[LARTC] Shaping p2p programs

[GoMi]

Hi there, i am going to explain you my setup and post you my scripts in
case they are of any help to anybody :)
This mail is a little long, but i think the only way you can undestandme
is writing you my whole code..

1.- I have to ADSL connections connected through ehternet cards eth0 and
eth1 to the routers
        -Both ADSL are 2Mbit downsteam / 300kbit upstream
        -eth2 goes to my 200 users LAN.

2.- I am doing load balancing (that works great)

3.- I have a mail and web server redirected to eth0's ADSL.

4.- My QoS setup attached to eth0 and eth1
        1 Qdisc for high-priority traffic       (mark 1)
        1 Qdisc for low-priority traffic        (mark 2)
        1 Qdisc for SYN,ACK traffic             (mark 3)
        1 Qdisc for ICMP traffic                (mark 4)
        1 Qdisc for Web-server traffic  (mark 5)
                ->Scripts below

5.- Since i am doing load balancing i have a stateful firewall as
explained in Nano HOWTO
                ->Firewall scripts below

6.- Use the mangle table to mark packets and redirect them to the Qdisc
        Let me explain my reasoning: 
                I want to mark interactive traffic like HTTP,SMTP,etc to
mark 1
                Mark DNS traffic and MSN Messenger(dport 1863) to
interactive High priority mark 1
                
                Mark p2p programs with the ipp2p module to mark p2p
programs to mark 2
                        (dport 1214 is Imesh)
                In order to make sure ACKS and SYN traffic is going out
propperly i have an special qdisc
                If any traffic is unmarked, mark it as low-priority
                ->Mangle setup below


---->PROBLEM:
  The problem comes after having this setup running for an hour or so,
when interactive traffic has VERY HIGH latency, or nearly dIES.
  Anybody having mor or less a similar setup, because i am driving mad
here! 
  Any suggestions are welcome :) Thank you very much!!!!!

  My BOX is an athlon 900MHz with 1GB ram:
        cat /proc/sys/net/ipv4/ip_conntrack_max
        57336

        txqueuelen on all eth cards is 100.

        
----> SCRIPTS
 
IPTABLES MANGLE Table

  iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
     iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT

     iptables -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 4
     iptables -t mangle -A POSTROUTING -p udp --dport 53 -j MARK
--set-mark 1
     iptables -t mangle -A POSTROUTING -p udp -j MARK --set-mark 2

     iptables -t mangle -A POSTROUTING -p tcp -m ipp2p --ipp2p -j MARK
--set-mark 2
     iptables -t mangle -A POSTROUTING -m string --string 'KazaaClient'
-j MARK --set-mark 2
     iptables -t mangle -A POSTROUTING -p tcp --dport 0:1024 -j MARK
--set-mark 1
     iptables -t mangle -A POSTROUTING -p tcp --dport 1214 -j MARK
--set-mark 2
     iptables -t mangle -A POSTROUTING -p tcp --dport 1863 -j MARK
--set-mark 1
  iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

  iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,ACK,RST SYN
-j MARK --set-mark 3
  iptables -t mangle -A POSTROUTING -p tcp -m tcp --tcp-flags
SYN,RST,ACK ACK -j chkack
  iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j MARK
--set-mark 2


Script for QoS attached to eth0
        #!/bin/bash
        DEV=eth0

        tc qdisc add dev ${DEV} handle 1: root htb default 10
        tc class add dev ${DEV} parent 1:1 classid 1:1 htb rate 250kbit
        
        ######################################
        ## Interactive traffic
        tc class add dev ${DEV} parent 1:1 classid 1:10 htb rate 100kbit
ceil 250kbit
        tc qdisc add dev ${DEV} parent 1:10 handle 10: pfifo
        tc filter add dev ${DEV} protocol ip parent 1:0 handle 1 fw
flowid 1:10     

        #######################################
        # Non Interactive Traffic
        tc class add dev ${DEV} parent 1:1 classid 1:20 htb rate 50kbit
ceil 200kbit  quantum 1500
        tc qdisc add dev ${DEV} parent 1:20 handle 20: esfq perturb 10
depth 15
        tc filter add dev ${DEV} protocol ip parent 1:0 handle 2 fw
flowid 1:20

        ########################################
        ## SYN,ACK Traffic
        tc clas add dev ${DEV} parent 1:1 classid 1:30 htb rate 45kbit
ceil 250kbit quantum 1500
        tc qdisc add dev ${DEV} parent 1:30 handle 30: pfifo
        tc filter add dev ${DEV} protocol ip parent 1:0 handle 3 fw
flowid 1:30

        ########################################
        ## ICMP Traffic
        tc class add dev ${DEV} parent 1:1 classid 1:40 htb rate 5kbit
quantum 1500
        tc qdisc add dev ${DEV} parent 1:40 handle 40: pfifo
        tc filter add dev ${DEV} protocol ip parent 1:0 handle 4 fw
flowid 1:40

        ########################################
        ## Web-Server Traffic 
        tc class add dev ${DEV} parent 1:1 classid 1:50 htb rate 50kbit
ceil 200kbit quantum 1500
        tc qdisc add dev ${DEV} parent 1:50 handle 50: esfq hash dst
perturb 10 depth 15
        tc filter add dev ${DEV} protocol ip parent 1:0 handle 5 fw
flowid 1:50

Script for      QoS attached to eth1
        #!/bin/bash
        DEV=eth1

        tc qdisc add dev ${DEV} handle 1: root htb default 10
        tc class add dev ${DEV} parent 1:1 classid 1:1 htb rate 250kbit

        ########################################
        ## Interactive Traffic
        tc class add dev ${DEV} parent 1:1 classid 1:10 htb rate 100kbit
ceil 250kbit
        tc qdisc add dev ${DEV} parent 1:10 handle 10: pfifo
        tc filter add dev ${DEV} protocol ip  parent 1:0 handle 1 fw
flowid 1:10

        #######################################
        # Non Interactive Traffic
        tc class add dev ${DEV} parent 1:1 classid 1:20 htb rate 100kbit
ceil 200kbit quantum 1500
        tc qdisc add dev ${DEV} parent 1:20 handle 20: esfq perturb 10
depth 15
        tc filter add dev ${DEV} protocol ip  parent 1:0 handle 2 fw
flowid 1:20

        ########################################
        ## SYN,ACK Traffic
        tc class add dev ${DEV} parent 1:1 classid 1:30 htb rate 50kbit
ceil 250kbit quantum 1500
        tc qdisc add dev ${DEV} parent 1:30 handle 30: pfifo
        tc filter add dev ${DEV} protocol ip parent 1:0 handle 3 fw
flowid 1:30
        #tc filter add dev ${DEV} parent 1:0 protocol ip u32 match ip
protocol 6 0xff match u8 0x05 0x0f at 0 match u8 0x34 0xff at 3 match u8
0x10 0xff at 33 flowid 1:30

        ########################################
        ## ICMP Traffic 
        tc class add dev ${DEV} parent 1:1 classid 1:40 htb rate 5kbit
quantum 1500
        tc qdisc add dev ${DEV} parent 1:40 handle 40: pfifo
        tc filter add dev ${DEV} protocol ip parent 1:0 handle 4 fw
flowid 1:40


Firewall setup

####################################################
##  Stateful Firewall
##
##
##

        iptables -t filter -N keep_state
        iptables -t filter -A keep_state -m state --state
RELATED,ESTABLISHED -j ACCEPT
        iptables -t filter -A keep_state -j RETURN

        iptables -t nat -N keep_state
        iptables -t nat -A keep_state -m state --state
RELATED,ESTABLISHED -j ACCEPT
        iptables -t nat -A keep_state -j RETURN

        iptables -t nat -A PREROUTING -j keep_state
        iptables -t nat -A POSTROUTING -j keep_state
        iptables -t nat -A OUTPUT -j keep_state

        iptables -t filter -A INPUT -j keep_state
        iptables -t filter -A OUTPUT -j keep_state
        iptables -t filter -A FORWARD -j keep_state

        iptables -t filter -A FORWARD -p tcp --dport 4661:4662 -j DROP
        iptables -t filter -A FORWARD -p udp --dport 4661:4662 -j DROP
        iptables -t filter -A FORWARD -p udp --dport 1663 -j DROP
        iptables -t filter -A FORWARD -p udp --dport 4665 -j DROP
        iptables -t filter -A FORWARD -p tcp --dport 4665 -j DROP


_______________________________________________
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/