Kelly Byrd wrote:
I have had this exact same question for my server. It's running on an
ADSL line, 443 on the OR port, 80 for the Dir port (iptables redirects to
9001 and 9030) and I notice MUCH more bandwidth usage when I turn on the
dir port. Without the dir port, I barely notice tor slowing down my
regular usage. With it, I often want to turn off tor to do anything
interesting on the net.

I've been using the burst and max bandwidth settings, but I think
prioritizing might be the better way to go. Any good simple references
for iptables?

Another thought I had: Does opening up port 80 create problems all by
itself?  I'm imagining non-tor users simply going to 80 and doing GET /
and slurping the results from my tor server, but not really wanting it.



As the /etc/tor/torrc file also says, you can advertise a privileged port: clients see you listening on that port, but in fact you bind to an unprivileged one and the SYN packets get redirected to it by iptables. What confused me was an iptables rule I put at the end of all the rules, a catch-all ULOG jump: I saw 'some' SYN packets hitting the advertised port, passing through all the chains without being redirected to the port where tor was really bound, and then getting dropped by my iptables. So in some way, sometimes, the advertised port also gets involved?

Anyway, this is a script I googled around for, modified, and am using. I'm only a little into the 'mangle' table; it looks like it works. I will update you soon and wait for eventual corrections; some parts are a bit obscure to me ....

#!/bin/sh
UPLINK_SPEED=688
#UPLINK_SPEED=688
INET_DEV=eth0
DOWNLINK_THROTTLE=Y # Set to 'Y' if you want to enable downlink throttle
DOWNLINK_SPEED=3000

if [ "$1" = "status" ]
then
    tc -s qdisc ls dev $INET_DEV
    tc -s class ls dev $INET_DEV
    exit
fi

# clean existing down- and uplink qdiscs, hide errors
tc qdisc del dev $INET_DEV root    2> /dev/null > /dev/null
tc qdisc del dev $INET_DEV ingress 2> /dev/null > /dev/null
iptables -F -t mangle

if [ "$1" = "stop" ]
then
    exit
fi

#################################################################################################
# qdiscs, classes and filters

# add HTB root qdisc
tc qdisc add dev $INET_DEV root handle 1: htb default 14

tc class add dev $INET_DEV parent 1: classid 1:1 htb rate ${UPLINK_SPEED}kbit ceil ${UPLINK_SPEED}kbit

# Guaranteed rate per class as a percentage of the uplink (20+15+15+30+20 = 100 %).
# Multiply before dividing: $((UPLINK_SPEED/100*20)) truncates 688 to 6*20 = 120 kbit,
# $((UPLINK_SPEED*20/100)) gives the intended 137 kbit.
tc class add dev $INET_DEV parent 1:1 classid 1:10 htb rate $((UPLINK_SPEED*20/100))kbit ceil ${UPLINK_SPEED}kbit prio 0
tc class add dev $INET_DEV parent 1:1 classid 1:11 htb rate $((UPLINK_SPEED*15/100))kbit ceil ${UPLINK_SPEED}kbit prio 1
tc class add dev $INET_DEV parent 1:1 classid 1:12 htb rate $((UPLINK_SPEED*15/100))kbit ceil ${UPLINK_SPEED}kbit prio 2
tc class add dev $INET_DEV parent 1:1 classid 1:13 htb rate $((UPLINK_SPEED*30/100))kbit ceil ${UPLINK_SPEED}kbit prio 4
tc class add dev $INET_DEV parent 1:1 classid 1:14 htb rate $((UPLINK_SPEED*20/100))kbit ceil ${UPLINK_SPEED}kbit prio 5

tc qdisc add dev $INET_DEV parent 1:10 handle 100: sfq perturb 10
tc qdisc add dev $INET_DEV parent 1:11 handle 110: sfq perturb 10
tc qdisc add dev $INET_DEV parent 1:12 handle 120: sfq perturb 10
tc qdisc add dev $INET_DEV parent 1:13 handle 130: sfq perturb 10
tc qdisc add dev $INET_DEV parent 1:14 handle 140: sfq perturb 10

# filters
# fwmark N (set by iptables MARK below) selects class 1:1N
tc filter add dev $INET_DEV parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10
tc filter add dev $INET_DEV parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11
tc filter add dev $INET_DEV parent 1:0 protocol ip prio 3 handle 3 fw classid 1:12
tc filter add dev $INET_DEV parent 1:0 protocol ip prio 4 handle 4 fw classid 1:13
tc filter add dev $INET_DEV parent 1:0 protocol ip prio 5 handle 5 fw classid 1:14

#################################################################################################
#
# classid 1:10 htb rate $[$UPLINK_SPEED/5]kbit ceil $[$UPLINK_SPEED]kbit prio 0 [mark 1]
#    This is the higher priority class. The packets in this class will have the lowest delay
#    and would get the excess of bandwidth first, so it's a good idea to limit the ceil rate of
#    this class. We will send through this class the following packets that benefit from low
#    delay, such as interactive traffic: ssh, telnet, dns, quake3, irc, and packets with the
#    SYN flag.
#
# classid 1:11 htb rate $[$UPLINK_SPEED/5]kbit ceil $[$UPLINK_SPEED]kbit prio 1 [mark 2]
#    Here we have the first class in which we can start to put bulk traffic. In my example I have
#    traffic from the local web server and requests for web pages: source port 80, and destination
#    port 80 respectively.  ????
#
# classid 1:12 htb rate $[$UPLINK_SPEED/5]kbit ceil $[9*$UPLINK_SPEED/10]kbit prio 2 [mark 3]
#    In this class I will put traffic with Maximize-Throughput TOS bit set and the rest of the
#    traffic that goes from local processes on the router to the Internet. So the following
#    classes will only have traffic that is "routed through" the box.
#
# classid 1:13 htb rate $[$UPLINK_SPEED/5]kbit ceil $[7*$UPLINK_SPEED/10]kbit prio 3 [mark 4]
#    Here goes mail traffic (SMTP, pop3...) and packets with Minimize-Cost TOS bit set.
#
# classid 1:14 htb rate $[$UPLINK_SPEED/5]kbit ceil $[8*$UPLINK_SPEED/10]kbit prio 4 [mark 5]
#    And finally here we have bulk traffic from the NATed machines behind the router. All kazaa,
#    edonkey, and others will go here, in order to not interfere with other services.
#
#################################################################################################
# Packets from internal LAN - rule order does matter !
# Use --dport if you connect TO that port on a server on the internet (the only option that makes
# sense in the PREROUTING chain).

# priority hosts
iptables -t mangle -A PREROUTING -d 192.168.1.4/32 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -d 192.168.1.4/32 -j RETURN
iptables -t mangle -A PREROUTING -d 192.168.1.6/32 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -d 192.168.1.6/32 -j RETURN

# SYN packets
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN



# TOR packets
#iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9090 -j MARK --set-mark 2
#iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9090 -j RETURN
#iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9091 -j MARK --set-mark 2
#iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9091 -j RETURN

# POP and SMTP packets
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 25 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 25 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 995 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 995 -j RETURN


# HTTP packets
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j RETURN

# TOS rules
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j RETURN
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j RETURN
iptables -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j RETURN

# All other packets get low priority (no RETURN here, so the Tor rules below can still override)
iptables -t mangle -A PREROUTING -j MARK --set-mark 4

# Tor the lowest
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9090 -j MARK --set-mark 5
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9090 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9091 -j MARK --set-mark 5
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9091 -j RETURN

#################################################################################################
# Packets originating from localhost - rule order does matter !
# Use --dport if you connect TO that port on a server on the internet
# Use --sport to mark packets emanating from this computer at specified port (for services
# running on this computer).
#
# Example :
# If I connect to a remote computer with SSH, the DESTINATION port will be port 22
# The packets that leave this computer have source port xxx and destination port 22
#
# If someone connects to this computer with SSH the SOURCE port will be 22
# The packets that leave this computer will have source port 22 and destination port xxxx
# (it is the opposite way, isn't it?)
# priority hosts
#iptables -t mangle -A OUTPUT -d 192.168.0.2/32 -j MARK --set-mark 1
#iptables -t mangle -A OUTPUT -d 192.168.0.2/32 -j RETURN
# each host gets a MARK followed by a RETURN for the same address
# (my_isp1_dns / my_isp2_dns: replace with the resolver addresses)
iptables -t mangle -A OUTPUT -d my_isp1_dns/32 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -d my_isp1_dns/32 -j RETURN
iptables -t mangle -A OUTPUT -d my_isp2_dns/32 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -d my_isp2_dns/32 -j RETURN
iptables -t mangle -A OUTPUT -d 87.37.17.11/32 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -d 87.37.17.11/32 -j RETURN

# SYN packets
iptables -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN

# ICMP packets
iptables -t mangle -A OUTPUT -p icmp -j MARK --set-mark 3
iptables -t mangle -A OUTPUT -p icmp -j RETURN
# HTTP packets
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -j RETURN
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 443 -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 443 -j RETURN

# POP and SMTP packets
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 25 -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 25 -j RETURN
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 995 -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 995 -j RETURN

# TOS rules
iptables -t mangle -A OUTPUT -m tos --tos Minimize-Delay -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -m tos --tos Minimize-Delay -j RETURN
iptables -t mangle -A OUTPUT -m tos --tos Minimize-Cost -j MARK --set-mark 3
iptables -t mangle -A OUTPUT -m tos --tos Minimize-Cost -j RETURN
iptables -t mangle -A OUTPUT -m tos --tos Maximize-Throughput -j MARK --set-mark 3
iptables -t mangle -A OUTPUT -m tos --tos Maximize-Throughput -j RETURN

# packets owned by a specific UID
iptables -t mangle -A OUTPUT -p tcp -m owner --uid-owner 1000 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p tcp -m owner --uid-owner 1000 -j RETURN
# All other packets (Tor etc.)
iptables -t mangle -A OUTPUT -j MARK --set-mark 5


if [ "$DOWNLINK_THROTTLE" = "N" ]
then
    exit
fi

########## downlink #############
# slow downloads down to somewhat less than the real speed  to prevent
# queuing at our ISP. Tune to see how high you can set it.
# ISPs tend to have *huge* queues to make sure big downloads are fast
#
# attach ingress policer:

tc qdisc add dev $INET_DEV handle ffff: ingress

# filter *everything* to it (0.0.0.0/0), drop everything that's
# coming in too fast:

tc filter add dev $INET_DEV parent ffff: protocol ip prio 50 u32 match ip src \
   0.0.0.0/0 police rate ${DOWNLINK_SPEED}kbit burst 10k drop flowid :1
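Two dry checks for a setup like this, added here as an example; they are not part of the script above nor of Tor's own tooling. The first computes the HTB class rates without the integer-division truncation that `$[$UPLINK_SPEED/100*20]` suffers from and verifies that the guaranteed rates fit inside the uplink. The second models the PREROUTING mark rules in the order the script applies them, so you can see which class a packet forwarded from the LAN lands in before loading the rules for real. The 20/15/15/30/20 split, the 192.168.1.4 and 192.168.1.6 priority hosts and the 9090/9091 Tor ports are taken from the script; the sample packets are constructed, and nothing here needs root or touches the kernel.

```shell
#!/bin/sh
# Added example, not the poster's script: offline checks for the tc/iptables
# shaping above.  Runs with plain /bin/sh and no privileges.

# --- 1. HTB class arithmetic -------------------------------------------------
# Guaranteed rate of a class as a percentage of the uplink.  Multiply first:
# $(( 688/100*20 )) is 120, $(( 688*20/100 )) is the intended 137.
class_rate() {            # class_rate <uplink_kbit> <percent>
    echo $(( $1 * $2 / 100 ))
}

# HTB can only honour the children's "rate" values if they add up to no more
# than the parent's rate.  The split is the one used above (assumed policy).
htb_rate_sum() {          # htb_rate_sum <uplink_kbit>
    sum=0
    for pct in 20 15 15 30 20; do
        sum=$(( sum + $(class_rate "$1" "$pct") ))
    done
    echo "$sum"
}

check_htb_budget() {      # exit status 0 if the child rates fit in the uplink
    [ "$(htb_rate_sum "$1")" -le "$1" ]
}

# --- 2. Which fwmark the PREROUTING chain assigns ---------------------------
# Same rule order as the script: priority hosts, SYN, mail, HTTP(S), TOS,
# catch-all mark 4 (no RETURN), then the Tor ports.  A MARK+RETURN pair ends
# evaluation at the first match; the bare MARK 4 does not, so a later Tor rule
# still overrides it.  9090/9091 are the poster's Tor ports (assumed to be the
# real bind ports, not the advertised ones).
prerouting_mark() {       # prerouting_mark <dst_ip> <dport> <syn|data> [tos]
    dst=$1 dport=$2 kind=$3 tos=$4
    case "$dst" in 192.168.1.4|192.168.1.6) echo 1; return;; esac
    [ "$kind" = syn ] && { echo 2; return; }
    case "$dport" in 25|995|80|443) echo 2; return;; esac
    case "$tos" in
        Minimize-Delay)                   echo 2; return;;
        Minimize-Cost|Maximize-Throughput) echo 3; return;;
    esac
    case "$dport" in 9090|9091) echo 5; return;; esac
    echo 4
}

# Demo when run directly (constructed sample packets).
echo "guaranteed rates for 688 kbit sum to $(htb_rate_sum 688) kbit"
echo "SYN  to 9090 -> mark $(prerouting_mark 203.0.113.10 9090 syn)  (class 1:11)"
echo "data to 9090 -> mark $(prerouting_mark 203.0.113.10 9090 data) (class 1:14)"
echo "data to 80   -> mark $(prerouting_mark 203.0.113.10 80 data)   (class 1:11)"
```

The point the mark model makes is that the SYN rule sits above everything else, so the handshake of a Tor connection is matched there (mark 2, class 1:11) and the Tor rule at the end is never reached for it; only established Tor traffic ends up in the lowest class 1:14. Rule order is the policy, which is why the comment "rule order does matter" deserves to be taken literally.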

