The iproute package, which is effectively a default package on Linux, includes a command called tc (Traffic Control).

With this command a host can limit its own Ethernet speed by itself, without any help from the network switch.

This provides functionality similar to what is usually called QoS (Quality of Service) in networking.

Still, it seems like a very good approach, since it delivers high effectiveness at low cost.

1) Requirements
- The iproute RPM package must be installed.
- The Traffic Control options (including Netlink) in the iproute part of the Linux kernel must be enabled.
- On Linux kernel 2.4 and later, most Traffic Control options are enabled by default.

2) Adding a system command
- Add a command called shaping.
$ vi /etc/init.d/shaping

- Enter the following source code.
#!/bin/bash
# tc uses the following units when passed as a parameter.
# kbps: Kilobytes per second
# mbps: Megabytes per second
# kbit: Kilobits per second
# mbit: Megabits per second
# bps: Bytes per second
# Amounts of data can be specified in:
# kb or k: Kilobytes
# mb or m: Megabytes
# mbit: Megabits
# kbit: Kilobits
# To get the byte figure from bits, divide the number by 8 bit
#

# Path to the tc command.
TC=/sbin/tc

# Ethernet interface whose bandwidth will be limited.
IF=eth0

# Download rate limit
DNLD=15mbit

# Upload rate limit
UPLD=15mbit

# IP address of the host the limit applies to
IP=123.123.123.123

# Filter options for limiting the intended interface.
U32="$TC filter add dev $IF protocol ip parent 1:0 prio 1 u32"

start() {
# We'll use Hierarchical Token Bucket (HTB) to shape bandwidth.
# For detailed configuration options, please consult the Linux man
# page (tc-htb).
# Note: 'default 30' names class 1:30, which this script never
# creates, so traffic matching neither filter bypasses shaping.
    $TC qdisc add dev $IF root handle 1: htb default 30
    $TC class add dev $IF parent 1: classid 1:1 htb rate $DNLD
    $TC class add dev $IF parent 1: classid 1:2 htb rate $UPLD
    $U32 match ip dst $IP/32 flowid 1:1
    $U32 match ip src $IP/32 flowid 1:2
# The first line creates the root qdisc, and the next two lines
# create two child classes that are used to shape download
# and upload bandwidth.
#
# The 4th and 5th lines create the filters that classify traffic.
# The 'dst' IP address is used to limit download speed, and the
# 'src' IP address is used to limit upload speed.
}

stop() {
# Stop the bandwidth shaping.
    $TC qdisc del dev $IF root
}

restart() {
# Self-explanatory.
    stop
    sleep 1
    start
}

show() {
# Display traffic control status.
    $TC -s qdisc ls dev $IF
}

case "$1" in
  start)
    echo -n "Starting bandwidth shaping: "
    start
    echo "done"
    ;;
  stop)
    echo -n "Stopping bandwidth shaping: "
    stop
    echo "done"
    ;;
  restart)
    echo -n "Restarting bandwidth shaping: "
    restart
    echo "done"
    ;;
  show)
    echo "Bandwidth shaping status for $IF:"
    show
    echo ""
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|show}"
    ;;
esac

exit 0

- Give it execute permission and run it.
$ chmod 755 /etc/init.d/shaping
$ /etc/init.d/shaping start

3) Checking the result
[image: traffic graph before and after the limit was applied]

- Taking the red line as the divider, the left side is the original situation and the right side is after the traffic limit was applied.
- In the original case you can see that the traffic is extremely jagged.
- On the right, you can see the traffic being flattened into a rounded shape as the limit is enforced.
- The limit does not appear to kick in at exactly the configured speed.
- After some testing, you should be able to tune the settings to suit your IDC environment.

 

Source: http://theeye.pe.kr


Traffic Control with Linux Command Line tool, "tc"


By Scott Seong

Denial of service attacks are a major nuisance for web hosts, and as a web host you'll have to take every measure to protect your resources from DoS attacks. Our APF, BFD, DDoS and RootKit article describes Linux utilities available to protect against DDoS attacks, and also explains their installation procedures. This article supplements that article by providing a means to control traffic (bandwidth shaping) with the Linux "tc" command, so that no single machine can consume the entire network bandwidth.

What is Traffic Shaping?

Traffic Shaping (a.k.a. Bandwidth Shaping or Packet Shaping) is an attempt to control network traffic by prioritizing network resources and guaranteeing certain bandwidth based on predefined policy rules. Traffic shaping uses the concepts of traffic classification, policy rules, queue disciplines and quality of service (QoS).

Why implement Traffic Shaping?

Network bandwidth is an expensive resource that is shared among many parties in an organization, and some applications require guaranteed bandwidth and priority. Traffic shaping lets you (1) control network services, (2) limit bandwidth and (3) guarantee Quality of Service (QoS). Intelligently managed traffic shaping improves network latency, service availability and bandwidth utilization.

What is Queue Discipline?

A queue discipline (qdisc) is the set of rules that determines the order in which arrivals are serviced. Imagine standing in a restaurant waiting to be seated, and waiting in an emergency room to be seen by a physician. Both have people waiting in a queue who need to be serviced, but they use different strategies for clearing the queue.

Restaurants typically use a first-in-first-out (FIFO) strategy, with an exception when no table with enough seats is available for a large party. Customers are generally serviced in the order in which they arrived in the queue, or when a table with the required number of seats becomes available. The emergency room, on the other hand, requires a different strategy: regardless of the order in which patients arrive, someone in critical condition gets attention first, followed by someone in urgent condition. These are just examples of how queues are handled in real-life scenarios; traffic shaping requires many more disciplines (rules) for clearing traffic queues.

Software Requirements

  • The Linux RPM package called 'iproute' is required.
  • Traffic control options (including netlink support) have to be enabled in the kernel build in order for certain parts of 'iproute' to function.
  • Linux kernel version 2.4 (and above) has most traffic control options turned on by default. To explore your configuration, try running the following commands. If you see command responses like the ones below, you have a basic configuration set up.
# ip link list
1: lo:  mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0:  mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:06:5b:8d:13:a0 brd ff:ff:ff:ff:ff:ff
# ip address show
1: lo:  mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:06:5b:8d:13:a0 brd ff:ff:ff:ff:ff:ff
    inet 216.3.128.12/24 brd 216.3.128.255 scope global eth0
    inet6 fe80::206:5bff:fe8d:13a0/64 scope link 
       valid_lft forever preferred_lft forever
# ip route show
216.3.128.0/24 dev eth0  proto kernel  scope link  src 216.3.128.12
default via 216.3.128.1 dev eth0 

Bandwidth Management (Traffic Control)

Linux kernel 2.2 (and above) provides bandwidth management functionality comparable to high-end (dedicated) hardware solutions. Linux offers this capability through the tc command-line utility, together with the iptables and iproute2 packages.

We've written a small bash shell script to automate the bandwidth shaping function on a Linux machine. The downloadable source code limits the bandwidth of an interface, both inbound and outbound, to 1mbit each. You may modify this script however you wish to suit your bandwidth shaping requirements.

    #!/bin/bash
    #
    #  tc uses the following units when passed as a parameter.
    #  kbps: Kilobytes per second 
    #  mbps: Megabytes per second
    #  kbit: Kilobits per second
    #  mbit: Megabits per second
    #  bps: Bytes per second 
    #       Amounts of data can be specified in:
    #       kb or k: Kilobytes
    #       mb or m: Megabytes
    #       mbit: Megabits
    #       kbit: Kilobits
    #  To get the byte figure from bits, divide the number by 8 bit
    #
    
    #
    # Name of the traffic control command.
    TC=/sbin/tc
    
    # The network interface we're planning on limiting bandwidth.
    IF=eth0             # Interface
    
    # Download limit (in mega bits)
    DNLD=1mbit          # DOWNLOAD Limit
    
    # Upload limit (in mega bits)
    UPLD=1mbit          # UPLOAD Limit
    
    # IP address of the machine we are controlling
    IP=216.3.128.12     # Host IP
    
    # Filter options for limiting the intended interface.
    U32="$TC filter add dev $IF protocol ip parent 1:0 prio 1 u32"
    
    start() {
    
    # We'll use Hierarchical Token Bucket (HTB) to shape bandwidth.
    # For detailed configuration options, please consult the Linux man
    # page (tc-htb).
    # Note: 'default 30' names class 1:30, which this script never
    # creates, so traffic matching neither filter bypasses shaping.
    
        $TC qdisc add dev $IF root handle 1: htb default 30
        $TC class add dev $IF parent 1: classid 1:1 htb rate $DNLD
        $TC class add dev $IF parent 1: classid 1:2 htb rate $UPLD
        $U32 match ip dst $IP/32 flowid 1:1
        $U32 match ip src $IP/32 flowid 1:2
    
    # The first line creates the root qdisc, and the next two lines
    # create two child classes that are used to shape download 
    # and upload bandwidth.
    #
    # The 4th and 5th lines create the filters that classify traffic.
    # The 'dst' IP address is used to limit download speed, and the 
    # 'src' IP address is used to limit upload speed.
    
    }
    
    stop() {
    
    # Stop the bandwidth shaping.
        $TC qdisc del dev $IF root
    
    }
    
    restart() {
    
    # Self-explanatory.
        stop
        sleep 1
        start
    
    }
    
    show() {
    
    # Display status of traffic control status.
        $TC -s qdisc ls dev $IF
    
    }
    
    case "$1" in
    
      start)
    
        echo -n "Starting bandwidth shaping: "
        start
        echo "done"
        ;;
    
      stop)
    
        echo -n "Stopping bandwidth shaping: "
        stop
        echo "done"
        ;;
    
      restart)
    
        echo -n "Restarting bandwidth shaping: "
        restart
        echo "done"
        ;;
    
      show)
    
        echo "Bandwidth shaping status for $IF:"
        show
        echo ""
        ;;
    
      *)
    
        echo "Usage: tc.bash {start|stop|restart|show}"
        ;;
    
    esac
    
    exit 0
    

The above script has been tested on CentOS 4.x and Linux AS 2.x systems. There is also another utility called tcng, which supposedly simplifies the arcane tc configuration. If you have comments or suggestions on the above script, please contact feedback@topwebhosts.org.

For a detailed explanation, see the Linux Advanced Routing & Traffic Control HOWTO at http://www.lartc.org. That HOWTO also describes methods for preventing SYN floods and ICMP DDoS.
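Both shaping scripts above run the same five tc commands with no checking of their inputs, and their start() fails on a second run because the root qdisc already exists. The following is an added example, not the scripts' or the articles' own code: it validates the rate units and the IP address, emits the commands for review (DRY_RUN=1, the default) and only executes them when asked. The valid_rate, valid_ip, build_cmds and shape functions and the DRY_RUN variable are this example's own names.

```shell
#!/bin/sh
# Added example (not the original script): rebuilds the HTB commands the
# scripts above run, validating the inputs first and printing the commands
# (DRY_RUN=1, the default) for review before they are applied as root.
set -eu

TC=${TC:-/sbin/tc}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them

# Accept only the rate units listed in the scripts' header comment.
valid_rate() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+(bps|kbps|mbps|kbit|mbit)$'
}

# Dotted-quad IPv4 address with every octet in 0..255.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# build_cmds IF DNLD UPLD IP: one tc command per line; fails (printing
# nothing) if any argument is malformed.
build_cmds() {
    IF=$1; DNLD=$2; UPLD=$3; IP=$4
    valid_rate "$DNLD" && valid_rate "$UPLD" && valid_ip "$IP" || return 1
    # 'replace' rather than 'add': re-running does not fail with "File exists".
    # 'default 30' names class 1:30, which is never created, so unmatched
    # traffic passes through unshaped, exactly as in the articles' script.
    echo "$TC qdisc replace dev $IF root handle 1: htb default 30"
    echo "$TC class replace dev $IF parent 1: classid 1:1 htb rate $DNLD"
    echo "$TC class replace dev $IF parent 1: classid 1:2 htb rate $UPLD"
    # An egress qdisc only sees packets this host transmits, so the dst filter
    # shapes downloads only when this host forwards traffic to $IP (gateway).
    U32="$TC filter add dev $IF protocol ip parent 1:0 prio 1 u32"
    echo "$U32 match ip dst $IP/32 flowid 1:1"
    echo "$U32 match ip src $IP/32 flowid 1:2"
}

# shape IF DNLD UPLD IP: print (dry run) or execute the commands.
shape() {
    if [ "$DRY_RUN" = 1 ]; then
        build_cmds "$@"
    else
        build_cmds "$@" | sh -e   # needs root (CAP_NET_ADMIN)
    fi
}
```

Run `DRY_RUN=0 ./shape.sh` only after reviewing the printed commands; `tc qdisc del dev eth0 root` removes the whole configuration, as the scripts' stop() does.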

     

Source: http://www.topwebhosts.org/tools/traffic-control.php

     
