Marking the BG address space with IPSet and limiting outgoing traffic.
by Iliya Nyagolov on Mar 11, 2008, categories Linux, Network
1. Marking the BG address space:
For this I create the following scripts:
#!/bin/sh
#rc.firewall
IPTABLES="/sbin/iptables"
IPSET="/sbin/ipset"

#Create empty user defined chains
$IPTABLES -N BG_OUT -t mangle

#bgnets - the list of Bulgarian prefixes, downloaded from ludost.net
#(this is the 2008-era ipset syntax; newer releases spell it
# "ipset create BG_NETS hash:net" and "-m set --match-set BG_NETS dst")
$IPSET -N BG_NETS nethash
for i in `cat /scripts/shaper/bgnets`; do
$IPSET -A BG_NETS $i
done

#forwarded traffic towards a BG destination is handled in BG_OUT
$IPTABLES -t mangle -I FORWARD 1 -m set --set BG_NETS dst -j BG_OUT

#85.133.83.0/24 - my network
#mark 2 = traffic to BG, mark 1 = everything else; the ACCEPT at the end of
#BG_OUT ends mangle traversal, so BG traffic never reaches the mark-1 rule
$IPTABLES -t mangle -A BG_OUT -s 85.133.83.0/24 -j MARK --set-mark 2
$IPTABLES -t mangle -A FORWARD -s 85.133.83.0/24 -j MARK --set-mark 1
$IPTABLES -t mangle -A BG_OUT -j ACCEPT

#local file server that must not be shaped: inserted at position 1, so it is
#matched before the BG_NETS rule and leaves the packet unmarked
$IPTABLES -t mangle -I FORWARD 1 -d 21.121.158.15 -j ACCEPT
#!/bin/sh
#rc.firewall-stop
IPTABLES="/sbin/iptables"
IPSET="/sbin/ipset"

$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z

$IPTABLES -F -t mangle
$IPTABLES -X -t mangle
$IPTABLES -Z -t mangle

#the set can only be destroyed once no rule references it any more,
#hence the order: iptables first, ipset second
$IPSET -F
$IPSET -X

#note: this also flushes the filter table and opens all three policies,
#so only run it on a box where nothing else relies on iptables for filtering
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
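The bgnets file is an external input that goes straight into the BG_NETS set, so one malformed or over-broad line (0.0.0.0/0, say) would silently put every destination into the cheap BG class. The script below is an added example, not code from the original post: it validates the downloaded list before loading it. The sample file, the function names and the MIN_PREFIX threshold are assumptions; the output uses the `ipset restore` input format of current ipset releases (with the 2008-era tool, feed the accepted prefixes to the `-A` loop instead).

```shell
#!/bin/sh
# Added example (not from the post): validate a downloaded bgnets prefix list
# before it is loaded into the BG_NETS set. Function names, the sample data and
# MIN_PREFIX are assumptions.

# Reject anything broader than this prefix length (assumption: no Bulgarian
# allocation is wider than a /8; 0.0.0.0/0 would classify all traffic as BG).
MIN_PREFIX=8

# is_ipv4_prefix a.b.c.d/len: return 0 for a well-formed IPv4 prefix
# (four octets 0-255, length 0-32), 1 otherwise.
is_ipv4_prefix() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}
    len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -f                # no globbing while the address is split on dots
    set -- $addr
    set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# filter_bgnets FILE: print "add BG_NETS <prefix>" for every valid line of FILE
# ('#' comments and blank lines ignored); rejected lines are reported on stderr.
filter_bgnets() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if ! is_ipv4_prefix "$line"; then
            printf 'reject (malformed): %s\n' "$line" >&2
        elif [ "${line#*/}" -lt "$MIN_PREFIX" ]; then
            printf 'reject (too broad): %s\n' "$line" >&2
        else
            printf 'add BG_NETS %s\n' "$line"
        fi
    done < "$1"
}

# Constructed sample standing in for the downloaded file (not the real list).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample, not the real ludost.net list
85.133.83.0/24
212.5.0.0/16
0.0.0.0/0
10.300.1.0/24
not-a-prefix
78.128.0.0/10
EOF

# Real usage would be: filter_bgnets /scripts/shaper/bgnets | ipset restore
filter_bgnets "$SAMPLE"
```

Of the six constructed lines only three survive: the /0 is thrown out as too broad, the octet 300 and the non-address line as malformed. Run it from cron after the download and before rc.firewall, and treat a non-empty stderr as a reason not to reload the set.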
2. Initial scripts for limiting the traffic:
#!/bin/sh
#rc.shaper
TC=/sbin/tc

#eth0 - my outgoing interface
r_dev=eth0

#$TC qdisc del dev $r_dev root 2> /dev/null > /dev/null

#root HTB; 1:1 is the parent of the international (mark 1) user classes,
#1:2 of the BG (mark 2) ones. No "default" is given on purpose: unmarked
#traffic (e.g. to the local file server) bypasses the classes and goes out unshaped
$TC qdisc add dev $r_dev root handle 1:0 htb
$TC class add dev $r_dev parent 1: classid 1:1 htb rate 10Mbit
$TC class add dev $r_dev parent 1: classid 1:2 htb rate 50Mbit

#fw classifier: packets carrying mark 1 go to 1:1, mark 2 to 1:2
$TC filter add dev $r_dev parent 1: protocol ip pref 1 handle 1 fw classid 1:1
$TC filter add dev $r_dev parent 1: protocol ip pref 2 handle 2 fw classid 1:2

#re-create the per-user classes of everybody currently connected (billing script)
/usr/billing/misc/shaper-start-all.pl
#! /bin/bash
#rc-shaper.stop
#eth0 - my outgoing interface
r_dev=eth0
TC=/sbin/tc

#removing the root qdisc takes all classes, filters and leaf qdiscs with it
$TC qdisc del dev $r_dev root 2> /dev/null > /dev/null
3. PPP example scripts:
#!/usr/bin/perl -w
# ppp
# external script for traffic shaping, called from ip-up / ip-down as:
#   linkupdown up INTERFACE USER HISADDR
#   linkupdown down INTERFACE USER HISADDR
# $user->{UID}, $speed_out1, $speed_out2 - I take these from a table in MySQL
# (that lookup is not shown here; $user and $main::speed_out1/2 must be filled in
# by it before the branches below run)
use strict;

my $TC     = '/sbin/tc';
my $tc_log = '/var/log/ppp/tc.log';
my $user;    # hash ref with the user's record from MySQL (lookup not shown)

# Arguments
my ($ACTION, $INTERFACE, $USER, $HISADDR);
$ACTION    = $ARGV[0];
$INTERFACE = $ARGV[1];
$USER      = $ARGV[2];
$HISADDR   = $ARGV[3];

# START
# Up fw shaper rules
if ($ACTION eq 'up') {
    my $speed_out1;
    my $speed_out2;
    my $r_dev = "eth0";
    my $UID = $user->{UID};
    # tc reads the minor part of a classid as hex, so these decimal values must
    # stay at four digits (UID <= 4899); the ranges 100..4999 and 5100..9999
    # then cannot collide with each other
    my $r_class  = $UID + 100;     # class under 1:1, international (mark 1)
    my $r_class2 = $UID + 5100;    # class under 1:2, BG (mark 2)

    if ($main::speed_out1) {
        #$int_r_dev mark 1
        # NOTE: "filter del ... pref 1 u32" without a handle removes every u32
        # filter at pref 1 under 1:1, i.e. all users' filters, not only this one;
        # a unique pref or handle per user avoids that. $HISADDR is passed through
        # the shell here, so keep it the pppd-supplied address (or use list-form system)
        system "$TC filter del dev $r_dev parent 1:1 protocol ip pref 1 u32 classid 1:$r_class 2> /dev/null > /dev/null";
        system "$TC class del dev $r_dev parent 1:1 classid 1:$r_class 2> /dev/null > /dev/null";
        system "$TC class add dev $r_dev parent 1:1 classid 1:$r_class htb rate " . $main::speed_out1 . "kbit";
        system "$TC filter add dev $r_dev parent 1:1 protocol ip pref 1 u32 match ip src $HISADDR classid 1:$r_class";
        system "$TC qdisc add dev $r_dev parent 1:$r_class sfq";
    }
    if ($main::speed_out2) {
        #$bg_r_dev mark 2
        system "$TC filter del dev $r_dev parent 1:2 protocol ip pref 2 u32 classid 1:$r_class2 2> /dev/null > /dev/null";
        system "$TC class del dev $r_dev parent 1:2 classid 1:$r_class2 2> /dev/null > /dev/null";
        system "$TC class add dev $r_dev parent 1:2 classid 1:$r_class2 htb rate " . $main::speed_out2 . "kbit";
        system "$TC filter add dev $r_dev parent 1:2 protocol ip pref 2 u32 match ip src $HISADDR classid 1:$r_class2";
        system "$TC qdisc add dev $r_dev parent 1:$r_class2 sfq";
    }
}

# STOP
if ($ACTION eq 'down') {
    my $speed_out1;
    my $speed_out2;
    my $r_dev = "eth0";
    my $UID = $user->{UID};
    my $r_class  = $UID + 100;
    my $r_class2 = $UID + 5100;

    if ($main::speed_out1) {
        #$int_r_dev mark 1
        system "$TC filter del dev $r_dev parent 1:1 protocol ip pref 1 u32 classid 1:$r_class 2> /dev/null > /dev/null";
        system "$TC class del dev $r_dev parent 1:1 classid 1:$r_class 2> /dev/null > /dev/null";
    }
    if ($main::speed_out2) {
        #$bg_r_dev mark 2
        system "$TC filter del dev $r_dev parent 1:2 protocol ip pref 2 u32 classid 1:$r_class2 2> /dev/null > /dev/null";
        system "$TC class del dev $r_dev parent 1:2 classid 1:$r_class2 2> /dev/null > /dev/null";
    }
}
#!/bin/sh
#ip-up
# This script is run by pppd after the link is established.
# It executes all the scripts available in /etc/ppp/ip-up.d directory,
# with the following parameters:
# $1 = interface name (e.g. ppp0)
# $2 = tty device
# $3 = speed
# $4 = local IP address
# $5 = remote IP address
# $6 = ipparam (user specified parameter, see man pppd)

/etc/ppp/linkupdown up $1 $PEERNAME $5
#!/bin/sh
#ip-down
# This script is run by pppd when the link goes down.
# It executes all the scripts available in /etc/ppp/ip-down.d directory,
# with the following parameters:
# $1 = interface name (e.g. ppp0)
# $2 = tty device
# $3 = speed
# $4 = local IP address
# $5 = remote IP address
# $6 = ipparam (user specified parameter, see man pppd)

/etc/ppp/linkupdown down $1 $PEERNAME $5
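Two things in the per-user part of linkupdown deserve a check before it goes into production: tc parses the minor part of "1:NNN" as hexadecimal, so a decimal UID+5100 only works while it stays at four digits, and a "filter del" given a pref but no handle removes every u32 filter at that pref under the parent, so with all users sharing pref 1 one disconnect wipes everyone's filter. Here is an added example, not from the original post, that redoes that part in shell with both checks, building tc argument lists instead of interpolating into a command string. It keeps the post's layout (root htb 1:, parent 1:1 for international traffic, 1:2 for BG, class minors UID+100 and UID+5100) and assumes the caller supplies UID and the two speeds (the post takes them from MySQL); TC_DRY_RUN, the function names and the demo values are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): the per-user part of linkupdown in shell,
# with tc invoked through argument lists and with two checks the Perl version
# lacks. Layout as in the post: root htb 1:, parent 1:1 = international (mark 1),
# parent 1:2 = BG (mark 2), per-user class minor = UID+100 and UID+5100.
# TC_DRY_RUN=1 (the default here) prints the tc commands instead of running them.

R_DEV=${R_DEV:-eth0}
TC=${TC:-/sbin/tc}
TC_DRY_RUN=${TC_DRY_RUN:-1}

run_tc() {
    if [ "$TC_DRY_RUN" = 1 ]; then
        printf '%s\n' "$TC $*"
    else
        "$TC" "$@"
    fi
}

# user_classids UID: print "1:<UID+100> 1:<UID+5100>". tc parses the minor part
# of a classid as hexadecimal, so the decimal numbers we build must stay at four
# digits: UID+5100 <= 9999, i.e. UID <= 4899. That bound also keeps the two
# ranges (100..4999 and 5100..9999) disjoint, so no two users share a classid.
user_classids() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 4899 ] || return 1
    echo "1:$(($1 + 100)) 1:$(($1 + 5100))"
}

# shaper_up UID HISADDR INTL_KBIT BG_KBIT: add the user's classes, u32 filters
# and sfq leaves; a speed of 0 skips that direction. Every user gets a private
# filter pref (UID+100): "tc filter del ... pref N u32" with no handle removes
# all filters at that pref under the parent, so a shared pref would let one
# user's disconnect delete everybody else's filter.
shaper_up() {
    uid=$1 addr=$2 kb1=$3 kb2=$4
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac   # dotted-quad characters only
    for n in "$kb1" "$kb2"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    ids=$(user_classids "$uid") || return 1
    set -- $ids
    c1=$1 c2=$2 pref=$((uid + 100))
    if [ "$kb1" -gt 0 ]; then
        run_tc class add dev "$R_DEV" parent 1:1 classid "$c1" htb rate "${kb1}kbit"
        run_tc filter add dev "$R_DEV" parent 1:1 protocol ip pref "$pref" u32 \
            match ip src "$addr" classid "$c1"
        run_tc qdisc add dev "$R_DEV" parent "$c1" sfq
    fi
    if [ "$kb2" -gt 0 ]; then
        run_tc class add dev "$R_DEV" parent 1:2 classid "$c2" htb rate "${kb2}kbit"
        run_tc filter add dev "$R_DEV" parent 1:2 protocol ip pref "$pref" u32 \
            match ip src "$addr" classid "$c2"
        run_tc qdisc add dev "$R_DEV" parent "$c2" sfq
    fi
}

# shaper_down UID: remove the user's filters (by its private pref) and classes;
# objects that do not exist are ignored, as in the original script.
shaper_down() {
    ids=$(user_classids "$1") || return 1
    pref=$(($1 + 100))
    set -- $ids
    run_tc filter del dev "$R_DEV" parent 1:1 protocol ip pref "$pref" u32 2>/dev/null || :
    run_tc class del dev "$R_DEV" parent 1:1 classid "$1" 2>/dev/null || :
    run_tc filter del dev "$R_DEV" parent 1:2 protocol ip pref "$pref" u32 2>/dev/null || :
    run_tc class del dev "$R_DEV" parent 1:2 classid "$2" 2>/dev/null || :
}

# Stand-alone demo with constructed values: UID 42, peer 10.8.0.42,
# 512 kbit international, 2048 kbit towards BG.
shaper_up 42 10.8.0.42 512 2048
shaper_down 42
```

Called from ip-up as `shaper_up "$UID" "$5" "$speed_out1" "$speed_out2"` with TC_DRY_RUN=0, the up path emits six tc commands for a user with both speeds set and three when one of them is 0; a UID above 4899 or an address containing anything but digits and dots is refused before tc is touched.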
I suppose I was very thorough and clear :), just kidding. Only one thing I want to say in closing: the scripts are examples and incomplete; I want to give the idea, and everyone can decide for themselves exactly how to do it.