tc traffic control (Part 1)

<strong>I. TC overview</strong>

TC rules mainly involve three things: queues (QUEUE), classes (CLASS) and filters (FILTER). Besides managing traffic from the internal network to the outside, TC can also work together with the set-mark marking matched by filters to control upload traffic. TC has two ways of controlling traffic: HTB and CBQ. HTB is an optimisation of the CBQ approach; it meets QoS requirements well without writing much complex code, and it is the method we use most of the time.






<strong>II. Why the network gets slow, and how TC works</strong>

1. Why the speed drops






a. TCP/IP requires an ACKNOWLEDGE message to be returned for every packet; that is, transmitted data needs a reply confirming receipt before the sender can decide the subsequent transmission speed and whether lost data must be retransmitted. Part of the upstream bandwidth is used to carry these ACKs. When the upstream bandwidth is heavily occupied, the delivery of the ACKs slows down, which in turn slows down the download speed.






b. Experiments show that when the upload is saturated, the download speed drops to 40% of its original value or even lower. If an upload (including ftp uploads and sending mail via SMTP) is large, a single transfer saturates the bandwidth, and all packets then queue and wait on a first-in, first-out basis. This explains why, when someone on the LAN uploads a file via ftp or sends a large mail, the whole network becomes very slow.






2. How TC works






To solve these speed problems, the data passing over the link is divided into flows according to rules. The bottleneck that used to sit on the broadband link is moved onto our Linux router, where we can cap the bandwidth slightly below what we purchased. That way we can conveniently use tc to classify and control the data passing through.

Picture it like the lanes on a road: there is a fast lane, a lane for small vehicles and a lane for large vehicles. Traffic that needs to be fast (syn, ack, icmp, ssh and so on) takes the fast lane; bulk transfers (ftp-data, smtp and so on) take the heavy lane, so that they cannot block the whole road. Each kind of traffic keeps to its own lane.



3. Using tc together with iptables

We set up filters so that iptables does the classification of packets, because iptables is more flexible and can also keep a counter for every rule. iptables marks packets in the mangle chain; this tells the kernel that a packet carries a specific FWMARK value (handle x fw) indicating which class it should be sent to (classid x:x). prio is the priority value, indicating which important data should go first through which channel. The first step is to choose the queue (we choose htb).






The system default is a fifo (first in, first out) queue, meaning packets are handled in the order they arrive. If a large packet is at the front, the packets behind it can only be sent after it has finished, so even a tiny ack packet behind it has to wait. This is how uploading hurts downloading, and having a large download bandwidth does not help at all.






HTB (Hierarchical Token Bucket) works like CBQ, but it does not shape traffic by computing idle time; it is a classful token bucket filter and has only a few parameters.






Structure diagram:

                      1:
            __________|__________
           |                     |
          1:1                   1:2
         __|__          _________|_________
        |     |        |      |      |      |
      1:11  1:12     1:21   1:22   1:23   1:24

Priority order: 1:11 1:12 1:21 1:22 1:23 1:24






<strong>III. How to use the TC command</strong>

1. Create an HTB root whose default class is 1:20 (class 1:20 must be defined later)
#tc qdisc add dev eth0 root handle 1: htb default 20
2. Create an HTB class; this is where the traffic limit is applied, and where the burst allowance (burst 20k below) is set.
#tc class add dev eth0 parent 1: classid 1:1 htb rate 200kbit ceil 200kbit burst 20k
3. Create a filter rule that picks out the traffic to be limited and hands it to the class above for rate limiting.
#tc filter add dev eth0 parent 1: prio 1 protocol ip u32 match ip sport 80 0xffff flowid 1:1
Parameter description:




 rate  rate allocated to this class (class can still borrow)
 burst    max bytes burst which can be accumulated during idle period {computed}
 mpu      minimum packet size used in rate computations
 overhead per-packet size overhead used in rate computations
 ceil     definite upper class rate (no borrows) {rate}
 cburst   burst but for ceil {computed}
 mtu      max packet size we create rate map for {1600}
 prio     priority of leaf; lower are served first {0}
 quantum  how much bytes to serve from leaf at once {use r2q} 

In everyday use we only need four of these:

burst: the burst allowance

rate: the bandwidth a class is guaranteed to get; if there is more than one class, make sure the sum of all child classes is less than or equal to the parent class.

ceil: the maximum bandwidth a class can get.

prio: the priority setting; the larger the number, the lower the priority. When spare bandwidth is handed out, the class with the smaller number gets first claim on the idle bandwidth.






4. Another queueing discipline often configured together with HTB: SFQ

Stochastic Fairness Queueing (SFQ). The key word for SFQ is "session" (or flow), mainly a TCP session or a UDP flow. Traffic is split into a fairly large number of FIFO queues, one per session. Data is sent in simple round-robin fashion, so every session gets its turn to send. This is very fair and guarantees that no session is drowned out by the others. SFQ is called "stochastic" because it does not really create one queue per session; instead it uses a hash algorithm to map all sessions onto a limited number of queues. The result is that no single connection can keep hogging the bandwidth, and the bandwidth is shared fairly on average.




# The perturb parameter is the number of seconds after which the hash algorithm is reconfigured; the default is 10 seconds.
tc qdisc add dev eth0 parent 1:11 handle 111: sfq perturb 5



Set up the filter: handle is the mark value set by iptables, so that packets given different mark values by iptables in the mangle chain are steered to different channels (classid); prio is the priority of the filter.

tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:11






Example of limiting the downstream direction

#tc qdisc add dev $DEV handle ffff: ingress
#tc filter add dev $DEV parent ffff: protocol ip prio 50 handle 8 fw police rate ${downlink}kbit burst 10k drop flowid :8






# Set the ingress rule: the idea is to control the ports that often cause large-file downloads so that they do not come in too fast and cause congestion; packets that come in too fast are simply dropped, so no machine time or effort is wasted processing them. Keep the downstream rate at roughly 1000-1500K (about 50% of the bandwidth); that speed is already enough, and it leaves room for more concurrent download connections.



If the traffic on the internal network is not too wild, there is no need to limit downloads at all; just comment out the two lines above with a # sign.

To rate-limit all incoming data, use the following line.
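The HTB tree from the structure diagram, the SFQ leaves, the fw filters and the ingress policer of this section assembled into one script, as an added example that is not part of the original post. The interface name, the uplink and downlink rates and the per-leaf rates are constructed assumptions; the script only prints the tc commands unless APPLY=1 is set, so it can be reviewed before anything touches the router.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the HTB tree drawn in
# the structure diagram (1: -> 1:1 and 1:2 -> leaves 1:11..1:24), hangs an SFQ
# qdisc under every leaf, binds iptables fw marks 1..6 to those leaves, and
# polices ingress packets marked 8. Interface name and all rates below are
# constructed sample values. Nothing is executed unless APPLY=1 is set.

DEV="${DEV:-eth0}"            # interface towards the ISP (assumed)
UPLINK="${UPLINK:-2000}"      # uplink in kbit, a bit below the purchased rate (assumed)
DOWNLINK="${DOWNLINK:-1500}"  # ingress police rate in kbit (assumed)

# Print the command in dry-run mode, execute it when APPLY=1.
run() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi; }

# Guard from the post: the sum of the child rates must not exceed the parent.
# check_rates PARENT_KBIT CHILD_KBIT...  -> status 0 when sum <= parent
check_rates() {
    parent=$1; shift
    sum=0
    for r in "$@"; do sum=$((sum + r)); done
    [ "$sum" -le "$parent" ]
}

# Leaves: classid parent rate_kbit class_prio fwmark (the mark iptables sets)
LEAVES='1:11 1:1 200 0 1
1:12 1:1 200 1 2
1:21 1:2 400 2 3
1:22 1:2 400 3 4
1:23 1:2 400 4 5
1:24 1:2 400 5 6'

build_tree() {
    # 1:1 carries its two leaves (400), 1:2 its four leaves (1600)
    check_rates "$UPLINK" 400 1600 || { echo "leaf rates exceed uplink" >&2; return 1; }
    run tc qdisc del dev "$DEV" root 2>/dev/null || true
    # unmarked traffic falls into 1:24, as in section IV of the post
    run tc qdisc add dev "$DEV" root handle 1: htb default 24
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate 400kbit ceil "${UPLINK}kbit"
    run tc class add dev "$DEV" parent 1: classid 1:2 htb rate 1600kbit ceil "${UPLINK}kbit"
    printf '%s\n' "$LEAVES" | while read -r cid parent rate prio mark; do
        run tc class add dev "$DEV" parent "$parent" classid "$cid" htb \
            rate "${rate}kbit" ceil "${UPLINK}kbit" prio "$prio"
        # one SFQ per leaf so that no single flow monopolises the class
        run tc qdisc add dev "$DEV" parent "$cid" handle "${cid#1:}:" sfq perturb 10
        # steer packets carrying this fw mark into the leaf
        run tc filter add dev "$DEV" parent 1:0 protocol ip prio 1 handle "$mark" fw classid "$cid"
    done
    # ingress side: police replies from bulk download ports (marked 8)
    run tc qdisc add dev "$DEV" handle ffff: ingress
    run tc filter add dev "$DEV" parent ffff: protocol ip prio 50 handle 8 fw \
        police rate "${DOWNLINK}kbit" burst 10k drop flowid :8
}

build_tree
```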




<strong>IV. Using tc and iptables together</strong>

Start by marking the packets: outgoing packets of the different classes (selected by dport) are marked 1 to 6 so that they take different channels. Incoming packets (selected by sport) are marked 8 so that they are subject to the downstream limit and cannot come in so fast that they hurt everyone. The return following each rule means the RETURN target is used so that the remaining rules do not have to be traversed, which speeds up processing.



Set up the TOS handling:
# Minimize-Delay (minimum delay)
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j RETURN
# Minimize-Cost (minimum cost)
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j MARK --set-mark 4
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j RETURN
# Maximize-Throughput (maximum throughput)
iptables -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 5
iptables -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j RETURN
## It is very wise to raise the priority of initial TCP connections (that is, packets carrying SYN).
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
# We want ICMP (ping) to respond well, so put it in the first class.
iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p icmp -j RETURN
# small packets (probably just ACKs): packets shorter than 64 bytes usually need to be fast; they are generally TCP acknowledgements, so give them the faster channel.
iptables -t mangle -A PREROUTING -p tcp -m length --length :64 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m length --length :64 -j RETURN

# ftp (control) goes in the second class, because it is generally small packets; ftp-data goes in class 5, because it is generally bulk data transfer.

iptables -t mangle -A PREROUTING -p tcp -m tcp --dport ftp -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport ftp -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport ftp-data -j MARK --set-mark 5
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport ftp-data -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport ftp -j MARK --set-mark 8
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport ftp -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport ftp-data -j MARK --set-mark 8
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport ftp-data -j RETURN
# Raise the priority of SSH packets: put them in class 1. SSH is interactive and important and must not be kept waiting:
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 22 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 22 -j RETURN
# SMTP mail goes in class 4, because sometimes someone sends a very large mail; to keep it from clogging things up, let it run in lane 4
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 25 -j MARK --set-mark 4
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 25 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 25 -j MARK --set-mark 8
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 25 -j RETURN
# name/domain server: put it in class 1, so that connections made by domain name can quickly find the corresponding address, improving speed
iptables -t mangle -A PREROUTING -p udp -m udp --dport 53 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p udp -m udp --dport 53 -j RETURN
# HTTP: put it in class 3; it is the most common and most widely used
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j MARK --set-mark 8
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j RETURN
# POP mail goes in class 3:
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 110 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 110 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 110 -j MARK --set-mark 8
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 110 -j RETURN
# MICROSOFT-SQL-SERVER: put it in class 2; here I consider it fairly important and want to guarantee its speed and priority
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 1433 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 1433 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 1433 -j MARK --set-mark 8
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 1433 -j RETURN
# https: put it in class 3
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 443 -j MARK --set-mark 8
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 443 -j RETURN
# VoIP: raise its priority; voice has to stay fast or it breaks up
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 1720 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 1720 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 1720 -j MARK --set-mark 8
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 1720 -j RETURN
# VPN used for VoIP also has to take the fast lane, or it breaks up
iptables -t mangle -A PREROUTING -p udp -m udp --dport 7707 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p udp -m udp --dport 7707 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 7070 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 7070 -j RETURN
# Raise the priority of locally generated ssh and icmp packets: class 1
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 22 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 22 -j RETURN
iptables -t mangle -A OUTPUT -p icmp -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p icmp -j RETURN
# Local small packets (probably just ACKs)
iptables -t mangle -A OUTPUT -p tcp -m length --length :64 -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -p tcp -m length --length :64 -j RETURN



# After adding the mangle rules to PREROUTING, finish the prerouting chain with this rule: packets that were not marked by the rules above are handed to 1:24. This is actually unnecessary, because 1:24 is the default class, but marking them anyway keeps the whole setup consistent, and it also lets you read the packet counter of the rule:

iptables -t mangle -A PREROUTING -i $DEV -j MARK --set-mark 6

Restricting a particular host:

iptables -t mangle -I PREROUTING 1 -s 192.168.xx.xx -j MARK --set-mark 6

iptables -t mangle -I PREROUTING 2 -s 192.168.xx.xx -j RETURN






Using u32:

tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 ...... This is the so-called u32 match, which can match any part of a packet.



By source/destination address (a single IP address can be written with /32):

match ip src 0.0.0.0/0

match ip dst 1.2.3.0/24

By source/destination port:

match ip sport 80 0xffff

match ip dport 80 0xffff






By IP protocol:

match ip protocol (udp tcp icmp gre ipsec)

For example, icmp is protocol 1: match ip protocol 1 0xff






Examples:

tc filter add dev $DEV parent 1:0 protocol ip prio 1 u32 match ip dst 4.3.2.1/32 flowid 10:1

tc filter add dev $DEV parent 1:0 protocol ip prio 1 u32 match ip src 4.3.2.1/32 match ip sport 80 0xffff flowid 10:1


