Re: [LARTC] limit number of connections per ip

2006-02-02 Thread Rasmus Melgaard
Well, only TCP has connections; UDP has none, it is only a stream of packets.

So for each user (IP) you could make a class for TCP and one for UDP.

IP
  /\
TCP UDP

The TCP class you already know how to limit; the UDP class I would limit with 
pfifo with a suitable packet limit setting (in practice this would lead to the 
same effect as the TCP conn. limiting), although not a hard limit.

Extra:
I would make a separate high prio class for ICMP to communicate errors and 
connection failures back and forth.

NB! P2P normally uses TCP (I know that BitTorrent does).

BR
Rasmus Melgaard



On Thursday 02 February 2006 21:58, Jan Tomak wrote:
>   Hello!
>
>   I've read a lot of mail archives, but can't find a solution for my
> problem. I have a router with about 700 users. I'm using HTB with SFQ leaf
> qdiscs for every user (client IP). So, different IPs can have their own rate
> limit. This scheme has been working fine for a long time. But how can I limit
> the number of connections (sessions) from one host? I see from ip_conntrack
> that some users have more than 1000 active connections (mostly P2P UDP).
> As far as I know there is a connlimit patch for iptables, but it is capable of
> limiting only TCP sessions. And there is the ESFQ qdisc, allowing bandwidth to
> be divided more fairly, but only inside one class. In my case every user has its
> own class and I'm not able to control how many simultaneous connections they
> make by implementing ESFQ! Also I don't understand how to deal with it from the
> iptables side - connlimit will not help with UDP.
>
>   What can be done in my case?
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
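As an added illustration (not Rasmus's code, nor anything posted on the list), here is one way to build the per-user IP -> TCP/UDP/ICMP split he describes, written as a generator that prints the tc commands so it can be reviewed before being piped into sh on the shaper. WAN=eth1, an existing HTB root 1: with link class 1:1, the rates and the pfifo depth are my assumptions; the pfifo depth caps queued UDP packets per user rather than UDP "connections", which matches his note that it is not a hard limit.

```shell
#!/bin/sh
# Added example for the LARTC thread above, not the poster's own script.
# Emits the tc commands for a per-user class with TCP, UDP and ICMP children
# under an assumed existing root: tc qdisc add dev $WAN root handle 1: htb,
# with class 1:1 as the whole-link class. Rates are constructed sample values.
WAN=${WAN:-eth1}
CEILRATE=${CEILRATE:-160kbit}     # assumed whole uplink
CLIENTRATE=${CLIENTRATE:-20kbit}  # assumed guaranteed rate per user
UDP_PKTS=${UDP_PKTS:-50}          # pfifo depth that bounds a user's queued UDP

# emit_user_tree N IP: print classes, leaf qdiscs and filters for user N.
# Minors are derived from N (16 per user) and printed in hex, because tc
# parses "1:xx" as hexadecimal: 1:N0 is the user, N1 TCP, N2 UDP, N3 ICMP.
# ICMP gets the highest HTB prio (0) so errors still get through when the
# user's TCP or UDP leaf is saturated; UDP gets the lowest (2).
emit_user_tree() {
    n=$1; ip=$2
    user=$(printf '%x' $((n * 16)))
    tcp=$(printf '%x' $((n * 16 + 1)))
    udp=$(printf '%x' $((n * 16 + 2)))
    icmp=$(printf '%x' $((n * 16 + 3)))
    cat <<EOF
tc class add dev $WAN parent 1:1 classid 1:$user htb rate $CLIENTRATE ceil $CEILRATE
tc class add dev $WAN parent 1:$user classid 1:$icmp htb rate 2kbit ceil $CLIENTRATE prio 0
tc class add dev $WAN parent 1:$user classid 1:$tcp htb rate 12kbit ceil $CEILRATE prio 1
tc class add dev $WAN parent 1:$user classid 1:$udp htb rate 6kbit ceil $CEILRATE prio 2
tc qdisc add dev $WAN parent 1:$icmp handle $icmp: pfifo limit 10
tc qdisc add dev $WAN parent 1:$tcp handle $tcp: sfq perturb 10
tc qdisc add dev $WAN parent 1:$udp handle $udp: pfifo limit $UDP_PKTS
tc filter add dev $WAN parent 1: protocol ip prio 1 u32 match ip src $ip/32 match ip protocol 1 0xff flowid 1:$icmp
tc filter add dev $WAN parent 1: protocol ip prio 1 u32 match ip src $ip/32 match ip protocol 6 0xff flowid 1:$tcp
tc filter add dev $WAN parent 1: protocol ip prio 1 u32 match ip src $ip/32 match ip protocol 17 0xff flowid 1:$udp
EOF
}

# Constructed sample: two LAN clients. Pipe the output into sh to apply it.
for pair in "1 10.0.0.1" "2 10.0.0.2"; do
    set -- $pair
    emit_user_tree "$1" "$2"
done
```

Each user's UDP queue drops its own overflow instead of starving the neighbouring classes, and the ICMP class keeps error reporting working while that happens.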


[LARTC] Shared ADSL SHAPER

2006-01-30 Thread Rasmus Melgaard
Hi,

I'm trying to make a shaper / firewall to improve sharing of bandwidth on an 
ADSL (3mbit down / ½ mbit up).

Since the ADSL is very asymmetric, down is unimportant; I make an ingress rate 
limit shaper to ensure that all shaping happens at the Shaper, and not at the 
Router or the ISP.

The idea is then to make one HTB hierarchy and have each client (IP) filtered 
and put in a child HTB queue. This is the main idea; I have added prio to 
each HTB child to keep priorities for each client.

I currently use a reduced setup with the total uplink limited to 160kbit, and I 
run the firewall script first and then the Shaper script, both below.

The problem now is that if I take Azureus, a bittorrent client, and let it go 
(no uplink limitation), it kills its own downlink speed. If I limit the 
uplink speed in Azureus the downlink will grow again; it is quite obvious. 

I've tried adding some tricks from the net, especially to improve ACK 
performance, but it hasn't helped.
 

Setup:

Clients (1-32)---Switch---Linux(shaper+firewall)---Cisco Soho 78---ISP

BR 
Rasmus Melgaard


FIREWALL: Firewall script:
#!/bin/sh
#First we flush our current rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

#Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#Interfaces and the LAN address range
export LAN=eth0
export WAN=eth1

export LAN_SCOPE="10.0.0.0/24"

#Then we lock our services so they only work from the LAN
#(current iptables writes the interface negation as "! -i"; old releases used "-i !")
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

#(Optional) Allow access to our ssh server from the WAN
# iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

#Drop TCP / UDP packets to privileged ports
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

#Finally we add the rules for NAT
#(the first rule stops LAN clients reaching each other through the router)
iptables -I FORWARD -i ${LAN} -d ${LAN_SCOPE} -j DROP
iptables -A FORWARD -i ${LAN} -s ${LAN_SCOPE} -j ACCEPT
iptables -A FORWARD -i ${WAN} -d ${LAN_SCOPE} -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

#Tell the kernel that ip forwarding is OK, and enable reverse path filtering
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

#MTU Clamp (one line)
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

-
SHAPER: Shaping script:
#!/bin/bash
export LAN=eth0
export WAN=eth1

#delete previous (an error here is expected when no root qdisc exists yet)
tc qdisc del dev ${WAN} root 2>/dev/null
tc qdisc del dev ${LAN} root 2>/dev/null

#Echo a command, run it, and abort the script with a non-zero status if it fails.
#NB: this function shadows the shell builtin "command" for the rest of the script.
function command() {
    echo "Command -> $*"
    if ! $*
    then
        echo "Failed: $*" >&2
        exit 1
    fi
}

CEILDOWNRATE="3000kbit"   # 3 mbit downlink
CEILRATE="160kbit"        # total uplink (reduced test setup)
CLIENTRATE="20kbit"       # guaranteed rate per client

LAN_SCOPE="10.0.0.0/24"

LAN_SCOPE_PRE="10.0.0."
LAN_SCOPE_POST="/32"
LEAF_QDISC="prio"
HTB_MAIN_OPT="quantum 36000 burst 32000 cburst 16000"
HTB_LEAF_OPT="quantum 5000 burst 2000 cburst 1000"
MAX_IP_LIMIT=33

#General egress Wan port
command "tc qdisc add dev ${WAN} root handle 1: htb default 10"
command "tc class add dev ${WAN} parent 1: classid 1:1 htb rate ${CEILRATE} ceil ${CEILRATE} ${HTB_MAIN_OPT}"

#Fix general tos - new chain tosfix
#(Minimize-Delay packets that are large, or arrive faster than 2/s, are demoted to Maximize-Throughput)
command "iptables -t mangle -N tosfix"
command "iptables -t mangle -A tosfix -p tcp -m length --length 0:512 -j RETURN"
command "iptables -t mangle -A tosfix -m limit --limit 2/s --limit-burst 10 -j RETURN"
command "iptables -t mangle -A tosfix -j TOS --set-tos Maximize-Throughput"
command "iptables -t mangle -A tosfix -j RETURN"


#Fix ACK TOS - new chain ack
#(small pure ACKs get Minimize-Delay, larger segments get Maximize-Throughput)
command "iptables -t mangle -N ack"
command "iptables -t mangle -A ack -m tos ! --tos Normal-Service -j RETURN"
command "iptables -t mangle -A ack -p tcp -m length --length 0:128 -j TOS --set-tos Minimize-Delay"
command "iptables -t mangle -A ack -p tcp -m length --length 128: -j TOS --set-tos Maximize-Throughput"
command "iptables -t mangle -A ack -j RETURN"


#Add rules
command "iptables -t mangle -A POSTROUTING -p tcp -m tos --tos Minimize-Delay -j tosfix"
command "iptables -t mangle -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -j ack"

#Every ip egress
#(tc reads the class minor as hex, so IP 1 becomes class 1:10, the htb default above)
IP=1
while [ "$IP" -lt  $MAX_IP_LIMIT ]
do
    CLASSID=${IP}0
    IPADDR=${LAN_SCOPE_PRE}${IP}${LAN_SCOPE_POST}
    echo "Class ID: ${CLASSID}"
    echo "IP Addrs: ${IPADDR}"
    echo "Adding Class"
    command "tc class add dev ${WAN} parent 1:1 classid 1:${CLASSID} htb rate ${CLIENTRATE} ceil ${CEILRATE} ${HTB_LEAF_OPT}"
    echo "Adding qdisc"
    command "tc qdisc add