Linux ingress filtering based on a private destination IP address

I am trying to set up a QoS script on my OpenWRT box so that traffic coming from the Internet is classified into a low-prio class and a high-prio class. The criterion for classifying the traffic is the destination IP address in the home network, i.e. the private IP address. In particular, if the traffic's destination IP = 192.168.1.22 it should go to low prio, otherwise to high prio.

To achieve this, I previously redirected all the Internet traffic arriving on my eth1 interface to an IFB device, where I do the traffic shaping. However, the problem I am facing now is that all the traffic goes into the high-prio class. To do the filtering I use iptables to set a mark on the incoming traffic, and I guess this is where I am doing something wrong. I insert my filter rules in the "mangle" table, where I have tried the PREROUTING, FORWARD and POSTROUTING chains, but it does not work in any of these chains.

Any help is appreciated.

Best regards

Daniel

I attach here the script I am using:

#!/bin/sh
# Variable definition
ETH=eth1
IFB=ifb1
IP_LP="192.168.1.22/32"
DL_RATE="900kbit"
HP_RATE="890kbit"
LP_RATE="10kbit"
TC="tc"
IPTABLES="iptables"

# Loading the required modules
insmod ifb
insmod sch_htb
insmod sch_ingress
insmod ipt_IMQ
insmod act_mirred
insmod act_connmark
insmod cls_u32
insmod cls_fw
insmod em_u32

# Bringing up the $IFB interface, and redirecting all the ingress traffic arriving to the $ETH interface to it
$TC qdisc del dev $ETH ingress
$TC qdisc add dev $ETH ingress
ifconfig $IFB up
$TC filter add dev $ETH parent ffff: protocol ip prio 1 u32 match u32 0 0 flowid 1:1 action mirred egress redirect dev $IFB

# Adding the HTB scheduler to the ingress interface
$TC qdisc add dev $IFB root handle 1: htb default 11

# add main rate limit classes
$TC class add dev $IFB parent 1: classid 1:1 htb rate $DL_RATE

# add leaf classes: set the maximum bandwidth that each priority class can get, and the maximum borrowing they can do
$TC class add dev $IFB parent 1:1 classid 1:10 htb rate $LP_RATE ceil $DL_RATE
$TC class add dev $IFB parent 1:1 classid 1:11 htb rate $HP_RATE ceil $DL_RATE

# filter traffic into classes by fwmark
$TC filter add dev $IFB parent 1:0 prio 0 protocol ip handle 10 fw flowid 1:10   # packets with MARK 10 go to classid 1:10
$TC filter add dev $IFB parent 1:0 prio 0 protocol ip handle 11 fw flowid 1:11   # packets with MARK 11 go to classid 1:11

# add MYSHAPER-IN chain to the mangle table in iptables
$IPTABLES -t mangle -N MYSHAPER-IN                        # create a user defined chain in the mangle table
$IPTABLES -t mangle -I PREROUTING -i $ETH -j MYSHAPER-IN  # insert a rule in the PREROUTING chain to jump to our chain

# add fwmark entries to classify different types of traffic - Set fwmark according to the priority.
$IPTABLES -t mangle -A MYSHAPER-IN -d $IP_LP -j MARK --set-mark 10            # rule to mark packets addressed to the low prio host
$IPTABLES -t mangle -A MYSHAPER-IN -m mark --mark 0 -j MARK --set-mark 11     # rule to mark any unmarked packets as high prio

Here you can see how the incoming traffic is successfully redirected to the IFB interface, but it all goes into the high-prio class (and of course, while I took these statistics, the low-prio host was receiving data):

:~# tc -s class show dev ifb1
class htb 1:11 parent 1:1 prio 0 rate 890000bit ceil 900000bit burst 1599b cburst 1599b
 Sent 71763116 bytes 58364 pkt (dropped 7296, overlimits 0 requeues 0)
 rate 893208bit 84pps backlog 0b 31p requeues 0
 lended: 57510 borrowed: 823 giants: 0
 tokens: -50586 ctokens: -189649

class htb 1:10 parent 1:1 prio 0 rate 10000bit ceil 900000bit burst 1600b cburst 1599b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 20000000 ctokens: 222218

class htb 1:1 root rate 900000bit ceil 900000bit burst 1599b cburst 1599b
 Sent 71720770 bytes 58333 pkt (dropped 0, overlimits 0 requeues 0)
 rate 891776bit 84pps backlog 0b 0p requeues 0
 lended: 823 borrowed: 0 giants: 0
 tokens: -189649 ctokens: -189649

I finally managed to solve this, so I am writing it down here in case it is useful to someone else. The trick is to use an IMQ device instead of an IFB device. There is no problem then classifying with iptables and using IMQ.

Best regards

Daniel

This is the working script:

#!/bin/sh
# This script classifies all the Internet traffic addressed to a given IP in our LAN (IP_LP) as low priority.
# All the rest of traffic is classified as high priority. In the absence of high prio the low prio can grab all the bandwidth.
# However, when there is high prio traffic the low prio one is limited to 10Kbps.
INTERNET="eth1"
IMQ="imq1"
IP_LP="192.168.1.22/32"
DL_RATE="900kbit"
HP_RATE="890kbit"
LP_RATE="10kbit"
TC="tc"
IPTABLES="iptables"
IFCONFIG="ifconfig"

# Loading the required modules
# (the imq device module itself, with at least two devices so that imq1 exists, is assumed to be loaded already)
insmod ifb
insmod sch_htb
insmod sch_ingress
insmod ipt_IMQ
insmod act_mirred
insmod act_connmark
insmod cls_u32
insmod cls_fw
insmod em_u32

# Bringing up the IMQ device
$IFCONFIG $IMQ up

# Adding the HTB scheduler to the ingress interface
$TC qdisc add dev $IMQ root handle 1: htb default 11

# add main rate limit classes
$TC class add dev $IMQ parent 1: classid 1:1 htb rate $DL_RATE

# add leaf classes: set the maximum bandwidth that each priority class can get, and the maximum borrowing they can do
$TC class add dev $IMQ parent 1:1 classid 1:10 htb rate $LP_RATE ceil $DL_RATE
$TC class add dev $IMQ parent 1:1 classid 1:11 htb rate $HP_RATE ceil $DL_RATE

# Filtering packets according to destination IP address
$TC filter add dev $IMQ parent 1: protocol ip prio 1 u32 match ip dst $IP_LP flowid 1:10

# Sending packets into the IMQ device from the mangle FORWARD chain, i.e. after DNAT has been done in PREROUTING,
# so the destination address is already the private LAN address and the u32 filter above can match it
$IPTABLES -t mangle -A FORWARD -i $INTERNET -j IMQ --todev 1
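As an added example (not Daniel's script), here is the variant that keeps the IFB device instead of IMQ: the flow is tagged with CONNMARK in the mangle FORWARD chain, and act_connmark (a module the original script already loads) copies that connection mark onto the packet at ingress, before the redirect, so the fw filter on the IFB can see it. It assumes eth1, ifb1 and 192.168.1.22 as in the question, a kernel with act_connmark and conntrack, and a hypothetical `run` helper whose DRY_RUN mode only prints the commands.

```shell
#!/bin/sh
# Added example, not the poster's script: keep the IFB, but carry the
# classification in the conntrack mark (CONNMARK) and restore it with
# act_connmark at ingress, before the redirect, so the fw filter on the IFB
# sees it. Assumed: WAN eth1, IFB ifb1, low-prio host 192.168.1.22, kernel
# with act_connmark, act_mirred, cls_fw, cls_u32, sch_htb, sch_ingress, nf_conntrack.
WAN="${WAN:-eth1}"
IFB="${IFB:-ifb1}"
IP_LP="${IP_LP:-192.168.1.22/32}"
DL_RATE="900kbit"; HP_RATE="890kbit"; LP_RATE="10kbit"

# Hypothetical helper: with DRY_RUN=1 it prints each command instead of running it.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Mark the whole connection, in either direction, once any packet of it is
# seen in FORWARD (after DNAT, so the private address is visible here).
mark_connections() {
  run iptables -t mangle -A FORWARD -s "$IP_LP" -j CONNMARK --set-mark 10
  run iptables -t mangle -A FORWARD -d "$IP_LP" -j CONNMARK --set-mark 10
}

# The ingress qdisc runs before netfilter, so a MARK set in PREROUTING is not
# yet on the packet when it is redirected. act_connmark looks the flow up in
# conntrack and copies its connmark into the skb mark before the redirect.
redirect_ingress() {
  run tc qdisc add dev "$WAN" handle ffff: ingress
  run tc filter add dev "$WAN" parent ffff: protocol ip prio 1 u32 match u32 0 0 \
    action connmark action mirred egress redirect dev "$IFB"
}

# Same HTB tree as in the question; the fw classifier now sees mark 10.
shape_ifb() {
  run ip link set dev "$IFB" up
  run tc qdisc add dev "$IFB" root handle 1: htb default 11
  run tc class add dev "$IFB" parent 1: classid 1:1 htb rate "$DL_RATE"
  run tc class add dev "$IFB" parent 1:1 classid 1:10 htb rate "$LP_RATE" ceil "$DL_RATE"
  run tc class add dev "$IFB" parent 1:1 classid 1:11 htb rate "$HP_RATE" ceil "$DL_RATE"
  run tc filter add dev "$IFB" parent 1: protocol ip prio 1 handle 10 fw flowid 1:10
}

# Check: after the host downloads, class 1:10 should show a non-zero "Sent"
# and the two CONNMARK rules non-zero packet counters.
verify() {
  run tc -s class show dev "$IFB"
  run iptables -t mangle -L FORWARD -v -n
}

setup() { mark_connections; redirect_ingress; shape_ifb; }

if [ "${1:-}" = "setup" ]; then setup; fi
```

The very first packet of a new connection carries no connmark yet and lands in the default high-prio class; every following packet of that flow is classified by the restored mark.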