fair_traffic_shaping_an_adsl_line_for_a_local_network_using_linux
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision | Next revision Both sides next revision | ||
|
fair_traffic_shaping_an_adsl_line_for_a_local_network_using_linux [2018/12/06 20:07] abeverley |
fair_traffic_shaping_an_adsl_line_for_a_local_network_using_linux [2018/12/06 21:55] abeverley |
||
|---|---|---|---|
| Line 16: | Line 16: | ||
| IPset is not yet in the stable kernel, so the easiest way to install it (in Debian Squeeze) is: | IPset is not yet in the stable kernel, so the easiest way to install it (in Debian Squeeze) is: | ||
| - | ''%% aptitude install ipset ipset-source module-assistant%%''\\ | + | aptitude install ipset ipset-source module-assistant |
| - | ''%% module-assistant auto-install ipset-source%%'' | + | module-assistant auto-install ipset-source |
| ===== Principle of operation ===== | ===== Principle of operation ===== | ||
| Line 44: | Line 44: | ||
| The first task is to create an ipset for storing the IP addresses of all our naughty users slurping up the bandwidth with constantly downloading P2P software. A timeout of 60 seconds is used, so that as soon as they turn off their software their IP address is removed. The current IP addresses in the IPset can be monitored with the 'ipset -L' comand from the bash prompt | The first task is to create an ipset for storing the IP addresses of all our naughty users slurping up the bandwidth with constantly downloading P2P software. A timeout of 60 seconds is used, so that as soon as they turn off their software their IP address is removed. The current IP addresses in the IPset can be monitored with the 'ipset -L' comand from the bash prompt | ||
| - | ''%% # Create a set called p2p with 60 second timeout%%''\\ | + | # Create a set called p2p with 60 second timeout |
| - | ''%% ipset -N p2p iptree --timeout 60%%'' | + | ipset -N p2p iptree --timeout 60 |
| Next we need to mark traffic as required, using the principles set out earlier. The following code contains some examples. | Next we need to mark traffic as required, using the principles set out earlier. The following code contains some examples. | ||
| - | ''%% # Set default mark for forwarded packets%%''\\ | + | # Set default mark for forwarded packets |
| - | ''%% $IPTABLES -t mangle -A FORWARD -j MARK --set-mark 40%%''\\ | + | $IPTABLES -t mangle -A FORWARD -j MARK --set-mark 40 |
| - | ''%% %%''\\ | + | |
| - | ''%% # Mark http and https traffic as 30, both in and out%%''\\ | + | # Mark http and https traffic as 30, both in and out |
| - | ''%% $IPTABLES -t mangle -A FORWARD -p tcp --sport 80 -i ppp0 -j MARK --set-mark 30%%''\\ | + | $IPTABLES -t mangle -A FORWARD -p tcp --sport 80 -i ppp0 -j MARK --set-mark 30 |
| - | ''%% $IPTABLES -t mangle -A FORWARD -p tcp --dport 80 -o ppp0 -j MARK --set-mark 30%%''\\ | + | $IPTABLES -t mangle -A FORWARD -p tcp --dport 80 -o ppp0 -j MARK --set-mark 30 |
| - | ''%% $IPTABLES -t mangle -A FORWARD -p tcp --sport 443 -i ppp0 -j MARK --set-mark 30%%''\\ | + | $IPTABLES -t mangle -A FORWARD -p tcp --sport 443 -i ppp0 -j MARK --set-mark 30 |
| - | ''%% $IPTABLES -t mangle -A FORWARD -p tcp --dport 443 -i eth0 -j MARK --set-mark 30%%''\\ | + | $IPTABLES -t mangle -A FORWARD -p tcp --dport 443 -i eth0 -j MARK --set-mark 30 |
| - | ''%% %%''\\ | + | |
| - | ''%% # Mark in and out SSH traffic as high priority%%''\\ | + | # Mark in and out SSH traffic as high priority |
| - | ''%% $IPTABLES -t mangle -A FORWARD -p tcp --sport 22 -i ppp0 -j MARK --set-mark 10%%''\\ | + | $IPTABLES -t mangle -A FORWARD -p tcp --sport 22 -i ppp0 -j MARK --set-mark 10 |
| - | ''%% $IPTABLES -t mangle -A FORWARD -p tcp --dport 22 -o ppp0 -j MARK --set-mark 10%%''\\ | + | $IPTABLES -t mangle -A FORWARD -p tcp --dport 22 -o ppp0 -j MARK --set-mark 10 |
| - | ''%% %%''\\ | + | |
| - | ''%% # Mark DNS traffic from localhost%%''\\ | + | # Mark DNS traffic from localhost |
| - | ''%% $IPTABLES -t mangle -A OUTPUT -m udp -p udp --dport 53 -o ppp0 -j MARK --set-mark 10%%''\\ | + | $IPTABLES -t mangle -A OUTPUT -m udp -p udp --dport 53 -o ppp0 -j MARK --set-mark 10 |
| - | ''%% $IPTABLES -t mangle -A OUTPUT -m udp -p udp --sport 53 -o eth0 -j MARK --set-mark 10%%''\\ | + | $IPTABLES -t mangle -A OUTPUT -m udp -p udp --sport 53 -o eth0 -j MARK --set-mark 10 |
| - | ''%% %%''\\ | + | |
| - | ''%% # IMAP%%''\\ | + | # IMAP |
| - | ''%% $IPTABLES -t mangle -A FORWARD -p tcp --sport 993 -i ppp0 -j MARK --set-mark 30%%''\\ | + | $IPTABLES -t mangle -A FORWARD -p tcp --sport 993 -i ppp0 -j MARK --set-mark 30 |
| - | ''%% $IPTABLES -t mangle -A FORWARD -p tcp --dport 993 -o ppp0 -j MARK --set-mark 30%%''\\ | + | $IPTABLES -t mangle -A FORWARD -p tcp --dport 993 -o ppp0 -j MARK --set-mark 30 |
| - | ''%% %%''\\ | + | |
| - | ''%% # Mark any large downloads as 40 (they may have been marked 30 or 10 earlier)%%''\\ | + | # Mark any large downloads as 40 (they may have been marked 30 or 10 earlier) |
| - | ''%% $IPTABLES -t mangle -A FORWARD -m connbytes --connbytes 504857: --connbytes-dir both \%%''\\ | + | $IPTABLES -t mangle -A FORWARD -m connbytes --connbytes 504857: --connbytes-dir both \\ |
| - | ''%% --connbytes-mode bytes -j MARK --set-mark 40%%''\\ | + | --connbytes-mode bytes -j MARK --set-mark 40 |
| - | ''%% %%''\\ | + | |
| - | ''%% # To speed up downloads while an upload is going on, put short ACK%%''\\ | + | # To speed up downloads while an upload is going on, put short ACK |
| - | ''%% # packets in their own class:%%''\\ | + | # packets in their own class: |
| - | ''%% $IPTABLES -t mangle -A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -m length --length :64 -j MARK --set-mark 20%%'' | + | $IPTABLES -t mangle -A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -m length --length :64 -j MARK --set-mark 20 |
| Now we need to look out for all those P2P connections. We're going to find these out by looking for a client on the network making lots of connections to high port numbers, which is generally what P2P software does. This isn't foolproof of course: I have seen P2P software start to use port 80, and there could be false negatives, but on the whole it seems to work better than any other solutions out there that I have tried. | Now we need to look out for all those P2P connections. We're going to find these out by looking for a client on the network making lots of connections to high port numbers, which is generally what P2P software does. This isn't foolproof of course: I have seen P2P software start to use port 80, and there could be false negatives, but on the whole it seems to work better than any other solutions out there that I have tried. | ||
fair_traffic_shaping_an_adsl_line_for_a_local_network_using_linux.txt · Last modified: 2018/12/06 22:02 by abeverley
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International
