Solved

Reserve bandwidth for mail and www.

Posted on 2002-05-07
Last Modified: 2012-08-13

I have a Linux firewall with ipchains.

Looking like:

               internet
                  |
  Private------- FW----------DMZ

The connection is a bit too slow, so I would like to reserve some bandwidth for mail and www that goes to the DMZ.

(What I really want to do is to give traffic to my mail and www server the highest priority. As it is now it is awfully slow to visit the www-server and to read mail from outside if someone on the Private Net is downloading a lot from the internet.)

I don't want to switch to the 2.4 kernel because it seems like I cannot set the Masquerading Timeout like I can do with ipchains.
(ipchains -M -S 72000 10 60)


Can someone help me out how to implement this?

Question by: wqclatre
22 Comments
 
Expert Comment by: MFCRich (LVL 4)
Traffic shaping. Kind of a heavy subject. Check out www.lartc.org
0
 
Expert Comment by: The--Captain (LVL 16)
Indeed - I've done this a couple times in 2.2, but it's been a while...  Grab the iproute2 tools and start playing around with tc - the docs out there are few, far between, and often conflicting - mostly you just have to play with 'tc' until you can get it to do what you want.

Also, don't forget ssh in your list of protocols to which to give guaranteed bandwidth - you think mail and http are slow when your pipe is full, try using an interactive shell - not gonna happen.

Cheers,
-Jon

0
 
Author Comment by: wqclatre (LVL 2)
The-Captain.

You can't give me some small example so I can get an idea of how it works?

Do I need anything more than iproute2 ?
0
 
Expert Comment by: The--Captain (LVL 16)
OK, ok...  This should count as my good deed for the year - I found a script that I wrote and had thought was lost forever.  Hope you can make sense of it....

Cheers,
-Jon

#!/bin/bash

#
# tcstart (see also: tcstop, tcconf)
#
# A basic traffic shaping script - bandwidth parameters are entered via the
# environment variables listed below.  The basic idea is that connection A is
# a high-priority connection which is guaranteed a certain amount of bandwidth
# and can borrow bandwidth above and beyond that specification from the
# other source, connection B.  Connection B is a low-priority connection from
# which connection A may borrow bandwidth until B's bandwidth is exhausted
# (This should indicate a saturation of the line with traffic on connection A)
#
# Obviously, B may never borrow bandwidth from A
#
# For the whole thing to work properly, the administrator *must* mark *all*
# traffic with either a 1 or a 2 (fwmark).  Unmarked traffic will attempt to
# contend with the shaped traffic, and all bets are then off.  Mark traffic
# for connection A as 1, and traffic for connection B as 2.  If you're having
# problems determining what traffic needs to be included in which connection,
# might I suggest a liberal application of tcpdump?  In any case, every rule
# that does not end up in a DENY or REJECT final state should have an
# appropriate fwmark argument.  Also, rulesets that only consist of a default
# policy of ACCEPT should have a trivial rule that matches all traffic and
# assigns the appropriate fwmark.
#
# Also, since this only affects traffic that is *output* from each interface,
# the performance will suffer significantly if the box on which this script is
# run actually hosts services, rather than only routing traffic.  More work is
# needed here to work around this limitation - supposedly it *can* be worked
# around, according to anecdotal reports...

# These numbers may need tweaking - they are based upon rather limited testing.
# Further experimentation is clearly needed.
# BTW, if MAXBAND != ABAND+BBAND, there had better be a good reason...
MAXBAND=10Mbit
ABAND=9Mbit
BBAND=128Kbit
INDEV=eth0
OUTDEV=eth1
# (Be sure to use units that 'tc' can understand in the above)

# Root qdisc, one bounded parent class at the full line rate, then the two
# leaf classes: A (fwmark 1) isolated so nobody borrows from it, B (fwmark 2)
# bounded so it can never exceed its own rate.  sfq on each leaf keeps one
# busy flow from starving the others inside a class.
tc qdisc add dev $INDEV root handle 30: cbq bandwidth $MAXBAND avpkt 1000
tc class add dev $INDEV parent 30:0 classid 30:1 cbq bandwidth $MAXBAND rate $MAXBAND allot 1514 weight $MAXBAND prio 8 maxburst 20 avpkt 1000 bounded
tc class add dev $INDEV parent 30:1 classid 30:100 cbq bandwidth $MAXBAND rate $ABAND allot 1514 weight $ABAND prio 5 maxburst 20 avpkt 1000 isolated
tc class add dev $INDEV parent 30:1 classid 30:200 cbq bandwidth $MAXBAND rate $BBAND allot 1514 weight $BBAND prio 5 maxburst 20 avpkt 1000 bounded
tc qdisc add dev $INDEV parent 30:100 sfq quantum 1514b perturb 15
tc qdisc add dev $INDEV parent 30:200 sfq quantum 1514b perturb 15
tc filter add dev $INDEV protocol ip parent 30:0 prio 1 handle 1 fw classid 30:100
tc filter add dev $INDEV protocol ip parent 30:0 prio 1 handle 2 fw classid 30:200

# That should handle the input traffic - now for the output traffic

tc qdisc add dev $OUTDEV root handle 20: cbq bandwidth $MAXBAND avpkt 1000
tc class add dev $OUTDEV parent 20:0 classid 20:1 cbq bandwidth $MAXBAND rate $MAXBAND allot 1514 weight $MAXBAND prio 8 maxburst 20 avpkt 1000 bounded
tc class add dev $OUTDEV parent 20:1 classid 20:100 cbq bandwidth $MAXBAND rate $ABAND allot 1514 weight $ABAND prio 5 maxburst 20 avpkt 1000 isolated
tc class add dev $OUTDEV parent 20:1 classid 20:200 cbq bandwidth $MAXBAND rate $BBAND allot 1514 weight $BBAND prio 5 maxburst 20 avpkt 1000 bounded
tc qdisc add dev $OUTDEV parent 20:100 sfq quantum 1514b perturb 15
tc qdisc add dev $OUTDEV parent 20:200 sfq quantum 1514b perturb 15
tc filter add dev $OUTDEV protocol ip parent 20:0 prio 1 handle 1 fw classid 20:100
tc filter add dev $OUTDEV protocol ip parent 20:0 prio 1 handle 2 fw classid 20:200

# Eyes bleeding yet?  Be thankful that RED support is not yet a part of the
# config...  In any case, please send the author of 'tc' to my house so I can
# strangle him (or at least smack him around with the 'frontend' clue-by-four).
0
 
Expert Comment by: The--Captain (LVL 16)
arrggh - looks like I had some pasting problem up there - I think you can still get the general drift...

-Jon

0
 
Expert Comment by: The--Captain (LVL 16)
So, did that script help at all?

I can possibly clarify some things if you need it...

Cheers,
-Jon

0
 
Author Comment by: wqclatre (LVL 2)
Well, I have not had time to look into this much, but after a short look it seems like I have problems understanding any of it (and more problems figuring out how to set this up in my case).
0
 

Expert Comment by: jonsanderson
Had exactly this problem last month, so I downloaded this:

http://info.iet.unipi.it/~luigi/ip_dummynet/

20 minutes later I had a full solution. Could not be easier.

There are some errors in the descriptions of how to start the bridge, e.g. "sysctl -w net.link.ether.bridge: 1" should read "= 1", but this bootable floppy image works perfectly and allows weighted queues of all types of traffic.

I suggest the best method is to produce a queue of weight 5 and a pipe representing your bandwidth, then play until you get the results you want. NB: it works with rtl 8029 or 8039 cards. I had a few problems with D-Link and Kingston.

0
 
Author Comment by: wqclatre (LVL 2)
I don't want to mess up my current firewall, which I still need, so I cannot boot some floppy.
0
 
Expert Comment by: The--Captain (LVL 16)
Indeed - that would be the issue I would have as well...

What did you think of my script - how can I clarify it further?

Cheers,
-Jon

0
 
Author Comment by: wqclatre (LVL 2)
Sorry The-Captain. I have been buried in a lot of work, so I have not had enough time to investigate it. You don't have any pointer to some documentation about the commands that are used in this script?
0
 
Expert Comment by: The--Captain (LVL 16)
The problem with the docs is that they are sparse, and are mainly comprised of less-than-clear examples (if I might pat myself on the back a bit, the above script does show a bit more due to the abstraction of certain variables).  If you want a complete solution (all cmdlines directly illustrated), then I can probably come up w/ something in a few days (I'll squeeze it in between my real work)...  If that would help, please say so, and I will look into it.

Cheers,
-Jon
0
 
Author Comment by: wqclatre (LVL 2)
Sorry for my late comment. I have been on vacation.

It would be great if you could help me out with a complete solution, because I have problems understanding this.
(I will increase the points to 500.)

It is just the www traffic to one IP in the DMZ, ssh to one IP in the DMZ and https to one IP in the DMZ that I would like to give the highest priority.
0
 
Accepted Solution by: The--Captain (LVL 16), earned 500 total points
You should give ssh the highest priority, since it consumes minimal bandwidth but suffers the most from latency issues - if you let https cut in on ssh users, the ssh users will complain loudly...  I will post an adjusted config soon that fits your needs (assuming you are OK with my ssh re-prioritization)...  I will attempt to explain how to assign bandwidth given the following conditions (listed in order of bandwidth priority):

1) ssh [port 22] needs a small but prioritized amount of bandwidth

2) https [port 443] has the rest of the bandwidth available to it...

3) http [port 80] also has the rest of the bandwidth available to it, but cannot supersede https bandwidth allocations...

If this is not the correct way to proceed, please let me know before I dive too deeply into my iptables configs....

Cheers,
-Jon
0
 
Expert Comment by: The--Captain (LVL 16)
Sigh - sometimes, when replying to such questions, I feel I am the only person that uses linux who cares about QoS issues (although I guess the kernel developers must think it's cool to even provide it in the 1st place) - please, Jim and Vijay (M Rich and Jon Anderson - feel free as well), prove me wrong...

Cheers,
-Jon
0
 
Author Comment by: wqclatre (LVL 2)
Yes I think it sounds like the way to proceed.
(This will mean that people behind the firewall who are surfing on the web will not slow down my www and https server, right?)

As I said before, I use kernel 2.2 and ipchains. Hope that would not be any problem.
0
 
Author Comment by: wqclatre (LVL 2)
One more thing... I have a 256k line...
0
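Jon's three-tier plan above (ssh first, then https, then http, everything else last) applied to the 256k line just mentioned, as an added example rather than the adjusted config Jon promised (which is not on the page). It assumes a 2.2 kernel with ipchains fwmark support, the cbq qdisc and the fw classifier, hypothetical DMZ addresses 192.0.2.10 (ssh) and 192.0.2.20 (web), eth0/eth1 as the internet and DMZ interfaces, and a 32/96/64/64 Kbit rate split that is only a starting point to tune.

```shell
#!/bin/sh
# Added example, not from the thread: Jon's fwmark + cbq scheme applied to the
# ssh > https > http > everything-else order on the 256k line.  Hosts are
# constructed; set TC="echo tc" IPCHAINS="echo ipchains" to preview commands.
EXTDEV=${EXTDEV:-eth0}            # internet side: carries the servers' replies
DMZDEV=${DMZDEV:-eth1}            # DMZ side: carries requests to the servers
LINE=${LINE:-256Kbit}             # the 256k line from the question
SSHHOST=${SSHHOST:-192.0.2.10}    # DMZ ssh host (documentation address, constructed)
WWWHOST=${WWWHOST:-192.0.2.20}    # DMZ http/https host (constructed)
TC=${TC:-tc}
IPCHAINS=${IPCHAINS:-ipchains}

mark_traffic() {
  # Rules without -j keep traversing the chain, so a later match overwrites an
  # earlier mark: mark everything 4 first and let the specific rules re-mark.
  $IPCHAINS -A forward -m 4
  $IPCHAINS -A forward -p tcp -d "$SSHHOST" 22  -m 1
  $IPCHAINS -A forward -p tcp -s "$SSHHOST" 22  -m 1
  $IPCHAINS -A forward -p tcp -d "$WWWHOST" 443 -m 2
  $IPCHAINS -A forward -p tcp -s "$WWWHOST" 443 -m 2
  $IPCHAINS -A forward -p tcp -d "$WWWHOST" 80  -m 3
  $IPCHAINS -A forward -p tcp -s "$WWWHOST" 80  -m 3
}

cbq_leaf() {  # cbq_leaf <classid> <rate> <prio> [bounded], under class 1:1 of $DEV
  $TC class add dev "$DEV" parent 1:1 classid "$1" cbq bandwidth "$LINE" \
      rate "$2" allot 1514 weight "$2" prio "$3" maxburst 20 avpkt 1000 $4
  $TC qdisc add dev "$DEV" parent "$1" sfq quantum 1514b perturb 15
}

shape() {  # shape <interface>: build the class tree on that interface's egress
  DEV=$1
  $TC qdisc add dev "$DEV" root handle 1: cbq bandwidth "$LINE" avpkt 1000
  $TC class add dev "$DEV" parent 1:0 classid 1:1 cbq bandwidth "$LINE" \
      rate "$LINE" allot 1514 weight "$LINE" prio 8 maxburst 20 avpkt 1000 bounded
  # A lower cbq prio number is served first: ssh gets a small guaranteed slice
  # at the top; https and http may borrow spare line capacity, https ahead of
  # http; everything else is bounded so it can never borrow from the servers.
  cbq_leaf 1:10 32Kbit 1
  cbq_leaf 1:20 96Kbit 2
  cbq_leaf 1:30 64Kbit 3
  cbq_leaf 1:40 64Kbit 7 bounded
  for m in 1 2 3 4; do   # fw classifier: fwmark m selects class 1:m0
    $TC filter add dev "$DEV" protocol ip parent 1:0 prio 1 handle $m fw classid 1:${m}0
  done
}

# Apply only when run as "sh shape.sh apply"; otherwise just define the functions.
if [ "${1:-}" = apply ]; then mark_traffic; shape "$DMZDEV"; shape "$EXTDEV"; fi
```

Only the DMZ and internet interfaces get a class tree here, so downloads toward the Private Net are left alone; a tree on the private interface with the same marks is the natural next step if they also need reining in.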
 
Expert Comment by: shaic (LVL 5)
I'd recommend trying out the Wonder Shaper, http://lartc.org/wondershaper/
When the connection in one direction is saturated, ACKs don't get through, and so it slows everything down. This solves the problem, and I found it to be the simplest to use. It requires kernel >= 2.4. I don't know if there's a way to do it with 2.2.
0
 
LVL 16

Expert Comment

by:The--Captain
Comment Utility
>it requires kernel >= 2.4.

Why?  I know the author says so, but it's just a script, and from what I saw when I examined it, it requires nothing specific to 2.2 - I'm guessing if you compiled the most recent iproute2 tools under a 2.2 kernel then this script would work for you - it is somewhat less confusing than my own script (although only slightly hehe).

Cheers,
-Jon


0
 

Expert Comment by: CleanupPing
wqclatre:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
Expert Comment by: paullamhkg (LVL 12)
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

Accept: The--Captain {http:#7181695}

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

paullamhkg
EE Cleanup Volunteer
0
