Home Page

23/11/2001 : This page is not valid. Please go to docum.org

  • Warning
  • This setup is NOT tested at all. In theory it works. When I have the time, I will create all the scripts you need and test them, including the firewall settings.

  • Setup
  • I have a Linux box with 3 NICs that I want to use as a firewall. eth0 is connected to the internet with a 256kbit/s connection, eth1 is connected to the local LAN (which is masqueraded) and eth2 is connected to the DMZ servers. I want to control the available bandwidth to the internet.

    The DMZ contains 2 servers: an FTP server and a web server. These servers are important and have a guaranteed bandwidth of 192kbit/s (75% of the total link bandwidth). The web server is the more important one and needs a minimum bandwidth of 128kbit/s (50% of 256kbit/s and 66.7% of 192kbit/s).

    The IT staff has to share the available bandwidth with the users, but it is shared equally, so each side gets at least 50% of the available bandwidth. The users may bypass the proxy server, but the proxy server always gets at least 75% of the user bandwidth. The total bandwidth of the users is limited to 50% of the available LAN bandwidth.

    Internet
        Network Card: eth0, 10mbit, 1.1.1.10
        Router: 256kbps
        Default GateWay: 1.1.1.100
    DMZ
        Network Card: eth1, 10mbit, 1.1.1.10
        FTP-server : 1.1.1.1
        Web-server : 1.1.1.2
    LAN
        Network Card: eth2, 10mbit, 10.10.10.254
          Netmask: 255.255.255.0
        Proxy-server : 10.10.10.100
        Managers : 10.10.10.1 and 10.10.10.2
    QOS
        Web and ftp : minimum 75% of total bandwidth (= server-bandwidth)
        Web gets minimum 2/3 (66.7%) of server-bandwidth
        Users : Max 32kbps down via Proxy-server
        Manager : minimum 50%
    
    256kbps (downstream) shaping :
        Servers : 192kbps            (75% of 256kbps)
            web : 128kbps                (67% of 192kbps)
            FTP : 64kbps                 (33% of 192kbps)
        LAN : 64kbps                 (25% of 256kbps)
            Users : 32kbps               (50% of 64kbps)
                Users via proxy: 24kbps      (75% of 32kbps)
                Users NOT via proxy: 8kbps   (25% of 32kbps)
            Manager : 32kbps             (50% of 64kbps)
    

  • Used filter
  • To control the LAN, I have to mark the packets with iptables when they enter the firewall on eth2. These marks survive the masquerading and can be used on eth0 to divide the traffic with the fw filter and put it in different classes. The traffic of the FTP and web server is marked as well.

    I will use these marks (the same numbers appear in the scripts below):

        1 : Users via the proxy-server (10.10.10.100)
        2 : Managers (10.10.10.1 and 10.10.10.2)
        3 : Users NOT via the proxy-server
        4 : FTP-server (1.1.1.1)
        5 : Web-server (1.1.1.2)

  • Firewall settings
  • It's not my intention to build an entire firewall. I'm just telling what has to be done and the rest is homework.

    On the firewall NIC, you have to masquerade the LAN when it leaves. The connections to the web server and the FTP server in the DMZ have to be enabled and all other connections are denied. On the LAN, you have to mark the packets when they enter the firewall.

    Used script:

    #!/bin/sh
    # Network settings (addresses as in the setup above)
    PROXY=10.10.10.100
    MAN1=10.10.10.1
    MAN2=10.10.10.2
    FTP=1.1.1.1
    WEB=1.1.1.2
    
    ip link set eth0 up
    ip link set eth1 up
    ip link set eth2 up
    ip addr add 1.1.1.10/24     brd + dev eth0 label eth0 # Internet
    ip addr add 1.1.1.10/24     brd + dev eth1 label eth1 # DMZ
    ip addr add 10.10.10.254/24 brd + dev eth2 label eth2 # LAN
    
    # Routing settings
    ip route add $WEB/32 dev eth1
    ip route add $FTP/32 dev eth1
    ip route add 0/0 via 1.1.1.100 table main dev eth0
    
    # Some firewall settings: start from empty tables with a deny-all policy
    modprobe iptable_nat
    iptables -F
    iptables -F PREROUTING -t mangle
    iptables -X
    
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    
    # Masquerade the LAN when it leaves towards the internet
    iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/255.255.255.0 -j MASQUERADE
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open connections to the internet
    iptables -A FORWARD -i eth2 -o eth0 -s 10.10.10.0/255.255.255.0 -j ACCEPT
    
    # Setting up the internet interface: only the two DMZ servers are reachable
    iptables -A FORWARD -i eth0 -d $WEB -j ACCEPT
    iptables -A FORWARD -i eth0 -d $FTP -j ACCEPT
    
    # Marking the packets on LAN interface: default mark 3 (users bypassing the
    # proxy), then override for the proxy (1) and the managers (2). MARK is not
    # a terminating target, so the later rules replace the earlier mark.
    iptables -A PREROUTING -i eth2 -t mangle           -j MARK --set-mark 3
    iptables -A PREROUTING -i eth2 -t mangle -s $PROXY -j MARK --set-mark 1
    iptables -A PREROUTING -i eth2 -t mangle -s $MAN1  -j MARK --set-mark 2
    iptables -A PREROUTING -i eth2 -t mangle -s $MAN2  -j MARK --set-mark 2
    iptables -A PREROUTING -i eth2 -t mangle -j ACCEPT
    
    # Marking the packets on DMZ interface (forwarded traffic never passes the
    # INPUT chain, so the marks are set in PREROUTING like the LAN marks)
    iptables -A PREROUTING -i eth1 -t mangle -s $FTP -j MARK --set-mark 4
    iptables -A PREROUTING -i eth1 -t mangle -s $WEB -j MARK --set-mark 5
    

  • Script
  • Used script:

    #!/bin/sh
    # Class tree for the 256 kbit/s link; the right-hand column is the same
    # rate expressed in kilobytes per second.
    RATE_TOT=256kbit        #          32 kB/s
      SERVERS=192kbit       #          24 kB/s
        WEB=128kbit         # Mark 5   16 kB/s
        FTP=64kbit          # Mark 4    8 kB/s
      LAN=64kbit            #           8 kB/s
        USERS=32kbit        # BOUNDED   4 kB/s
           PROXY=24kbit     # Mark 1    3 kB/s
           NON_PROXY=8kbit  # Mark 3    1 kB/s
        MANAGERS=32kbit     # Mark 2    4 kB/s
    
    FTP_IP="1.1.1.1"
    WEB_IP="1.1.1.2"
    
    DEV="dev eth0"
    OPTION="allot 1514 maxburst 20 avpkt 1000 prio 3"
    
    # Root: a single bounded class that never exceeds the 256kbit/s of the
    # router, whatever the 10mbit NIC could deliver.
    tc qdisc del $DEV root 2>/dev/null
    tc qdisc add $DEV root handle 10: cbq bandwidth 10mbit avpkt 1000
    tc class add $DEV parent 10:0 classid 10:2 cbq bandwidth 10mbit rate $RATE_TOT $OPTION bounded
     
    # Second level: servers (75%) and LAN (25%). Neither is bounded, so one
    # may borrow what the other leaves unused.
    tc qdisc add $DEV parent 10:2 handle 20: cbq bandwidth $RATE_TOT allot 1514 avpkt 1000
     
    tc class add $DEV       parent 20:   classid 20:10   cbq bandwidth $RATE_TOT rate $SERVERS $OPTION
    tc class add $DEV       parent 20:   classid 20:20   cbq bandwidth $RATE_TOT rate $LAN     $OPTION
     
      # Servers: FTP and web share the server bandwidth (web gets 2/3)
      tc qdisc add $DEV     parent 20:10  handle 210:    cbq bandwidth $SERVERS allot 1514 avpkt 1000
        tc class add $DEV   parent 210:  classid 210:10  cbq bandwidth $SERVERS rate $FTP $OPTION
        tc class add $DEV   parent 210:  classid 210:20  cbq bandwidth $SERVERS rate $WEB $OPTION
     
      # LAN: users are bounded to 32kbit, managers get the other half and may borrow
      tc qdisc add $DEV     parent 20:20  handle 220:    cbq bandwidth $LAN allot 1514 avpkt 1000
        tc class add $DEV   parent 220:  classid 220:10  cbq bandwidth $LAN rate $USERS $OPTION bounded
        tc qdisc add $DEV   parent 220:10 handle 2210:   cbq bandwidth $USERS allot 1514 avpkt 1000
          tc class add $DEV parent 2210: classid 2210:10 cbq bandwidth $USERS rate $PROXY $OPTION
          tc class add $DEV parent 2210: classid 2210:20 cbq bandwidth $USERS rate $NON_PROXY $OPTION
        tc class add $DEV   parent 220:  classid 220:20  cbq bandwidth $LAN rate $MANAGERS $OPTION
     
    # Filters: with nested qdiscs every mark has to be steered at each level,
    # first into the bounded root class ...
    tc filter add $DEV parent 10: protocol ip prio 3 handle 1 fw classid 10:2
    tc filter add $DEV parent 10: protocol ip prio 3 handle 3 fw classid 10:2
    tc filter add $DEV parent 10: protocol ip prio 3 handle 2 fw classid 10:2
    tc filter add $DEV parent 10: protocol ip prio 3 handle 4 fw classid 10:2
    tc filter add $DEV parent 10: protocol ip prio 3 handle 5 fw classid 10:2
    
    # ... then into servers or LAN ...
    tc filter add $DEV parent 20: protocol ip prio 3 handle 1 fw classid 20:20
    tc filter add $DEV parent 20: protocol ip prio 3 handle 3 fw classid 20:20
    tc filter add $DEV parent 20: protocol ip prio 3 handle 2 fw classid 20:20
    tc filter add $DEV parent 20: protocol ip prio 3 handle 4 fw classid 20:10
    tc filter add $DEV parent 20: protocol ip prio 3 handle 5 fw classid 20:10
     
    # ... then into users/managers and FTP/web ...
    tc filter add $DEV parent 220: protocol ip prio 3 handle 1 fw classid 220:10
    tc filter add $DEV parent 220: protocol ip prio 3 handle 3 fw classid 220:10
    tc filter add $DEV parent 220: protocol ip prio 3 handle 2 fw classid 220:20
    tc filter add $DEV parent 210: protocol ip prio 3 handle 4 fw classid 210:10
    tc filter add $DEV parent 210: protocol ip prio 3 handle 5 fw classid 210:20
    
    # ... and finally into proxy / non-proxy users.
    tc filter add $DEV parent 2210: protocol ip prio 3 handle 1 fw classid 2210:10
    tc filter add $DEV parent 2210: protocol ip prio 3 handle 3 fw classid 2210:20
    
    # Marking of locally generated traffic by destination port (2001-2005 gives
    # mark 1-5), e.g. for tests from the firewall itself; the empty acc_N chains
    # only count the packets per port. Only these chains are reset here: a bare
    # "iptables -F" would also remove the firewall rules loaded by the first script.
    for i in 0 1 2 3 4; do
        iptables -F acc_$i 2>/dev/null
        iptables -X acc_$i 2>/dev/null
        iptables -N acc_$i
    done
    iptables -A OUTPUT -t mangle -p tcp --dport 2001 -j MARK --set-mark 1
    iptables -A OUTPUT -t mangle -p tcp --dport 2002 -j MARK --set-mark 2
    iptables -A OUTPUT -t mangle -p tcp --dport 2003 -j MARK --set-mark 3
    iptables -A OUTPUT -t mangle -p tcp --dport 2004 -j MARK --set-mark 4
    iptables -A OUTPUT -t mangle -p tcp --dport 2005 -j MARK --set-mark 5
    iptables -A OUTPUT -p tcp --dport 2001 -j acc_0
    iptables -A OUTPUT -p tcp --dport 2002 -j acc_1
    iptables -A OUTPUT -p tcp --dport 2003 -j acc_2
    iptables -A OUTPUT -p tcp --dport 2004 -j acc_3
    iptables -A OUTPUT -p tcp --dport 2005 -j acc_4
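
    As an added check (not part of the original page or its scripts), the following Python models the class tree of the shaping script, verifies that at every level the child rates add up exactly to the parent rate, and generates the fw filter lines that steer each mark through every nested CBQ qdisc. The class ids, rates and marks are those of the script above; the data structure and helper names are constructed here.

```python
# Added example, not from the original page: model the nested CBQ class tree
# of the shaping script and check it before loading it with tc.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cls:
    classid: str                  # tc class id, e.g. "20:10"
    rate: int                     # guaranteed rate in kbit/s
    qdisc: Optional[str] = None   # handle of the cbq qdisc nested under this class
    mark: Optional[int] = None    # fw mark whose packets end up in this leaf
    children: List["Cls"] = field(default_factory=list)


# The 256 kbit/s tree from the script (same class ids and marks).
TREE = Cls("10:2", 256, "20:", children=[
    Cls("20:10", 192, "210:", children=[
        Cls("210:20", 128, mark=5),            # web
        Cls("210:10", 64, mark=4)]),           # ftp
    Cls("20:20", 64, "220:", children=[
        Cls("220:10", 32, "2210:", children=[
            Cls("2210:10", 24, mark=1),        # users via proxy
            Cls("2210:20", 8, mark=3)]),       # users bypassing the proxy
        Cls("220:20", 32, mark=2)])])          # managers


def inconsistent(c: Cls):
    """(classid, sum of child rates, own rate) for each class whose children
    do not add up exactly to its rate; an empty list means the tree is sound."""
    bad = []
    if c.children:
        total = sum(k.rate for k in c.children)
        if total != c.rate:
            bad.append((c.classid, total, c.rate))
        for k in c.children:
            bad += inconsistent(k)
    return bad


def shares(c: Cls):
    """Percentage of the parent rate each child is guaranteed."""
    return {k.classid: round(100 * k.rate / c.rate, 1) for k in c.children}


def marks_below(c: Cls):
    return [c.mark] if c.mark is not None else [m for k in c.children for m in marks_below(k)]


def fw_filters(c: Cls, parent="10:", dev="eth0"):
    """One fw filter per (qdisc level, mark): every mark that ends up below a
    class has to be steered into that class at the qdisc above it."""
    lines = [f"tc filter add dev {dev} parent {parent} protocol ip prio 3 handle {m} fw classid {c.classid}"
             for m in marks_below(c)]
    for k in c.children:
        lines += fw_filters(k, c.qdisc, dev)
    return lines
```

    For the tree above, `inconsistent(TREE)` is empty and `fw_filters(TREE)` yields exactly the 17 filter lines of the script; a tree with web and FTP both at 128kbit would instead report the servers class as over-committed.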
    

  • Tests
  • Not yet finished. In theory it should work, but I think CBQ is not accurate enough to do the job.


    TODO : new tests with 4 classes