2012年1月30日 星期一

頻寬管理/限制 QOS + HTB 指令

HOST + upload

50kbyte/s for upload
25kbyte/s for http -> class 10:100
15kbyte/s for ftp -> class 10:200
10kbyte/s for others -> class 10:20

rate = 保證頻寬
ceil = 最大頻寬
attachments/month_200611/1163600502.png


# 刪除現有的規則
tc qdisc del dev eth0 root

# 定義頂層root規則
tc qdisc add dev eth0 root handle 10: htb default 20

# 定義class 10:1,這裡的50kbps即為50KByte/s
tc class add dev eth0 parent 10: classid 10:1 htb rate 50kbps ceil 50kbps

# 定義class 10:10
tc class add dev eth0 parent 10:1 classid 10:10 htb rate 40kbps ceil 40kbps

# 定義class 10:100
tc class add dev eth0 parent 10:10 classid 10:100 htb rate 25kbps ceil 40kbps
tc qdisc add dev eth0 parent 10:100 handle 101: pfifo
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 100 fw classid 10:100

# 定義class 10:200
tc class add dev eth0 parent 10:10 classid 10:200 htb rate 15kbps ceil 40kbps
tc qdisc add dev eth0 parent 10:200 handle 102: pfifo
tc filter add dev eth0 paent 10: protocol ip prio 100 handle 200 fw classid 10:200

# 定義class 10:20
tc class add dev eth0 parent 10:1 classid 10:20 htb rate 10kbps ceil 50kbps
tc qdisc add dev eth0 parent 10:20 handle 103: pfifo

#
iptables -t mangle -A OUTPUT -p tcp --sport 80 -j MARK --set-mark 100
iptables -t mangle -A OUTPUT -m owner --uid-owner ftp -j MARK --set-mark 200



NAT + download

200KByte/s for download

class 10:10 prio 0 for 優先使用者或伺服器
class 10:20 prio 1 for 一般 ''
class 10:30 prio 2 for 濫用 ''

attachments/month_200611/1163600506.png


# 刪除現有的規則
tc qdisc del dev eth0 root

# root
tc qdisc add dev eth0 root handle 10: htb default 20

# root 10:1 class
tc class add dev eth0 parent 10: classid 10:1 htb rate 200kbps ceil 200kbps

# 10:10 class
tc class add dev eth0 parent 10:1 classid 10:10 htb rate 100kbps ceil 200kbps prio 0
tc qdisc add dev eth0 parent 10:10 handle 101: pfifo
# 將 MARK為 10的歸類於 class 10:10
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 10 fw classid 10:10

# 10:20 class
tc class add dev eth0 parent 10:1 classid 10:20 htb rate 70kbps ceil 150kbps prio 1
tc qdisc add dev eth0 parent 10:20 handle 102: pfifo

# 10:30 class
tc class add dev eth0 parent 10:1 classid 10:30 htb rate 30kbps ceil 100kbps prio 2
tc qdisc add dev eth0 parent 10:30 handle 103: pfifo
# 將 MARK為 30的歸類於 class 10:30
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 30 fw classid 10:30

iptables -t mangle -A POSTROUTING -d 192.168.0.135 -j MARK --set-mark 10
iptables -t mangle -A POSTROUTING -d 192.168.0.32 -j MARK --set-mark 30



NAT + upload

25KByte/s for upload

class 20:100 for HTTP
class 20:200 for 高優先權
class 20:20  for 一般
class 20:30  for 濫用

attachments/month_200611/1163600509.png


#
tc qdisc del dev ppp0 root

#
tc qdisc add dev ppp0 root handle 20: htb default 20
tc class add dev ppp0 parent 20: classid 20:1 htb rate 25kbps ceil 25kbps
tc class add dev ppp0 parent 20:1 classid 20:10 htb rate 15kbps ceil 25kbps
tc class add dev ppp0 parent 20:1 classid 20:20 htb rate 7kbps ceil 20kbps prio 2
tc class add dev ppp0 parent 20:1 classid 20:30 htb rate 3kbps ceil 10kbps prio 3
tc class add dev ppp0 parent 20:10 classid 20:100 htb rate 8kbps ceil 25kbps prio 0
tc class add dev ppp0 parent 20:10 classid 20:200 htb rate 7kbps ceil 25kbps prio 1

#
tc qdisc add dev ppp0 parent 20:20 handle 101: pfifo
tc qdisc add dev ppp0 parent 20:30 handle 102: pfifo
tc qdisc add dev ppp0 parent 20:100 handle 201: pfifo
tc qdisc add dev ppp0 parent 20:200 handle 202: pfifo

#
tc filter add dev ppp0 parent 20: protocol ip prio 100 handle 20 fw classid 20:20
tc filter add dev ppp0 parent 20: protocol ip prio 100 handle 30 fw classid 20:30
tc filter add dev ppp0 parent 20: protocol ip prio 100 handle 100 fw classid 20:100
tc filter add dev ppp0 parent 20: protocol ip prio 100 handle 200 fw classid 20:200

#
iptables -t mangle -A OUTPUT -p tcp --sport 80 -j MARK --set-mark 100
iptables -t mangle -A PREROUTING -i eth0 -s 192.168.0.135 -j MARK --set-mark 200
iptables -t mangle -A PREROUTING -i eth0 -s 192.168.0.32 -j MARK --set-mark 30


沒有留言:

張貼留言

DNSSEC安全技術簡介 作者:游子興 / 臺灣大學計算機及資訊網路中心網路組約聘幹事 DNS 是一套已經廣泛使用的Internet 服務,但因先天的技術限制導致容易成為駭客攻擊的目標。本文主要在介紹DNSSEC 之緣起與技術背景,及其使用的加解密技術如何確保資料的完整...