Dear All,
I try to implement bandwidth control using tc + iptables.
Following is the setup I have at my premises.
eth0 -- Connected to local LAN
eth1 -- Connected with ISP
Following is my requirement.
1) I want to split 10Kbps pipe into two (5kbps each)
2) One 5kbps pipe is again split into 2kbps and 3kbps
The 2kbps pipe I am going to use to give internet access to all the
machines in my local LAN (i.e. 192.168.2.0/24)
The 3 kbps for SMTP, SSH connections for all
3) The second 5kbps pipe is split into 512bytes and 4.5kbps
The 512bytes pipe I want to give to some specific machine whose
IP is 192.168.2.12, and the 4.5 kbps pipe I want to dedicate to IP
192.168.2.22
The tc script for implementing the same is as follows
---------------------------------------------------------------------------
tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1 cbq bandwidth 10Mbit avpkt 1000 cell 8
tc qdisc del dev eth1 root
tc qdisc add dev eth1 root handle 1 cbq bandwidth 10Mbit avpkt 1000 cell 8
tc class add dev eth1 parent 1: classid 1:80 cbq bandwidth 10Mbit rate 80Kbit \
    weight 8Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated
tc class add dev eth1 parent 1:80 classid 1:801 cbq bandwidth 10Mbit rate 40Kbit \
    weight 4Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated
tc class add dev eth1 parent 1:801 classid 1:8011 cbq bandwidth 10Mbit rate 16Kbit \
    weight 2Kbit prio 3 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth1 parent 1:8011 handle 8011 tbf rate 16Kbit \
    buffer 2048 limit 2048 mtu 1500
tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 3 fw classid 1:8011
tc class add dev eth1 parent 1:801 classid 1:8012 cbq bandwidth 10Mbit rate 24Kbit \
    weight 3Kbit prio 2 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth1 parent 1:8012 handle 8012 tbf rate 24Kbit \
    buffer 3072 limit 3072 mtu 1500
tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 2 fw classid 1:8012
tc class add dev eth1 parent 1:80 classid 1:802 cbq bandwidth 10Mbit rate 40Kbit \
    weight 4Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated
tc class add dev eth1 parent 1:802 classid 1:8021 cbq bandwidth 10Mbit rate 4Kbit \
    weight 1Kbit prio 4 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth1 parent 1:8021 handle 8021 tbf rate 4Kbit \
    buffer 512 limit 512 mtu 1500
tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 4 fw classid 1:8021
tc class add dev eth1 parent 1:802 classid 1:8022 cbq bandwidth 10Mbit rate 36Kbit \
    weight 4Kbit prio 1 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth1 parent 1:8022 handle 8022 tbf rate 36Kbit \
    buffer 4608 limit 4608 mtu 1500
tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 1 fw classid 1:8022
tc class add dev eth0 parent 1: classid 1:90 cbq bandwidth 10Mbit rate 80Kbit \
    weight 8Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated
tc class add dev eth0 parent 1:90 classid 1:901 cbq bandwidth 10Mbit rate 40Kbit \
    weight 4Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated
tc class add dev eth0 parent 1:901 classid 1:9011 cbq bandwidth 10Mbit rate 16Kbit \
    weight 2Kbit prio 3 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth0 parent 1:9011 handle 9011 tbf rate 16Kbit \
    buffer 2048 limit 2048 mtu 1500
tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 7 fw classid 1:9011
tc class add dev eth0 parent 1:901 classid 1:9012 cbq bandwidth 10Mbit rate 24Kbit \
    weight 3Kbit prio 2 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth0 parent 1:9012 handle 9012 tbf rate 24Kbit \
    buffer 3072 limit 3072 mtu 1500
tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 6 fw classid 1:9012
tc class add dev eth0 parent 1:90 classid 1:902 cbq bandwidth 10Mbit rate 40Kbit \
    weight 4Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated
tc class add dev eth0 parent 1:902 classid 1:9021 cbq bandwidth 10Mbit rate 4Kbit \
    weight 1Kbit prio 4 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth0 parent 1:9021 handle 9021 tbf rate 4Kbit \
    buffer 512 limit 512 mtu 1500
tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 8 fw classid 1:9021
tc class add dev eth0 parent 1:902 classid 1:9022 cbq bandwidth 10Mbit rate 36Kbit \
    weight 4Kbit prio 1 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc qdisc add dev eth0 parent 1:9022 handle 9022 tbf rate 36Kbit \
    buffer 4608 limit 4608 mtu 1500
tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 5 fw classid 1:9022
-------------------------------------------------------------------------
And the corresponding iptables script is as follows.
# The absolute path for iptables command
IPTABLES=/sbin/iptables
# Flush the rules if any already present in mangle table.
$IPTABLES -t mangle -F
###########################################################################
# Rules for uplink
#
###########################################################################
$IPTABLES -t mangle -A FORWARD -m state --state NEW -s 192.168.2.12 \
-d ! 192.168.2.0/24 -j MARK --set-mark 4
$IPTABLES -t mangle -A FORWARD -m state --state NEW -s 192.168.2.22 \
-d ! 192.168.2.0/24 -j MARK --set-mark 1
$IPTABLES -t mangle -A FORWARD -m state --state NEW -s 192.168.2.0/24 \
-d ! 192.168.2.0/24 -p tcp --dport 25 \
-j MARK --set-mark 3
$IPTABLES -t mangle -A FORWARD -m state --state NEW -s 192.168.2.0/24 \
-d ! 192.168.2.0/24 -p tcp --dport 22 \
-j MARK --set-mark 3
$IPTABLES -t mangle -A FORWARD -m state --state NEW -s 192.168.2.0/24 \
-d ! 192.168.2.0/24 -j MARK --set-mark 2
###########################################################################
# Rules for downlink
#
###########################################################################
$IPTABLES -t mangle -A POSTROUTING -m state --state RELATED,ESTABLISHED \
-s ! 192.168.2.0/24 -d 192.168.2.12 -j MARK --set-mark 8
$IPTABLES -t mangle -A POSTROUTING -m state --state RELATED,ESTABLISHED \
-s ! 192.168.2.0/24 -d 192.168.2.22 -j MARK --set-mark 5
$IPTABLES -t mangle -A POSTROUTING -m state --state RELATED,ESTABLISHED \
-s ! 192.168.2.0/24 -p tcp --dport 25 -d 192.168.2.0/24 \
-j MARK --set-mark 7
$IPTABLES -t mangle -A POSTROUTING -m state --state RELATED,ESTABLISHED \
-s ! 192.168.2.0/24 -p tcp --dport 22 -d 192.168.2.0/24 \
-j MARK --set-mark 7
$IPTABLES -t mangle -A POSTROUTING -m state --state RELATED,ESTABLISHED \
-s ! 192.168.2.0/24 -d 192.168.2.0/24 -j MARK --set-mark 6
I am really stuck.
Help will be most appreciated.
Thanks in advance
shekhar
_______________________________________________
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
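
An added example, not part of the original post: a small shell model of the five uplink mangle rules above, showing which mark a packet still carries when it reaches the tc "fw" filters. It relies on two iptables behaviours: MARK does not stop chain traversal, and a packet that conntrack classifies as ESTABLISHED matches no "--state NEW" rule. The rule-table encoding, the helper names (in_lan, final_mark, show) and the sample packets are constructed for illustration.

```shell
#!/bin/sh
# Added illustration (constructed model, not the poster's script).
# MARK is a non-terminating target: the chain keeps going after a match,
# so the LAST matching rule decides the mark that the tc "fw" filter sees.

# True if the address is inside 192.168.2.0/24 (prefix test suffices for a /24).
in_lan() { case "$1" in 192.168.2.*) return 0 ;; *) return 1 ;; esac; }

# One rule per line: SRC DPORT MARK ("lan" = any LAN host, "-" = any port).
# Uplink rules in the order they appear in the post.
POSTED_ORDER='192.168.2.12 - 4
192.168.2.22 - 1
lan 25 3
lan 22 3
lan - 2'

# The same five rules, most general first, so the most specific match lands last.
GENERAL_FIRST='lan - 2
lan 25 3
lan 22 3
192.168.2.12 - 4
192.168.2.22 - 1'

# final_mark RULES STATE SRC DST DPORT -> prints the mark left on the packet.
final_mark() (
    rules=$1; state=$2; src=$3; dst=$4; dport=$5
    mark=0
    # Conditions shared by every uplink rule: state NEW, LAN source, non-LAN destination.
    if [ "$state" = NEW ] && in_lan "$src" && ! in_lan "$dst"; then
        while read -r rsrc rport rmark; do
            [ "$rsrc" = lan ] || [ "$rsrc" = "$src" ] || continue
            [ "$rport" = - ] || [ "$rport" = "$dport" ] || continue
            mark=$rmark    # no break here: traversal continues after MARK
        done <<EOF
$rules
EOF
    fi
    echo "$mark"
)

# Constructed packets; 203.0.113.5 is a documentation address.
show() { echo "$1: $(final_mark "$2" "$3" "$4" 203.0.113.5 "$5")"; }
show "posted order, .12 web"   "$POSTED_ORDER"  NEW         192.168.2.12 80
show "general first, .12 web"  "$GENERAL_FIRST" NEW         192.168.2.12 80
show "general first, SMTP"     "$GENERAL_FIRST" NEW         192.168.2.50 25
show "later packet of a flow"  "$GENERAL_FIRST" ESTABLISHED 192.168.2.12 80
```

On a live router, the per-rule packet counters from "iptables -t mangle -L -v -n" and the per-class counters from "tc -s class show dev eth1" show the same thing as this model: which rules and classes the traffic actually hits.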