3.22.2010

Linux Traffic Control (3)

Network topology and HTB design
[Figure: network topology and HTB design]
Criteria for this traffic control setup:
  1. Traffic control applies only to egress traffic on the LAN device (eth0) and the WAN device (eth1).
  2. Traffic from the local area network (LAN) to the router, and vice versa, does not pass through traffic control.
  3. Traffic from the Internet to the LAN (downstream) passes through traffic control, except traffic from port 80 (www) carrying TOS 0x30 or DSCP 12 (cache hit).
  4. Every PC (LAN member) gets its own class and qdisc.
  5. There is no default class for objects that are not defined, i.e. unclassified traffic.
Note: traffic to Internet port 80 passes transparently through a remote proxy server.

Network topology
Network LAN : 192.168.41.0/24
IP Router   : 192.168.41.1
IP Client   : 192.168.41.2 - 192.168.41.14
Device LAN  : eth0
Device WAN  : eth1

Internet bandwidth allocation, downstream
Root
  - Ceiling  : 384kbps
  - Rate     : 384kbps
Client
  - Ceiling  : 384kbps
  - Rate     : 16kbps

Internet bandwidth allocation, upstream
Root
  - Ceiling  : 128kbps
  - Rate     : 128kbps
Client
  - Ceiling  : 128kbps
  - Rate     : 16kbps

Source Code tc-3.sh
#!/bin/sh

# File: tc-3.sh
#
# Description: traffic control limiting downstream and upstream with HTB
#
# Criteria:
#   1. Traffic control applies only to egress traffic on the LAN device (eth0) and the WAN device (eth1).
#   2. Traffic from the local area network (LAN) to the router, and vice versa, does not pass through traffic control.
#   3. Traffic from the Internet to the LAN (downstream) passes through traffic control, except traffic
#      from port 80 (www) carrying TOS 0x30 or DSCP 12 (cache hit).
#   4. Every PC (LAN member) gets its own class and qdisc.
#   5. There is no default class for objects that are not defined, i.e. unclassified traffic.
#
# Created by Arief Yudhawarman (2009)
# Email: awarmanff at yahoo.com
#

IPTABLES="/usr/sbin/iptables"
TC="/sbin/tc"

# Parameters
LAN="eth0"
WAN="eth1"

# Bandwidth
# (kbps)
# ROOT CLASS
# Downstream
RATEDW=384
CEILDW=384
# Upstream
RATEUP=128
CEILUP=128
#
# SUB CLASS
# Downstream
RATESUBDW=16
CEILSUBDW=384
# Upstream
RATESUBUP=16
CEILSUBUP=128

#
# IPTABLES
# PACKET MANGLE
#

#
# FLUSH table
#
$IPTABLES -F -t mangle

#
# PREROUTING
#
# Incoming traffic on WAN
#
# cache hits (dscp 12 = tos 0x30) from port 80: set mark 5, then leave the chain
$IPTABLES -A PREROUTING -t mangle -i $WAN -p tcp --sport 80 -m dscp --dscp 12 -j MARK --set-mark 5
$IPTABLES -A PREROUTING -t mangle -i $WAN -p tcp --sport 80 -m dscp --dscp 12 -j RETURN
# everything else: set mark 6
$IPTABLES -A PREROUTING -t mangle -i $WAN -j MARK --set-mark 6
#
# Incoming traffic on LAN
#
# set mark 7
$IPTABLES -A PREROUTING -t mangle -i $LAN -j MARK --set-mark 7

#
# FORWARD
#
# Traffic from outside (WAN) forwarded to inside (LAN)
#
# cache hits carrying fwmark 5: re-mark to 0x212 (no tc filter matches it, so it bypasses the classes)
$IPTABLES -A FORWARD -t mangle -p tcp -m mark --mark 5 -j MARK --set-mark 0x212
#
# mark the rest by destination IP: host 192.168.41.$i gets mark $i+10 (12..24)
for i in $(seq 2 14)
do
  j=$((i+10))
  $IPTABLES -A FORWARD -t mangle -d 192.168.41.$i -m mark --mark 6 -j MARK --set-mark $j
done
#
# Traffic from inside (LAN) forwarded to outside (WAN)
#
# packets carrying fwmark 7: set mark by source IP, host 192.168.41.$i gets mark $i+20 (22..34)
# (22..24 overlap the downstream range, which is harmless only because each range is matched
#  on a different device and keyed on a different entry mark, 6 vs 7)
for i in $(seq 2 14)
do
  j=$((i+20))
  $IPTABLES -A FORWARD -t mangle -s 192.168.41.$i -m mark --mark 7 -j MARK --set-mark $j
done

#
# TRAFFIC CONTROL
#

#
# DOWNSTREAM (egress on LAN)
#
# Create root qdisc & parent class
# no default class: packets that match no filter leave via the direct queue (direct_packets_stat)
$TC qdisc del dev $LAN root
$TC qdisc add dev $LAN root handle 1:0 htb
$TC class add dev $LAN parent 1:0 classid 1:2 htb rate ${RATEDW}kbit ceil ${CEILDW}kbit quantum 1500 prio 6

#
# Sub classes of parent 1:2
#
# Clients 192.168.41.2 - 192.168.41.14
for i in $(seq 2 14)
do
  j=$((i+10))
  # one class per IP address (tc reads "1:$j" as hex, so mark 12 = 0xc lands in class 1:12)
  $TC class add dev $LAN parent 1:2 classid 1:$j htb rate ${RATESUBDW}kbit \
     ceil ${CEILSUBDW}kbit quantum 1500 prio 6
  # attach a leaf qdisc
  $TC qdisc add dev $LAN parent 1:$j handle $j sfq perturb 10
done

#
# Filters
#
# Clients 192.168.41.2 - 192.168.41.14
for i in $(seq 2 14)
do
  j=$((i+10))
  # send packets carrying fwmark $j (decimal) to class 1:$j
  $TC filter add dev $LAN protocol ip parent 1:0 prio 6 handle $j fw flowid 1:$j
done

#
# UPSTREAM (egress on WAN)
#
# Create root qdisc & parent class
$TC qdisc del dev $WAN root
$TC qdisc add dev $WAN root handle 1:0 htb
$TC class add dev $WAN parent 1:0 classid 1:2 htb rate ${RATEUP}kbit ceil ${CEILUP}kbit quantum 1500 prio 6

#
# Sub classes of parent 1:2
#
# Clients 192.168.41.2 - 192.168.41.14
for i in $(seq 2 14)
do
  j=$((i+20))
  # one class per IP address
  $TC class add dev $WAN parent 1:2 classid 1:$j htb rate ${RATESUBUP}kbit \
     ceil ${CEILSUBUP}kbit quantum 1500 prio 6
  # attach a leaf qdisc
  $TC qdisc add dev $WAN parent 1:$j handle $j sfq perturb 10
done

#
# Filters
#
# Clients 192.168.41.2 - 192.168.41.14
for i in $(seq 2 14)
do
  j=$((i+20))
  # send packets carrying fwmark $j (decimal) to class 1:$j
  $TC filter add dev $WAN protocol ip parent 1:0 prio 6 handle $j fw flowid 1:$j
done
To follow the packet flow (traffic flow) inside the router, see the figure below:
[Figure: traffic flow on the router]
Source: MikroTik manual refman2.9.pdf.

Analysis of the mangle marks and traffic control for downstream traffic
Note the corresponding lines (printed in bold in the original post).
tc -s -d qdisc show dev eth0; iptables -L FORWARD -t mangle -nv | head -n 16
    qdisc htb 1: r2q 10 default 0 direct_packets_stat 6144 ver 3.17
     Sent 31783127 bytes 49709 pkts (dropped 0, overlimits 5839)
    qdisc sfq 12: parent 1:12 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 5118517 bytes 15858 pkts (dropped 0, overlimits 0) 
    qdisc sfq 13: parent 1:13 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 81859 bytes 206 pkts (dropped 0, overlimits 0)
    qdisc sfq 14: parent 1:14 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 6626893 bytes 6817 pkts (dropped 0, overlimits 0)
    qdisc sfq 15: parent 1:15 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
    qdisc sfq 16: parent 1:16 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
    qdisc sfq 17: parent 1:17 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 11525 bytes 45 pkts (dropped 0, overlimits 0)
    qdisc sfq 18: parent 1:18 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 8475558 bytes 11965 pkts (dropped 0, overlimits 0)
    qdisc sfq 19: parent 1:19 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 3277886 bytes 4621 pkts (dropped 0, overlimits 0) 
    qdisc sfq 20: parent 1:20 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
    qdisc sfq 21: parent 1:21 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 4558 bytes 23 pkts (dropped 0, overlimits 0)
    qdisc sfq 22: parent 1:22 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
    qdisc sfq 23: parent 1:23 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
    qdisc sfq 24: parent 1:24 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 3012356 bytes 4030 pkts (dropped 0, overlimits 0)
    Chain FORWARD (policy ACCEPT 1676K packets, 904M bytes)
     pkts bytes target     prot opt in     out     source               destination
     4921 4911K MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x5 MARK set 0x212
    15858 4897K MARK       all  --  *      *       0.0.0.0/0            192.168.41.2        MARK match 0x6 MARK set 0xc 
      206 78975 MARK       all  --  *      *       0.0.0.0/0            192.168.41.3        MARK match 0x6 MARK set 0xd
     6817 6531K MARK       all  --  *      *       0.0.0.0/0            192.168.41.4        MARK match 0x6 MARK set 0xe
        0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.5        MARK match 0x6 MARK set 0xf
        0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.6        MARK match 0x6 MARK set 0x10
       45 10895 MARK       all  --  *      *       0.0.0.0/0            192.168.41.7        MARK match 0x6 MARK set 0x11
    11966 8308K MARK       all  --  *      *       0.0.0.0/0            192.168.41.8        MARK match 0x6 MARK set 0x12
     4621 3213K MARK       all  --  *      *       0.0.0.0/0            192.168.41.9        MARK match 0x6 MARK set 0x13
        0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.10       MARK match 0x6 MARK set 0x14
       23  4236 MARK       all  --  *      *       0.0.0.0/0            192.168.41.11       MARK match 0x6 MARK set 0x15
        0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.12       MARK match 0x6 MARK set 0x16
        0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.13       MARK match 0x6 MARK set 0x17
     4030 2956K MARK       all  --  *      *       0.0.0.0/0            192.168.41.14       MARK match 0x6 MARK set 0x18

Analysis of the mangle marks and traffic control for upstream traffic
Note the corresponding lines (printed in bold in the original post).
tc -s -d qdisc show dev eth1; iptables -L FORWARD -t mangle -nv
    qdisc htb 1: r2q 10 default 0 direct_packets_stat 191743 ver 3.17
     Sent 45055014 bytes 244485 pkts (dropped 0, overlimits 4314)
    qdisc sfq 22: parent 1:22 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 3539507 bytes 16353 pkts (dropped 0, overlimits 0) 
    qdisc sfq 23: parent 1:23 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 55439 bytes 324 pkts (dropped 0, overlimits 0)
    qdisc sfq 24: parent 1:24 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 1213280 bytes 6968 pkts (dropped 0, overlimits 0)
    qdisc sfq 25: parent 1:25 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
    qdisc sfq 26: parent 1:26 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
    qdisc sfq 27: parent 1:27 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 9806 bytes 56 pkts (dropped 0, overlimits 0)
    qdisc sfq 28: parent 1:28 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 2949492 bytes 15990 pkts (dropped 0, overlimits 0)
    qdisc sfq 29: parent 1:29 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 1039116 bytes 6678 pkts (dropped 0, overlimits 0)
    qdisc sfq 30: parent 1:30 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
    qdisc sfq 31: parent 1:31 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 5156 bytes 39 pkts (dropped 0, overlimits 0)
    qdisc sfq 32: parent 1:32 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
    qdisc sfq 33: parent 1:33 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
    qdisc sfq 34: parent 1:34 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 1071110 bytes 6334 pkts (dropped 0, overlimits 0)
    Chain FORWARD (policy ACCEPT 1693K packets, 912M bytes)
     pkts bytes target     prot opt in     out     source               destination
    ......
    16471 3316K MARK       all  --  *      *       192.168.41.2         0.0.0.0/0           MARK match 0x7 MARK set 0x16
      331 51239 MARK       all  --  *      *       192.168.41.3         0.0.0.0/0           MARK match 0x7 MARK set 0x17
     7154 1125K MARK       all  --  *      *       192.168.41.4         0.0.0.0/0           MARK match 0x7 MARK set 0x18
        0     0 MARK       all  --  *      *       192.168.41.5         0.0.0.0/0           MARK match 0x7 MARK set 0x19
        1    40 MARK       all  --  *      *       192.168.41.6         0.0.0.0/0           MARK match 0x7 MARK set 0x1a
       56  9022 MARK       all  --  *      *       192.168.41.7         0.0.0.0/0           MARK match 0x7 MARK set 0x1b
    17496 2811K MARK       all  --  *      *       192.168.41.8         0.0.0.0/0           MARK match 0x7 MARK set 0x1c
     7498  986K MARK       all  --  *      *       192.168.41.9         0.0.0.0/0           MARK match 0x7 MARK set 0x1d
        0     0 MARK       all  --  *      *       192.168.41.10        0.0.0.0/0           MARK match 0x7 MARK set 0x1e
       39  4610 MARK       all  --  *      *       192.168.41.11        0.0.0.0/0           MARK match 0x7 MARK set 0x1f 
        0     0 MARK       all  --  *      *       192.168.41.12        0.0.0.0/0           MARK match 0x7 MARK set 0x20
        0     0 MARK       all  --  *      *       192.168.41.13        0.0.0.0/0           MARK match 0x7 MARK set 0x21
     6913 1019K MARK       all  --  *      *       192.168.41.14        0.0.0.0/0           MARK match 0x7 MARK set 0x22

Points of interest here:
  1. Every packet that passed through the FORWARD chain of the mangle table with a LAN destination shows the same packet count as recorded by the qdiscs on dev eth0 (LAN).
  2. For packets that passed through the FORWARD chain of the mangle table with a WAN destination, the count is always equal to or greater than the one recorded by the qdiscs on dev eth1 (WAN). This is because some packets are DROPped in the FORWARD chain of the filter table: as the traffic flow figure above shows, after a packet leaves the FORWARD chain of the mangle table it enters the FORWARD chain of the filter table.
  3. If you want to limit upstream traffic from the LAN without going through the FORWARD chain, this can be done in the PREROUTING chain of the mangle table.
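As an added cross-check for the analysis above (this script is mine, not part of the original post or of tc-3.sh): it parses the two outputs quoted in this section, joins each client's mangle counter with its leaf qdisc counter via the decimal/hex mark mapping, and derives the unclassified packet count that direct_packets_stat reports. The sample text is copied from the outputs above with zero-packet leaves omitted, and the script assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added check, not part of tc-3.sh: join the per-client leaf counters of the LAN htb with the
# mangle FORWARD counters that classified the same packets, and confirm that
# root htb pkts - sum(leaf pkts) == direct_packets_stat, i.e. with "default 0" the packets
# no fw filter matched (cache hits re-marked 0x212, router-originated traffic) went out direct.
#
# Join key: tc-3.sh uses one decimal string "$j" for "--set-mark $j" (decimal, printed by
# iptables as 0xc) and for "handle $j" / "classid 1:$j" (parsed by tc as hex, printed "12:").
# So mark 0xc <-> "qdisc sfq 12:": convert the hex mark to decimal and match the digits.

# Sample output copied from the downstream analysis above (leaves with 0 pkts omitted).
TC_SAMPLE='qdisc htb 1: r2q 10 default 0 direct_packets_stat 6144 ver 3.17
 Sent 31783127 bytes 49709 pkts (dropped 0, overlimits 5839)
qdisc sfq 12: parent 1:12 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 5118517 bytes 15858 pkts (dropped 0, overlimits 0)
qdisc sfq 13: parent 1:13 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 81859 bytes 206 pkts (dropped 0, overlimits 0)
qdisc sfq 14: parent 1:14 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 6626893 bytes 6817 pkts (dropped 0, overlimits 0)
qdisc sfq 17: parent 1:17 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 11525 bytes 45 pkts (dropped 0, overlimits 0)
qdisc sfq 18: parent 1:18 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 8475558 bytes 11965 pkts (dropped 0, overlimits 0)
qdisc sfq 19: parent 1:19 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 3277886 bytes 4621 pkts (dropped 0, overlimits 0)
qdisc sfq 21: parent 1:21 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 4558 bytes 23 pkts (dropped 0, overlimits 0)
qdisc sfq 24: parent 1:24 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 3012356 bytes 4030 pkts (dropped 0, overlimits 0)'
IPT_SAMPLE='Chain FORWARD (policy ACCEPT 1676K packets, 904M bytes)
 pkts bytes target     prot opt in     out     source               destination
 4921 4911K MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x5 MARK set 0x212
15858 4897K MARK       all  --  *      *       0.0.0.0/0            192.168.41.2        MARK match 0x6 MARK set 0xc
  206 78975 MARK       all  --  *      *       0.0.0.0/0            192.168.41.3        MARK match 0x6 MARK set 0xd
 6817 6531K MARK       all  --  *      *       0.0.0.0/0            192.168.41.4        MARK match 0x6 MARK set 0xe
   45 10895 MARK       all  --  *      *       0.0.0.0/0            192.168.41.7        MARK match 0x6 MARK set 0x11
11966 8308K MARK       all  --  *      *       0.0.0.0/0            192.168.41.8        MARK match 0x6 MARK set 0x12
 4621 3213K MARK       all  --  *      *       0.0.0.0/0            192.168.41.9        MARK match 0x6 MARK set 0x13
   23  4236 MARK       all  --  *      *       0.0.0.0/0            192.168.41.11       MARK match 0x6 MARK set 0x15
 4030 2956K MARK       all  --  *      *       0.0.0.0/0            192.168.41.14       MARK match 0x6 MARK set 0x18'

# Packets reported by the leaf "qdisc sfq <handle>:", handle given as tc prints it (e.g. 12).
leaf_pkts() {
    printf '%s\n' "$1" | awk -v h="$2" '
        $1 == "qdisc" && $2 == "sfq" && $3 == (h ":") { grab = 1; next }
        grab && $1 == "Sent" { print $4; exit }'
}

# Prints "<root pkts> <direct_packets_stat>" of the htb root qdisc.
root_and_direct() {
    printf '%s\n' "$1" | awk '
        $1 == "qdisc" && $2 == "htb" { for (i = 1; i < NF; i++) if ($i == "direct_packets_stat") d = $(i + 1); grab = 1; next }
        grab && $1 == "Sent" { print $4, d; exit }'
}

# Sum of packets over all leaf sfq qdiscs.
leaf_sum() {
    printf '%s\n' "$1" | awk '
        $1 == "qdisc" && $2 == "sfq" { grab = 1; next }
        grab && $1 == "Sent" { s += $4; grab = 0 }
        END { print s + 0 }'
}

# Packets counted by the FORWARD mangle rule whose action is "MARK set <hexmark>" (e.g. 0xc).
mangle_pkts() {
    printf '%s\n' "$1" | awk -v m="$2" '$3 == "MARK" && $(NF - 1) == "set" && $NF == m { print $1; exit }'
}

# Hex mark as iptables prints it (0xc) -> decimal digits as tc prints the handle ("12").
mark_to_handle() { echo "$(( $1 ))"; }

# root pkts - sum(leaf pkts): packets that matched no fw filter and left via the direct queue.
unclassified_pkts() {
    set -- $(root_and_direct "$1") "$(leaf_sum "$1")"
    echo "$(( $1 - $3 ))"
}
direct_stat() { set -- $(root_and_direct "$1"); echo "$2"; }

# For hosts 192.168.41.$3..$4 compare the mangle counter for mark host+10 with its leaf counter.
# Returns 1 on any mismatch. The two commands are separate snapshots, so a packet in flight
# between them shows up as a skew of one (192.168.41.8 in the sample: 11966 vs 11965).
check_clients() {
    tc_out=$1 ipt_out=$2 i=$3 last=$4 rc=0
    while [ "$i" -le "$last" ]; do
        mark=$(printf '0x%x' "$((i + 10))")
        m=$(mangle_pkts "$ipt_out" "$mark")
        l=$(leaf_pkts "$tc_out" "$(mark_to_handle "$mark")")
        if [ "${m:-0}" -eq "${l:-0}" ]; then
            echo "192.168.41.$i mark $mark -> qdisc $((i + 10)): ${l:-0} pkts OK"
        else
            echo "192.168.41.$i mark $mark: mangle ${m:-0} vs leaf ${l:-0} MISMATCH"; rc=1
        fi
        i=$((i + 1))
    done
    return $rc
}

echo "root - leaves = $(unclassified_pkts "$TC_SAMPLE"); direct_packets_stat = $(direct_stat "$TC_SAMPLE")"
check_clients "$TC_SAMPLE" "$IPT_SAMPLE" 2 14 || echo "at least one client counter disagrees"
```

On a live router, replace the two samples with `$(tc -s -d qdisc show dev eth0)` and `$(iptables -L FORWARD -t mangle -nv)`. The same arithmetic applies to the tc-2.sh output further down: 17532 root packets minus 16738 over the leaves gives its direct_packets_stat of 794, because the `htb default 255` line there is commented out and packets no filter matched (such as the cache hits re-marked 0x212) bypass the classes.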

Linux Traffic Control (2)

Network topology and HTB design

[Figure: network topology and HTB design]
Criteria for this traffic control setup:
  1. Traffic control applies only to egress traffic on device eth0 (LAN).
  2. Traffic from the local area network (LAN) to the router, and vice versa, does not pass through traffic control.
  3. Traffic from the LAN to the Internet (upstream) does not pass through traffic control.
  4. Traffic from the Internet to the LAN (downstream) passes through traffic control, except traffic from port 80 (www) carrying TOS 0x30 or DSCP 12 (cache hit).
  5. Every PC (LAN member) gets its own class and qdisc.
  6. There is a default class handling objects that are not defined, i.e. unclassified traffic.
Note: traffic to Internet port 80 passes transparently through a remote proxy server.

Network topology
Network LAN : 192.168.41.0/24
IP Router   : 192.168.41.1
IP Client   : 192.168.41.2 - 192.168.41.14
Device LAN  : eth0
Device WAN  : eth1

Internet bandwidth allocation (downstream)
Root
  - Ceiling  : 384kbps
  - Rate     : 384kbps
Client
  - Ceiling  : 384kbps
  - Rate     : 16kbps
Unclassified
  - Ceiling  : 128kbps
  - Rate     : 16kbps

Source Code tc-2.sh
001 #!/bin/sh
002 
003 # File: tc-2.sh
004 # Description: simple traffic control with HTB
005 # Criteria:
006 # 1. Traffic control applies only to egress traffic on device eth0 (LAN)
007 # 2. Traffic from the local area network (LAN) to the router, and vice versa, does not pass through traffic control.
008 # 3. Traffic from the LAN to the Internet (upstream) does not pass through traffic control.
009 # 4. Traffic from the Internet to the LAN (downstream) passes through traffic control, except traffic
010 #     from port 80 (www) carrying TOS 0x30 or DSCP 12 (cache hit).
011 # 5. Every PC (LAN member) gets its own class and qdisc.
012 # 6. There is a default class handling objects that are not defined.
013 #
014 # Created by Arief Yudhawarman (2009)
015 # Email: awarmanff at yahoo.com
016 #
017 
018 IPTABLES="/usr/sbin/iptables"
019 TC="/sbin/tc"
020 
021 # Parameters
022 LAN="eth0"
023 WAN="eth1"
024 
025 # Bandwidth
026 # (kbps)
027 # ROOT CLASS
028 RATE=384
029 CEIL=384
030 #
031 # SUB CLASS
032 RATESUB=16
033 CEILSUB=384
034 #
035 # UNCLASSIFIED TRAFFIC
036 RATEUN=16
037 CEILUN=128
038 
039 #
040 # IPTABLES
041 # PACKET MANGLE
042 #
043 
044 # PREROUTING
045 #
046 # Flush table
047 $IPTABLES -F -t mangle
048 
049 #
050 # cache hit: set mark 5, then leave the chain
051 $IPTABLES -A PREROUTING -t mangle -i $WAN -p tcp -m dscp --dscp 12 -j MARK --set-mark 5
052 $IPTABLES -A PREROUTING -t mangle -i $WAN -p tcp -m dscp --dscp 12 -j RETURN
053 #
054 # all other traffic entering the WAN device: set mark 6
055 $IPTABLES -A PREROUTING -t mangle -i $WAN -j MARK --set-mark 6
056 
057 #
058 # FORWARD
059 #
060 # cache hit carrying mark 5: re-mark to 0x212
061 $IPTABLES -A FORWARD -t mangle -p tcp -m mark --mark 5 -j MARK --set-mark 0x212
062 #
063 # mark packets by destination IP (host $i gets mark $i+10)
064 for i in $(seq 2 14)
065 do
066   j=$((i+10))
067   $IPTABLES -A FORWARD -t mangle -d 192.168.41.$i -m mark --mark 6 -j MARK --set-mark $j
068 done
069 # remaining traffic to the LAN (unclassified): set mark 255
070 $IPTABLES -A FORWARD -t mangle -d 192.168.41.0/24 -m mark --mark 6 -j MARK --set-mark 255
071 
072 #
073 # TRAFFIC CONTROL
074 #
075 
076 #
077 # Create root qdisc on dev LAN
078 $TC qdisc del dev $LAN root
079 #$TC qdisc add dev $LAN root handle 1:0 htb default 255
080 $TC qdisc add dev $LAN root handle 1:0 htb
081 #
082 # create classes
083 $TC class add dev $LAN parent 1:0 classid 1:2 htb rate ${RATE}kbit ceil ${CEIL}kbit quantum 1500 prio 6
084 $TC class add dev $LAN parent 1:0 classid 1:255 htb rate ${RATEUN}kbit ceil ${CEILUN}kbit quantum 1500 prio 8
085 
086 #
087 # Sub classes of parent 1:2
088 for i in $(seq 2 14)
089 do
090   j=$((i+10))
091   # one class per IP address
092   $TC class add dev $LAN parent 1:2 classid 1:$j htb rate ${RATESUB}kbit \
093      ceil ${CEILSUB}kbit quantum 1500 prio 6
094   # attach a leaf qdisc
095   $TC qdisc add dev $LAN parent 1:$j handle $j sfq perturb 10
096 done
097 # Leaf of 1:255 (default / unclassified traffic)
098 # attach qdisc
099 $TC qdisc add dev $LAN parent 1:255 handle 255 sfq perturb 10
100 
101 #
102 # Filters
103 #
104 # Sub classes of parent 1:2
105 # (filter handle = packet mark = host part + 10, the same value used as the classid minor)
106 for i in $(seq 2 14)
107 do
108   j=$((i+10))
109   # send packets carrying fwmark $j to class 1:$j
110   $TC filter add dev $LAN protocol ip parent 1:0 prio 6 handle $j fw flowid 1:$j
111 done
112 #
113 # Class 1:255 (default / unclassified traffic)
114 $TC filter add dev $LAN protocol ip parent 1:0 prio 8 handle 255 fw flowid 1:255
Explanation:
  • Line 51: mark cache-hit traffic (dscp 12) entering the WAN device with packet mark 5.
  • Line 52: -j RETURN so that cache-hit traffic does not reach the rules below it.
  • Line 55: mark all traffic entering the WAN device with packet mark 6.
  • Line 61: packet mark 5 (cache hit) entering the FORWARD chain is re-marked with 0x212.
  • The remaining lines are explained in the comments.
Analysis of the mangle marks and traffic control
Note the corresponding lines (printed in bold in the original post).
tc -s -d qdisc show dev eth0
    qdisc htb 1: r2q 10 default 0 direct_packets_stat 794 ver 3.17
     Sent 16722535 bytes 17532 pkts (dropped 0, overlimits 45)
    qdisc sfq 12: parent 1:12 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 16116818 bytes 16712 pkts (dropped 0, overlimits 0)
    qdisc sfq 13: parent 1:13 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 1910 bytes 12 pkts (dropped 0, overlimits 0)
    qdisc sfq 14: parent 1:14 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 345 bytes 4 pkts (dropped 0, overlimits 0)
    qdisc sfq 15: parent 1:15 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
    qdisc sfq 16: parent 1:16 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
    qdisc sfq 17: parent 1:17 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 1854 bytes 10 pkts (dropped 0, overlimits 0)
    qdisc sfq 18: parent 1:18 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
    qdisc sfq 19: parent 1:19 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
    qdisc sfq 20: parent 1:20 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
    qdisc sfq 21: parent 1:21 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
    qdisc sfq 22: parent 1:22 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
    qdisc sfq 23: parent 1:23 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
    qdisc sfq 24: parent 1:24 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
    qdisc tbf 255: parent 1:255 rate 16000bit burst 2Kb/8 mpu 0b lat 85.5ms
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
iptables -L -t mangle -nv
    Chain PREROUTING (policy ACCEPT 2695K packets, 631M bytes)
     pkts bytes target     prot opt in     out     source               destination
      664  574K MARK       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp spt:80 DSCP match 0x0c MARK set 0x5
      664  574K RETURN     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp spt:80 DSCP match 0x0c
    83980   19M MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           MARK set 0x6 
    
    Chain INPUT (policy ACCEPT 1696K packets, 96M bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FORWARD (policy ACCEPT 1000K packets, 535M bytes)
     pkts bytes target     prot opt in     out     source               destination
      664  574K MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x5 MARK set 0x212
    16834   16M MARK       all  --  *      *       0.0.0.0/0            192.168.41.2        MARK match 0x6 MARK set 0xc 
       12  1742 MARK       all  --  *      *       0.0.0.0/0            192.168.41.3        MARK match 0x6 MARK set 0xd
        4   289 MARK       all  --  *      *       0.0.0.0/0            192.168.41.4        MARK match 0x6 MARK set 0xe
        0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.5        MARK match 0x6 MARK set 0xf
        0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.6        MARK match 0x6 MARK set 0x10
       10  1714 MARK       all  --  *      *       0.0.0.0/0            192.168.41.7        MARK match 0x6 MARK set 0x11
        0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.8        MARK match 0x6 MARK set 0x12
        0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.9        MARK match 0x6 MARK set 0x13
        0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.10       MARK match 0x6 MARK set 0x14
        0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.11       MARK match 0x6 MARK set 0x15
        0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.12       MARK match 0x6 MARK set 0x16
        0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.13       MARK match 0x6 MARK set 0x17
        0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.14       MARK match 0x6 MARK set 0x18
        0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.41.0/24     MARK match 0x6 MARK set 0xff 
    
    Chain OUTPUT (policy ACCEPT 1678K packets, 285M bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain POSTROUTING (policy ACCEPT 2651K packets, 819M bytes)
     pkts bytes target     prot opt in     out     source               destination

Linux Traffic Control (1)

Network topology and HTB design
[Figure: network topology and HTB design]
Criteria for this traffic control setup:
  1. Traffic control applies only to egress traffic on device eth0 (LAN).
  2. Traffic from the local area network (LAN) to the router, and vice versa, does not pass through traffic control.
  3. Traffic from the LAN to the Internet (upstream) does not pass through traffic control.
  4. Traffic from the Internet to the LAN (downstream) passes through traffic control, except traffic from port 80 (www) carrying TOS 0x30 or DSCP 12 (cache hit).
Note: traffic to Internet port 80 passes transparently through a remote proxy server.

Source Code
01 #!/bin/sh
02 
03 # File: tc-1.sh
04 # Description: simple traffic control with HTB
05 # Criteria:
06 # 1. Traffic from the local area network (LAN) to the router, and vice versa, does not pass through traffic control.
07 # 2. Traffic from the LAN to the Internet (upstream) does not pass through traffic control.
08 # 3. Traffic from the Internet to the LAN (downstream) passes through traffic control, except traffic
09 #     from port 80 (www) carrying TOS 0x30 or DSCP 12 (cache hit).
10 #
11 # Created by Arief Yudhawarman (2009)
12 # Email: awarmanff at yahoo.com
13 #
14 
15 IPTABLES="/usr/sbin/iptables"
16 TC="/sbin/tc"
17 
18 # Parameters
19 LAN="eth0"
20 WAN="eth1"
21 
22 # Bandwidth
23 # (kbps)
24 RATE=384
25 CEIL=384
26 
27 #
28 # IPTABLES
29 # PACKET MANGLE
30 #
31 
32 # PREROUTING
33 #
34 # Flush table
35 $IPTABLES -F -t mangle
36 #
37 # Mark cache-hit packets (dscp 12) with 0x212, then leave the chain
38 $IPTABLES -A PREROUTING -t mangle -i $WAN -p tcp -m dscp --dscp 12 -j MARK --set-mark 0x212
39 $IPTABLES -A PREROUTING -t mangle -i $WAN -p tcp -m dscp --dscp 12 -j RETURN
40 #
41 # Mark all other traffic entering the WAN device with 6
42 $IPTABLES -A PREROUTING -t mangle -i $WAN -j MARK --set-mark 6
43 
44 #
45 # TRAFFIC CONTROL
46 #
47 
48 # Create root qdisc on dev LAN
49 $TC qdisc del dev $LAN root
50 $TC qdisc add dev $LAN root handle 1:0 htb
51 #
52 # create class
53 $TC class add dev $LAN parent 1:0 classid 1:2 htb rate ${RATE}kbit ceil ${CEIL}kbit quantum 1500 prio 8
54 #
55 # Attach leaf qdisc
56 $TC qdisc add dev $LAN parent 1:2 handle 2: sfq perturb 10
57 #
58 # Filter traffic carrying packet mark 6 into class 1:2
59 $TC filter add dev $LAN protocol ip parent 1:0 prio 1 handle 6 fw flowid 1:2
Explanation:
  • Line 38: mark cache-hit traffic (dscp 12) entering the WAN device with packet mark 0x212.
  • Line 39: -j RETURN so that cache-hit traffic does not reach the rules below it.
  • Line 42: mark all traffic entering the WAN device with packet mark 6.
  • Line 59: filter all traffic carrying packet mark 6 into class 1:2.
To analyse the mangle marks and traffic control, use these commands:
iptables -L PREROUTING -t mangle -nv
    Chain PREROUTING (policy ACCEPT 2580K packets, 606M bytes)
     pkts bytes target     prot opt in     out     source               destination
       20 22316 MARK       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           DSCP match 0x0c MARK set 0x212
       20 22316 RETURN     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           DSCP match 0x0c
    20391 1247K MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           MARK set 0x6
tc -s -d qdisc show dev eth0
    qdisc htb 1: r2q 10 default 0 direct_packets_stat 0 ver 3.17
     Sent 7500 bytes 52 pkts (dropped 0, overlimits 0)
    qdisc sfq 2: parent 1:2 limit 128p quantum 1514b flows 128/1024 perturb 10sec
     Sent 7500 bytes 52 pkts (dropped 0, overlimits 0)
tc -s -d class show dev eth0
    class htb 1:2 root leaf 2: prio 7 quantum 1500 rate 384000bit ceil 384000bit burst 2079b/8 mpu 0b overhead 0b cburst 2079b/8 mpu 0b overhead 0b level 0
     Sent 168952 bytes 1120 pkts (dropped 0, overlimits 0)
     rate 4104bit 3pps
     lended: 1120 borrowed: 0 giants: 0
     tokens: 16933 ctokens: 16933
tc -s -d filter show dev eth0
    filter parent 1: protocol ip pref 1 fw
    filter parent 1: protocol ip pref 1 fw handle 0x6 classid 1:2

Source: http://awarmanf.wordpress.com/2009/12/29/linuxtc1/

Mikrotik policy routing implementation example

Source: http://blog.butchevans.com/2008/09/mikrotik-policy-routing-implementation-example/

In “normal” routing, you have a set of routes that tell the router about how to reach certain networks. Policy routing is a way to do the same thing, but have different “paths” or routes for various types of traffic. In this article, we will explore the requirements for setting up policy routing and explain some of the concepts involved.
Policy routing is implemented in 3 parts. The first part is to define the routes and which policies will use those routes. The second part is the routing rules, which will define how the policies apply to certain traffic. The third is to define the actual policies. We’ll look at each of these individually.
The network below is the one we will use for this example.
[Figure: example network for the routing policy]

We will assume that you already have the IP addresses set up on your router.
First, we must define our routes. We will add three “default” routes. These are below:
/ip route
add gateway=10.10.11.1 routing-mark=ISP2
add gateway=10.10.10.1 routing-mark=ISP1
add gateway=10.10.10.1
The first 2 routes will be used by our policies. The third route will be used by any traffic that does not have a policy defined and by traffic from the router itself.
Next, we need to define our routing rules. There are many ways to accomplish this, but what I will show here is the cleanest way I have found to implement a working policy.
/ip route rule
add dst-address=192.168.0.0/24 action=lookup table=main
add dst-address=192.168.1.0/24 action=lookup table=main
add dst-address=10.10.10.0/30 action=lookup table=main
add dst-address=10.10.11.0/30 action=lookup table=main
add src-address=10.10.10.0/30 action=lookup table=ISP1
add src-address=10.10.11.0/30 action=lookup table=ISP2
add routing-mark=ISP1 action=lookup table=ISP1
add routing-mark=ISP2 action=lookup table=ISP2
The first 3 rules tell the router to ignore routing marks for all packets destined for the “connected” networks. The next 2 rules tell the router to use ISP1 and ISP2 for traffic FROM the router on those particular interfaces; they allow us to manage the router remotely from either of the 2 “public” interfaces. Finally, there are 2 rules that use the ISP1 and ISP2 tables for traffic that we will “mark” for those tables.
Finally, we need to define the policies. A policy basically says, “use this routing table for this type of traffic”. Policies are implemented in the firewall using Mangle. We will use a couple of examples. In our first example, we will use the following policy:
All traffic from the 192.168.0.0/24 network will use ISP1 and all traffic from the 192.168.1.0/24 network will use ISP2

Here is the implementation:
/ip firewall mangle
add chain=prerouting src-address=192.168.0.0/24 action=mark-routing \
new-routing-mark=ISP1 passthrough=no

add chain=prerouting src-address=192.168.1.0/24 action=mark-routing \
new-routing-mark=ISP2 passthrough=no
The above 2 rules are all that are needed. Note that the “new-routing-mark” matches the “routing-mark” entry in the route statements we added earlier.
A common policy is to route certain traffic (by type) over certain networks. For example, we could implement a policy like the following:
Route all http, smtp, dns and pop3 traffic over our ISP1 circuit and all other traffic over the ISP2 circuit.
/ip firewall mangle
add chain=prerouting dst-port=80 protocol=tcp action=mark-routing \
new-routing-mark=ISP1 passthrough=no

add chain=prerouting dst-port=25 protocol=tcp action=mark-routing \
new-routing-mark=ISP1 passthrough=no

add chain=prerouting dst-port=110 protocol=tcp action=mark-routing \
new-routing-mark=ISP1 passthrough=no

add chain=prerouting dst-port=53 protocol=udp action=mark-routing \
new-routing-mark=ISP1 passthrough=no

add chain=prerouting action=mark-routing \
new-routing-mark=ISP2 passthrough=no
The above 4 rules will implement the policy requirement I stated. NOTE: In this policy, Peer-to-peer traffic will use ISP2, unless the peer-to-peer traffic tries to use one of the ports defined by the policy.
Peer-to-peer traffic requires more than one packet to identify, so if you want a policy that applies to this traffic, you have to define the OTHER traffic first and let the peer-to-peer traffic fall through to the “default” action, as I did above.
This is not a complete description of all the possible implementations for policy routing, but it will give you a head start in implementing policy routing. I hope you find this article helpful.