Ceci & Tati

Marking the BG address space with IPSet and limiting outgoing traffic.

Posted on Mar 11, 2008, categories: Linux, Network

1. Marking the BG address space:

For this I create the following scripts:

#end rc.firewall
IPTABLES="/sbin/iptables"
IPSET="/sbin/ipset"

#Create empty user defined chains
$IPTABLES -N BG_OUT -t mangle

#bgnets - downloaded from ludost.net, one network per line
$IPSET -N BG_NETS nethash
for i in `cat /scripts/shaper/bgnets`; do
$IPSET -A BG_NETS $i
done
#everything forwarded towards a BG network is handed to BG_OUT
$IPTABLES -t mangle -I FORWARD 1 -m set --set BG_NETS dst -j BG_OUT
#85.133.83.0 my network
#mark 2 = traffic from my network to BG destinations
$IPTABLES -t mangle -A BG_OUT -s 85.133.83.0/24 -j MARK --set-mark 2
#mark 1 = all other traffic from my network (international)
$IPTABLES -t mangle -A FORWARD -s 85.133.83.0/24 -j MARK --set-mark 1
#ACCEPT in the mangle table ends traversal of this hook, so BG traffic never reaches the mark 1 rule
$IPTABLES -t mangle -A BG_OUT -j ACCEPT

#local file server that must not be shaped (inserted at position 1, so it is matched before any marking)
$IPTABLES -t mangle -I FORWARD 1 -d 21.121.158.15 -j ACCEPT
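The contents of the bgnets file decide which destinations land in the larger BG class, so a sanity check of the downloaded list before the ipset loop is worth having: a malformed line breaks the loop, and a catch-all entry such as 0.0.0.0/0 would silently classify all traffic as BG. The following is an added example, not code from the original post; the file path /scripts/shaper/bgnets is the post's, while MIN_PREFIX, valid_cidr, check_bgnets and the constructed sample list are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: validate the downloaded bgnets
# list before the ipset loop loads it. MIN_PREFIX is an assumed policy value.
MIN_PREFIX=8

# valid_cidr A.B.C.D/N: succeeds only for a well-formed IPv4 prefix whose
# length is between MIN_PREFIX and 32 (rejects junk and catch-all entries)
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; plen=${1#*/}
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -ge "$MIN_PREFIX" ] && [ "$plen" -le 32 ] || return 1
    # only digits and dots may appear in the address part (also blocks globbing below)
    case "$ip" in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_bgnets FILE: prints the number of accepted entries, lists rejected
# lines on stderr and returns non-zero if any line was rejected, so the
# firewall script can refuse to build BG_NETS from a broken download
check_bgnets() {
    ok=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if valid_cidr "$line"; then
            ok=$((ok + 1))
        else
            bad=$((bad + 1)); echo "rejected: $line" >&2
        fi
    done < "$1"
    echo "$ok"
    [ "$bad" -eq 0 ]
}

# constructed sample standing in for /scripts/shaper/bgnets
write_sample() {
    printf '%s\n' '85.133.83.0/24' '# comment' '212.5.128.0/17' \
        '0.0.0.0/0' 'garbage' '300.1.1.0/24' '10.0.0.0' > "$1"
}
```

In rc.firewall, run `check_bgnets /scripts/shaper/bgnets >/dev/null || exit 1` before the `for i in ...` loop so the old set is kept when the new download does not pass.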

#!/bin/sh

#rc.firewall-stop
IPTABLES="/sbin/iptables"
IPSET="/sbin/ipset"

$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z

$IPTABLES -F -t mangle
$IPTABLES -X -t mangle
$IPTABLES -Z -t mangle

$IPSET -F
$IPSET -X

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT


2. Initial scripts for limiting the traffic:

#!/bin/sh

#rc.shaper
TC=/sbin/tc
#eth0 my outgoing interface
r_dev=eth0

#$TC qdisc del dev $r_dev root 2> /dev/null > /dev/null

$TC qdisc add dev $r_dev root handle 1:0 htb

#1:1 = international traffic (fwmark 1), 1:2 = BG traffic (fwmark 2); the PPP script hangs per-user classes below these
$TC class add dev $r_dev parent 1: classid 1:1 htb rate 10Mbit
$TC class add dev $r_dev parent 1: classid 1:2 htb rate 50Mbit
#fw filters steer packets into the classes by the mark set in rc.firewall
$TC filter add dev $r_dev parent 1: protocol ip pref 1 handle 1 fw classid 1:1
$TC filter add dev $r_dev parent 1: protocol ip pref 2 handle 2 fw classid 1:2

/usr/billing/misc/shaper-start-all.pl

#! /bin/bash

#rc-shaper.stop
#eth0 my outgoing interface
r_dev=eth0
TC=/sbin/tc

$TC qdisc del dev $r_dev root 2> /dev/null > /dev/null

3. Example PPP scripts:

#!/usr/bin/perl -w
# ppp
# external script for traffic shaping

#linkupdown up INTERFACE USER HISADDR
#linkupdown down INTERFACE USER HISADDR

#$user->{UID},$speed_out1,$speed_out2 - I take these variables from a table in MySQL;
#the lookup itself is not shown here, so they are only declared below so the script compiles under strict

use strict;

my $TC='/sbin/tc';
my $tc_log='/var/log/ppp/tc.log';

# filled in by the MySQL lookup (not shown)
our ($user, $speed_out1, $speed_out2);

# Arguments
my ($ACTION, $INTERFACE, $USER, $HISADDR);

$ACTION=$ARGV[0];
$INTERFACE=$ARGV[1];
$USER=$ARGV[2];
$HISADDR=$ARGV[3];

# START

# Up fw shaper rules
if ($ACTION eq 'up') {

my $r_dev = "eth0";

# per-user class ids derived from the UID: 1:(UID+100) under the international class 1:1,
# 1:(UID+5100) under the BG class 1:2; tc parses the minor id as hex digits, and the two
# ranges overlap once UIDs reach 5000
my $UID = $user->{UID} ;
my $r_class = $UID + 100;
my $r_class2 = $UID + 5100;

if ($main::speed_out1) {

#$int_r_dev mark 1
# remove anything left over from a previous session, then create class, filter and sfq leaf
system "$TC filter del dev $r_dev parent 1:1 protocol ip pref 1 u32 classid 1:$r_class 2> /dev/null > /dev/null";
system "$TC class del dev $r_dev parent 1:1 classid 1:$r_class 2> /dev/null > /dev/null";

system "$TC class add dev $r_dev parent 1:1 classid 1:$r_class htb rate ".$main::speed_out1."kbit";
# match on the peer's IP, so only this user's packets land in the class
system "$TC filter add dev $r_dev parent 1:1 protocol ip pref 1 u32 match ip src $HISADDR classid 1:$r_class";
system "$TC qdisc add dev $r_dev parent 1:$r_class sfq";

}

if ($main::speed_out2) {
#$bg_r_dev mark 2
system "$TC filter del dev $r_dev parent 1:2 protocol ip pref 2 u32 classid 1:$r_class2 2> /dev/null > /dev/null";
system "$TC class del dev $r_dev parent 1:2 classid 1:$r_class2 2> /dev/null > /dev/null";

system "$TC class add dev $r_dev parent 1:2 classid 1:$r_class2 htb rate ".$main::speed_out2."kbit";
system "$TC filter add dev $r_dev parent 1:2 protocol ip pref 2 u32 match ip src $HISADDR classid 1:$r_class2";
system "$TC qdisc add dev $r_dev parent 1:$r_class2 sfq";

}
}

# STOP

# Down: remove the user's classes and filters again
if ($ACTION eq 'down') {

my $r_dev = "eth0";

my $UID = $user->{UID} ;
my $r_class = $UID + 100;
my $r_class2 = $UID + 5100;

if ($main::speed_out1) {
#$int_r_dev mark 1
system "$TC filter del dev $r_dev parent 1:1 protocol ip pref 1 u32 classid 1:$r_class 2> /dev/null > /dev/null";
system "$TC class del dev $r_dev parent 1:1 classid 1:$r_class 2> /dev/null > /dev/null";
}

if ($main::speed_out2) {
#$bg_r_dev mark 2
system "$TC filter del dev $r_dev parent 1:2 protocol ip pref 2 u32 classid 1:$r_class2 2> /dev/null > /dev/null";
system "$TC class del dev $r_dev parent 1:2 classid 1:$r_class2 2> /dev/null > /dev/null";
}

}

#!/bin/sh

#ip-up
# This script is run by pppd after the link is established.
# It executes all the scripts available in /etc/ppp/ip-up.d directory,
# with the following parameters:
# $1 = interface name (e.g. ppp0)
# $2 = tty device
# $3 = speed
# $4 = local IP address
# $5 = remote IP address
# $6 = ipparam (user specified parameter, see man pppd)

/etc/ppp/linkupdown up $1 $PEERNAME $5

#!/bin/sh

#ip-down
# This script is run by pppd after the link is brought down.
# It executes all the scripts available in /etc/ppp/ip-down.d directory,
# with the following parameters:
# $1 = interface name (e.g. ppp0)
# $2 = tty device
# $3 = speed
# $4 = local IP address
# $5 = remote IP address
# $6 = ipparam (user specified parameter, see man pppd)

/etc/ppp/linkupdown down $1 $PEERNAME $5

I suppose I was very detailed and clear :), joking aside. Just one thing to say in closing: the scripts are examples and incomplete; I want to give the idea, and everyone can decide for themselves exactly how to do it.
