Traffic Control - Revision history

87.4.88.15: /* Other Links of Interest */

2013-05-25T04:57:42Z

‎Other Links of Interest

Drobbins: /* SSH */

2011-06-29T04:44:24Z

‎SSH

Drobbins: /* ACKs */

2011-06-29T04:42:20Z

‎ACKs

Drobbins: /* ACKs */

2011-06-29T04:41:39Z

‎ACKs

Drobbins at 03:37, 2 June 2011

2011-06-02T03:37:19Z

Drobbins: /* SSH */

2011-05-26T04:00:26Z

‎SSH

Drobbins at 15:44, 24 May 2011

2011-05-24T15:44:25Z

Drobbins at 08:07, 23 February 2011

2011-02-23T08:07:08Z

Drobbins: /* SSH */

2011-02-19T05:14:30Z

‎SSH

Drobbins: /* SSH */

2011-02-19T05:12:36Z

‎SSH

@@ Line 142: / Line 142: @@
 == Other Links of Interest ==
 * http://manpages.ubuntu.com/manpages/maverick/en/man8/ufw.8.html
 * https://help.ubuntu.com/community/UFW

@@ Line 117: / Line 117: @@
 To use this code, place it ''near the top of the file'', just below the <tt>modemif="eth4"</tt> line, but ''before'' the main <tt>iptables</tt> and <tt>tc</tt> rules. These rules will apply to ''all'' packets about to get queued to any interface, but this is not necessarily a bad thing, since the TCP flags being set are not just specific to our traffic control functionality. To make these rules specific to <tt>modemif</tt>, add "-o $modemif" after "-A POSTROUTING" on the last line, above. As-is, the rules above will set the TCP flags on all packets flowing out of all interfaces, but the the traffic control rules will only take effect for <tt>modemif</tt>, because they are only configured for that interface.
-SSH is a tricky protocol. By default, all SSH traffic is classified as "minimize-delay" traffic, which will cause it to all flow into our high-priority class, even if it is a bulk <tt>scp</tt> transfer running in the background. This code will grab all "minimize-delay" traffic such as SSH and telnet and route it through some special rules. Any individual keystrokes (small packets) will be left as "minimize-delay" packets. For anything else, we will run the <tt>hashlimit</tt> iptables module, which will identify individual flows and allow small bursts of traffic (even big packets) to remain "minimize-delay" packets. These settings have been specifically tuned so that most <tt>GNU screen</tt> screen changes (^A^N) will be fast. Any traffic over these burst limits will be reclassified as "maximize-throughput" and thus will drop to our lower-priority class 1:12.
+SSH is a tricky protocol. By default, all the outgoing SSH traffic is classified as "minimize-delay" traffic, which will cause it to all flow into our high-priority class, even if it is a bulk <tt>scp</tt> transfer running in the background. This code will grab all "minimize-delay" traffic such as SSH and telnet and route it through some special rules. Any individual keystrokes (small packets) will be left as "minimize-delay" packets. For anything else, we will run the <tt>hashlimit</tt> iptables module, which will identify individual outbound flows and allow small bursts of traffic (even big packets) to remain "minimize-delay" packets. These settings have been specifically tuned so that most <tt>GNU screen</tt> screen changes (^A^N) when logging into your server(s) remotely will be fast. Any traffic over these burst limits will be reclassified as "maximize-throughput" and thus will drop to our lower-priority class 1:12. Combined with the traffic control rules, this will allow you to have very responsive SSH sessions into your servers, even if they are doing some kind of bulk outbound copy, like rsync over SSH.
 Code in our main <tt>iptables</tt> rules will ensure that any "minimize-delay" traffic is tagged to be in the high-priority 1:10 class.

@@ Line 137: / Line 137: @@
 To use this code, place it ''near the top of the file, just below the <tt>modemif="eth4"</tt> line, but ''before'' the main <tt>iptables</tt> and <tt>tc</tt> rules.
-ACK optimization is another useful thing to do. If we prioritize small ACKs, it will allow TCP traffic to flow more smoothly without unnecessary delay.  The lines above accomplish this.
+ACK optimization is another useful thing to do. If we prioritize small ACKs heading out to the modem, it will allow TCP traffic to flow more smoothly without unnecessary delay.  The lines above accomplish this.
 This code basically sets the "minimize-delay" flag on small ACKs. Code in our main <tt>iptables</tt> rules will then tag these packets so they enter high-priority traffic class 1:10.

@@ Line 137: / Line 137: @@
 To use this code, place it ''near the top of the file, just below the <tt>modemif="eth4"</tt> line, but ''before'' the main <tt>iptables</tt> and <tt>tc</tt> rules.
-ACK optimization is another useful thing to do. If we prioritize small ACKs, it will allow TCP traffic to flow more smoothly without unnecessary delay.  The following lines accomplish this:
+ACK optimization is another useful thing to do. If we prioritize small ACKs, it will allow TCP traffic to flow more smoothly without unnecessary delay.  The lines above accomplish this.
 This code basically sets the "minimize-delay" flag on small ACKs. Code in our main <tt>iptables</tt> rules will then tag these packets so they enter high-priority traffic class 1:10.

← Older revision		Revision as of 03:37, 2 June 2011
Line 150:		Line 150:
	[[Category:Articles]]		[[Category:Articles]]
	[[Category:Featured]]		[[Category:Featured]]
		+	[[Category:Networking]]

@@ Line 107: / Line 107: @@
 iptables -t mangle -A tosfix -p tcp -m length --length 0:512 -j RETURN
 #allow screen redraws under interactive SSH sessions to be fast:
-iptables -t mangle -A tosfix -m hashlimit --hashlimit 20/sec --hashlimit-burst 20 --hashlimit-mode srcip,srcport,dstip,dstport --hashlimit-name minlat -j RETURN
+iptables -t mangle -A tosfix -m hashlimit --hashlimit 20/sec --hashlimit-burst 20 \
 iptables -t mangle -A tosfix -j TOS --set-tos Maximize-Throughput
 iptables -t mangle -A tosfix -j RETURN
@@ Line 114: / Line 115: @@
 </source>
-To use this code, place it ''near the top of the file, just below the <tt>modemif="eth4"</tt> line, but ''before'' the main <tt>iptables</tt> and <tt>tc</tt> rules. These rules will apply to ''all'' packets about to get queued to any interface, but this is not necessarily a bad thing, since the TCP flags being set are not just specific to our traffic control functionality. To make these rules specific to <tt>modemif</tt>, add "-o $modemif" after "-A POSTROUTING" on the last line, above. As-is, the rules above will set the TCP flags on all packets flowing out of all interfaces, but the the traffic control rules will only take effect for <tt>modemif</tt>, because they are only configured for that interface.
+To use this code, place it ''near the top of the file'', just below the <tt>modemif="eth4"</tt> line, but ''before'' the main <tt>iptables</tt> and <tt>tc</tt> rules. These rules will apply to ''all'' packets about to get queued to any interface, but this is not necessarily a bad thing, since the TCP flags being set are not just specific to our traffic control functionality. To make these rules specific to <tt>modemif</tt>, add "-o $modemif" after "-A POSTROUTING" on the last line, above. As-is, the rules above will set the TCP flags on all packets flowing out of all interfaces, but the the traffic control rules will only take effect for <tt>modemif</tt>, because they are only configured for that interface.
 SSH is a tricky protocol. By default, all SSH traffic is classified as "minimize-delay" traffic, which will cause it to all flow into our high-priority class, even if it is a bulk <tt>scp</tt> transfer running in the background. This code will grab all "minimize-delay" traffic such as SSH and telnet and route it through some special rules. Any individual keystrokes (small packets) will be left as "minimize-delay" packets. For anything else, we will run the <tt>hashlimit</tt> iptables module, which will identify individual flows and allow small bursts of traffic (even big packets) to remain "minimize-delay" packets. These settings have been specifically tuned so that most <tt>GNU screen</tt> screen changes (^A^N) will be fast. Any traffic over these burst limits will be reclassified as "maximize-throughput" and thus will drop to our lower-priority class 1:12.

← Older revision		Revision as of 15:44, 24 May 2011
Line 148:		Line 148:
	[[Category:Investigations]]		[[Category:Investigations]]
	[[Category:Articles]]		[[Category:Articles]]
		+	[[Category:Featured]]

← Older revision		Revision as of 08:07, 23 February 2011
Line 147:		Line 147:

	[[Category:Investigations]]		[[Category:Investigations]]
		+	[[Category:Articles]]