linux网关之流量控制(iptables Qos)
2009-03-30 17:59
iptables+TC进行流量控制 下面是个linux网关的Qos设置,利用iptables和TC,感觉效果非常好的。
实例1:
流量控制:
防火墙上eth0连接内网,eth1连接外网线路,带宽为2.5M,目标:
1、内网用户下载占用的带宽最多为1000kbit/s,而192.168.37.167和192.168.37.168两台主机的下载带宽可达到1.5Mbit/s
2、内网中的192.168.37.124和192.168.37.140的上传占用的带宽最多为1.5M,而其他用户最多为150Kbit/s
(这样的流量控制后,内网中即使有人使用bt之类的软件也不怕。因为他的上传最多只能占用150Kbit/s,下载最多1000kbit/s ^-^)
注意:下面的脚本只根据源/目的IP地址来分类,内网用户如果把自己的IP改成上面列出的高带宽主机地址就可以绕过限制;如需防范,应在打标记的iptables规则中再加上 -i eth0 以及 -m mac --mac-source 把IP和MAC绑定。另外网关自身发出的、没有被打上标记的流量不会进入任何限速类。
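#!/bin/sh
# iptables + tc QoS for a two-interface Linux gateway.
#   $LAN_IFACE  (eth0) faces the internal network: shapes *downloads*
#               with u32 filters on the destination address.
#   $INET_IFACE (eth1) faces the uplink: shapes *uploads* with fwmarks
#               set in mangle/PREROUTING.
# Usage: $0 {start|stop|restart|status}   (must run as root)
#
# Both tools are referenced by absolute path: this script runs as root,
# so a writable directory on $PATH must not decide which "tc" or
# "iptables" binary gets executed.
TC="/sbin/tc"
IPTABLES="/sbin/iptables"
# Interfaces to shape; leave one empty to skip that direction entirely.
LAN_IFACE="eth0"
INET_IFACE="eth1"
# Hosts that get the larger download class (1:2) and upload class (2:2).
ERP1="192.168.37.167/32"
ERP2="192.168.37.168/32"
# Everything else from this network gets the small, bounded classes.
INTERNAL_LAN="192.168.37.0/24"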
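start(){
  # iptables path: taken from the top of the script when defined there,
  # otherwise the usual absolute location (never a bare PATH lookup, we
  # run as root).
  ipt=${IPTABLES:-/sbin/iptables}
  #################### Qos rule on eth0 ########################
  # Download direction.  Shaping happens on the LAN-facing interface,
  # i.e. on packets leaving the gateway towards internal hosts, so the
  # u32 filters below classify on the *destination* address.
  # Earlier single-bucket variant, kept for reference (option is "latency").
  #$TC qdisc add dev eth1 root tbf rate 512kbit latency 50ms burst 1540
  if [ "$LAN_IFACE" != "" ];then
    # Drop a stale root qdisc first so that "start" after an unclean exit
    # does not fail with "RTNETLINK answers: File exists".
    $TC qdisc del dev "$LAN_IFACE" root 2>/dev/null
    # CBQ root.  "bandwidth" is the physical link speed CBQ uses for its
    # idle-time maths; the real cap is the bounded class 1:1 (2.5Mbit).
    # NOTE(review): sch_cbq has been removed from recent mainline kernels;
    # if tc reports it as unknown, port this class tree to HTB.
    $TC qdisc add dev "$LAN_IFACE" root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 cell 8
    $TC class add dev "$LAN_IFACE" parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate 2.5Mbit weight 3Mbit prio 8 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
    # 1:2 (ERP hosts) is deliberately NOT bounded, so it may borrow idle
    # bandwidth from 1:1; 1:3 (everyone else) is capped hard at 1000kbit.
    $TC class add dev "$LAN_IFACE" parent 1:1 classid 1:2 cbq bandwidth 100Mbit rate 1500kbit weight 2Mbit prio 6 allot 1514 cell 8 maxburst 20 avpkt 1000
    $TC class add dev "$LAN_IFACE" parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate 1000kbit weight 1Mbit prio 7 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
    # SFQ inside each leaf so one flow cannot starve the others in a class.
    $TC qdisc add dev "$LAN_IFACE" parent 1:2 handle 20: sfq
    $TC qdisc add dev "$LAN_IFACE" parent 1:3 handle 30: sfq
    # Filters are tried in ascending prio, so the host-specific ones (2)
    # win over the catch-all /24 (4).
    for erp in "$ERP1" "$ERP2"; do
      $TC filter add dev "$LAN_IFACE" parent 1:0 protocol ip prio 2 u32 match ip dst "$erp" flowid 1:2
    done
    $TC filter add dev "$LAN_IFACE" parent 1:0 protocol ip prio 4 u32 match ip dst "$INTERNAL_LAN" flowid 1:3
    echo ""
    echo ""
    echo "qos rule on eth0 start ...........ok!"
    echo ""
    echo ""
  fi
  #################### Qos rule on eth1 ########################
  # Upload direction.  Classification uses fwmarks set in
  # mangle/PREROUTING rather than u32 on the source address: if the
  # gateway does SNAT/MASQUERADE on $INET_IFACE the source address has
  # already been rewritten by the time tc sees the packet, but the mark
  # survives on the skb.
  if [ "$INET_IFACE" != "" ];then
    # All marking rules live in our own chain, which is (re)created here.
    # The original flushed the whole mangle table (-F/-X/-Z), silently
    # destroying any unrelated mangle rules (TTL/TOS fixes, other marks)
    # on every start/restart.
    $ipt -t mangle -N QOS_MARK 2>/dev/null
    $ipt -t mangle -F QOS_MARK
    # Hook the chain exactly once (remove any earlier jumps first).
    while $ipt -t mangle -D PREROUTING -j QOS_MARK 2>/dev/null; do :; done
    $ipt -t mangle -A PREROUTING -j QOS_MARK
    # MARK is non-terminating, so rule ORDER inside the chain decides:
    # every LAN source gets the "slow" mark 2 first and the privileged
    # hosts then overwrite it with mark 1.  (The original got the same
    # result by inserting the /24 rule with -I ahead of the -A rules.)
    $ipt -t mangle -A QOS_MARK -s "$INTERNAL_LAN" -j MARK --set-mark 2
    for host in "$ERP1" "$ERP2" 192.168.37.124/32 192.168.37.140/32; do
      $ipt -t mangle -A QOS_MARK -s "$host" -j MARK --set-mark 1
    done
    # NOTE(review): the fast class is granted purely on source IP; an
    # internal user can claim it by configuring one of those addresses.
    # Add "-i $LAN_IFACE -m mac --mac-source <MAC>" to the mark-1 rules
    # if that matters on your network.  --set-mark also overwrites the
    # whole mark; use a value/mask form if other tools mark packets too.
    $TC qdisc del dev "$INET_IFACE" root 2>/dev/null
    $TC qdisc add dev "$INET_IFACE" root handle 2:0 cbq bandwidth 100Mbit avpkt 1000 cell 8
    $TC class add dev "$INET_IFACE" parent 2:0 classid 2:1 cbq bandwidth 100Mbit rate 2Mbit weight 1Mbit prio 8 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
    # 2:2 (mark 1, fast uploaders) may borrow from 2:1; 2:3 (mark 2,
    # everyone else) is hard-capped at 150kbit.
    $TC class add dev "$INET_IFACE" parent 2:1 classid 2:2 cbq bandwidth 100Mbit rate 1500kbit weight 150kbit prio 6 allot 1514 cell 8 maxburst 20 avpkt 1000
    $TC class add dev "$INET_IFACE" parent 2:1 classid 2:3 cbq bandwidth 100Mbit rate 150kbit weight 20kbit prio 7 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
    $TC qdisc add dev "$INET_IFACE" parent 2:2 handle 20: sfq
    $TC qdisc add dev "$INET_IFACE" parent 2:3 handle 30: sfq
    # fw classifier: mark 1 -> 2:2, mark 2 -> 2:3.  Packets carrying
    # neither mark (the gateway's own traffic, anything not from
    # $INTERNAL_LAN) match no filter and leave via the root, unshaped.
    $TC filter add dev "$INET_IFACE" parent 2:0 protocol ip prio 1 handle 1 fw classid 2:2
    $TC filter add dev "$INET_IFACE" parent 2:0 protocol ip prio 2 handle 2 fw classid 2:3
    echo ""
    echo ""
    echo "qos rule on eth1 start ...........ok!"
    echo ""
    echo ""
  fi
}
stop(){
  ipt=${IPTABLES:-/sbin/iptables}
  # Tear-down is best-effort and idempotent: running "stop" when nothing
  # is installed must not print RTNETLINK/iptables errors.
  if [ "$LAN_IFACE" != "" ];then
    $TC qdisc del dev "$LAN_IFACE" root 2>/dev/null
  fi
  if [ "$INET_IFACE" != "" ];then
    $TC qdisc del dev "$INET_IFACE" root 2>/dev/null
  fi
  # Unhook and delete only our own chain; other mangle rules are left
  # untouched (the original flushed the entire mangle table here).
  while $ipt -t mangle -D PREROUTING -j QOS_MARK 2>/dev/null; do :; done
  $ipt -t mangle -F QOS_MARK 2>/dev/null
  $ipt -t mangle -X QOS_MARK 2>/dev/null
}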
status(){
  # Dump the live qdisc, filter and class state (with statistics) for
  # both shaped interfaces; an interface whose variable is empty is
  # skipped but its blank separator lines are still printed.
  echo "show qdisc ............ "
  printf '\n\n\n'
  $TC -d -s qdisc
  printf '\n\n'
  echo "show filter ............ "
  printf '\n\n'
  for dev in "$LAN_IFACE" "$INET_IFACE"; do
    [ -n "$dev" ] && $TC -d -s filter ls dev "$dev"
    printf '\n\n'
  done
  echo "show class ............ "
  printf '\n\n'
  for dev in "$LAN_IFACE" "$INET_IFACE"; do
    [ -n "$dev" ] && $TC -d -s class ls dev "$dev"
    printf '\n\n'
  done
}
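# Entry point: dispatch on the single sub-command argument.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  status)
    status
    ;;
  *)
    # Plain double quotes on purpose: the original used bash's $"..."
    # locale-translation string, which under #!/bin/sh (dash) is not
    # special and prints a literal "$" in front of the message.  Usage
    # goes to stderr so it is not mistaken for command output.
    echo "Usage:$0 {start|stop|restart|status}" >&2
    exit 1
    ;;
esac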
实例1:
流量控制:
防火墙上eth0连接内网,eth1连接外网线路,带宽为2.5M,目标:
1、内网用户下载占用的带宽最多为1000kbit/s,而192.168.37.167和192.168.37.168两台主机的下载带宽可达到1.5Mbit/s
2、内网中的192.168.37.124和192.168.37.140的上传占用的带宽最多为1.5M,而其他用户最多为150Kbit/s
(这样的流量控制后,内网中即使有人使用bt之类的软件也不怕。因为他的上传最多只能占用150Kbit/s,下载最多1000kbit/s ^-^)
注意:下面的脚本只根据源/目的IP地址来分类,内网用户如果把自己的IP改成上面列出的高带宽主机地址就可以绕过限制;如需防范,应在打标记的iptables规则中再加上 -i eth0 以及 -m mac --mac-source 把IP和MAC绑定。另外网关自身发出的、没有被打上标记的流量不会进入任何限速类。
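#!/bin/sh
# iptables + tc QoS for a two-interface Linux gateway.
#   $LAN_IFACE  (eth0) faces the internal network: shapes *downloads*
#               with u32 filters on the destination address.
#   $INET_IFACE (eth1) faces the uplink: shapes *uploads* with fwmarks
#               set in mangle/PREROUTING.
# Usage: $0 {start|stop|restart|status}   (must run as root)
#
# Both tools are referenced by absolute path: this script runs as root,
# so a writable directory on $PATH must not decide which "tc" or
# "iptables" binary gets executed.
TC="/sbin/tc"
IPTABLES="/sbin/iptables"
# Interfaces to shape; leave one empty to skip that direction entirely.
LAN_IFACE="eth0"
INET_IFACE="eth1"
# Hosts that get the larger download class (1:2) and upload class (2:2).
ERP1="192.168.37.167/32"
ERP2="192.168.37.168/32"
# Everything else from this network gets the small, bounded classes.
INTERNAL_LAN="192.168.37.0/24"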
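start(){
  # iptables path: taken from the top of the script when defined there,
  # otherwise the usual absolute location (never a bare PATH lookup, we
  # run as root).
  ipt=${IPTABLES:-/sbin/iptables}
  #################### Qos rule on eth0 ########################
  # Download direction.  Shaping happens on the LAN-facing interface,
  # i.e. on packets leaving the gateway towards internal hosts, so the
  # u32 filters below classify on the *destination* address.
  # Earlier single-bucket variant, kept for reference (option is "latency").
  #$TC qdisc add dev eth1 root tbf rate 512kbit latency 50ms burst 1540
  if [ "$LAN_IFACE" != "" ];then
    # Drop a stale root qdisc first so that "start" after an unclean exit
    # does not fail with "RTNETLINK answers: File exists".
    $TC qdisc del dev "$LAN_IFACE" root 2>/dev/null
    # CBQ root.  "bandwidth" is the physical link speed CBQ uses for its
    # idle-time maths; the real cap is the bounded class 1:1 (2.5Mbit).
    # NOTE(review): sch_cbq has been removed from recent mainline kernels;
    # if tc reports it as unknown, port this class tree to HTB.
    $TC qdisc add dev "$LAN_IFACE" root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 cell 8
    $TC class add dev "$LAN_IFACE" parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate 2.5Mbit weight 3Mbit prio 8 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
    # 1:2 (ERP hosts) is deliberately NOT bounded, so it may borrow idle
    # bandwidth from 1:1; 1:3 (everyone else) is capped hard at 1000kbit.
    $TC class add dev "$LAN_IFACE" parent 1:1 classid 1:2 cbq bandwidth 100Mbit rate 1500kbit weight 2Mbit prio 6 allot 1514 cell 8 maxburst 20 avpkt 1000
    $TC class add dev "$LAN_IFACE" parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate 1000kbit weight 1Mbit prio 7 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
    # SFQ inside each leaf so one flow cannot starve the others in a class.
    $TC qdisc add dev "$LAN_IFACE" parent 1:2 handle 20: sfq
    $TC qdisc add dev "$LAN_IFACE" parent 1:3 handle 30: sfq
    # Filters are tried in ascending prio, so the host-specific ones (2)
    # win over the catch-all /24 (4).
    for erp in "$ERP1" "$ERP2"; do
      $TC filter add dev "$LAN_IFACE" parent 1:0 protocol ip prio 2 u32 match ip dst "$erp" flowid 1:2
    done
    $TC filter add dev "$LAN_IFACE" parent 1:0 protocol ip prio 4 u32 match ip dst "$INTERNAL_LAN" flowid 1:3
    echo ""
    echo ""
    echo "qos rule on eth0 start ...........ok!"
    echo ""
    echo ""
  fi
  #################### Qos rule on eth1 ########################
  # Upload direction.  Classification uses fwmarks set in
  # mangle/PREROUTING rather than u32 on the source address: if the
  # gateway does SNAT/MASQUERADE on $INET_IFACE the source address has
  # already been rewritten by the time tc sees the packet, but the mark
  # survives on the skb.
  if [ "$INET_IFACE" != "" ];then
    # All marking rules live in our own chain, which is (re)created here.
    # The original flushed the whole mangle table (-F/-X/-Z), silently
    # destroying any unrelated mangle rules (TTL/TOS fixes, other marks)
    # on every start/restart.
    $ipt -t mangle -N QOS_MARK 2>/dev/null
    $ipt -t mangle -F QOS_MARK
    # Hook the chain exactly once (remove any earlier jumps first).
    while $ipt -t mangle -D PREROUTING -j QOS_MARK 2>/dev/null; do :; done
    $ipt -t mangle -A PREROUTING -j QOS_MARK
    # MARK is non-terminating, so rule ORDER inside the chain decides:
    # every LAN source gets the "slow" mark 2 first and the privileged
    # hosts then overwrite it with mark 1.  (The original got the same
    # result by inserting the /24 rule with -I ahead of the -A rules.)
    $ipt -t mangle -A QOS_MARK -s "$INTERNAL_LAN" -j MARK --set-mark 2
    for host in "$ERP1" "$ERP2" 192.168.37.124/32 192.168.37.140/32; do
      $ipt -t mangle -A QOS_MARK -s "$host" -j MARK --set-mark 1
    done
    # NOTE(review): the fast class is granted purely on source IP; an
    # internal user can claim it by configuring one of those addresses.
    # Add "-i $LAN_IFACE -m mac --mac-source <MAC>" to the mark-1 rules
    # if that matters on your network.  --set-mark also overwrites the
    # whole mark; use a value/mask form if other tools mark packets too.
    $TC qdisc del dev "$INET_IFACE" root 2>/dev/null
    $TC qdisc add dev "$INET_IFACE" root handle 2:0 cbq bandwidth 100Mbit avpkt 1000 cell 8
    $TC class add dev "$INET_IFACE" parent 2:0 classid 2:1 cbq bandwidth 100Mbit rate 2Mbit weight 1Mbit prio 8 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
    # 2:2 (mark 1, fast uploaders) may borrow from 2:1; 2:3 (mark 2,
    # everyone else) is hard-capped at 150kbit.
    $TC class add dev "$INET_IFACE" parent 2:1 classid 2:2 cbq bandwidth 100Mbit rate 1500kbit weight 150kbit prio 6 allot 1514 cell 8 maxburst 20 avpkt 1000
    $TC class add dev "$INET_IFACE" parent 2:1 classid 2:3 cbq bandwidth 100Mbit rate 150kbit weight 20kbit prio 7 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
    $TC qdisc add dev "$INET_IFACE" parent 2:2 handle 20: sfq
    $TC qdisc add dev "$INET_IFACE" parent 2:3 handle 30: sfq
    # fw classifier: mark 1 -> 2:2, mark 2 -> 2:3.  Packets carrying
    # neither mark (the gateway's own traffic, anything not from
    # $INTERNAL_LAN) match no filter and leave via the root, unshaped.
    $TC filter add dev "$INET_IFACE" parent 2:0 protocol ip prio 1 handle 1 fw classid 2:2
    $TC filter add dev "$INET_IFACE" parent 2:0 protocol ip prio 2 handle 2 fw classid 2:3
    echo ""
    echo ""
    echo "qos rule on eth1 start ...........ok!"
    echo ""
    echo ""
  fi
}
stop(){
  ipt=${IPTABLES:-/sbin/iptables}
  # Tear-down is best-effort and idempotent: running "stop" when nothing
  # is installed must not print RTNETLINK/iptables errors.
  if [ "$LAN_IFACE" != "" ];then
    $TC qdisc del dev "$LAN_IFACE" root 2>/dev/null
  fi
  if [ "$INET_IFACE" != "" ];then
    $TC qdisc del dev "$INET_IFACE" root 2>/dev/null
  fi
  # Unhook and delete only our own chain; other mangle rules are left
  # untouched (the original flushed the entire mangle table here).
  while $ipt -t mangle -D PREROUTING -j QOS_MARK 2>/dev/null; do :; done
  $ipt -t mangle -F QOS_MARK 2>/dev/null
  $ipt -t mangle -X QOS_MARK 2>/dev/null
}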
status(){
  # Dump the live qdisc, filter and class state (with statistics) for
  # both shaped interfaces; an interface whose variable is empty is
  # skipped but its blank separator lines are still printed.
  echo "show qdisc ............ "
  printf '\n\n\n'
  $TC -d -s qdisc
  printf '\n\n'
  echo "show filter ............ "
  printf '\n\n'
  for dev in "$LAN_IFACE" "$INET_IFACE"; do
    [ -n "$dev" ] && $TC -d -s filter ls dev "$dev"
    printf '\n\n'
  done
  echo "show class ............ "
  printf '\n\n'
  for dev in "$LAN_IFACE" "$INET_IFACE"; do
    [ -n "$dev" ] && $TC -d -s class ls dev "$dev"
    printf '\n\n'
  done
}
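# Entry point: dispatch on the single sub-command argument.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  status)
    status
    ;;
  *)
    # Plain double quotes on purpose: the original used bash's $"..."
    # locale-translation string, which under #!/bin/sh (dash) is not
    # special and prints a literal "$" in front of the message.  Usage
    # goes to stderr so it is not mistaken for command output.
    echo "Usage:$0 {start|stop|restart|status}" >&2
    exit 1
    ;;
esac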