Здравствуйте

Для тестирования понадобилось ограничить входящий и исходящий трафик для определённого порта до 64 Кбит/с. Решил начать с ssh. Во вложении — скрипт, который я переделал из какого-то найденного в Google.

К сожалению, этот скрипт почему-то ограничивает только исходящий трафик: при копировании по scp с этой машины всё хорошо — порядка 8–10 KB/s, но при копировании на эту машину трафик ограничен лишь примерно 500 KB/s (и, думаю, это ограничение — лишь косвенное следствие ограничения исходящего трафика, то есть отправляемых нами подтверждений ACK).

Что я делаю не так?

kernel-2.4.20

Вот результирующая таблица iptables и tc:

eth0:
qdisc cbq 11: rate 100Mbit (bounded,isolated) prio no-transmit
class cbq 11: root rate 100Mbit (bounded,isolated) prio no-transmit
class cbq 11:1 parent 11: rate 64Kbit (bounded) prio 1
filter parent 11: protocol ip pref 49152 fw
filter parent 11: protocol ip pref 49152 fw handle 0x4 classid 11:1

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  anywhere             anywhere             tcp spt:ssh MARK set 0x4
MARK       tcp  --  anywhere             anywhere             tcp dpt:ssh MARK set 0x4

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  anywhere             anywhere             tcp spt:ssh MARK set 0x4
MARK       tcp  --  anywhere             anywhere             tcp dpt:ssh MARK set 0x4

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  anywhere             anywhere             tcp spt:ssh MARK set 0x4
MARK       tcp  --  anywhere             anywhere             tcp dpt:ssh MARK set 0x4

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  anywhere             anywhere             tcp spt:ssh MARK set 0x4
MARK       tcp  --  anywhere             anywhere             tcp dpt:ssh MARK set 0x4


Спасибо
--
Best regards, Sergey Spiridonov
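#!/bin/bash
#
# tc.sh - shape TCP traffic on port ${PORT[*]} down to $DNLD.
#
# Mechanism: a root CBQ qdisc on eth0 with one bounded class; a tc "fw"
# filter steers every packet carrying netfilter mark 4 into that class, and
# iptables MARK rules in the mangle table set mark 4 on the port's traffic.
# Anything else that sets mark 4 on this host will be shaped too.
#
# Usage: tc.sh {start|stop|restart|show}   (must run as root)
#
# All rates are in kilobits per second; divide by 8 for kilobytes per second
# (e.g. 64Kbit == 8KB/s, 25Kbit == 3.125KB/s).
#
TC=/sbin/tc
IPTABLES=/sbin/iptables
DNLD=64Kbit             # rate limit for the shaped class
DWEIGHT=6Kbit           # CBQ weight for the class, ~1/10 of the rate limit
#UPLD=25Kbit            # eth1 limit (eth1 shaping is disabled below)
#UWEIGHT=2Kbit          # eth1 weight


# Mangle-table chains that receive a MARK rule (and lose it on stop).
# CHAIN=("POSTROUTING" "PREROUTING" "INPUT" "OUTPUT")
CHAIN=("POSTROUTING" "PREROUTING" "INPUT" "OUTPUT")

# Transport protocols to mark.
# PROTOCOL=("tcp" "udp")
PROTOCOL=("tcp")

# Match the port as source and as destination, so both halves of a
# connection are marked.
# DIRECTION=("--sport" "--dport")
DIRECTION=("--sport" "--dport")

# Ports to shape (array; one MARK rule is generated per port).
# PORT=("22")
PORT=("22")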


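tc_start() {
        # Install the shaper on eth0 and the MARK rules that feed it.
        #
        # Globals read: TC IPTABLES DNLD DWEIGHT CHAIN PROTOCOL DIRECTION PORT
        # Returns: status of the last iptables command; tc errors are not
        # checked (a second "start" without "stop" will fail on "qdisc add"
        # and then append duplicate MARK rules).
        #
        # NOTE: a root qdisc only handles packets *leaving* eth0.  Marks set
        # on incoming packets in PREROUTING/INPUT are never consulted here,
        # so only traffic sent by this host is shaped; a transfer *to* this
        # host is slowed down only indirectly, through the shaped ACKs we
        # send back.  Limiting the receive side needs the ingress qdisc plus
        # a police filter (tc qdisc add dev eth0 handle ffff: ingress).
        local chain protocol direction port

        $TC qdisc add dev eth0 root handle 11: cbq bandwidth 100Mbit avpkt 1000 mpu 64
        $TC class add dev eth0 parent 11:0 classid 11:1 cbq rate $DNLD weight $DWEIGHT allot 1514 prio 1 avpkt 1000 bounded
        # "fw" filter: packets with netfilter mark 4 go to the bounded class.
        $TC filter add dev eth0 parent 11:0 protocol ip handle 4 fw flowid 11:1

        # One MARK rule per chain x protocol x direction x port.  The arrays
        # are expanded as "${ARR[@]}" so each element is exactly one word.
        for chain in "${CHAIN[@]}"; do
          for protocol in "${PROTOCOL[@]}"; do
            for direction in "${DIRECTION[@]}"; do
              for port in "${PORT[@]}"; do
                ${IPTABLES} -t mangle -A "${chain}" -p "${protocol}" "${direction}" "${port}" -j MARK --set-mark 4
              done
            done
          done
        done

        # Optional second interface (upload side), disabled:
#       $TC qdisc add dev eth1 root handle 10: cbq bandwidth 10Mbit avpkt 1000 mpu 64
#       $TC class add dev eth1 parent 10:0 classid 10:1 cbq rate $UPLD weight $UWEIGHT allot 1514 prio 1 avpkt 1000 bounded
#       $TC filter add dev eth1 parent 10:0 protocol ip handle 3 fw flowid 10:1

}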

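tc_stop() {
        # Tear the shaper down: deleting the root qdisc also removes the
        # class and filter attached to it, then every MARK rule that
        # tc_start added is deleted with the same arguments.
        #
        # Globals read: TC IPTABLES CHAIN PROTOCOL DIRECTION PORT
        # Returns: status of the last iptables command.  "-D" removes one
        # copy of each rule, so duplicates left by a repeated "start" need a
        # second "stop"; if the arrays were changed since "start", rules
        # added under the old values are not touched.
        local chain protocol direction port

        $TC qdisc del dev eth0 root

        for chain in "${CHAIN[@]}"; do
          for protocol in "${PROTOCOL[@]}"; do
            for direction in "${DIRECTION[@]}"; do
              for port in "${PORT[@]}"; do
                ${IPTABLES} -t mangle -D "${chain}" -p "${protocol}" "${direction}" "${port}" -j MARK --set-mark 4
              done
            done
          done
        done

        # Optional second interface (upload side), disabled:
#       $TC qdisc del dev eth1 root

}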

tc_restart() {
        # Rebuild the shaper from scratch: remove qdisc and MARK rules,
        # pause a second so the kernel has released the old qdisc, then
        # install everything again.
        tc_stop; sleep 1; tc_start
}

tc_show() {
        # Read-only dump of the live shaping state: qdisc, classes and
        # filters on eth0, then the mangle table that holds the MARK rules.
        local dev=eth0
        local object

        printf '\n%s:\n' "$dev"
        for object in qdisc class filter; do
                $TC $object show dev $dev
        done
        printf '\n'
        $IPTABLES -t mangle --list

        # Optional second interface (upload side), disabled:
#       echo "eth1:"
#       $TC qdisc show dev eth1
#       $TC class show dev eth1
#       $TC filter show dev eth1
#       echo ""

}

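# Entry point: dispatch on the single sub-command argument.  "done" is
# printed regardless of whether tc/iptables succeeded; check the "show"
# output to confirm the shaper is really in place.
case "$1" in

 start)

        echo -n "Starting bandwidth shaping: "
        tc_start
        echo "done"
        ;;

 stop)

        echo -n "Stopping bandwidth shaping: "
        tc_stop
        echo "done"
        ;;

 restart)

        echo -n "Restarting bandwidth shaping: "
        tc_restart
        echo "done"
        ;;

 show)

        tc_show
        ;;

 *)

        # Usage error: report on stderr and exit non-zero so init/cron
        # callers can tell a typo from a successful run.  $0 replaces the
        # hard-coded /etc/init.d path, which is wrong when the script is
        # installed elsewhere.
        echo "Usage: $0 {start|stop|restart|show}" >&2
        exit 1
        ;;

esac

exit 0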
