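I recently noticed that my roommate was downloading some "bandwidth-hungry stuff",
but I can't just unplug his network cable, so I had to come up with my own
solution: installing a bandwidth management package on my Eeebox.
Below is the configuration I played around with:
Test environment diagram:
1. Install the shaperd package
‧apt-get install shaperd
2. Set the bandwidth allocation rules in shaperd.conf
‧vi /etc/shaperd/shaperd.conf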
==========================================================
log level = warning
packet forwarding = ipq
daemon = yes
pidfile = /var/run/shaperd.pid
class A_up {
bandwidth = 128 kbit/s
ipv4 classifier out_if=ppp+ saddr=192.168.100.254
borrow from B_up
queue limits = 0 kb 150 packets
}
class A_down {
bandwidth = 1024 kbit/s
ipv4 classifier inp_if=ppp+ daddr=192.168.100.254
borrow from B_down
queue limits = 0 kb 150 packets
}
class B_up {
bandwidth = 128 kbit/s
ipv4 classifier out_if=ppp+ saddr=192.168.100.253
borrow from A_up
queue limits = 0 kb 150 packets
}
class B_down {
bandwidth = 1024 kbit/s
ipv4 classifier inp_if=ppp+ daddr=192.168.100.253
borrow from A_down
queue limits = 0 kb 150 packets
}
==========================================================
3. Configure iptables with shaperd
3.1. vi firewall_with_shaperd.sh (the script is the sample file, modified to suit my own needs)
==========================================================
#!/bin/bash
IPT="/sbin/iptables"
# clean up previous stuff
$IPT -t nat -F
$IPT -t mangle -F
$IPT -t filter -F
$IPT -X SHAPE
# create the "shape" chain
$IPT -N SHAPE
$IPT -I SHAPE -j QUEUE
# system policies & security stuff
$IPT -P FORWARD DROP
$IPT -P INPUT DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp -i ppp0 --dport 22 -j ACCEPT
$IPT -A INPUT -p udp -i ppp0 --dport 53 -j ACCEPT
$IPT -A INPUT -p tcp -i ppp0 --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp -i ppp0 --dport 443 -j ACCEPT
$IPT -A INPUT -p icmp -i ppp0 -j ACCEPT
# this is a workaround for some broken routers out there
$IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss \
--mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
# masq'd hosts: A (192.168.100.254), B (192.168.100.253)
$IPT -t nat -A POSTROUTING -s 192.168.100.0/24 -o ppp0 -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 192.168.104.0/24 -o ppp0 -j MASQUERADE
# shape (upstream) the masqueraded hosts (192.168.100.253 & 192.168.100.254)
$IPT -A FORWARD -s 192.168.100.254/32 -i eth1 -o ppp0 -j SHAPE
$IPT -A FORWARD -s 192.168.100.253/32 -i eth1 -o ppp0 -j SHAPE
# shape (downstream) the masqueraded hosts
# (192.168.100.253 & 192.168.100.254, "tcp" only)
$IPT -A FORWARD -p tcp -d 192.168.100.254/32 -o eth1 -i ppp0 -m state \
--state ESTABLISHED,RELATED -j SHAPE
$IPT -A FORWARD -p tcp -d 192.168.100.253/32 -o eth1 -i ppp0 -m state \
--state ESTABLISHED,RELATED -j SHAPE
$IPT -A FORWARD -p tcp -d 192.168.0.252/32 -o eth1 -i ppp0 -m state \
--state ESTABLISHED,RELATED -j SHAPE
$IPT -A FORWARD -p tcp -d 192.168.0.251/32 -o eth1 -i ppp0 -m state \
--state ESTABLISHED,RELATED -j SHAPE
# don't shape the rest of the (downstream) traffic (it makes no sense)
$IPT -A FORWARD -d 192.168.100.254/32 -o eth1 -i ppp0 -m state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -d 192.168.100.253/32 -o eth1 -i ppp0 -m state \
--state ESTABLISHED,RELATED -j ACCEPT
# enable ipv4 packet forwarding
echo "1" >/proc/sys/net/ipv4/ip_forward
==========================================================
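3.2. chmod u+x firewall_with_shaperd.sh
4. Start the shaperd service and run firewall_with_shaperd.sh
‧/etc/init.d/shaperd start
‧./firewall_with_shaperd.sh
5. Test a file download from a back-end host
‧On A Box, download a file with flashget (split download set to 10). The download speed still does not drop to around 1024 Kb (128 KB).
This is because shaperd.conf has borrow from B_down set (B Box is currently still powered off),
so the limit still lets A Box use the bandwidth that B Box would be able to use. Once I deleted borrow from B_down
and downloaded again, the speed dropped to around 1024 Kb (128 KB).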
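The borrowing effect seen in step 5, as an added example that is not part of the original post and not shaperd's own code: it reads class definitions in the shaperd.conf format shown above and reports each class's own rate next to the rate it can reach while its lender is idle. The function names sample_conf and class_ceilings are hypothetical, and the sketch assumes an idle lender gives up its whole bandwidth and that all rates are written in kbit/s.

```shell
# Constructed sample: the two download classes from the shaperd.conf above.
sample_conf() {
cat <<'EOF'
class A_down {
bandwidth = 1024 kbit/s
ipv4 classifier inp_if=ppp+ daddr=192.168.100.254
borrow from B_down
queue limits = 0 kb 150 packets
}
class B_down {
bandwidth = 1024 kbit/s
ipv4 classifier inp_if=ppp+ daddr=192.168.100.253
borrow from A_down
queue limits = 0 kb 150 packets
}
EOF
}

# class_ceilings [FILE]: print "class own_kbit max_kbit" for every class.
# max_kbit = own rate + the lender's rate (assumption: the lender is idle and
# lends everything). Only "kbit/s" values are handled. Exits non-zero when a
# class borrows from a class that is not defined.
class_ceilings() {
  awk '
    $1 == "class"                  { cur = $2; order[++n] = cur }
    $1 == "bandwidth"              { bw[cur] = $3 }
    $1 == "borrow" && $2 == "from" { lender[cur] = $3 }
    END {
      for (i = 1; i <= n; i++) {
        c = order[i]; max = bw[c]
        if (c in lender) {
          if (lender[c] in bw) {
            max += bw[lender[c]]
          } else {
            printf "%s borrows from undefined class %s\n", c, lender[c] > "/dev/stderr"
            bad = 1
          }
        }
        printf "%s %d %d\n", c, bw[c], max
      }
      exit bad + 0
    }' "${1:--}"
}

# Before and after deleting "borrow from B_down", as in step 5.
sample_conf | class_ceilings
sample_conf | sed '/borrow from B_down/d' | class_ceilings
```

Run against the real file with class_ceilings /etc/shaperd/shaperd.conf to see which classes can exceed their nominal limit.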
P.S.
The tcpmss line in firewall_with_shaperd.sh is extremely important,
because without it the back-end A and B Boxes cannot use MSN.
As for why: the Reference below mentions this setting.
Reference:
/usr/share/doc/shaperd/README.gz
http://linux.tnc.edu.tw/techdoc/b2dfw_intro/x1057.html
http://bbs.itzero.com/viewthread.php?tid=98076
http://phorum.study-area.org/index.php?action=printpage;topic=9518.0




