problem with imq and bandwidth sharing

From: Damian Kamiński <blonders_malpka_go2.pl>
Date: Tue Oct 25 2005 - 10:10:56 CEST

Hello everyone!

     Some time ago I decided to change the bandwidth sharing to imq + htb, but after the changes I did not get
the effect I intended. Let me show what I have, and if someone has a moment, please correct me;
maybe I am making a mistake somewhere and cannot see it. All in all I have 4 interfaces, where on the dsl, i.e.
eth3, all www traffic goes out and nothing else; for packet marking I use IPMARK.
I will only add that the recompiled kernel, as well as iptables + all the patches, were done properly and without
errors (or maybe it only seems so to me) - either way there were no errors during recompilation.

- lan : eth0 ( 192.168.0.1 ) , eth2 ( 172.24.10.1 )
- wlan : eth1 ( 2mbit/2mbit ), eth3 ( 2mbit/256kbit )

-- start of firewall excerpt --

# cut off p2p on the dsl
iptables -t mangle -A FORWARD -i eth3 -m ipp2p --ipp2p -j DROP
iptables -t mangle -A FORWARD -i eth3 -m ipp2p --ipp2p-data -j DROP
iptables -t mangle -A FORWARD -o eth3 -m ipp2p --ipp2p -j DROP
iptables -t mangle -A FORWARD -o eth3 -m ipp2p --ipp2p-data -j DROP
iptables -t mangle -A OUTPUT -o eth3 -m ipp2p --ipp2p -j DROP
iptables -t mangle -A OUTPUT -o eth3 -m ipp2p --ipp2p-data -j DROP
iptables -t mangle -A INPUT -i eth3 -m ipp2p --ipp2p -j DROP
iptables -t mangle -A INPUT -i eth3 -m ipp2p --ipp2p-data -j DROP

# we set up the IPMARK marking
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A FORWARD -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark

#download
iptables -t mangle -A POSTROUTING -o eth0 -j IMQ --todev 0
iptables -t mangle -A POSTROUTING -o eth2 -j IMQ --todev 0

iptables -t mangle -A POSTROUTING -o eth0 -p udp --sport 53 -j IPMARK --addr=dst --and-mask=0xffff --or-mask=0x010000
iptables -t mangle -A POSTROUTING -o eth2 -p udp --sport 53 -j IPMARK --addr=dst --and-mask=0xffff --or-mask=0x010000
iptables -t mangle -A POSTROUTING -o eth0 -j IPMARK --addr=dst --and-mask=0xffff --or-mask=0x020000
iptables -t mangle -A POSTROUTING -o eth2 -j IPMARK --addr=dst --and-mask=0xffff --or-mask=0x020000

#upload
iptables -t mangle -A POSTROUTING -o eth1 -j IMQ --todev 1
iptables -t mangle -A POSTROUTING -o eth3 -j IMQ --todev 1

iptables -t mangle -A FORWARD -i eth0 -p udp --dport 53 -j IPMARK --addr=src --and-mask=0xffff --or-mask=0x050000
iptables -t mangle -A FORWARD -i eth2 -p udp --dport 53 -j IPMARK --addr=src --and-mask=0xffff --or-mask=0x050000

iptables -t mangle -A FORWARD -i eth0 -j IPMARK --addr=src --and-mask=0xffff --or-mask=0x060000
iptables -t mangle -A FORWARD -i eth2 -j IPMARK --addr=src --and-mask=0xffff --or-mask=0x060000
iptables -t mangle -A OUTPUT -o eth1 -j IPMARK --addr=src --and-mask=0xffff --or-mask=0x060000
iptables -t mangle -A OUTPUT -o eth3 -j IPMARK --addr=src --and-mask=0xffff --or-mask=0x060000

# saving the marks
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
iptables -t mangle -A FORWARD -j CONNMARK --save-mark
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

# limiting the number of connections
# - outgoing
iptables -A FORWARD -s $USER_IP/32 -o eth1 -p tcp --syn -m connlimit --connlimit-above 80 -j REJECT --reject-with tcp-reset
# - incoming
iptables -A FORWARD -d $USER_IP/32 -i eth1 -p tcp --syn -m connlimit --connlimit-above 80 -j REJECT --reject-with tcp-reset

# internet for a single user who is connected via eth0.
iptables -A FORWARD -o eth0 -d $USER_IP/32 -s 0.0.0.0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -s $USER_IP/32 -d 0.0.0.0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -s $USER_IP/32 -d $ETH1_IP -j ACCEPT
iptables -t nat -A POSTROUTING -s $USER_IP/32 -j SNAT --to-source $ETH1_IP

-- end of firewall excerpt --

-- start htb --

/sbin/tc qdisc add dev imq0 root handle 1:0 htb default 20
/sbin/tc qdisc add dev imq1 root handle 2:0 htb default 20

/sbin/tc class add dev imq0 parent 1:0 classid 1:1 htb prio 1 rate 90000kbit ceil 90000kbit
/sbin/tc class add dev imq1 parent 2:0 classid 2:1 htb prio 1 rate 90000kbit ceil 90000kbit

/sbin/tc class add dev imq0 parent 1:1 classid 1:2 htb prio 2 rate 80000kbit ceil 80000kbit
/sbin/tc filter add dev imq0 protocol ip parent 1:0 u32 match ip src 192.168.0.1 flowid 1:2
/sbin/tc filter add dev imq0 protocol ip parent 1:0 u32 match ip src 172.24.10.1 flowid 1:2
/sbin/tc qdisc add dev imq0 parent 1:2 handle 102:0 sfq perturb 10

/sbin/tc class add dev imq0 parent 1:1 classid 1:3 htb prio 1 rate 1920kbit ceil 1920kbit
/sbin/tc qdisc add dev imq0 parent 1:3 handle 103:0 sfq perturb 10
/sbin/tc class add dev imq1 parent 2:1 classid 2:3 htb prio 1 rate 1440kbit ceil 1440kbit
/sbin/tc qdisc add dev imq1 parent 2:3 handle 203:0 sfq perturb 10

# ( default )
/sbin/tc class add dev imq0 parent 1:1 classid 1:20 htb prio 40 rate 16kbit ceil 160kbit
/sbin/tc qdisc add dev imq0 parent 1:20 handle 120:0 sfq perturb 10
/sbin/tc class add dev imq1 parent 2:1 classid 2:20 htb prio 40 rate 16kbit ceil 160kbit
/sbin/tc qdisc add dev imq1 parent 2:20 handle 220:0 sfq perturb 10

#user1
/sbin/tc class add dev imq0 parent 1:3 classid 1:1101 htb rate 32kbit ceil 256kbit quantum 1
/sbin/tc filter add dev imq0 protocol ip parent 1:0 prio 2 handle 0x010065 fw classid 1:2
/sbin/tc filter add dev imq0 protocol ip parent 1:0 prio 3 handle 0x020065 fw classid 1:1101
/sbin/tc qdisc add dev imq0 parent 1:1101 handle 1101:0 sfq perturb 10
/sbin/tc class add dev imq1 parent 2:3 classid 2:2101 htb rate 24kbit ceil 160kbit quantum 1
/sbin/tc filter add dev imq1 protocol ip parent 2:0 prio 2 handle 0x050065 fw classid 2:2101
/sbin/tc filter add dev imq1 protocol ip parent 2:0 prio 3 handle 0x060065 fw classid 2:2101
/sbin/tc qdisc add dev imq1 parent 2:2101 handle 2101:0 sfq perturb 10

#user2
/sbin/tc class add dev imq0 parent 1:3 classid 1:1102 htb rate 32kbit ceil 256kbit quantum 1
/sbin/tc filter add dev imq0 protocol ip parent 1:0 prio 2 handle 0x010068 fw classid 1:2
/sbin/tc filter add dev imq0 protocol ip parent 1:0 prio 3 handle 0x020068 fw classid 1:1102
/sbin/tc qdisc add dev imq0 parent 1:1102 handle 1102:0 sfq perturb 10
/sbin/tc class add dev imq1 parent 2:3 classid 2:2102 htb rate 24kbit ceil 160kbit quantum 1
/sbin/tc filter add dev imq1 protocol ip parent 2:0 prio 2 handle 0x050068 fw classid 2:2102
/sbin/tc filter add dev imq1 protocol ip parent 2:0 prio 3 handle 0x060068 fw classid 2:2102
/sbin/tc qdisc add dev imq1 parent 2:2102 handle 2102:0 sfq perturb 10

-- stop htb --

-- 
Regards,
Damian Kamiński
gg : 4729448
Received on Tue Oct 25 10:18:19 2005
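As an added example (not part of the post), the Python below reproduces the arithmetic the IPMARK rules above rely on, mark = (addr & and-mask) | or-mask, so the fw handles in the tc filters can be checked against the hosts they are meant to match; the masks are the ones from the post, while the function names and the sample addresses are assumptions for illustration. It also shows the caveat that a host on eth2 such as 172.24.10.101 (constructed) keeps its third octet under the 0xffff mask, giving 0x020a65 rather than 0x020065, and flags hosts whose low 16 bits coincide and would therefore share a class.

```python
import ipaddress

# Mark layout used by the post's iptables rules: IPMARK keeps the low
# 16 bits of the address (--and-mask=0xffff) and ORs in a class prefix.
AND_MASK = 0xFFFF
OR_MASKS = {
    "dns_down": 0x010000,  # POSTROUTING --sport 53, --addr=dst
    "down":     0x020000,  # POSTROUTING, --addr=dst
    "dns_up":   0x050000,  # FORWARD --dport 53, --addr=src
    "up":       0x060000,  # FORWARD, --addr=src
}

def ipmark(addr, and_mask=AND_MASK, or_mask=0):
    """Reproduce the IPMARK target: mark = (addr & and_mask) | or_mask."""
    return (int(ipaddress.IPv4Address(addr)) & and_mask) | or_mask

def fw_handles(addr):
    """The four fwmarks the post's rules can put on one host's traffic."""
    return {name: ipmark(addr, AND_MASK, m) for name, m in OR_MASKS.items()}

def tc_filter_lines(addr, down_class, up_class):
    """Per-user 'tc filter ... fw' lines in the shape of the post's user1/user2
    blocks, with the handles derived from the address instead of typed by hand."""
    h = fw_handles(addr)
    pre0 = "/sbin/tc filter add dev imq0 protocol ip parent 1:0"
    pre1 = "/sbin/tc filter add dev imq1 protocol ip parent 2:0"
    return [
        f"{pre0} prio 2 handle {h['dns_down']:#08x} fw classid 1:2",
        f"{pre0} prio 3 handle {h['down']:#08x} fw classid {down_class}",
        f"{pre1} prio 2 handle {h['dns_up']:#08x} fw classid {up_class}",
        f"{pre1} prio 3 handle {h['up']:#08x} fw classid {up_class}",
    ]

def collisions(addrs):
    """Hosts whose low 16 bits coincide get identical marks and so land in the
    same HTB class; return the colliding (first, later) address pairs."""
    seen, out = {}, []
    for a in addrs:
        key = ipmark(a)
        if key in seen:
            out.append((seen[key], a))
        else:
            seen[key] = a
    return out

if __name__ == "__main__":
    for host in ("192.168.0.101", "172.24.10.101"):  # constructed sample hosts
        print(host, {k: f"{v:#08x}" for k, v in fw_handles(host).items()})
        print("\n".join(tc_filter_lines(host, "1:1101", "2:2101")))
    print(collisions(["192.168.0.101", "172.24.0.101", "172.24.10.101"]))
```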