QoS-Applied

Introduction
This article describes an implementation of QoS based on HTB. For a more general overview see QoS.

Kernel
Compile your kernel, install and boot it.

Kernel 2.4
First get the latest 2.4 or 2.6 kernel and put it into /usr/src. Then make the link /usr/src/linux point to it.

Next, for a 2.4 kernel you must get the POM patches from http://netfilter.org/ and patch the kernel. The password is: cvs. (Access via cvs doesn't work at the moment...)

cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic login
cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic co netfilter/userspace netfilter/patch-o-matic
./netfilter/patch-o-matic/runme extra

When patching is done, you must enable some options in your kernel. If the options don't exist, run the POM patch once again.

Kernel 2.6
The settings are arranged a bit differently. Here's how to enable them:

Iptables
It should come as no surprise that you need iptables: emerge -av net-firewall/iptables. We will use iptables to mark packets for shaping later on. However, we first should set up a basic NAT router. This setup is not secure at all; it is merely an example showing how to set up NAT:

Setting up NAT
Again, you really should not be using the above script. It is included only for completeness. You should probably read Linux 2.4 Stateful Firewall design (good for 2.6 kernels too) to aid you in creating a properly secured firewall. Shorewall is a package that configures iptables for you, and you should use that (or something like it) if you don't want to get knee-deep in iptables syntax.

Setting up marking of packets
Next are the iptables rules used to mark packets with a certain priority:

Explanation and notes
 * -t mangle: We want to mangle (change) packets, by marking them.
 * -A FORWARD/OUTPUT: The rule chains the packets are travelling through. In OUTPUT are packets coming out of this machine, and in FORWARD are packets that we are forwarding for other machines.
 * -p icmp: icmp packets only (same for tcp etc.)
 * -p ! tcp: packets that aren't tcp. Note that icmp isn't tcp, yet we match it separately. This is unneeded, but improves readability.
 * --dport 22: Match (tcp, obviously) packets going to port 22 (destination port)
 * -j MARK --set-mark $MARKPRIO1: -j indicates the action we want to take, and --set-mark tells iptables what to mark the packet with
 * -m tos --tos ... : Match on the TOS field of the packet
 * -m mark --mark 0: Match packets that haven't been marked yet
 * The bittorrent example included will probably not work as intended. Besides hardcoding the interface (eth0), probably to make sure that incoming traffic is not marked, it's important to note that bittorrent does not always use ports 6881-6889. See layer7 and ipp2p later on for better ways to solve this issue.

Alternate method: CLASSIFY target

Instead of using the MARK target in the FORWARD or OUTPUT chains, you can use the CLASSIFY target in the POSTROUTING chain. The following is an example of classifying outgoing ssh traffic (port 22) to HTB class 1:101 (high priority, as you will see later in this howto):

iptables -t mangle -A POSTROUTING -p tcp --sport 22 -j CLASSIFY --set-class 1:101

HTB/SFQ
To set up HTB you need iproute2: emerge -av sys-apps/iproute2.

Actually, you need the programme tc, which is included in the iproute2 package.

Run this script to create the four qdiscs and set them up. It creates the HTB/SFQ and ingress policies. It works well on my home (Comcast cable) connection and currently only limits egress/upload traffic.
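To show how the marking rules from the previous section and the HTB/SFQ setup fit together, here is an added example (not the wiki's own script): iptables sets marks in the mangle table, and tc's fw classifier steers each mark into an HTB class with an SFQ leaf. The interface eth0, the 800kbit uplink, the per-class rates and the mark values are assumed, constructed values; adjust them to your link.

```shell
#!/bin/sh
# Added example, not the wiki's own script: an egress HTB/SFQ shaper whose
# classes are selected by the fwmarks set in the mangle table.
# Assumed, constructed values: eth0 as the upstream interface, an 800kbit
# uplink, mark 1 for interactive traffic (ssh, icmp), mark 2 for bulk.
DEV=${DEV:-eth0}
UPLINK=${UPLINK:-800kbit}
MARKPRIO1=1
MARKPRIO2=2
TC=${TC:-tc}              # set TC=echo IPT=echo to preview the commands
IPT=${IPT:-iptables}

build_shaper() {
    # Start from a clean root; the delete fails harmlessly on a fresh device.
    $TC qdisc del dev "$DEV" root 2>/dev/null
    # Root HTB: anything without a matching filter lands in bulk class 1:102.
    $TC qdisc add dev "$DEV" root handle 1: htb default 102
    $TC class add dev "$DEV" parent 1: classid 1:1 htb rate "$UPLINK" ceil "$UPLINK"
    # Guaranteed rates add up to the uplink; both classes may borrow up to ceil.
    $TC class add dev "$DEV" parent 1:1 classid 1:101 htb rate 300kbit ceil "$UPLINK" prio 0
    $TC class add dev "$DEV" parent 1:1 classid 1:102 htb rate 500kbit ceil "$UPLINK" prio 1
    # SFQ on each leaf so a single flow cannot monopolise its class.
    $TC qdisc add dev "$DEV" parent 1:101 handle 101: sfq perturb 10
    $TC qdisc add dev "$DEV" parent 1:102 handle 102: sfq perturb 10
    # The fw classifier matches on the packet mark: mark 1 -> 1:101, mark 2 -> 1:102.
    $TC filter add dev "$DEV" parent 1: protocol ip prio 1 handle "$MARKPRIO1" fw flowid 1:101
    $TC filter add dev "$DEV" parent 1: protocol ip prio 2 handle "$MARKPRIO2" fw flowid 1:102
}

mark_packets() {
    # Only touch packets nothing else has marked yet (-m mark --mark 0), in
    # both OUTPUT (this host) and FORWARD (hosts we route for).
    for chain in OUTPUT FORWARD; do
        $IPT -t mangle -A "$chain" -p icmp -m mark --mark 0 -j MARK --set-mark "$MARKPRIO1"
        $IPT -t mangle -A "$chain" -p tcp --dport 22 -m mark --mark 0 -j MARK --set-mark "$MARKPRIO1"
        $IPT -t mangle -A "$chain" -m mark --mark 0 -j MARK --set-mark "$MARKPRIO2"
    done
}

# Install the rules only when asked to (needs root); sourcing the file just
# defines the functions.
if [ "${APPLY:-0}" = 1 ]; then
    build_shaper
    mark_packets
fi
```

Run it as root with APPLY=1 to install the shaper, or with TC=echo IPT=echo APPLY=1 to print the commands first; tc -s class show dev eth0 then shows which class each marked flow actually lands in.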

L7-filter
L7-filter attempts to be a more general classifier than ipp2p. See L7-filter for more information.