tor bandwidth ratio

gabrix gabrix at gabrix.ath.cx
Fri Oct 13 17:10:44 UTC 2006


Kelly Byrd wrote:
> I have had this exact same question for my server. It's running on an
> ADSL line, 443 on the OR port, 80 for the Dir port (iptables redirects to
> 9001 and 9030) and I notice MUCH more bandwidth usage when I turn on the
> dir port. Without the dir port, I barely notice tor slowing down my
> regular usage. With it, I often want to turn off tor to do anything
> interesting on the net.
>
> I've been using the burst and max bandwidth settings, but I think
> prioritizing might be the better way to go. Any good simple references
> for iptables?
>
> Another thought I had: Does opening up port 80 create problems all by
> itself?  I'm imagining non-tor users simply going to 80 and doing GET /
> and slurping the results from my tor server, but not really wanting it.
>
>
>
>   
As the /etc/tor/torrc file also says, you can advertise a privileged port: 
clients see you listening on that port, but in fact you bind to an 
unprivileged one and the SYN packets get redirected to it by iptables. 
What confused me was an iptables rule I put at the end of all the rules, a 
catch-all ULOG jump, and I saw 'some' SYN packets hitting the advertised 
port, passing through all chains without being redirected to the port 
where tor was really bound, and then getting dropped by my iptables. So in 
some way, sometimes, the advertised port also gets involved? Anyway, this 
is a script I googled around for, modified, and am using. It's just from 
the little I know of the 'mangle' table; it looks like it works. I will 
update you soon and await eventual corrections, as some parts are a bit 
obscure to me ....

> #!/bin/bash
> UPLINK_SPEED=688
> #UPLINK_SPEED=688
> INET_DEV=eth0
> DOWNLINK_THROTTLE=Y        # Set to 'Y' if you want to enable downlink throttle
> DOWNLINK_SPEED=3000
>
> if [ "$1" = "status" ]
> then
>     tc -s qdisc ls dev $INET_DEV
>     tc -s class ls dev $INET_DEV
>     exit
> fi
>
> # clean existing down- and uplink qdiscs, hide errors
> tc qdisc del dev $INET_DEV root    2> /dev/null > /dev/null
> tc qdisc del dev $INET_DEV ingress 2> /dev/null > /dev/null
> iptables -F -t mangle
>
> if [ "$1" = "stop" ]
> then
>     exit
> fi
>
> #################################################################################################
> # qdiscs, classes and filters
>
> # add HTB root qdisc
> tc qdisc add dev $INET_DEV root handle 1: htb default 14
>
> tc class add dev $INET_DEV parent 1: classid 1:1 htb rate ${UPLINK_SPEED}kbit ceil ${UPLINK_SPEED}kbit
>
> # Multiply before dividing: $UPLINK_SPEED/100*20 truncates 688 to 6*20=120kbit instead of 137kbit.
> tc class add dev $INET_DEV parent 1:1 classid 1:10 htb rate $((UPLINK_SPEED*20/100))kbit ceil ${UPLINK_SPEED}kbit prio 0
> tc class add dev $INET_DEV parent 1:1 classid 1:11 htb rate $((UPLINK_SPEED*15/100))kbit ceil ${UPLINK_SPEED}kbit prio 1
> tc class add dev $INET_DEV parent 1:1 classid 1:12 htb rate $((UPLINK_SPEED*15/100))kbit ceil ${UPLINK_SPEED}kbit prio 2
> tc class add dev $INET_DEV parent 1:1 classid 1:13 htb rate $((UPLINK_SPEED*30/100))kbit ceil ${UPLINK_SPEED}kbit prio 4
> tc class add dev $INET_DEV parent 1:1 classid 1:14 htb rate $((UPLINK_SPEED*20/100))kbit ceil ${UPLINK_SPEED}kbit prio 5
>
> tc qdisc add dev $INET_DEV parent 1:10 handle 100: sfq perturb 10
> tc qdisc add dev $INET_DEV parent 1:11 handle 110: sfq perturb 10
> tc qdisc add dev $INET_DEV parent 1:12 handle 120: sfq perturb 10
> tc qdisc add dev $INET_DEV parent 1:13 handle 130: sfq perturb 10
> tc qdisc add dev $INET_DEV parent 1:14 handle 140: sfq perturb 10
>
> # filters
> tc filter add dev $INET_DEV parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10
> tc filter add dev $INET_DEV parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11
> tc filter add dev $INET_DEV parent 1:0 protocol ip prio 3 handle 3 fw classid 1:12
> tc filter add dev $INET_DEV parent 1:0 protocol ip prio 4 handle 4 fw classid 1:13
> tc filter add dev $INET_DEV parent 1:0 protocol ip prio 5 handle 5 fw classid 1:14
>
> #################################################################################################
> #
> # classid 1:10 htb rate $[$UPLINK_SPEED/5]kbit ceil $[$UPLINK_SPEED]kbit prio 0 [mark 1]
> #    This is the higher priority class. The packets in this class will have the lowest delay
> #    and would get the excess of bandwidth first so it's a good idea to limit the ceil rate to
> #    this class. We will send through this class the following packets that benefit from low
> #    delay, such as interactive traffic: ssh, telnet, dns, quake3, irc, and packets with the
> #    SYN flag.
> #
> # classid 1:11 htb rate $[$UPLINK_SPEED/5]kbit ceil $[$UPLINK_SPEED]kbit prio 1 [mark 2]
> #    Here we have the first class in which we can start to put bulk traffic. In my example I have
> #    traffic from the local web server and requests for web pages: source port 80, and destination
> #    port 80 respectively.  ????
> #
> # classid 1:12 htb rate $[$UPLINK_SPEED/5]kbit ceil $[9*$UPLINK_SPEED/10]kbit prio 2 [mark 3]
> #    In this class I will put traffic with Maximize-Throughput TOS bit set and the rest of the
> #    traffic that goes from local processes on the router to the Internet. So the following
> #    classes will only have traffic that is "routed through" the box.
> #
> # classid 1:13 htb rate $[$UPLINK_SPEED/5]kbit ceil $[7*$UPLINK_SPEED/10]kbit prio 3 [mark 4]
> #    Here goes mail traffic (SMTP,pop3...) and packets with Minimize-Cost TOS bit set.
> #
> # classid 1:14 htb rate $[$UPLINK_SPEED/5]kbit ceil $[8*$UPLINK_SPEED/10]kbit prio 4 [mark 5]
> #    And finally here we have bulk traffic from the NATed machines behind the router. All kazaa,
> #    edonkey, and others will go here, in order to not interfere with other services.
> #
> #################################################################################################
> # Packets from internal LAN - rule order does matter !
> # Use --dport if you connect TO that port on a server on the internet (the only option that makes
> # sense in the PREROUTING chain).
>
> # priority hosts
> iptables -t mangle -A PREROUTING -d 192.168.1.4/32 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -d 192.168.1.4/32 -j RETURN
> iptables -t mangle -A PREROUTING -d 192.168.1.6/32 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -d 192.168.1.6/32 -j RETURN
>
> # SYN packets
> iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
>
>
>
> # TOR packets
> #iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9090 -j MARK --set-mark 2
> #iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9090 -j RETURN
> #iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9091 -j MARK --set-mark 2
> #iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9091 -j RETURN
>
> # POP and SMTP packets
> iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 25 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 25 -j RETURN
> iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 995 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 995 -j RETURN
>
>
> # HTTP packets
> iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j RETURN
> iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j RETURN
>
> # TOS rules
> iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j RETURN
> iptables -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j MARK --set-mark 3
> iptables -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j RETURN
> iptables -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 3
> iptables -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j RETURN
>
> # All other packets get low priority
> iptables -t mangle -A PREROUTING -j MARK --set-mark 4
>
> # Tor the lowest
> iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9090 -j MARK --set-mark 5
> iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9090 -j RETURN
> iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9091 -j MARK --set-mark 5
> iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 9091 -j RETURN
>
> #################################################################################################
> # Packets originating from localhost - rule order does matter !
> # Use --dport if you connect TO that port on a server on the internet
> # Use --sport to mark packets emanating from this computer at specified port (for services
> # running on this computer).
> #
> # Example :
> # If I connect to a remote computer with SSH, the DESTINATION port will be port 22
> # The packets that leave this computer have source port xxx and destination port 22
> #
> # If someone connects to this computer with SSH the SOURCE port will be 22
> # The packets that leave this computer will have source port 22 and destination port xxxx
> # (it is the opposite way isn't it ?)
> # priority hosts
> #iptables -t mangle -A OUTPUT -d 192.168.0.2/32 -j MARK --set-mark 1
> #iptables -t mangle -A OUTPUT -d 192.168.0.2/32 -j RETURN
> # (replace my_isp1_dns / my_isp2_dns with the resolver addresses; each host needs its own MARK and RETURN pair)
> iptables -t mangle -A OUTPUT -d my_isp1_dns/32 -j MARK --set-mark 1
> iptables -t mangle -A OUTPUT -d my_isp1_dns/32 -j RETURN
> iptables -t mangle -A OUTPUT -d my_isp2_dns/32 -j MARK --set-mark 1
> iptables -t mangle -A OUTPUT -d my_isp2_dns/32 -j RETURN
> iptables -t mangle -A OUTPUT -d 87.37.17.11/32 -j MARK --set-mark 1
> iptables -t mangle -A OUTPUT -d 87.37.17.11/32 -j RETURN
>
> # SYN packets
> iptables -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 2
> iptables -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
>
> # ICMP packets
> iptables -t mangle -A OUTPUT -p icmp -j MARK --set-mark 3
> iptables -t mangle -A OUTPUT -p icmp -j RETURN    
>
> # HTTP packets
> iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -j MARK --set-mark 2
> iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -j RETURN
> iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 443 -j MARK --set-mark 2
> iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 443 -j RETURN
>
> # POP and SMTP packets
> iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 25 -j MARK --set-mark 2
> iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 25 -j RETURN
> iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 995 -j MARK --set-mark 2
> iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 995 -j RETURN
>
> # TOS rules
> iptables -t mangle -A OUTPUT -m tos --tos Minimize-Delay -j MARK --set-mark 2
> iptables -t mangle -A OUTPUT -m tos --tos Minimize-Delay -j RETURN
> iptables -t mangle -A OUTPUT -m tos --tos Minimize-Cost -j MARK --set-mark 3
> iptables -t mangle -A OUTPUT -m tos --tos Minimize-Cost -j RETURN
> iptables -t mangle -A OUTPUT -m tos --tos Maximize-Throughput -j MARK --set-mark 3
> iptables -t mangle -A OUTPUT -m tos --tos Maximize-Throughput -j RETURN
>
> # packets owned by a specific UID
> iptables -t mangle -A OUTPUT -p tcp -m owner --uid-owner 1000 -j MARK --set-mark 1
> iptables -t mangle -A OUTPUT -p tcp -m owner --uid-owner 1000 -j RETURN
>
> # All other packets (Tor etc.)
> iptables -t mangle -A OUTPUT -j MARK --set-mark 5
>
>
> if [ "$DOWNLINK_THROTTLE" = "N" ]
> then
>     exit
> fi
>
> ########## downlink #############
> # slow downloads down to somewhat less than the real speed  to prevent
> # queuing at our ISP. Tune to see how high you can set it.
> # ISPs tend to have *huge* queues to make sure big downloads are fast
> #
> # attach ingress policer:
>
> tc qdisc add dev $INET_DEV handle ffff: ingress
>
> # filter *everything* to it (0.0.0.0/0), drop everything that's
> # coming in too fast:
>
> tc filter add dev $INET_DEV parent ffff: protocol ip prio 50 u32 match ip src \
>    0.0.0.0/0 police rate ${DOWNLINK_SPEED}kbit burst 10k drop flowid :1
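Because the MARK/RETURN ordering in the script decides which HTB class a packet ends up in, here is an added Python model (not from the original post, Tor, or iptables) that walks a reduced copy of the PREROUTING chain with the same semantics: MARK sets the fwmark and keeps going, RETURN stops. The hosts, ports and packets are constructed samples, and Tor's ORPort is assumed to be 9090 as in the script.

```python
# Added example, not part of the original post: a small model of how the mangle
# PREROUTING chain in the script assigns fwmarks. MARK is non-terminating (the
# packet keeps walking the chain) while RETURN ends evaluation, so rule order
# decides the HTB class. The hosts, ports and packets are constructed samples.
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    dst: str            # destination address
    dport: int          # destination port
    syn: bool = False   # True for a bare SYN (SYN set, ACK and RST clear)

def syn(p):
    return p.proto == "tcp" and p.syn

def dport(port):
    return lambda p: p.proto == "tcp" and p.dport == port

def dst(host):
    return lambda p: p.dst == host

# Same order as the script: priority host, SYN, mail, HTTP, catch-all, then Tor.
# Each entry is (match, action, mark); RETURN carries no mark.
PREROUTING = [
    (dst("192.168.1.4"), "MARK", 1), (dst("192.168.1.4"), "RETURN", None),
    (syn, "MARK", 2),                (syn, "RETURN", None),
    (dport(25), "MARK", 2),          (dport(25), "RETURN", None),
    (dport(80), "MARK", 2),          (dport(80), "RETURN", None),
    (lambda p: True, "MARK", 4),     # catch-all MARK with no RETURN: chain goes on
    (dport(9090), "MARK", 5),        (dport(9090), "RETURN", None),
]

# fwmark -> HTB class, as selected by the 'fw' filters in the script.
MARK_TO_CLASS = {1: "1:10", 2: "1:11", 3: "1:12", 4: "1:13", 5: "1:14"}

def classify(chain, pkt):
    """Walk the chain the way the mangle table does and return the final fwmark."""
    mark = 0
    for match, action, value in chain:
        if not match(pkt):
            continue
        if action == "MARK":
            mark = value
        elif action == "RETURN":
            return mark
    return mark

def htb_class(pkt):
    """HTB class a packet lands in after the PREROUTING chain above."""
    return MARK_TO_CLASS[classify(PREROUTING, pkt)]
```

Note the consequence of the ordering: a Tor SYN matches the SYN rule first and returns with mark 2 (class 1:11), while an established Tor packet walks past the catch-all to the final Tor rule and lands in 1:14.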

More information about the tor-talk mailing list