parent 1:1 classid 1:15 htb rate 30kbit ceil ${CEIL}kbit prio 3
tc qdisc add dev eth0 parent 1:12 handle 120: sfq perturb 10
tc qdisc add dev eth0 parent 1:13 handle 130: sfq perturb 10
tc qdisc add dev eth0 parent 1:14 handle 140: sfq perturb 10
tc qdisc add dev eth0 parent 1:15 handle 150: sfq perturb 10

# protocol ip prio 1

echo ...Setup Filters...
# "fw" filters: the packet's iptables mark (handle N) selects the HTB class
tc filter add dev eth0 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10
tc filter add dev eth0 parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11
tc filter add dev eth0 parent 1:0 protocol ip prio 3 handle 3 fw classid 1:12
tc filter add dev eth0 parent 1:0 protocol ip prio 4 handle 4 fw classid 1:13
tc filter add dev eth0 parent 1:0 protocol ip prio 5 handle 5 fw classid 1:14
tc filter add dev eth0 parent 1:0 protocol ip prio 6 handle 6 fw classid 1:15

# Mark packets belonging to a marked connection the same as the connection:
#echo ...Setup connection marking...
#iptables -t mangle -A PREROUTING -m connmark --mark 0x1 -j MARK --set-mark 0x1
#iptables -t mangle -A PREROUTING -m connmark --mark 0x2 -j MARK --set-mark 0x2
#iptables -t mangle -A PREROUTING -m connmark --mark 0x3 -j MARK --set-mark 0x3
#iptables -t mangle -A PREROUTING -m connmark --mark 0x4 -j MARK --set-mark 0x4
#iptables -t mangle -A PREROUTING -m connmark --mark 0x5 -j MARK --set-mark 0x5
#iptables -t mangle -A PREROUTING -m connmark --mark 0x6 -j MARK --set-mark 0x6

#######################################################################
########## SHAPING GOES ON HERE ##############

# Each MARK rule is followed by a RETURN so a marked packet leaves the chain
# (RETURN in a built-in chain applies the chain policy, ACCEPT).
#echo ...ICMP...
iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p icmp -j RETURN
iptables -t mangle -A OUTPUT -o eth0 -p icmp -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -o eth0 -p icmp -j RETURN

P1_TCP=27015,21,22,23,123,194,6667
P1_UDP=27015,21,22,23,123,194,6667

P3_TCP=80,8080,20,69
P3_UDP=80,8080,20,69

#i What about:
#iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 22 -j CONNMARK --set-mark 0x1

echo ...Priority 1 tcp: $P1_TCP...
iptables -t mangle -A PREROUTING -p tcp -m multiport --sports $P1_TCP -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -o eth0 -p tcp -m multiport --sports $P1_TCP -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m multiport --sports $P1_TCP -j RETURN
iptables -t mangle -A OUTPUT -o eth0 -p tcp -m multiport --sports $P1_TCP -j RETURN

echo ...Priority 1 udp: $P1_UDP...
iptables -t mangle -A PREROUTING -p udp -m multiport --sports $P1_UDP -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -o eth0 -p udp -m multiport --sports $P1_UDP -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p udp -m multiport --sports $P1_UDP -j RETURN
iptables -t mangle -A OUTPUT -o eth0 -p udp -m multiport --sports $P1_UDP -j RETURN

echo ...Priority 3 tcp: $P3_TCP
iptables -t mangle -A PREROUTING -p tcp -m multiport --sports $P3_TCP -j MARK --set-mark 0x3
iptables -t mangle -A OUTPUT -o eth0 -p tcp -m multiport --sports $P3_TCP -j MARK --set-mark 0x3
iptables -t mangle -A PREROUTING -p tcp -m multiport --sports $P3_TCP -j RETURN
iptables -t mangle -A OUTPUT -o eth0 -p tcp -m multiport --sports $P3_TCP -j RETURN

echo ...Priority 3 udp: $P3_UDP
iptables -t mangle -A PREROUTING -p udp -m multiport --sports $P3_UDP -j MARK --set-mark 0x3
iptables -t mangle -A OUTPUT -o eth0 -p udp -m multiport --sports $P3_UDP -j MARK --set-mark 0x3
iptables -t mangle -A PREROUTING -p udp -m multiport --sports $P3_UDP -j RETURN
iptables -t mangle -A OUTPUT -o eth0 -p udp -m multiport --sports $P3_UDP -j RETURN

echo ...SYN,RST,ACK...
# -I inserts at the head of the chain, so insert the RETURN rules first and
# the MARK rules second; the chain then reads MARK, RETURN. (Inserting MARK
# first leaves RETURN in front of it and a bare SYN would never get marked.)
iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
iptables -t mangle -I OUTPUT -o eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x2
iptables -t mangle -I OUTPUT -o eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x2

#######################################
#######################################################################

# DEFAULT TO PRIORITY 5 instead of 6 so i have a place to throw peer to peer crap...
#iptables -t mangle -A PREROUTING -j MARK --set-mark 0x5
#iptables -t mangle -A OUTPUT -j MARK --set-mark 0x5

echo TRAFFIC SHAPING DONE
```

Scripts also available at: http://wrathnet.homeip.net/~rage/projects/server/

Thanks again.

Rage

--
FREE FPS DEATHMATCH: http://www.nexuiz.com PLAY IT FREE!
Rage
Sorry to top post and reply to myself.
I fixed the problem by using --dports as well as --sports rules. I am leaving this post in the hope that it may help others.

Rage

--
FREE FPS DEATHMATCH: http://www.nexuiz.com PLAY IT FREE!
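To see why the --sports-only rules left almost everything in the default class, here is an added example (not part of Rage's scripts) that models the mangle-chain marking in plain sh and runs the original and the --dports version over a few constructed packets. The port lists and the mark-to-class mapping come from the shaper script; `classify`, `class_for` and the sample packets are mine, and the model assumes the SYN rules sit at the head of the chain with MARK ahead of RETURN, as intended.

```shell
#!/bin/sh
# Dry-run model of the shaper's mangle-chain marking (added example, not the
# poster's script). Port lists are from the post; sample packets are constructed.
# Assumes the bare-SYN rules are first in the chain with MARK before RETURN.

P1_PORTS="27015 21 22 23 123 194 6667"   # mark 0x1 -> class 1:10
P3_PORTS="80 8080 20 69"                  # mark 0x3 -> class 1:12

# in_list PORT "P1 P2 ..." -> success if PORT is one of the listed ports
in_list() {
    for p in $2; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# classify MODE PROTO SPORT DPORT [FLAGS]
#   MODE  = sports (the original rules) | both (the --sports plus --dports fix)
#   FLAGS = TCP flags set on the packet, e.g. SYN, "SYN,ACK", ACK
# Prints the fwmark the packet carries when it leaves the chain
# (0 = unmarked, which the HTB qdisc sends to "default 14").
classify() {
    mode=$1 proto=$2 sport=$3 dport=$4 flags=${5:-}
    # --tcp-flags SYN,RST,ACK SYN: only a bare SYN (RST and ACK clear) matches
    if [ "$proto" = tcp ] && [ "$flags" = SYN ]; then
        echo 2; return
    fi
    if [ "$proto" = icmp ]; then
        echo 1; return
    fi
    # Rule order in the script: P1 before P3; each MARK is followed by a
    # RETURN, so the first matching port list decides the mark.
    for entry in "1 $P1_PORTS" "3 $P3_PORTS"; do
        mark=${entry%% *}
        ports=${entry#* }
        if in_list "$sport" "$ports"; then
            echo "$mark"; return
        fi
        if [ "$mode" = both ] && in_list "$dport" "$ports"; then
            echo "$mark"; return
        fi
    done
    echo 0
}

# class_for MARK -> HTB class the "fw" filters select for that mark
class_for() {
    case $1 in
        1) echo 1:10 ;; 2) echo 1:11 ;; 3) echo 1:12 ;;
        4) echo 1:13 ;; 5) echo 1:14 ;; 6) echo 1:15 ;;
        *) echo 1:14 ;;   # no filter matches: the qdisc's default class
    esac
}

# Constructed packets as PREROUTING sees them for LAN -> Internet traffic
# (proto sport dport flags). The client side of a game, ssh or web flow
# uses an ephemeral source port, so only the destination port is
# recognisable; the last packet is a server reply, which --sports did catch.
for pkt in "udp 40000 27015" "tcp 51000 22 ACK" "tcp 51001 80 ACK" \
           "tcp 51002 80 SYN" "udp 27015 40000"; do
    set -- $pkt
    old=$(classify sports "$1" "$2" "$3" "$4")
    new=$(classify both "$1" "$2" "$3" "$4")
    printf '%-20s sports-only -> %s   with --dports -> %s\n' \
        "$pkt" "$(class_for "$old")" "$(class_for "$new")"
done
```

Packets the firewall forwards from the LAN towards the Internet carry the well-known port as their destination, so with --sports alone they stay unmarked and land in 1:14.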
Rage
Rage wrote:
> I fixed the problem by using --dports as well as --sports rules.

NOTE: You need to add the line:

```bash
iptables --table mangle --flush
```

to flush the mangle table to get back to a clear state before config. Add it where the other flush lines are.

Rage

--
FREE FPS DEATHMATCH: http://www.nexuiz.com PLAY IT FREE!
Scott R. Haven
Rage wrote:
> Rage wrote: > >> Sorry to top post and reply to myself. >> >> I fixed the problem by using --dports as well as --sports rules. >> >> I am leaving this post in the hope that it may help others. >> >> Rage >> >> >> Rage wrote: >> >>> Hi all, >>> >>> After some reaserch I mannaged to setup a packet filtering firewall >>> with iptables, all good. >>> I then wanted to add traffic shaping so my brothers bittorrent >>> doesn't kill my counterstrike/web/SSH. >>> Bach to reaserch on the web, I found this page: >>> http://linuxreviews.org/howtos/netwo.../en/x2261.html >>> and tried to apply what this guy says ontop of my firewall settings. >>> >>> The problem is that almost all the packets go through the default class. >>> I have been playing counterstrike for about 4 hours and there are 36 >>> pakets in the high priority count, that can't be right. >>> I also had an ssh session open and did a bit of web stuff (only 20 >>> pkts in priority 3 class). What have I done wrong? >>> >>> Thanks very much for any help you can give. >>> >>> Rage >>> >>> Here are the scripts I have writen: >>> iptables-firewall: >>> >>> #!/bin/bash >>> >>> # PORTS TO OPEN: >>> PORTS=22,80 >>> >>> # eth0 -> Inet >>> # eth1 -> LAN >>> >>> # delete old configuration, if any >>> #Flush all the rules in filter and nat tables >>> echo IPTABLES SCRIPT RUNNING..... >>> echo ...Flush tables... >>> iptables --flush >>> iptables --table nat --flush >>> >>> # delete all chains that are not in default filter and nat table >>> echo ...Remove User chains... >>> iptables --delete-chain >>> iptables --table nat --delete-chain >>> >>> echo ...Enable MASQUERADE... >>> # Set up IP FORWARDing and Masquerading (NAT) >>> iptables --table nat --append POSTROUTING --out-interface eth0 -j >>> MASQUERADE >>> iptables --append FORWARD --in-interface eth1 -j ACCEPT >>> >>> ################################################## ### >>> # SETUP SHAPER HERE SO IT'S RULES ARE HIT FIRST! 
# >>> ################################################## ### >>> shaper >>> >>> echo ...Set INPUT/OUTPUT policy to DROP... >>> #router : default = DROP >>> iptables -P INPUT DROP >>> iptables -P OUTPUT DROP >>> iptables -P FORWARD DROP >>> >>> echo ...Allow all outgoing and only RELATED and ESTABLISHED incoming... >>> iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED,NEW >>> -j ACCEPT >>> iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j >>> ACCEPT >>> >>> echo ...FORWARD chain accepts only incomming ESTABLISHED AND RELATED... >>> iptables -A FORWARD -i eth1 -o eth0 -m state --state >>> ESTABLISHED,RELATED,NEW -j ACCEPT >>> iptables -A FORWARD -i eth0 -o eth1 -m state --state >>> ESTABLISHED,RELATED -j ACCEPT >>> >>> echo ...Open ports: $PORTS... >>> iptables -A INPUT -p tcp -m multiport -i eth0 --destination-ports >>> $PORTS -j ACCEPT >>> # Replaces: >>> # iptables -A INPUT -p tcp --dport XX -j ACCEPT >>> >>> echo ...ALLOW ALL CONNECTIONS FROM LAN... >>> #allow all connections from LAN: >>> iptables -A INPUT -i eth1 -j ACCEPT >>> iptables -A OUTPUT -o eth1 -j ACCEPT >>> >>> echo ...ALLOW ALL LOOPBACK... >>> iptables -A INPUT -i lo -j ACCEPT >>> iptables -A OUTPUT -o lo -j ACCEPT >>> >>> >>> >>> >>> >>> >>> shaper: called from about the middle of iptables-firewall >>> >>> #!/bin/bash >>> echo TRAFFIC SHAPING SCRIPT RUNNING...... >>> >>> echo ...killing any old conf... >>> unshape >>> >>> echo ...Creating Qdiscs... >>> CEIL=240 >>> # DEFAULT TO 14 (priority 5 not 6) so place for p2p is 15 aka 6. 
>>> tc qdisc add dev eth0 root handle 1: htb default 14
>>> tc class add dev eth0 parent 1: classid 1:1 htb rate ${CEIL}kbit ceil ${CEIL}kbit
>>> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 80kbit ceil 80kbit prio 0
>>> tc class add dev eth0 parent 1:1 classid 1:11 htb rate 80kbit ceil ${CEIL}kbit prio 1
>>> tc class add dev eth0 parent 1:1 classid 1:12 htb rate 20kbit ceil ${CEIL}kbit prio 2
>>> tc class add dev eth0 parent 1:1 classid 1:13 htb rate 20kbit ceil ${CEIL}kbit prio 2
>>> tc class add dev eth0 parent 1:1 classid 1:14 htb rate 10kbit ceil ${CEIL}kbit prio 3
>>> tc class add dev eth0 parent 1:1 classid 1:15 htb rate 30kbit ceil ${CEIL}kbit prio 3
>>> tc qdisc add dev eth0 parent 1:12 handle 120: sfq perturb 10
>>> tc qdisc add dev eth0 parent 1:13 handle 130: sfq perturb 10
>>> tc qdisc add dev eth0 parent 1:14 handle 140: sfq perturb 10
>>> tc qdisc add dev eth0 parent 1:15 handle 150: sfq perturb 10
>>>
>>> # protocol ip prio 1
>>>
>>> echo ...Setup Filters...
>>> tc filter add dev eth0 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10
>>> tc filter add dev eth0 parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11
>>> tc filter add dev eth0 parent 1:0 protocol ip prio 3 handle 3 fw classid 1:12
>>> tc filter add dev eth0 parent 1:0 protocol ip prio 4 handle 4 fw classid 1:13
>>> tc filter add dev eth0 parent 1:0 protocol ip prio 5 handle 5 fw classid 1:14
>>> tc filter add dev eth0 parent 1:0 protocol ip prio 6 handle 6 fw classid 1:15
>>>
>>> # Mark packets belonging to a marked connection the same as the connection:
>>> #echo ...Setup connection marking...
>>> #iptables -t mangle -A PREROUTING -m connmark --mark 0x1 -j MARK --set-mark 0x1
>>> #iptables -t mangle -A PREROUTING -m connmark --mark 0x2 -j MARK --set-mark 0x2
>>> #iptables -t mangle -A PREROUTING -m connmark --mark 0x3 -j MARK --set-mark 0x3
>>> #iptables -t mangle -A PREROUTING -m connmark --mark 0x4 -j MARK --set-mark 0x4
>>> #iptables -t mangle -A PREROUTING -m connmark --mark 0x5 -j MARK --set-mark 0x5
>>> #iptables -t mangle -A PREROUTING -m connmark --mark 0x6 -j MARK --set-mark 0x6
>>>
>>> #######################################################################
>>> ########## SHAPING GOES ON HERE ##############
>>>
>>> #echo ...ICMP...
>>> iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1
>>> iptables -t mangle -A PREROUTING -p icmp -j RETURN
>>> iptables -t mangle -A OUTPUT -o eth0 -p icmp -j MARK --set-mark 0x1
>>> iptables -t mangle -A OUTPUT -o eth0 -p icmp -j RETURN
>>>
>>> P1_TCP=27015,21,22,23,123,194,6667
>>> P1_UDP=27015,21,22,23,123,194,6667
>>>
>>> P3_TCP=80,8080,20,69
>>> P3_UDP=80,8080,20,69
>>>
>>> #i What about:
>>> #iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 22 -j CONNMARK --set-mark 0x1
>>>
>>> echo ...Priority 1 tcp: $P1_TCP...
>>> iptables -t mangle -A PREROUTING -p tcp -m multiport --sports $P1_TCP -j MARK --set-mark 0x1
>>> iptables -t mangle -A OUTPUT -o eth0 -p tcp -m multiport --sports $P1_TCP -j MARK --set-mark 0x1
>>> iptables -t mangle -A PREROUTING -p tcp -m multiport --sports $P1_TCP -j RETURN
>>> iptables -t mangle -A OUTPUT -o eth0 -p tcp -m multiport --sports $P1_TCP -j RETURN
>>>
>>> echo ...Priority 1 udp: $P1_UDP...
>>> iptables -t mangle -A PREROUTING -p udp -m multiport --sports $P1_UDP -j MARK --set-mark 0x1
>>> iptables -t mangle -A OUTPUT -o eth0 -p udp -m multiport --sports $P1_UDP -j MARK --set-mark 0x1
>>> iptables -t mangle -A PREROUTING -p udp -m multiport --sports $P1_UDP -j RETURN
>>> iptables -t mangle -A OUTPUT -o eth0 -p udp -m multiport --sports $P1_UDP -j RETURN
>>>
>>> echo ...Priority 3 tcp: $P3_TCP
>>> iptables -t mangle -A PREROUTING -p tcp -m multiport --sports $P3_TCP -j MARK --set-mark 0x3
>>> iptables -t mangle -A OUTPUT -o eth0 -p tcp -m multiport --sports $P3_TCP -j MARK --set-mark 0x3
>>> iptables -t mangle -A PREROUTING -p tcp -m multiport --sports $P3_TCP -j RETURN
>>> iptables -t mangle -A OUTPUT -o eth0 -p tcp -m multiport --sports $P3_TCP -j RETURN
>>>
>>> echo ...Priority 3 udp: $P3_UDP
>>> iptables -t mangle -A PREROUTING -p udp -m multiport --sports $P3_UDP -j MARK --set-mark 0x3
>>> iptables -t mangle -A OUTPUT -o eth0 -p udp -m multiport --sports $P3_UDP -j MARK --set-mark 0x3
>>> iptables -t mangle -A PREROUTING -p udp -m multiport --sports $P3_UDP -j RETURN
>>> iptables -t mangle -A OUTPUT -o eth0 -p udp -m multiport --sports $P3_UDP -j RETURN
>>>
>>> echo ...SYN,RST,ACK...
>>> iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x2
>>> iptables -t mangle -I OUTPUT -o eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x2
>>> iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
>>> iptables -t mangle -I OUTPUT -o eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
>>>
>>> ######################################
>>> #######################################################################
>>>
>>> # DEFAULT TO PRIORITY 5 instead of 6 so i have a place to throw peer to peer crap...
>>> #iptables -t mangle -A PREROUTING -j MARK --set-mark 0x5
>>> #iptables -t mangle -A OUTPUT -j MARK --set-mark 0x5
>>>
>>> echo TRAFIC SHAPING DONE
>>>
>>> Scripts also available at:
>>> http://wrathnet.homeip.net/~rage/projects/server/
>>>
>>> Thanks again.
>>>
>>> Rage
>
> NOTE:
> You need to add the line:
> iptables --table mangle --flush
>
> to flush the mangle table to get back to a clean state before config.
> Add it where the other flush lines are.
>
> Rage

If you want to get crafty you can also shape the other interface. Example:

eth0 -> Internet
eth1 -> LAN (create bottleneck here)

Be careful that you only shape traffic from the Internet to the LAN, not traffic from the firewall itself.

With DSL and Cable you may need to set CEIL to the "actual" bandwidth limit, otherwise the bottleneck will be at the provider. This is tough because the max bandwidth will vary. For unimportant traffic I'd set CEIL a little lower than 100%.

Scott R. Haven
Sr. Systems Engineer
Paisley Systems Inc.
managed services, consulting, and support
www.paisleysystems.com
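An added example, not Scott's or Rage's script, of the LAN-side setup described above: HTB on eth1 with CEIL below the measured link rate, marks applied only in the FORWARD chain for Internet-to-LAN packets, and no HTB default class so the firewall's own (unmarked) traffic bypasses the shaper. The interface names, the 2000 kbit link rate, the 90% figure and the port list are assumptions; DRY_RUN=1 prints the commands instead of executing them so the plan can be inspected without root.

```shell
#!/bin/bash
# Added example (not the thread's script): shape Internet->LAN traffic on the
# LAN interface and leave the firewall's own packets unshaped.
# DRY_RUN=1 prints the commands instead of running them (no root needed).
LAN=eth1                        # assumed: bottleneck interface toward the LAN
WAN=eth0                        # assumed: Internet-facing interface
LINK_KBIT=${LINK_KBIT:-2000}    # assumed measured download rate, kbit/s
PCT=${PCT:-90}                  # shape to 90% so the queue builds here, not at the ISP
P1_SPORTS=27015,22              # assumed Internet-side source ports for the high class

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# CEIL in kbit = link rate * percentage / 100 (integer arithmetic)
ceil_kbit() { echo $(( $1 * ${2:-$PCT} / 100 )); }

lan_shaper() {
    ceil=$(ceil_kbit "$LINK_KBIT")
    # Clean state first: flush mangle marks and drop any old root qdisc.
    run iptables --table mangle --flush
    run tc qdisc del dev "$LAN" root 2>/dev/null || true
    # No "default" class: unclassified (unmarked) packets bypass HTB and go
    # out unshaped, which is what the firewall's own traffic should do.
    run tc qdisc add dev "$LAN" root handle 1: htb
    run tc class add dev "$LAN" parent 1: classid 1:1 htb rate ${ceil}kbit ceil ${ceil}kbit
    run tc class add dev "$LAN" parent 1:1 classid 1:10 htb rate $((ceil/2))kbit ceil ${ceil}kbit prio 0
    run tc class add dev "$LAN" parent 1:1 classid 1:20 htb rate $((ceil/2))kbit ceil ${ceil}kbit prio 1
    run tc qdisc add dev "$LAN" parent 1:20 handle 20: sfq perturb 10
    run tc filter add dev "$LAN" parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10
    run tc filter add dev "$LAN" parent 1:0 protocol ip prio 2 handle 2 fw classid 1:20
    # Mark only forwarded WAN->LAN packets. The firewall's own traffic goes
    # through OUTPUT, never FORWARD, so it stays unmarked and unshaped.
    run iptables -t mangle -A FORWARD -i "$WAN" -o "$LAN" -p tcp -m multiport --sports "$P1_SPORTS" -j MARK --set-mark 0x1
    run iptables -t mangle -A FORWARD -i "$WAN" -o "$LAN" -p udp -m multiport --sports "$P1_SPORTS" -j MARK --set-mark 0x1
    run iptables -t mangle -A FORWARD -i "$WAN" -o "$LAN" -m mark --mark 0 -j MARK --set-mark 0x2
}

# "plan" prints the commands; "apply" runs them (needs root).
case "$1" in
    plan)  DRY_RUN=1 lan_shaper ;;
    apply) lan_shaper ;;
esac
```

Check the result with `tc -s class show dev eth1`: forwarded traffic should accumulate in 1:10 and 1:20, while packets sent by the firewall itself should not appear in any class.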