Linux Traffic Control (2)

Source: http://awarmanf.wordpress.com/2009/12/30/linuxtc2/

Network topology and HTB design

Criteria for this traffic control setup:

  1. Traffic control applies only to egress traffic on device eth0 (LAN).
  2. Traffic between the local area network (LAN) and the router, in either direction, does not pass through traffic control.
  3. Traffic from the LAN to the internet (upstream) does not pass through traffic control.
  4. Traffic from the internet to the LAN (downstream) passes through traffic control, except traffic from port 80 (www) carrying TOS 0x30, i.e. DSCP 12 (cache hit).
  5. Each PC (LAN member) gets its own class and qdisc.
  6. A default class handles traffic for objects that are not defined, i.e. unclassified traffic.

Note: traffic to port 80 on the internet is passed transparently through a remote proxy server.

Network topology

Network LAN : 192.168.41.0/24
IP Router   : 192.168.41.1
IP Client   : 192.168.41.2 - 192.168.41.14
Device LAN  : eth0
Device WAN  : eth1

Internet bandwidth allocation (downstream)

Root
  - Ceiling  : 384kbps
  - Rate     : 384kbps
Client
  - Ceiling  : 384kbps
  - Rate     : 16kbps
Unclassified
  - Ceiling  : 128kbps
  - Rate     : 16kbps

Source code: tc-2.sh

#!/bin/sh

# File: tc-2.sh
# Description: simple traffic control with HTB
# Criteria:
# 1. Traffic control applies only to egress traffic on device eth0 (LAN).
# 2. Traffic between the local area network (LAN) and the router does not pass through traffic control.
# 3. Traffic from the LAN to the internet (upstream) does not pass through traffic control.
# 4. Traffic from the internet to the LAN (downstream) passes through traffic control, except traffic
#     from port 80 (www) carrying TOS 0x30 or DSCP 12 (cache hit).
# 5. Each PC (LAN member) gets its own class and qdisc.
# 6. A default class handles traffic for objects that are not defined.
#
# Created by Arief Yudhawarman (2009)
# Email: awarmanff at yahoo.com
#

IPTABLES="/usr/sbin/iptables"
TC="/sbin/tc"

# Parameters
LAN="eth0"
WAN="eth1"

# Bandwidth
# (kbps)
# ROOT CLASS
RATE=384
CEIL=384
#
# SUB CLASS
RATESUB=16
CEILSUB=384
#
# UNCLASSIFIED TRAFFIC
RATEUN=16
CEILUN=128

#
# IPTABLES
# PACKET MANGLE
#

# PREROUTING
#
# Flush the mangle table
$IPTABLES -F -t mangle

#
# cache hit (DSCP 12 from www port 80) entering the WAN device: set mark 5
$IPTABLES -A PREROUTING -t mangle -i $WAN -p tcp --sport 80 -m dscp --dscp 12 -j MARK --set-mark 5
$IPTABLES -A PREROUTING -t mangle -i $WAN -p tcp --sport 80 -m dscp --dscp 12 -j RETURN
#
# all other traffic entering the WAN device: set mark 6
$IPTABLES -A PREROUTING -t mangle -i $WAN -j MARK --set-mark 6

#
# FORWARD
#
# cache hit with mark 5: set mark again to 0x212 (no fw filter matches it, so it bypasses shaping)
$IPTABLES -A FORWARD -t mangle -p tcp -m mark --mark 5 -j MARK --set-mark 0x212
#
# mark packets based on destination IP: client 192.168.41.i gets mark i+10 (12..24)
for i in $(seq 2 14)
do
  j=$((i+10))
  $IPTABLES -A FORWARD -t mangle -d 192.168.41.$i -m mark --mark 6 -j MARK --set-mark $j
done
# unclassified traffic to the LAN: set mark 255
$IPTABLES -A FORWARD -t mangle -d 192.168.41.0/24 -m mark --mark 6 -j MARK --set-mark 255

#
# TRAFFIC CONTROL
#

#
# Create the root qdisc on the LAN device
$TC qdisc del dev $LAN root 2>/dev/null
# No "default" class is set: traffic that matches no filter goes straight to
# the device unshaped (counted as direct_packets_stat in "tc -s qdisc" output).
#$TC qdisc add dev $LAN root handle 1:0 htb default 255
$TC qdisc add dev $LAN root handle 1:0 htb
#
# create classes
$TC class add dev $LAN parent 1:0 classid 1:2 htb rate ${RATE}kbit ceil ${CEIL}kbit quantum 1500 prio 6
$TC class add dev $LAN parent 1:0 classid 1:255 htb rate ${RATEUN}kbit ceil ${CEILUN}kbit quantum 1500 prio 8

#
# Sub classes of parent 1:2, one per client
for i in $(seq 2 14)
do
  j=$((i+10))
  # create a class per IP address
  $TC class add dev $LAN parent 1:2 classid 1:$j htb rate ${RATESUB}kbit \
     ceil ${CEILSUB}kbit quantum 1500 prio 6
  # attach an sfq qdisc to the leaf class
  $TC qdisc add dev $LAN parent 1:$j handle $j sfq perturb 10
done
# Class 1:255, i.e. default or unclassified traffic
# attach qdisc
$TC qdisc add dev $LAN parent 1:255 handle 255 sfq perturb 10

#
# Filters
#
# Sub classes of parent 1:2
for i in $(seq 2 14)
do
  j=$((i+10))
  # Send packets carrying mark $j (set by iptables) to class 1:$j
  $TC filter add dev $LAN protocol ip parent 1:0 prio 6 handle $j fw flowid 1:$j
done
#
# Class 1:255, i.e. default or unclassified traffic
$TC filter add dev $LAN protocol ip parent 1:0 prio 8 handle 255 fw flowid 1:255

Explanation (line numbers refer to the script, counting from #!/bin/sh as line 1):

  • Line 51 (first PREROUTING rule): marks cache-hit traffic (DSCP 12) entering the WAN device with packet mark 5.
  • Line 52: -j RETURN so that cache-hit traffic does not fall through to the rules below it.
  • Line 55: marks all traffic entering the WAN device with packet mark 6.
  • Line 61 (first FORWARD rule): packet mark 5 (cache hit) entering the FORWARD chain is re-marked with 0x212. No fw filter on eth0 matches that mark and the root qdisc has no default class, so cache-hit traffic leaves eth0 unshaped, as criterion 4 requires.
  • The remaining lines are explained in the script's comments.
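The marking pipeline above, modelled as an added example (not the post's own code) that traces a forwarded packet through the PREROUTING and FORWARD mangle rules and the fw filters to the HTB class it lands in on eth0. Rule order and mark values follow tc-2.sh; the `Packet` fields and function names are assumptions made for this example.

```python
# Added example, not from the original post: model of the packet-mark pipeline
# built by tc-2.sh, used to trace a forwarded packet to its HTB class on eth0.
# Assumed: rule order as in the script; fw filters exist only for marks 12..24
# and 255, so any other mark (including 0x212) leaves eth0 unshaped ("direct").
from dataclasses import dataclass
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.41.0/24")
CLIENT_OFFSET = 10                      # client 192.168.41.i gets mark i + 10
CACHE_HIT_DSCP = 12                     # DSCP 12 == TOS 0x30 (TOS = DSCP << 2)
FILTERED_MARKS = {i + CLIENT_OFFSET for i in range(2, 15)} | {255}

@dataclass
class Packet:
    in_dev: str          # interface the packet arrived on ("eth1" = WAN)
    dst: str             # destination IPv4 address
    proto: str = "tcp"
    sport: int = 0
    dscp: int = 0

def tos_from_dscp(dscp: int) -> int:
    return dscp << 2

def prerouting_mark(p: Packet) -> int:
    """PREROUTING mangle: 5 for cache hits from the WAN (then RETURN), else 6."""
    if p.in_dev != "eth1":
        return 0                        # LAN-originated traffic is never marked
    if p.proto == "tcp" and p.sport == 80 and p.dscp == CACHE_HIT_DSCP:
        return 5
    return 6

def forward_mark(p: Packet, mark: int) -> int:
    """FORWARD mangle: 5 -> 0x212; 6 -> per-client mark, or 255 elsewhere in LAN."""
    if mark == 5:
        return 0x212
    if mark == 6:
        dst = ipaddress.ip_address(p.dst)
        if dst in LAN_NET:
            host = int(dst) - int(LAN_NET.network_address)
            return host + CLIENT_OFFSET if 2 <= host <= 14 else 255
    return mark

def egress_class(p: Packet) -> str:
    """Final HTB class on eth0 for a forwarded packet, or 'direct' if no fw
    filter matches its mark (the root qdisc has no default class)."""
    mark = forward_mark(p, prerouting_mark(p))
    return f"1:{mark}" if mark in FILTERED_MARKS else "direct"
```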

Analysis of packet mangling and traffic control
Note the lines printed in bold in the original post (bold is not preserved here; the lines of interest are those with non-zero counters). The output shows a tbf qdisc on class 1:255, so it was captured from a variant of the script that attached tbf there rather than sfq.

    • tc -s -d qdisc show dev eth0
qdisc htb 1: r2q 10 default 0 direct_packets_stat 794 ver 3.17
 Sent 16722535 bytes 17532 pkts (dropped 0, overlimits 45)

qdisc sfq 12: parent 1:12 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 16116818 bytes 16712 pkts (dropped 0, overlimits 0)
qdisc sfq 13: parent 1:13 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 1910 bytes 12 pkts (dropped 0, overlimits 0)
qdisc sfq 14: parent 1:14 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 345 bytes 4 pkts (dropped 0, overlimits 0)
qdisc sfq 15: parent 1:15 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 16: parent 1:16 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 17: parent 1:17 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 1854 bytes 10 pkts (dropped 0, overlimits 0)
qdisc sfq 18: parent 1:18 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 19: parent 1:19 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 20: parent 1:20 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 21: parent 1:21 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 22: parent 1:22 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 23: parent 1:23 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 24: parent 1:24 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc tbf 255: parent 1:255 rate 16000bit burst 2Kb/8 mpu 0b lat 85.5ms
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
    • iptables -L -t mangle -nv
Chain PREROUTING (policy ACCEPT 2695K packets, 631M bytes)
 pkts bytes target     prot opt in     out     source               destination
  664  574K MARK       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp spt:80 DSCP match 0x0c MARK set 0x5
  664  574K RETURN     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp spt:80 DSCP match 0x0c
83980   19M MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           MARK set 0x6 

Chain INPUT (policy ACCEPT 1696K packets, 96M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 1000K packets, 535M bytes)
 pkts bytes target     prot opt in     out     source               destination
  664  574K MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x5 MARK set 0x212
16834   16M MARK       all  --  *      *       0.0.0.0/0            192.168.41.2        MARK match 0x6 MARK set 0xc 
   12  1742 MARK       all  --  *      *       0.0.0.0/0            192.168.41.3        MARK match 0x6 MARK set 0xd
    4   289 MARK       all  --  *      *       0.0.0.0/0            192.168.41.4        MARK match 0x6 MARK set 0xe
    0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.5        MARK match 0x6 MARK set 0xf
    0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.6        MARK match 0x6 MARK set 0x10
   10  1714 MARK       all  --  *      *       0.0.0.0/0            192.168.41.7        MARK match 0x6 MARK set 0x11
    0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.8        MARK match 0x6 MARK set 0x12
    0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.9        MARK match 0x6 MARK set 0x13
    0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.10       MARK match 0x6 MARK set 0x14
    0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.11       MARK match 0x6 MARK set 0x15
    0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.12       MARK match 0x6 MARK set 0x16
    0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.13       MARK match 0x6 MARK set 0x17
    0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.14       MARK match 0x6 MARK set 0x18
    0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.0/24     MARK match 0x6 MARK set 0xff 

Chain OUTPUT (policy ACCEPT 1678K packets, 285M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 2651K packets, 819M bytes)
 pkts bytes target     prot opt in     out     source               destination
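A cross-check of the two listings above, as an added example that is not part of the original post: it parses the qdisc statistics and the FORWARD mark counters, reports marks that no leaf qdisc handles, and verifies that the root's packet count minus its leaves equals direct_packets_stat. The sample text is constructed (abridged, whitespace normalised) from the output shown above.

```python
# Added example, not from the original post: cross-check the two listings above.
# The samples are constructed (abridged, whitespace normalised) from that output.
import re
TC_OUT = """\
qdisc htb 1: r2q 10 default 0 direct_packets_stat 794 ver 3.17
 Sent 16722535 bytes 17532 pkts (dropped 0, overlimits 45)
qdisc sfq 12: parent 1:12 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 16116818 bytes 16712 pkts (dropped 0, overlimits 0)
qdisc sfq 13: parent 1:13 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 1910 bytes 12 pkts (dropped 0, overlimits 0)
qdisc sfq 14: parent 1:14 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 345 bytes 4 pkts (dropped 0, overlimits 0)
qdisc sfq 17: parent 1:17 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 1854 bytes 10 pkts (dropped 0, overlimits 0)
qdisc tbf 255: parent 1:255 rate 16000bit burst 2Kb/8 mpu 0b lat 85.5ms
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
"""
IPT_FORWARD = """\
  664  574K MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0       MARK match 0x5 MARK set 0x212
16834   16M MARK all -- * * 0.0.0.0/0 192.168.41.2    MARK match 0x6 MARK set 0xc
   12  1742 MARK all -- * * 0.0.0.0/0 192.168.41.3    MARK match 0x6 MARK set 0xd
    4   289 MARK all -- * * 0.0.0.0/0 192.168.41.4    MARK match 0x6 MARK set 0xe
   10  1714 MARK all -- * * 0.0.0.0/0 192.168.41.7    MARK match 0x6 MARK set 0x11
    0     0 MARK all -- * * 0.0.0.0/0 192.168.41.0/24 MARK match 0x6 MARK set 0xff
"""

CHILD_RE = re.compile(r"^qdisc \w+ (\d+): parent 1:\d+.*\n Sent \d+ bytes (\d+) pkts", re.M)
ROOT_RE = re.compile(r"^qdisc htb 1:.*direct_packets_stat (\d+).*\n Sent \d+ bytes (\d+) pkts", re.M)
MARK_RE = re.compile(r"^\s*(\d+)\s+\S+\s+MARK\b.*MARK set (0x[0-9a-f]+)", re.M)

def parse_qdiscs(text):
    """Return ({leaf handle: packets sent}, direct_packets_stat, root packets)."""
    leaves = {int(h): int(pk) for h, pk in CHILD_RE.findall(text)}
    direct, total = (int(x) for x in ROOT_RE.search(text).groups())
    return leaves, direct, total

def parse_marks(text):
    """Return {final mark (int): packets given that mark in the FORWARD chain}."""
    return {int(m, 16): int(pk) for pk, m in MARK_RE.findall(text)}

def unshaped_marks(tc_text, ipt_text):
    """Marks iptables sets for which no leaf qdisc exists (never shaped; here 0x212)."""
    leaves, _, _ = parse_qdiscs(tc_text)
    return sorted(m for m in parse_marks(ipt_text) if m not in leaves)

def direct_matches(tc_text):
    """Root packets minus the leaves' packets must equal direct_packets_stat."""
    leaves, direct, total = parse_qdiscs(tc_text)
    return total - sum(leaves.values()) == direct
```

Run against live output, `unshaped_marks` listing anything other than 0x212 means a mark is being set without a matching fw filter and class, so that traffic is leaving eth0 unshaped.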

Last update: 2009-12-30 10:46 +07:00
