Limiting P2P in coyote the clumsy way
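After installing the hard-disk version of coyote, the network really has been much more stable than when I was using the TP-R402M. There are 15 office computers at my workplace, plus nearly 20 personal computers in the teachers' dormitory, all on the same LAN and sharing a 10M telecom fiber connection. Later, more people started watching movies with pplive and ppstream, which left others unable to browse web pages. The office computers all have 还原精灵 (a system-restore utility) installed and are easy to manage, but the computers in the teachers' dormitory can't be managed, so I had to limit bandwidth with tc and iptables. It worked at first, but after a while web browsing stopped working again. When I checked bandwidth usage, it was nowhere near full. In this situation the cause must be too many connections, which bandwidth limits can't control either. I downloaded ipt_connlimit.o from minifw, but coyote can't load it; perhaps the kernel doesn't support it.
I didn't want to replace coyote with minifw; too much trouble. After racking my brains for a few days I finally solved the problem: give each computer its own upload and download bandwidth, with a very low upload priority, then open a dedicated shared upload channel for http, dns, smtp and pop3 with priority 0. That way, when users run P2P they use their own low-priority upload channel, when they browse the web they use the high-priority shared upload channel, and for downloads everyone uses their own download channel.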
QoS script
# Clear all queueing disciplines (qdiscs) on eth1
tc qdisc del dev eth1 root 2>/dev/null
# Define the top-level (root) qdisc and specify the default class number
tc qdisc add dev eth1 root handle 10: htb default 50
# Define the first-level class 10:1 (total bandwidth)
tc class add dev eth1 parent 10: classid 10:1 htb rate 128kbps ceil 128kbps
# Define the second-level leaf classes
# rate = guaranteed bandwidth, ceil = maximum bandwidth, prio = priority
tc class add dev eth1 parent 10:1 classid 10:10 htb rate 8kbps ceil 40kbps prio 1
tc class add dev eth1 parent 10:1 classid 10:11 htb rate 8kbps ceil 40kbps prio 1
tc class add dev eth1 parent 10:1 classid 10:12 htb rate 4kbps ceil 12kbps prio 2
tc class add dev eth1 parent 10:1 classid 10:15 htb rate 4kbps ceil 12kbps prio 2
tc class add dev eth1 parent 10:1 classid 10:16 htb rate 4kbps ceil 12kbps prio 2
tc class add dev eth1 parent 10:1 classid 10:17 htb rate 4kbps ceil 12kbps prio 2
tc class add dev eth1 parent 10:1 classid 10:18 htb rate 4kbps ceil 12kbps prio 2
tc class add dev eth1 parent 10:1 classid 10:20 htb rate 4kbps ceil 12kbps prio 2
tc class add dev eth1 parent 10:1 classid 10:22 htb rate 4kbps ceil 12kbps prio 2
tc class add dev eth1 parent 10:1 classid 10:24 htb rate 4kbps ceil 12kbps prio 2
tc class add dev eth1 parent 10:1 classid 10:30 htb rate 4kbps ceil 12kbps prio 2
tc class add dev eth1 parent 10:1 classid 10:50 htb rate 8kbps ceil 16kbps prio 2
tc class add dev eth1 parent 10:1 classid 10:61 htb rate 2kbps ceil 4kbps prio 3
tc class add dev eth1 parent 10:1 classid 10:62 htb rate 2kbps ceil 4kbps prio 3
tc class add dev eth1 parent 10:1 classid 10:63 htb rate 2kbps ceil 4kbps prio 3
tc class add dev eth1 parent 10:1 classid 10:64 htb rate 2kbps ceil 4kbps prio 3
tc class add dev eth1 parent 10:1 classid 10:65 htb rate 2kbps ceil 4kbps prio 3
tc class add dev eth1 parent 10:1 classid 10:66 htb rate 2kbps ceil 4kbps prio 3
tc class add dev eth1 parent 10:1 classid 10:67 htb rate 2kbps ceil 4kbps prio 3
tc class add dev eth1 parent 10:1 classid 10:68 htb rate 2kbps ceil 4kbps prio 3
tc class add dev eth1 parent 10:1 classid 10:69 htb rate 2kbps ceil 4kbps prio 3
tc class add dev eth1 parent 10:1 classid 10:70 htb rate 2kbps ceil 4kbps prio 3
# The next line opens a high-priority upload channel for web browsing
tc class add dev eth1 parent 10:1 classid 10:40 htb rate 8kbps ceil 40kbps prio 0
# Define the qdisc for each leaf class
# parent = class number, handle = leaf qdisc number
# Because the fw filter is used, a pfifo qdisc is sufficient here
tc qdisc add dev eth1 parent 10:10 handle 100: pfifo
tc qdisc add dev eth1 parent 10:11 handle 101: pfifo
tc qdisc add dev eth1 parent 10:12 handle 102: pfifo
tc qdisc add dev eth1 parent 10:15 handle 105: pfifo
tc qdisc add dev eth1 parent 10:16 handle 106: pfifo
tc qdisc add dev eth1 parent 10:17 handle 107: pfifo
tc qdisc add dev eth1 parent 10:18 handle 108: pfifo
tc qdisc add dev eth1 parent 10:20 handle 110: pfifo
tc qdisc add dev eth1 parent 10:22 handle 112: pfifo
tc qdisc add dev eth1 parent 10:24 handle 114: pfifo
tc qdisc add dev eth1 parent 10:30 handle 120: pfifo
tc qdisc add dev eth1 parent 10:50 handle 150: pfifo
tc qdisc add dev eth1 parent 10:61 handle 161: pfifo
tc qdisc add dev eth1 parent 10:62 handle 162: pfifo
tc qdisc add dev eth1 parent 10:63 handle 163: pfifo
tc qdisc add dev eth1 parent 10:64 handle 164: pfifo
tc qdisc add dev eth1 parent 10:65 handle 165: pfifo
tc qdisc add dev eth1 parent 10:66 handle 166: pfifo
tc qdisc add dev eth1 parent 10:67 handle 167: pfifo
tc qdisc add dev eth1 parent 10:68 handle 168: pfifo
tc qdisc add dev eth1 parent 10:69 handle 169: pfifo
tc qdisc add dev eth1 parent 10:70 handle 170: pfifo
tc qdisc add dev eth1 parent 10:40 handle 140: pfifo
# Set up the filters
# Packets carrying mark (handle) 10 are classified into class 10:10, and so on
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 10 fw classid 10:10
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 11 fw classid 10:11
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 12 fw classid 10:12
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 15 fw classid 10:15
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 16 fw classid 10:16
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 17 fw classid 10:17
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 18 fw classid 10:18
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 20 fw classid 10:20
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 22 fw classid 10:22
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 24 fw classid 10:24
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 30 fw classid 10:30
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 50 fw classid 10:50
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 61 fw classid 10:61
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 62 fw classid 10:62
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 63 fw classid 10:63
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 64 fw classid 10:64
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 65 fw classid 10:65
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 66 fw classid 10:66
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 67 fw classid 10:67
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 68 fw classid 10:68
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 69 fw classid 10:69
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 70 fw classid 10:70
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 40 fw classid 10:40
# QoS for eth0, download side
#
# Clear all qdiscs on eth0
tc qdisc del dev eth0 root 2>/dev/null
# Define the top-level (root) qdisc and specify the default class number
tc qdisc add dev eth0 root handle 10: htb default 50
# Define the first-level class 10:1 (total bandwidth)
tc class add dev eth0 parent 10: classid 10:1 htb rate 1280kbps ceil 1280kbps
# Define the second-level leaf classes
# rate = guaranteed bandwidth, ceil = maximum bandwidth, prio = priority
tc class add dev eth0 parent 10:1 classid 10:10 htb rate 30kbps ceil 300kbps prio 0
tc class add dev eth0 parent 10:1 classid 10:11 htb rate 30kbps ceil 150kbps prio 0
tc class add dev eth0 parent 10:1 classid 10:12 htb rate 10kbps ceil 90kbps prio 1
tc class add dev eth0 parent 10:1 classid 10:15 htb rate 10kbps ceil 90kbps prio 1
tc class add dev eth0 parent 10:1 classid 10:16 htb rate 10kbps ceil 90kbps prio 1
tc class add dev eth0 parent 10:1 classid 10:17 htb rate 10kbps ceil 90kbps prio 1
tc class add dev eth0 parent 10:1 classid 10:18 htb rate 10kbps ceil 90kbps prio 1
tc class add dev eth0 parent 10:1 classid 10:20 htb rate 10kbps ceil 90kbps prio 1
tc class add dev eth0 parent 10:1 classid 10:22 htb rate 10kbps ceil 90kbps prio 1
tc class add dev eth0 parent 10:1 classid 10:24 htb rate 10kbps ceil 90kbps prio 1
tc class add dev eth0 parent 10:1 classid 10:30 htb rate 10kbps ceil 90kbps prio 1
tc class add dev eth0 parent 10:1 classid 10:50 htb rate 20kbps ceil 150kbps prio 1
tc class add dev eth0 parent 10:1 classid 10:61 htb rate 10kbps ceil 90kbps prio 1
tc class add dev eth0 parent 10:1 classid 10:62 htb rate 10kbps ceil 90kbps prio 1
tc class add dev eth0 parent 10:1 classid 10:63 htb rate 10kbps ceil 90kbps prio 1
tc class add dev eth0 parent 10:1 classid 10:64 htb rate 10kbps ceil 90kbps prio 1
tc class add dev eth0 parent 10:1 classid 10:65 htb rate 10kbps ceil 90kbps prio 1
tc class add dev eth0 parent 10:1 classid 10:66 htb rate 10kbps ceil 90kbps prio 1
tc class add dev eth0 parent 10:1 classid 10:67 htb rate 10kbps ceil 90kbps prio 1
tc class add dev eth0 parent 10:1 classid 10:68 htb rate 10kbps ceil 90kbps prio 1
tc class add dev eth0 parent 10:1 classid 10:69 htb rate 10kbps ceil 90kbps prio 1
tc class add dev eth0 parent 10:1 classid 10:70 htb rate 10kbps ceil 90kbps prio 1
# Define the qdisc for each leaf class
# parent = class number, handle = leaf qdisc number
tc qdisc add dev eth0 parent 10:10 handle 100: pfifo
tc qdisc add dev eth0 parent 10:11 handle 101: pfifo
tc qdisc add dev eth0 parent 10:12 handle 102: pfifo
tc qdisc add dev eth0 parent 10:15 handle 105: pfifo
tc qdisc add dev eth0 parent 10:16 handle 106: pfifo
tc qdisc add dev eth0 parent 10:17 handle 107: pfifo
tc qdisc add dev eth0 parent 10:18 handle 108: pfifo
tc qdisc add dev eth0 parent 10:20 handle 110: pfifo
tc qdisc add dev eth0 parent 10:22 handle 112: pfifo
tc qdisc add dev eth0 parent 10:24 handle 114: pfifo
tc qdisc add dev eth0 parent 10:30 handle 120: pfifo
tc qdisc add dev eth0 parent 10:50 handle 150: pfifo
tc qdisc add dev eth0 parent 10:61 handle 161: pfifo
tc qdisc add dev eth0 parent 10:62 handle 162: pfifo
tc qdisc add dev eth0 parent 10:63 handle 163: pfifo
tc qdisc add dev eth0 parent 10:64 handle 164: pfifo
tc qdisc add dev eth0 parent 10:65 handle 165: pfifo
tc qdisc add dev eth0 parent 10:66 handle 166: pfifo
tc qdisc add dev eth0 parent 10:67 handle 167: pfifo
tc qdisc add dev eth0 parent 10:68 handle 168: pfifo
tc qdisc add dev eth0 parent 10:69 handle 169: pfifo
tc qdisc add dev eth0 parent 10:70 handle 170: pfifo
# Set up the filters
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 10 fw classid 10:10
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 11 fw classid 10:11
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 12 fw classid 10:12
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 15 fw classid 10:15
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 16 fw classid 10:16
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 17 fw classid 10:17
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 18 fw classid 10:18
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 20 fw classid 10:20
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 22 fw classid 10:22
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 24 fw classid 10:24
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 30 fw classid 10:30
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 50 fw classid 10:50
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 61 fw classid 10:61
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 62 fw classid 10:62
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 63 fw classid 10:63
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 64 fw classid 10:64
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 65 fw classid 10:65
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 66 fw classid 10:66
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 67 fw classid 10:67
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 68 fw classid 10:68
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 69 fw classid 10:69
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 70 fw classid 10:70
[ This post was last edited by bfrader on 2007-6-22 08:50 ]
iptables script
# Speed up web requests: upload bandwidth 8-40k, priority 0
iptables -t mangle -A PREROUTING -m layer7 --l7proto http -j MARK --set-mark 40
iptables -t mangle -A PREROUTING -m layer7 --l7proto dns -j MARK --set-mark 40
iptables -t mangle -A PREROUTING -m layer7 --l7proto pop3 -j MARK --set-mark 40
iptables -t mangle -A PREROUTING -m layer7 --l7proto smtp -j MARK --set-mark 40
# DHCP machines, bandwidth allocated per 2 machines: download 10K-90K, priority 1; upload 2-4k, priority 3
iptables -t mangle -A PREROUTING -s 172.18.196.61 -j MARK --set-mark 61
iptables -t mangle -A POSTROUTING -d 172.18.196.61 -j MARK --set-mark 61
iptables -t mangle -A PREROUTING -s 172.18.196.62 -j MARK --set-mark 61
iptables -t mangle -A POSTROUTING -d 172.18.196.62 -j MARK --set-mark 61
iptables -t mangle -A PREROUTING -s 172.18.196.63 -j MARK --set-mark 62
iptables -t mangle -A POSTROUTING -d 172.18.196.63 -j MARK --set-mark 62
iptables -t mangle -A PREROUTING -s 172.18.196.64 -j MARK --set-mark 62
iptables -t mangle -A POSTROUTING -d 172.18.196.64 -j MARK --set-mark 62
iptables -t mangle -A PREROUTING -s 172.18.196.65 -j MARK --set-mark 63
iptables -t mangle -A POSTROUTING -d 172.18.196.65 -j MARK --set-mark 63
iptables -t mangle -A PREROUTING -s 172.18.196.66 -j MARK --set-mark 63
iptables -t mangle -A POSTROUTING -d 172.18.196.66 -j MARK --set-mark 63
iptables -t mangle -A PREROUTING -s 172.18.196.67 -j MARK --set-mark 64
iptables -t mangle -A POSTROUTING -d 172.18.196.67 -j MARK --set-mark 64
iptables -t mangle -A PREROUTING -s 172.18.196.68 -j MARK --set-mark 64
iptables -t mangle -A POSTROUTING -d 172.18.196.68 -j MARK --set-mark 64
iptables -t mangle -A PREROUTING -s 172.18.196.69 -j MARK --set-mark 65
iptables -t mangle -A POSTROUTING -d 172.18.196.69 -j MARK --set-mark 65
iptables -t mangle -A PREROUTING -s 172.18.196.70 -j MARK --set-mark 65
iptables -t mangle -A POSTROUTING -d 172.18.196.70 -j MARK --set-mark 65
iptables -t mangle -A PREROUTING -s 172.18.196.71 -j MARK --set-mark 66
iptables -t mangle -A POSTROUTING -d 172.18.196.71 -j MARK --set-mark 66
iptables -t mangle -A PREROUTING -s 172.18.196.72 -j MARK --set-mark 66
iptables -t mangle -A POSTROUTING -d 172.18.196.72 -j MARK --set-mark 66
iptables -t mangle -A PREROUTING -s 172.18.196.73 -j MARK --set-mark 67
iptables -t mangle -A POSTROUTING -d 172.18.196.73 -j MARK --set-mark 67
iptables -t mangle -A PREROUTING -s 172.18.196.74 -j MARK --set-mark 67
iptables -t mangle -A POSTROUTING -d 172.18.196.74 -j MARK --set-mark 67
iptables -t mangle -A PREROUTING -s 172.18.196.75 -j MARK --set-mark 68
iptables -t mangle -A POSTROUTING -d 172.18.196.75 -j MARK --set-mark 68
iptables -t mangle -A PREROUTING -s 172.18.196.76 -j MARK --set-mark 68
iptables -t mangle -A POSTROUTING -d 172.18.196.76 -j MARK --set-mark 68
iptables -t mangle -A PREROUTING -s 172.18.196.128 -j MARK --set-mark 69
iptables -t mangle -A POSTROUTING -d 172.18.196.128 -j MARK --set-mark 69
iptables -t mangle -A PREROUTING -s 172.18.196.101 -j MARK --set-mark 69
iptables -t mangle -A POSTROUTING -d 172.18.196.101 -j MARK --set-mark 69
iptables -t mangle -A PREROUTING -s 172.18.196.196 -j MARK --set-mark 70
iptables -t mangle -A POSTROUTING -d 172.18.196.196 -j MARK --set-mark 70
iptables -t mangle -A PREROUTING -s 172.18.196.130 -j MARK --set-mark 70
iptables -t mangle -A POSTROUTING -d 172.18.196.130 -j MARK --set-mark 70
# 10 office computers, per 2 machines: download bandwidth 10K-90K, priority 1; upload 4-12k, priority 2
iptables -t mangle -A PREROUTING -s 172.18.196.117 -j MARK --set-mark 12
iptables -t mangle -A POSTROUTING -d 172.18.196.117 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -s 172.18.196.118 -j MARK --set-mark 12
iptables -t mangle -A POSTROUTING -d 172.18.196.118 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -s 172.18.196.119 -j MARK --set-mark 15
iptables -t mangle -A POSTROUTING -d 172.18.196.119 -j MARK --set-mark 15
iptables -t mangle -A PREROUTING -s 172.18.196.120 -j MARK --set-mark 15
iptables -t mangle -A POSTROUTING -d 172.18.196.120 -j MARK --set-mark 15
iptables -t mangle -A PREROUTING -s 172.18.196.121 -j MARK --set-mark 16
iptables -t mangle -A POSTROUTING -d 172.18.196.121 -j MARK --set-mark 16
iptables -t mangle -A PREROUTING -s 172.18.196.123 -j MARK --set-mark 17
iptables -t mangle -A POSTROUTING -d 172.18.196.123 -j MARK --set-mark 17
iptables -t mangle -A PREROUTING -s 172.18.196.124 -j MARK --set-mark 18
iptables -t mangle -A POSTROUTING -d 172.18.196.124 -j MARK --set-mark 18
iptables -t mangle -A PREROUTING -s 172.18.196.154 -j MARK --set-mark 18
iptables -t mangle -A POSTROUTING -d 172.18.196.154 -j MARK --set-mark 18
iptables -t mangle -A PREROUTING -s 172.18.196.195 -j MARK --set-mark 20
iptables -t mangle -A POSTROUTING -d 172.18.196.195 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -s 172.18.196.197 -j MARK --set-mark 20
iptables -t mangle -A POSTROUTING -d 172.18.196.197 -j MARK --set-mark 20
# Other computers with fixed IPs, per 2 machines: download bandwidth 10K-90K, priority 1; upload 4-12k, priority 2
iptables -t mangle -A PREROUTING -s 172.18.196.109 -j MARK --set-mark 22
iptables -t mangle -A POSTROUTING -d 172.18.196.109 -j MARK --set-mark 22
iptables -t mangle -A PREROUTING -s 172.18.196.163 -j MARK --set-mark 22
iptables -t mangle -A POSTROUTING -d 172.18.196.163 -j MARK --set-mark 22
iptables -t mangle -A PREROUTING -s 172.18.196.35 -j MARK --set-mark 24
iptables -t mangle -A POSTROUTING -d 172.18.196.35 -j MARK --set-mark 24
iptables -t mangle -A PREROUTING -s 172.18.196.185 -j MARK --set-mark 30
iptables -t mangle -A POSTROUTING -d 172.18.196.185 -j MARK --set-mark 30
iptables -t mangle -A PREROUTING -s 172.18.196.115 -j MARK --set-mark 30
iptables -t mangle -A POSTROUTING -d 172.18.196.115 -j MARK --set-mark 30
# Servers: download bandwidth 30K-150K, priority 0; upload 8-40k, priority 1
iptables -t mangle -A PREROUTING -s 172.18.196.100 -j MARK --set-mark 10
iptables -t mangle -A POSTROUTING -d 172.18.196.100 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -s 172.18.196.122 -j MARK --set-mark 10
iptables -t mangle -A POSTROUTING -d 172.18.196.122 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -s 172.18.196.46 -j MARK --set-mark 10
iptables -t mangle -A POSTROUTING -d 172.18.196.46 -j MARK --set-mark 10
# Special purpose: bandwidth 30K-300K, priority 0; upload 8-40k, priority 1
iptables -t mangle -A PREROUTING -s 172.18.196.11 -j MARK --set-mark 11
iptables -t mangle -A POSTROUTING -d 172.18.196.11 -j MARK --set-mark 11
# Remaining computers use: download bandwidth 20K-150K, priority 1; upload 8-16k, priority 2
Coyote diagnostic tools page: active firewall rules - mangle
This method is pretty clumsy. Could the experts give me some pointers: is there a simpler way?

# Upload side: first use iptables to mark the packets, then hand them to the fw filter for filtering
iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -m layer7 --l7proto http -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 554 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -m layer7 --l7proto xunlei -j MARK --set-mark 30
iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -m layer7 --l7proto bittorrent -j MARK --set-mark 40
# iptables -t mangle -A PREROUTING -s 192.168.5.0/24 -j MARK --set-mark 50
# Download side
iptables -t mangle -A POSTROUTING -d 192.168.1.0/24 -m layer7 --l7proto http -j MARK --set-mark 10
iptables -t mangle -A POSTROUTING -d 192.168.1.0/24 -p tcp --sport 554 -j MARK --set-mark 20
iptables -t mangle -A POSTROUTING -d 192.168.1.0/24 -m layer7 --l7proto xunlei -j MARK --set-mark 30
iptables -t mangle -A POSTROUTING -d 192.168.1.0/24 -m layer7 --l7proto bittorrent -j MARK --set-mark 40
# iptables -t mangle -A POSTROUTING -d 192.168.5.0/24 -j MARK --set-mark 50
Then, in the custom firewall settings:
# Download shaping
# Clear all qdiscs on eth0
tc qdisc del dev eth0 root 2>/dev/null
# Define the top-level (root) qdisc and specify the default class number
tc qdisc add dev eth0 root handle 10: htb default 90
# Define the first-level class 10:1 (total download bandwidth)
tc class add dev eth0 parent 10: classid 10:1 htb rate 3200kbps ceil 3200kbps
# Define the second-level leaf classes: rate = guaranteed bandwidth, ceil = maximum bandwidth, prio = priority
tc class add dev eth0 parent 10:1 classid 10:10 htb rate 200kbps ceil 2300kbps prio 1
tc class add dev eth0 parent 10:1 classid 10:20 htb rate 400kbps ceil 2500kbps prio 3
tc class add dev eth0 parent 10:1 classid 10:30 htb rate 100kbps ceil 2200kbps prio 6
tc class add dev eth0 parent 10:1 classid 10:40 htb rate 100kbps ceil 2200kbps prio 4
# tc class add dev eth0 parent 10:1 classid 10:50 htb rate 100kbps ceil 2200kbps prio 5
tc class add dev eth0 parent 10:1 classid 10:90 htb rate 200bps ceil 2300kbps prio 2
# Define the qdisc for each leaf class: parent = class number, handle = leaf qdisc number; because the fw filter is used, a pfifo qdisc is sufficient here
tc qdisc add dev eth0 parent 10:10 handle 101: pfifo
tc qdisc add dev eth0 parent 10:20 handle 102: pfifo
tc qdisc add dev eth0 parent 10:30 handle 103: pfifo
tc qdisc add dev eth0 parent 10:40 handle 104: pfifo
# tc qdisc add dev eth0 parent 10:50 handle 105: pfifo
tc qdisc add dev eth0 parent 10:90 handle 109: pfifo
# Set up the filters: packets carrying mark (handle) 10 are classified into class 10:10, and so on
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 10 fw classid 10:10
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 20 fw classid 10:20
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 30 fw classid 10:30
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 40 fw classid 10:40
# tc filter add dev eth0 parent 10: protocol ip prio 100 handle 50 fw classid 10:50
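tc filter add dev eth0 parent 10: protocol ip prio 100 handle 90 fw classid 10:90

Shaping eth0 doesn't seem to mean much; the main thing is to shape upload (eth1) properly. Bandwidth limits aren't very effective either; you have to find a way to limit the number of connections, so I could only approach it through priorities.
I tried 芝麻's method and it didn't work very well. Maybe the priority for P2P isn't low enough.

The custom firewall settings also had an upload-shaping part, which I deleted to save space. Add all of it back and try; my limits work fairly well.

For upload I'm using 芝麻's method, and for download I'm keeping the per-IP limits unchanged. Testing now...

To the brother above: I rank priority by protocol, serving http and rtsp first. I don't limit per IP (because everything here is on the same subnet, all 192.168.1.x); I haven't tried it with several subnets. Also, bfrader, with that many rules aren't you worried about slowing the system down?

Reply to 芝麻: the system hasn't slowed down. Memory usage has gone up a bit but hasn't exceeded 50%, and CPU usage hasn't exceeded 3 (as shown in the web management page; it's usually around 0.1). I don't know whether this number is a percentage: for example, does 3 mean 3%?
My coyote machine has a P120 CPU and 40M of RAM.

Originally I still wanted to use the clumsy method, but Xunlei can't be controlled (it seems to go through the http channel), and filtering with l7's xunlei pattern doesn't work very well either.

Actually, the most important thing in setting up QoS is guaranteeing normal bandwidth for services like HTTP. You can increase the HTTP bandwidth and reduce the Xunlei bandwidth, or use iptraf to find out who is using Xunlei and then add a rule limiting that user's bandwidth. I haven't noticed Xunlei affecting browsing, because after I set things up that way web pages open very fast whether or not anyone is downloading with Xunlei (10M fiber uplink).

Reply to 芝麻: I have tested it; Xunlei consumes more bandwidth than other P2P. I've now been using your method for two days and it really is more stable than before. I owe you a big thank-you :handshake

I'm a newbie. Where do I add the iptables script?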
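
The question in the first post (is there a simpler way?) can be approached with a table-driven generator; the script below is an added example, not code from any poster in this thread. It prints the tc and iptables commands instead of running them, copies only three host groups from the first post, and appends the layer7 rules after the per-host rules because MARK does not stop rule traversal, so the last matching rule decides the mark. The function names, the table layout and the two flush commands are assumptions (the flush assumes nothing else uses those mangle chains).

```shell
#!/bin/sh
# Added example (not from the thread): dry-run generator that prints commands.
# Rows copied from three groups in the first post; the layout is hypothetical:
# mark  up_rate up_ceil up_prio  down_rate down_ceil down_prio  ip[,ip...]
HOSTS='61 2 4 3 10 90 1 172.18.196.61,172.18.196.62
12 4 12 2 10 90 1 172.18.196.117,172.18.196.118
10 8 40 1 30 300 0 172.18.196.100,172.18.196.122,172.18.196.46'

L7_PROTOS='http dns pop3 smtp'  # protocols sent to the shared upload class
SHARED_MARK=40                  # shared high-priority upload class 10:40
DEFAULT_MARK=50                 # HTB default class for unlisted hosts

# emit_leaf DEV MARK RATE CEIL PRIO: HTB class, pfifo leaf and fw filter.
# The leaf handle only has to be unique, so it is derived from the mark.
emit_leaf() {
    echo "tc class add dev $1 parent 10:1 classid 10:$2 htb rate ${3}kbps ceil ${4}kbps prio $5"
    echo "tc qdisc add dev $1 parent 10:$2 handle 1$2: pfifo"
    echo "tc filter add dev $1 parent 10: protocol ip prio 100 handle $2 fw classid 10:$2"
}

# gen_tc DEV TOTAL_KBPS up|down: the whole HTB tree for one interface.
gen_tc() {
    dev=$1; total=$2; dir=$3
    echo "tc qdisc del dev $dev root 2>/dev/null"
    echo "tc qdisc add dev $dev root handle 10: htb default $DEFAULT_MARK"
    echo "tc class add dev $dev parent 10: classid 10:1 htb rate ${total}kbps ceil ${total}kbps"
    echo "$HOSTS" | while read -r mark ur uc upr dr dc dpr ips; do
        if [ "$dir" = up ]; then
            emit_leaf "$dev" "$mark" "$ur" "$uc" "$upr"
        else
            emit_leaf "$dev" "$mark" "$dr" "$dc" "$dpr"
        fi
    done
    if [ "$dir" = up ]; then
        emit_leaf "$dev" "$DEFAULT_MARK" 8 16 2
        emit_leaf "$dev" "$SHARED_MARK" 8 40 0   # shared web/mail/dns upload class
    else
        emit_leaf "$dev" "$DEFAULT_MARK" 20 150 1
    fi
}

# gen_marks: per-host marks first, layer7 marks last.
# Flushing first keeps a re-run from appending a second copy of every rule.
gen_marks() {
    echo "iptables -t mangle -F PREROUTING"
    echo "iptables -t mangle -F POSTROUTING"
    echo "$HOSTS" | while read -r mark ur uc upr dr dc dpr ips; do
        for ip in $(echo "$ips" | tr ',' ' '); do
            echo "iptables -t mangle -A PREROUTING -s $ip -j MARK --set-mark $mark"
            echo "iptables -t mangle -A POSTROUTING -d $ip -j MARK --set-mark $mark"
        done
    done
    for p in $L7_PROTOS; do
        echo "iptables -t mangle -A PREROUTING -m layer7 --l7proto $p -j MARK --set-mark $SHARED_MARK"
    done
}

# final_mark SRC_IP L7PROTO: replay the generated PREROUTING rules in order.
# Every matching MARK rule overwrites the mark; 0 means "unmarked", which the
# HTB root then sends to the default class.
final_mark() {
    gen_marks | awk -v src="$1" -v proto="$2" '
        / PREROUTING / && /-j MARK/ {
            m = $NF
            for (i = 1; i < NF; i++) {
                if ($i == "-s" && $(i + 1) == src) mark = m
                if ($i == "--l7proto" && $(i + 1) == proto) mark = m
            }
        }
        END { print (mark == "" ? 0 : mark) }'
}

# Print the full rule set for review.
gen_tc eth1 128 up
gen_tc eth0 1280 down
gen_marks
```

With this ordering, final_mark shows a listed host's http upload ending with mark 40, while its other traffic keeps the per-host mark.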