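--- a/script_qos.sh
+++ b/script_qos.sh
@@ -0,0 +1,139 @@
+<code>
+# Constantes
+LOCALNET="x.x.x.x/255.255.255.255"
+MARKPRIO1="1"
+MARKPRIO2="2"
+MARKPRIO3="3"
+MARKPRIO4="4"
+##definitiondesconstantespourTC
+
+IFACE=eth0
+
+#Taux
+
+UPRATE="20mbit"
+PRIORATE1="10mbit"
+PRIORATE2="10mbit"
+PRIORATE3="7mbit"
+PRIORATE4="2mbit"
+
+# Quanta Les quanta decrivent comment la bande passante est repartie entre #qdiscs.
+
+QUANTUM1="12187"
+QUANTUM2="8625"
+QUANTUM3="5062"
+QUANTUM4="1500"
+
+## #Burst
+## bursts determinent de combien de octets un qdsic peut depasser le taux avant d etre #arrete
+
+BURST1="1000k"
+BURST2="400k"
+BURST3="200k"
+BURST4="10k"
+
+## Le cburst sert a savoir de combien on a le droit de continuer avant que la connexion ne #stop.
+
+CBURST1="3000k"
+CBURST2="2000k"
+CBURST3="100k"
+CBURST4="10k"
+
+# politique de base. iptables #!
+
+iptables -P INPUT ACCEPT
+iptables -P OUTPUT ACCEPT
+iptables -P FORWARD ACCEPT
+
+# Purger toutes les #tables
+
+iptables -F INPUT
+iptables -F OUTPUT
+iptables -F FORWARD
+iptables -t mangle -F OUTPUT
+iptables -t mangle -F FORWARD
+
+# Definition des #priorites
+
+# Prio 1, les services #prioritaires.
+# icmp
+
+iptables -t mangle -A FORWARD -p icmp -j MARK --set-mark $MARKPRIO1
+iptables -t mangle -A OUTPUT -p icmp -j MARK --set-mark $MARKPRIO1
+iptables -t mangle -A INPUT -p icmp -j MARK --set-mark $MARKPRIO1
+
+# ssh (afin de ne pas laguer sur le ssh en #input)
+
+iptables -t mangle -A FORWARD -p tcp --dport 22 -j MARK --set-mark $MARKPRIO1
+iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark $MARKPRIO1
+iptables -t mangle -A INPUT -p tcp --dport 22 -j MARK --set-mark $MARKPRIO1
+
+# non tcp (pour ne pas avoir de soucis avec la resolution #dns)
+
+iptables -t mangle -A INPUT -p ! tcp -j MARK --set-mark $MARKPRIO1
+iptables -t mangle -A FORWARD -p ! tcp -j MARK --set-mark $MARKPRIO1
+iptables -t mangle -A OUTPUT -p ! tcp -j MARK --set-mark $MARKPRIO1
+
+# Prio #2
+
+# #smtp
+iptables -t mangle -A FORWARD -p tcp --dport 25 -j MARK --set-mark $MARKPRIO3
+iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark $MARKPRIO3
+
+# Prio #3
+
+# http | appriori pas besoin de brider l #input
+
+iptables -t mangle -A FORWARD -p tcp --dport 80 -j MARK --set-mark $MARKPRIO3
+iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark $MARKPRIO3
+
+# #https
+
+iptables -t mangle -A FORWARD -p tcp --dport 443 -j MARK --set-mark $MARKPRIO3
+iptables -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark $MARKPRIO3
+
+# ftp # pas besoin de brider l #input.
+
+iptables -t mangle -A FORWARD -p tcp --dport 21 -j MARK --set-mark $MARKPRIO3
+iptables -t mangle -A OUTPUT -p tcp --dport 21 -j MARK --set-mark $MARKPRIO3
+
+# Prio #4
+# packets > 1024 bytes
+
+iptables -t mangle -A FORWARD -p tcp -m length --length 1024: -j MARK --set-mark $MARKPRIO4
+
+
+
+## definition des regles de traffic #shaping.
+
+## longueur de la queue pour #eth0
+ifconfig $IFACE txqueuelen 128
+
+## on defini la class root ! et sa file d #attente
+
+tc qdisc add dev $IFACE root handle 1:0 htb default 103 r2q 1
+tc class add dev $IFACE parent 1:0 classid 1:1 htb rate $UPRATE burst $BURST1 cburst $CBURST1
+
+
+## les sous #classes
+
+tc class add dev $IFACE parent 1:1 classid 1:101 htb rate $PRIORATE1 ceil $UPRATE quantum $QUANTUM1 burst $BURST1 cburst $CBURST1 prio 0
+tc class add dev $IFACE parent 1:1 classid 1:102 htb rate $PRIORATE2 ceil $UPRATE quantum $QUANTUM2 burst $BURST2 cburst $CBURST2 prio 1
+tc class add dev $IFACE parent 1:1 classid 1:103 htb rate $PRIORATE3 ceil $UPRATE quantum $QUANTUM3 burst $BURST3 cburst $CBURST3 prio 2
+tc class add dev $IFACE parent 1:1 classid 1:104 htb rate $PRIORATE4 ceil $P2PRATE quantum $QUANTUM4 burst $BURST4 cburst $CBURST4 prio 3
+
+## filtrage des packets marke grace a #iptables.
+
+tc filter add dev $IFACE parent 1:0 protocol ip prio 0 handle $MARKPRIO1 fw classid 1:101
+tc filter add dev $IFACE parent 1:0 protocol ip prio 1 handle $MARKPRIO2 fw classid 1:102
+tc filter add dev $IFACE parent 1:0 protocol ip prio 2 handle $MARKPRIO3 fw classid 1:103
+tc filter add dev $IFACE parent 1:0 protocol ip prio 3 handle $MARKPRIO4 fw classid 1:104
+
+## regles de file de #attente
+
+tc qdisc add dev $IFACE parent 1:101 sfq perturb 16 quantum $QUANTUM1
+tc qdisc add dev $IFACE parent 1:102 sfq perturb 16 quantum $QUANTUM2
+tc qdisc add dev $IFACE parent 1:103 sfq perturb 16 quantum $QUANTUM3
+tc qdisc add dev $IFACE parent 1:104 sfq perturb 16 quantum $QUANTUM4
+
+</code>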
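Review bot: `$P2PRATE` on the `classid 1:104` class line is never assigned anywhere in the script, so it expands to nothing and `tc` is handed `ceil quantum 1500`, which should make that class add fail; define it next to the other rates (e.g. `P2PRATE="2mbit"`, a constructed value) or use `ceil $UPRATE` like the three sibling classes. The two smtp rules under `# Prio #2` set `$MARKPRIO3`, so class 1:102 and its `fw` filter never receive traffic — presumably `$MARKPRIO2` was intended there. The purge flushes mangle OUTPUT and FORWARD but not mangle INPUT, while three rules are later appended to that chain, so each re-run accumulates duplicate INPUT marks; add `iptables -t mangle -F INPUT` beside the other two flushes. Separately, `iptables -P … ACCEPT` followed by `iptables -F INPUT/OUTPUT/FORWARD` discards whatever filter-table policy the host already had — a shaping script only needs the mangle table, so dropping those five lines (or at least commenting that they reset the firewall) avoids silently opening the host when the script runs.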