Why is my linux traffic shaping script having limited results?

linux iptables traffic-shaping

I am trying to introduce some traffic rules to my Linux passthrough server that will give a better QoS for the following:

1) Low port traffic out of the box (web traffic and mail, etc). 2) Low port traffic into the box - specifically port web management (80) and SSH (22). 3) Put file sharing priority last. I.e. all other traffic.

I have adapted a shell script to set up some basic rules using tc and htb:

#!/bin/bash

UPLINK=7000
DOWNLINK=500

tc qdisc del dev eth0 root    2> /dev/null > /dev/null
tc qdisc del dev eth1 root    2> /dev/null > /dev/null

ip link set dev eth0 qlen 30 2> /dev/null > /dev/null
ip link set dev eth0 mtu 576 2> /dev/null > /dev/null

# add HTB root qdisc
tc qdisc add dev eth0 root handle 1: htb default 40
tc class add dev eth0 parent 1: classid 1:1 htb rate ${UPLINK}kbit

tc class add dev eth0 parent 1:1 classid 1:5 htb rate $[$UPLINK]kbit ceil ${UPLINK}kbit quantum 1 prio 0
tc class add dev eth0 parent 1:1 classid 1:10 htb rate $[(($UPLINK/8)*3)]kbit ceil ${UPLINK}kbit quantum 1 prio 1
tc class add dev eth0 parent 1:1 classid 1:20 htb rate $[(($UPLINK/8)*3)]kbit ceil ${UPLINK}kbit quantum 1 prio 2
tc class add dev eth0 parent 1:1 classid 1:30 htb rate $[(($UPLINK/8)*1)]kbit ceil ${UPLINK}kbit quantum 1 prio 3
tc class add dev eth0 parent 1:1 classid 1:40 htb rate $[(($UPLINK/8)*1)]kbit ceil ${UPLINK}kbit quantum 1 prio 4

# No SFQ because we should have almost no queue here. Better dropping packets than delay them in VoIP
tc qdisc add dev eth0 parent 1:20 handle 5: pfifo limit 5
tc qdisc add dev eth0 parent 1:10 handle 10: pfifo limit 30
tc qdisc add dev eth0 parent 1:20 handle 20: pfifo limit 30
tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10 limit 200
tc qdisc add dev eth0 parent 1:40 handle 40: sfq perturb 10 limit 300

iptables -t mangle -F QOSSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -X QOSSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -D POSTROUTING -o eth0 -j QOSSHAPER-OUT 2> /dev/null > /dev/null

########################################################################################################

iptables -t mangle -N QOSSHAPER-OUT
iptables -t mangle -I POSTROUTING -o eth0 -j QOSSHAPER-OUT

# ensure min delay by TOS field
iptables -t mangle -A QOSSHAPER-OUT -m tos --tos 0x10 -j CLASSIFY --set-class 1:5

iptables -t mangle -A QOSSHAPER-OUT -p icmp -j CLASSIFY --set-class 1:20
iptables -t mangle -A QOSSHAPER-OUT -p udp --dport domain -j CLASSIFY --set-class 1:20
iptables -t mangle -A QOSSHAPER-OUT -p tcp --tcp-flags SYN,RST,ACK SYN,FIN -j CLASSIFY --set-class 1:20
iptables -t mangle -A QOSSHAPER-OUT -p tcp -m length --length 60 -j CLASSIFY --set-class 1:30   #Small packets

########################################################################################################

I have then added some IPTABLES rules to shape the traffic.

-A POSTROUTING -o eth0 -j QOSSHAPER-OUT 
-A QOSSHAPER-OUT -p tcp -m tcp --sport 80 -j CLASSIFY --set-class 0001:0020 
-A QOSSHAPER-OUT -p tcp -m tcp --sport 22 -j CLASSIFY --set-class 0001:0020 
-A QOSSHAPER-OUT -p tcp -m tcp --sport 7080 -j CLASSIFY --set-class 0001:0020 
-A QOSSHAPER-OUT -p tcp -m tcp --sport 9080 -j CLASSIFY --set-class 0001:0020 
-A QOSSHAPER-OUT -p tcp -m tcp --sport 1:1024 -j CLASSIFY --set-class 0001:0030 
-A QOSSHAPER-OUT -p tcp -m tcp --dport 1:1024 -j CLASSIFY --set-class 0001:0030 
-A QOSSHAPER-OUT -m tos --tos 0x10/0xff -j CLASSIFY --set-class 0001:0005 
-A QOSSHAPER-OUT -p icmp -j CLASSIFY --set-class 0001:0020 
-A QOSSHAPER-OUT -p udp -m udp --dport 53 -j CLASSIFY --set-class 0001:0020 
-A QOSSHAPER-OUT -p tcp -m tcp --tcp-flags SYN,RST,ACK FIN,SYN -j CLASSIFY --set-class 0001:0020 
-A QOSSHAPER-OUT -p tcp -m length --length 60 -j CLASSIFY --set-class 0001:0030

In case you are wondering port 7080 and 9080 are used for proxying.

I was hoping that LAN subscribers would be able to have priority on port 80 and that admin users would have WAN access on port 80 and 22 above all incoming traffic - however the rules have made little difference.

Any advice or insight welcome.


Three things to check:

  1. I am not aware of your network topology but are you sure you want to use sport to classify the traffic in iptables? Maybe you intended dport.

  2. Use the iptables logging module. They have nice examples in the man page. Using the logging module, you can easily discern if the packets are being classified as you intended them to be or not.

  3. Use the iperf tool to stress out and test the effectiveness of your new router!

Related

Vista VMWare Release SysPrep/Activation Best Practice?
Change DPI of one user using W2K3 Remote Desktop / Terminal Server
What's the difference between Windows Server 2008 Standard and Web? [duplicate]
Skip new Windows 7 user selection and go to login prompt
How to Transfer a "Premium" Domain to another Registrar
Why getting a permission denied (public key) error for SCP when SSH works
How to display a graph only for business hours with CACTI?
Changing the block state of an existing block
I have 2 pets, do they interact with each other?
How do I transition to Thermal Aquatuners without any oil? (Berry Blossoms dying)
How do I repair the cannon in Ancient Gardens?
Do thrown eggs deal damage?