Solved

Reserve bandwidth for mail and www.

Posted on 2002-05-07
Last Modified: 2012-08-13

I have a Linux firewall with ipchains.

Looking like:

               internet
                  |
  Private------- FW----------DMZ

The connection is a bit too slow, so I would like to reserve some bandwidth for mail and www that goes to the DMZ.

(What I really want to do is to give traffic to my mail and www server the highest priority. As it is now it is awfully slow to visit the www server and to read mail from outside if someone on the Private Net is downloading a lot from the internet.)

I don't want to switch to the 2.4 kernel because it seems I cannot set the Masquerading Timeout like I can with ipchains.
(ipchains -M -S 72000 10 60)


Can someone help me out how to implement this?

0
Question by:wqclatre
22 Comments
 
LVL 4

Expert Comment

by:MFCRich
ID: 6994400
Traffic shaping. Kind of a heavy subject. Check out www.lartc.org
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 6999883
Indeed - I've done this a couple times in 2.2, but it's been a while...  Grab the iproute2 tools and start playing around with tc - the docs out there are few, far between, and often conflicting - mostly you just have to play with 'tc' until you can get it to do what you want.

Also, don't forget ssh in your list of protocols to which to give guaranteed bandwidth - you think mail and http are slow when your pipe is full, try using an interactive shell - not gonna happen.

Cheers,
-Jon

0
 
LVL 2

Author Comment

by:wqclatre
ID: 7000574
The-Captain,

can't you give me some small example so I can get an idea of how it works?

Do I need anything more than iproute2?
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 7000924
OK, ok...  This should count as my good deed for the year - I found a script that I wrote and had thought was lost forever.  Hope you can make sense of it....

Cheers,
-Jon

#!/bin/bash

#
# tcstart (see also: tcstop, tcconf)
#
# A basic traffic shaping script - bandwidth parameters are entered via the
# environment variables listed below.  The basic idea is that connection A is
# a high-priority connection which is guaranteed a certain amount of bandwidth
# and can borrow bandwidth above and beyond that specification from the
# other source, connection B.  Connection B is a low-priority connection from
# which connection A may borrow bandwidth until B's bandwidth is exhausted
# (This should indicate a saturation of the line with traffic on connection A)
#
# Obviously, B may never borrow bandwidth from A
#
# For the whole thing to work properly, the administrator *must* mark *all*
# traffic with either a 1 or a 2 (fwmark).  Unmarked traffic will attempt to
# contend with the shaped traffic, and all bets are then off.  Mark traffic
# for connection A as 1, and traffic for connection B as 2.  If you're having
# problems determining what traffic needs to be included in which connection,
# might I suggest a liberal application of tcpdump?  In any case, every rule
# that does not end up in a DENY or REJECT final state should have an
# appropriate fwmark argument.  Also, rulesets that only consist of a default
# policy of ACCEPT should have a trivial rule that matches all traffic and
# assigns the appropriate fwmark.
#
# Also, since this only affects traffic that is *output* from each interface,
# the performance will suffer significantly if the box on which this script is
# run actually hosts services, rather than only routing traffic.  More work is
# needed here to work around this limitation - supposedly it *can* be worked
# around, according to anecdotal reports...


# These numbers may need tweaking - they are based upon rather limited testing.
# Further experimentation is clearly needed.
# BTW, if MAXBAND != ABAND+BBAND, there had better be a good reason...
MAXBAND=10Mbit
ABAND=9Mbit
BBAND=128Kbit
INDEV=eth0
OUTDEV=eth1
# (Be sure to use units that 'tc' can understand in the above)

# Root qdisc plus a root class bounded at the full line rate on the input device
tc qdisc add dev $INDEV root handle 30: cbq bandwidth $MAXBAND avpkt 1000
tc class add dev $INDEV parent 30:0 classid 30:1 cbq bandwidth $MAXBAND rate $MAXBAND allot 1514 weight $MAXBAND prio 8 maxburst 20 avpkt 1000 bounded
# Connection A (fwmark 1): 'isolated' means it never lends its bandwidth to siblings
tc class add dev $INDEV parent 30:1 classid 30:100 cbq bandwidth $MAXBAND rate $ABAND allot 1514 weight $ABAND prio 5 maxburst 20 avpkt 1000 isolated
# Connection B (fwmark 2): 'bounded' means it never borrows beyond its own rate
tc class add dev $INDEV parent 30:1 classid 30:200 cbq bandwidth $MAXBAND rate $BBAND allot 1514 weight $BBAND prio 5 maxburst 20 avpkt 1000 bounded
# Fair queueing inside each class, then the fw filters that map fwmark -> class
tc qdisc add dev $INDEV parent 30:100 sfq quantum 1514b perturb 15
tc qdisc add dev $INDEV parent 30:200 sfq quantum 1514b perturb 15
tc filter add dev $INDEV protocol ip parent 30:0 prio 1 handle 1 fw classid 30:100
tc filter add dev $INDEV protocol ip parent 30:0 prio 1 handle 2 fw classid 30:200

# That should handle the input traffic - now for the output traffic (same tree,
# different handle, on the other device)

tc qdisc add dev $OUTDEV root handle 20: cbq bandwidth $MAXBAND avpkt 1000
tc class add dev $OUTDEV parent 20:0 classid 20:1 cbq bandwidth $MAXBAND rate $MAXBAND allot 1514 weight $MAXBAND prio 8 maxburst 20 avpkt 1000 bounded
tc class add dev $OUTDEV parent 20:1 classid 20:100 cbq bandwidth $MAXBAND rate $ABAND allot 1514 weight $ABAND prio 5 maxburst 20 avpkt 1000 isolated
tc class add dev $OUTDEV parent 20:1 classid 20:200 cbq bandwidth $MAXBAND rate $BBAND allot 1514 weight $BBAND prio 5 maxburst 20 avpkt 1000 bounded
tc qdisc add dev $OUTDEV parent 20:100 sfq quantum 1514b perturb 15
tc qdisc add dev $OUTDEV parent 20:200 sfq quantum 1514b perturb 15
tc filter add dev $OUTDEV protocol ip parent 20:0 prio 1 handle 1 fw classid 20:100
tc filter add dev $OUTDEV protocol ip parent 20:0 prio 1 handle 2 fw classid 20:200

# Eyes bleeding yet?  Be thankful that RED support is not yet a part of the
# config...  In any case, please send the author of 'tc' to my house so I can
# strangle him (or at least smack him around with the 'frontend' clue-by-four).
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 7000928
arrggh - looks like I had some pasting problem up there - I think you can still get the general drift...

-Jon

0
 
LVL 16

Expert Comment

by:The--Captain
ID: 7002884
So, did that script help at all?

I can possibly clarify some things if you need it...

Cheers,
-Jon

0
 
LVL 2

Author Comment

by:wqclatre
ID: 7003542
Well, I have not had time to look into this much, but after a short look at it, it seems I have problems understanding anything (and more problems figuring out how to set this up in my case).
0
 

Expert Comment

by:jonsanderson
ID: 7086248
Had exactly this problem last month so I downloaded this.

http://info.iet.unipi.it/~luigi/ip_dummynet/

20 minutes later I had a full solution. Could not be easier.

There are some errors in the descriptions of how to start the bridge, e.g. sysctl -w net.link.ether.bridge: 1 should read = 1, but this bootable floppy image works perfectly and allows weighted queues of all types of traffic.

I suggest the best method is to produce a queue of weight 5 and a pipe representing your bandwidth, then play until you get the results you want.  NB: it works with rtl 8029 or 8039 cards. I had a few problems with dlink and Kingston.

0
 
LVL 2

Author Comment

by:wqclatre
ID: 7086279
I don't want to mess up my current firewall, which I still need, so I cannot boot some floppy.
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 7091064
Indeed - that would be the issue I would have as well...

What did you think of my script - how can I clarify it further?

Cheers,
-Jon

0
 
LVL 2

Author Comment

by:wqclatre
ID: 7091930
Sorry, The-Captain. I have been buried in a lot of work, so I have not had enough time to investigate it. Don't you have any pointer to some documentation about the commands that are used in this script?
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 7093972
The problem with the docs is that they are sparse, and are mainly comprised of less-than-clear examples (if I might pat myself on the back a bit, the above script does show a bit more due to the abstraction of certain variables).  If you want a complete solution (all cmdlines directly illustrated), then I can probably come up w/ something in a few days (I'll squeeze it in between my real work)...  If that would help, please say so, and I will look into it.

Cheers,
-Jon
0
 
LVL 2

Author Comment

by:wqclatre
ID: 7181231
Sorry for my late comment. I have been on vacation.

It would be great if you could help me out with a complete solution, because I have problems understanding this.
(I will increase the points to 500.)

It is just the www traffic to one IP in the DMZ, ssh to one IP in the DMZ and https to one IP in the DMZ that I would like to give the highest priority.
0
 
LVL 16

Accepted Solution

by:The--Captain (earned 500 total points)
ID: 7181695
You should give ssh the highest priority, since it consumes minimal bandwidth but suffers the most from latency issues - if you let https cut in on ssh users, the ssh users will complain loudly...  I will post an adjusted config soon that fits your needs (assuming you are OK with my ssh re-prioritization)...  I will attempt to explain how to assign bandwidth given the following conditions (listed in order of bandwidth priority):

1) ssh [port 22] needs a small but prioritized amount of bandwidth

2) https [port 443] has the rest of the bandwidth available to it...

3) http [port 80] also has the rest of the bandwidth available to it, but cannot supersede https bandwidth allocations...

If this is not the correct way to proceed, please let me know before I dive too deeply into my iptables configs....

Cheers,
-Jon
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 7181702
Sigh - sometimes, when replying to such questions, I feel I am the only person that uses linux who cares about QoS issues (although I guess the kernel developers must think it's cool to even provide it in the 1st place) - please, Jim and Vijay (M Rich and Jon Anderson - feel free as well), prove me wrong...

Cheers,
-Jon
0
 
LVL 2

Author Comment

by:wqclatre
ID: 7181746
Yes, I think it sounds like the way to proceed.
(This will mean that people behind the firewall who are surfing the web will not slow down my www and https server, right?)

As I said before, I use kernel 2.2 and ipchains. I hope that will not be any problem.
0
 
LVL 2

Author Comment

by:wqclatre
ID: 7181747
One more thing... I have a 256k line...
0
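As an added example (not code from this thread, and not the adjusted config The--Captain offered), here is the plan agreed above, ssh first, then https, then http, written in the shape of Jon's earlier script: CBQ classes selected by fwmark, with an sfq under each leaf. It adds the two things the thread asks for but does not show: ipchains marking rules for the 2.2 kernel wqclatre runs, including a catch-all mark so that no unmarked traffic contends with the shaped classes (the failure mode Jon's comments warn about), and a fourth leaf for everything else. Device names, DMZ addresses and the per-class rates are assumed placeholders; the 256Kbit line is the one mentioned in the thread. DRY_RUN=1 prints the commands for review instead of executing them.

```shell
#!/bin/sh
# Added example (not code from this thread): a shaper for the plan agreed above,
# ssh > https > http > everything else, built the way Jon's script is built
# (CBQ classes selected by fwmark, sfq under each leaf) and marked with ipchains
# for a 2.2 kernel. Interfaces, addresses and rates are placeholders to adjust.
#
# DRY_RUN=1 prints the commands instead of executing them; applying them needs root.

INET_DEV=${INET_DEV:-eth0}           # interface towards the internet (assumed)
DMZ_DEV=${DMZ_DEV:-eth1}             # interface towards the DMZ (assumed)
DMZ_WWW=${DMZ_WWW:-192.168.2.10}     # www/https server in the DMZ (placeholder)
DMZ_SSH=${DMZ_SSH:-192.168.2.20}     # ssh host in the DMZ (placeholder)
LINE=${LINE:-256Kbit}                # the 256k line mentioned in the thread
SSH_RATE=${SSH_RATE:-32Kbit}         # small but guaranteed slice for ssh
HTTPS_RATE=${HTTPS_RATE:-96Kbit}
HTTP_RATE=${HTTP_RATE:-96Kbit}
REST_RATE=${REST_RATE:-32Kbit}       # the four rates add up to LINE

# fwmark values; the tc 'fw' filters below select a class by these numbers
MARK_SSH=1; MARK_HTTPS=2; MARK_HTTP=3; MARK_REST=4

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Marking rules for the forward chain. They have no -j target, so traversal
# continues and your existing ACCEPT/DENY rules still decide the packet's fate;
# append them before any rule that would terminate traversal. A later matching
# rule overwrites the mark, so the catch-all mark comes first and the specific
# rules below it refine it. Everything gets a mark: unmarked traffic would
# bypass the shaped classes.
mark_rules() {
    run ipchains -A forward -m $MARK_REST
    run ipchains -A forward -p tcp -d "$DMZ_SSH" 22  -m $MARK_SSH
    run ipchains -A forward -p tcp -d "$DMZ_WWW" 443 -m $MARK_HTTPS
    run ipchains -A forward -p tcp -d "$DMZ_WWW" 80  -m $MARK_HTTP
    run ipchains -A forward -p tcp -s "$DMZ_SSH" 22  -m $MARK_SSH
    run ipchains -A forward -p tcp -s "$DMZ_WWW" 443 -m $MARK_HTTPS
    run ipchains -A forward -p tcp -s "$DMZ_WWW" 80  -m $MARK_HTTP
}

# One leaf class under <major>:1 with its own sfq, plus the fw filter that maps
# the fwmark onto it. The leaf is neither bounded nor isolated, so it may borrow
# spare bandwidth from the root class; a lower prio number is served first when
# several leaves want to borrow, which is what keeps http from cutting in on https.
add_leaf() {
    dev=$1; major=$2; mark=$3; rate=$4; prio=$5
    cls="$major:1$mark"
    run tc class add dev "$dev" parent "$major:1" classid "$cls" cbq bandwidth "$LINE" rate "$rate" allot 1514 weight "$rate" prio "$prio" maxburst 20 avpkt 1000
    run tc qdisc add dev "$dev" parent "$cls" sfq quantum 1514b perturb 15
    run tc filter add dev "$dev" protocol ip parent "$major:0" prio 1 handle "$mark" fw classid "$cls"
}

# The CBQ tree on one device: a root class bounded at the line rate, then the
# four leaves in priority order. Shaping only acts on what a device sends, so
# it is applied to both devices the shaped traffic leaves through.
shape_dev() {
    dev=$1
    run tc qdisc add dev "$dev" root handle 10: cbq bandwidth "$LINE" avpkt 1000
    run tc class add dev "$dev" parent 10:0 classid 10:1 cbq bandwidth "$LINE" rate "$LINE" allot 1514 weight "$LINE" prio 8 maxburst 20 avpkt 1000 bounded
    add_leaf "$dev" 10 $MARK_SSH   "$SSH_RATE"   1
    add_leaf "$dev" 10 $MARK_HTTPS "$HTTPS_RATE" 2
    add_leaf "$dev" 10 $MARK_HTTP  "$HTTP_RATE"  3
    add_leaf "$dev" 10 $MARK_REST  "$REST_RATE"  4
}

main() {
    mark_rules
    shape_dev "$DMZ_DEV"    # requests heading into the DMZ
    shape_dev "$INET_DEV"   # replies from the DMZ servers heading out
}

# Run only when asked to, so the functions can be sourced and inspected safely.
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Run it as `DRY_RUN=1 sh shaper.sh apply` first and read the generated ipchains and tc lines against your existing ruleset; the marking rules only work if they are reached before a rule with a terminating target. Once the output looks right, `sh shaper.sh apply` as root installs it. The rates are a starting point for a 256k line and should be tuned the same way Jon's script suggests, by watching what actually saturates the link.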
 
LVL 5

Expert Comment

by:shaic
ID: 8584058
I'd recommend trying out the Wonder Shaper, http://lartc.org/wondershaper/
When the connection in one direction is saturated, ACKs don't get through, and so it slows everything down. This solves the problem, and I found it to be the simplest to use. It requires kernel >= 2.4. I don't know if there's a way to do it with 2.2.
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 8586240
>it requires kernel >= 2.4.

Why?  I know the author says so, but it's just a script, and from what I saw when I examined it, it requires nothing specific to 2.2 - I'm guessing if you compiled the most recent iproute2 tools under a 2.2 kernel then this script would work for you - it is somewhat less confusing than my own script (although only slightly hehe).

Cheers,
-Jon


0
 

Expert Comment

by:CleanupPing
ID: 9078495
wqclatre:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 12

Expert Comment

by:paullamhkg
ID: 10004221
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

Accept: The--Captain {http:#7181695}

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

paullamhkg
EE Cleanup Volunteer
0