Bittorrent issue, taking most of network throughput.
plasma
05-04-2004, 04:39 AM
Greetings,
I'm having an issue with BitTorrent. When users on the network open BitTorrent, the network slows to a halt.
After analysing the network, I suspect that it may be the number of outgoing connections (up to 100 connections at a time).
If anyone knows a way to avoid this problem, perhaps by giving packets a higher priority than BT, I would be very appreciative.
Thank you,
Nathan Manzi
plasma
05-04-2004, 05:40 AM
UPDATE:
Problem has been sorted.
Below is my iptables script, Synwall, which I made with a shaping program by AtomicMPC (www.atomicmpc.com.au, a brilliant published magazine) that prioritises packets using HTB, for those who may have the same problem.
#!/bin/sh
# Synwall: packet filter, NAT and fwmark classifier for an HTB shaper.
# Environment variables, change these values accordingly
EXT_IF=ppp0             # upstream (PPP) interface
INT_IF=eth0             # LAN interface
INT_NET=10.0.1.0/24     # LAN subnet
ANY=0.0.0.0/0
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe

# Netfilter modules (the nat/mangle tables are used below, so load them explicitly)
$MODPROBE ip_tables
$MODPROBE iptable_filter
$MODPROBE iptable_nat
$MODPROBE iptable_mangle
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

# Kernel settings: reverse-path (anti-spoof) filtering, ignore broadcast pings,
# refuse source-routed packets and ICMP redirects.
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
# ip_dynaddr: cope with ppp0 getting a new address mid-connection; ip_forward: act as a router
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward

# Flush everything
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Default policy: drop all but output.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# Input chain
# Allow bootp/DHCP replies. You may need this.
$IPTABLES -A INPUT -p udp -d 255.255.255.255 --dport 68 -j ACCEPT
# Accept all connections on local and internal interfaces
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INT_IF -j ACCEPT
# Stateful inspection -- allow packets in from connections already established
$IPTABLES -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop packets from invalid sources (reserved networks and localhost)
$IPTABLES -A INPUT -i $EXT_IF -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s 169.254.0.0/16 -j DROP
$IPTABLES -A INPUT -d 127.0.0.0/8 -j DROP
# Don't log igmp, web or ssl. More noise we don't need to log.
# Rules match top to bottom: igmp is dropped silently here, and web/ssl are
# accepted here, ahead of the LOG rule, so they are never logged.
$IPTABLES -A INPUT -p igmp -j DROP
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
# Log everything else arriving on the external interface (whether accepted below or dropped by policy)
$IPTABLES -A INPUT -i $EXT_IF -j LOG --log-prefix "|iptables -- "
# Add servers on this machine here. These rules have no -i, but everything from
# $INT_IF is already accepted above, so in practice they open the port to $EXT_IF.
# SSH
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
# FTP (control, and active-mode data)
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
# DNS
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
# POP3
$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
# IMAP
$IPTABLES -A INPUT -p tcp --dport 143 -j ACCEPT
# SMTP
$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
# Web and secure http (80, 443) are accepted above, before the LOG rule.
# Webmin (unsafe, but heh. like they'll get my pwd. XD)
#$IPTABLES -A INPUT -p tcp --dport 10000 -j ACCEPT
# Secure imap and pop3
$IPTABLES -A INPUT -p tcp --dport 993 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 995 -j ACCEPT
# Lastly, SMB (NetBIOS session service; note this exposes it on $EXT_IF as well)
$IPTABLES -A INPUT -p tcp --dport 139 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 139 -j ACCEPT
# panda's IRC proxy
$IPTABLES -A INPUT -p tcp --dport 6667 -j ACCEPT

# Forwarding chain
# Stateful inspection -- forward in connections already established
$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -s $ANY -d $INT_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
# Forward specified port (ranges) to machines behind the firewall
# Wireless Router
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 10000:15000 -j DNAT --to-dest 10.0.1.4:10000-15000
$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 10000:15000 -d 10.0.1.4 -j ACCEPT
# Dwayne's Box
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 6000:6999 -j DNAT --to-dest 10.0.1.5:6000-6999
$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 6000:6999 -d 10.0.1.5 -j ACCEPT
## Thwart llamax's kazaa attempts (Kazaa uses TCP/UDP 1214). These are FORWARD
## rules for LAN clients and must sit before the catch-all ACCEPT below, or they never match.
$IPTABLES -A FORWARD -i $INT_IF -p tcp --dport 1214 -j REJECT
$IPTABLES -A FORWARD -i $INT_IF -p udp --dport 1214 -j REJECT
$IPTABLES -A FORWARD -d 213.248.112.0/24 -j REJECT
# Forward out all other traffic from the LAN
$IPTABLES -A FORWARD -i $INT_IF -d $ANY -j ACCEPT

# Quality settings: fwmarks read by the HTB shaper.
# 10 = interactive (highest priority), 20 = web, 30 = bulk/everything else.
# A later MARK rule overwrites an earlier one, so the order below matters.
# EGRESS (upstream)
# TOS marked packets (we'll just work with minimise-delay and maximise-throughput)
$IPTABLES -t mangle -A POSTROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 30
# UDP
$IPTABLES -t mangle -A POSTROUTING -p udp -j MARK --set-mark 10
# ICMP (ping)
$IPTABLES -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 10
# SSH
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 22 -j MARK --set-mark 10
# Web, SSL
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 80 -j MARK --set-mark 20
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 443 -j MARK --set-mark 20
# ACKs: small TCP packets (up to 64 bytes) go first so downloads aren't throttled by slow ACKs
$IPTABLES -t mangle -A POSTROUTING -p tcp -m length --length :64 -j MARK --set-mark 10
# INGRESS (downstream)
# Only prioritise class 10 traffic
# Don't police high priority UDP, game, ping and SSH packets
$IPTABLES -t mangle -A PREROUTING -p udp -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p icmp -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 22 -j MARK --set-mark 10
# I want port 80 to be relatively important.
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 80 -j MARK --set-mark 20
# Catchall, police everything else
$IPTABLES -t mangle -A PREROUTING -m mark --mark 0 -j MARK --set-mark 30

# NAT: masquerade LAN traffic leaving the external interface
# (MASQUERADE rather than SNAT because ppp0 has a dynamic address)
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
The shaping program is available from the above-mentioned site.
Thanks,
Nathan Manzi
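The tc half that actually consumes the marks is not shown in the post (it comes from the AtomicMPC shaper). As an added example, which is not the AtomicMPC program and not part of the original post, here is a minimal HTB egress tree plus an ingress policer keyed on the same fwmarks (10, 20, 30) that Synwall sets. The interface name, the UPLINK/DOWNLINK rates (in kbit), the 30/30/40 class shares and the DRYRUN switch are assumptions for illustration; set DRYRUN=0 and run as root to apply it.

```shell
#!/bin/sh
# Added example (not the AtomicMPC shaper, not from the original post):
# HTB egress tree + ingress policer driven by the fwmarks Synwall sets:
#   10 = interactive (UDP, ICMP, SSH, small ACKs)      -> served first
#   20 = web                                           -> middle
#   30 = bulk / everything else (BitTorrent lands here) -> lowest priority
# Assumed values: interface, rates and class shares. Adjust to your link.
EXT_IF="${EXT_IF:-ppp0}"
UPLINK="${UPLINK:-240}"       # kbit; set 10-15% below measured upstream so the queue forms here, not in the modem
DOWNLINK="${DOWNLINK:-1400}"  # kbit; same idea for the ingress policer
TC="${TC:-/sbin/tc}"
DRYRUN="${DRYRUN:-1}"         # 1 = print the tc commands, 0 = execute them (needs root)

run() {
  if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi
}

shaper_clear() {
  run $TC qdisc del dev "$EXT_IF" root 2>/dev/null
  run $TC qdisc del dev "$EXT_IF" ingress 2>/dev/null
}

shaper_egress() {
  # Guaranteed share per class; any class may borrow up to the full uplink (ceil).
  rate10=$((UPLINK * 3 / 10))
  rate20=$((UPLINK * 3 / 10))
  rate30=$((UPLINK - rate10 - rate20))
  # Root HTB; anything still unmarked (mark 0) falls into the bulk class 1:30.
  run $TC qdisc add dev "$EXT_IF" root handle 1: htb default 30
  run $TC class add dev "$EXT_IF" parent 1: classid 1:1 htb rate "${UPLINK}kbit" ceil "${UPLINK}kbit"
  # Lower prio number = served first when classes compete for borrowed bandwidth.
  run $TC class add dev "$EXT_IF" parent 1:1 classid 1:10 htb rate "${rate10}kbit" ceil "${UPLINK}kbit" prio 0
  run $TC class add dev "$EXT_IF" parent 1:1 classid 1:20 htb rate "${rate20}kbit" ceil "${UPLINK}kbit" prio 1
  run $TC class add dev "$EXT_IF" parent 1:1 classid 1:30 htb rate "${rate30}kbit" ceil "${UPLINK}kbit" prio 2
  # SFQ on each leaf so one flow (one BT peer) cannot starve the other flows in its class.
  run $TC qdisc add dev "$EXT_IF" parent 1:10 handle 10: sfq perturb 10
  run $TC qdisc add dev "$EXT_IF" parent 1:20 handle 20: sfq perturb 10
  run $TC qdisc add dev "$EXT_IF" parent 1:30 handle 30: sfq perturb 10
  # fw classifier: "handle N" is the value given to iptables --set-mark.
  run $TC filter add dev "$EXT_IF" parent 1: protocol ip prio 1 handle 10 fw flowid 1:10
  run $TC filter add dev "$EXT_IF" parent 1: protocol ip prio 2 handle 20 fw flowid 1:20
  run $TC filter add dev "$EXT_IF" parent 1: protocol ip prio 3 handle 30 fw flowid 1:30
}

shaper_ingress() {
  # The ingress qdisc cannot queue, only police: drop bulk (mark 30) downloads above
  # DOWNLINK so the senders' TCP backs off, while mark 10/20 traffic passes unpoliced.
  run $TC qdisc add dev "$EXT_IF" handle ffff: ingress
  run $TC filter add dev "$EXT_IF" parent ffff: protocol ip prio 50 handle 30 fw \
    police rate "${DOWNLINK}kbit" burst 10k drop flowid :1
}

shaper_apply() {
  shaper_clear
  shaper_egress
  shaper_ingress
}

shaper_apply
```

With DRYRUN left at 1 the script only prints the tc commands, which is a convenient way to check the class tree before touching a live gateway; `tc -s class show dev ppp0` afterwards shows which class the BitTorrent bytes are landing in.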