Scribd Logo
Upload

Welcome to Scribd!

  • 05 Roteamento Avancado Linux

    Uploaded by

    LampZOS
    15 views30 pages

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    15 views30 pages

    05 Roteamento Avancado Linux

    Uploaded by

    LampZOS

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 30

    17 REUNIO GTER Roteamento avanado Controle de banda

    Roteamento avanado e controle de banda em Linux


    Hlio Loureiro
    <helio@loureiro.eng.br>

    Sumrio

    17 REUNIO GTER Roteamento avanado Controle de banda

    Roteamento avanado

    Sintaxe Exemplo

    Controle de banda Sintaxe Exemplo

    NOTA: os exemplos so baseados na distribuio Debian mas funcionam similarmente em todas as demais.

    Cenrio tpico

    17 REUNIO GTER Roteamento avanado Controle de banda

    Internet

    ADSL Router

    Firewall

    Usurios (NAT)

    Servidores

    usca de informa!es

    17 REUNIO GTER Roteamento avanado Controle de banda

    "policy routing" <O.S.>


    Linux - iptables/ipchains/iproute - !"#$# lin%s Free&S' - ip(w/ip(w /ip(ilter - " )# lin%s *pen&S' - ip(ilter/p( - +",$# lin%s Solaris - ip(ilter - "#,! lin%s -et&S' - ip(ilter - +"$ # lin%s SC* ./nixware0 - 1 - +",,# lin%s 2indows - 1 - 3" ## lin%s

    O ter o !"oli#$ routing% & utili'(ndo e rote(dores) en*u(nto *ue !sour#e routing% e Linu+,-SD%.

    Source routin" #inux$ SD #inux


    17 REUNIO GTER Roteamento avanado Controle de banda

    iptables - sintaxe muito (lex4vel .complexa0 iptables - di(4cil padroni5a6o para cria6o script iproute - (7cil con(i8ura6o para roteamento iproute - est7vel9

    Open SD

    p( - sintaxe simples .&S'0 p( - roteamento atravs dele p( - recm lanado na vers6o $"#

    17 REUNIO GTER Roteamento avanado Controle de banda


    block in log all scrub in all pass out all keep state pass out inet proto tcp from any to any keep state pass in quick on $EXT proto tcp from $HELIO to $FW \ port 22 flags S/SA keep state pass in quick proto udp from any to any port 53 keep state pass in on $EXT inet proto tcp from any to $SERVER \ port {25,80,110,143,443} flags S/SA modulate state pass in on $EXT proto udp from any port 53 to $FW keep state pass in on xl0 fastroute from 192.168.0.0/24 to $DMZ keep state pass in on xl0 fastroute from 192.168.0.0/24 to $EXTERNAL keep state

    pass in on xl0 route-to xl3:200.100.10.1 from \ 192.168.0.0/24 to any keep state

    Sistema tra%a%a...

    &reparando o 'ernel

    17 REUNIO GTER Roteamento avanado Controle de banda

    [*] Prompt for development and/or incomplete code/drivers --[*] TCP/IP Networking [*] Networking packet filtering (replaces ipchains) [*] Networking packet filtering debugging [*] Socket Filtering --[*] IP: advanced router [*] IP: policy routing [*] IP: use netfilter MARK value as routing key [*] IP: fast network address translation [*] IP: equal cost multipath [*] IP: use TOS value as routing key . dis"on/vel no 0ernel [*] IP: verbose route monitoring 1.2.13 ou su"erior [*] IP: large routing tables [*] IP: GRE tunnels over IP

    iproute(

    17 REUNIO GTER Roteamento avanado Controle de banda

    Solu45o desenvolvid( "(r( o 0ernel 1.2. Substitui os #o (ndos arp) ifconfig e route. Sint(+e se elh(nte 6 #li de rote(dores. 7er ite #ri(r regr(s de rote( ento. N5o inter(ge #o os #o (ndos leg(dos. In#lui o "rogr( ( de #ontrole de b(nd( (tc). Us( o siste ( de 8iltros e 8il(s.

    apt)"et install iproute

    ip lin'

    17 REUNIO GTER Roteamento avanado Controle de banda

    Us(do "(r( veri8i#(r e,ou #on8igur(r o endere4o 8/si#o (9A:) d(s inter8(#es de rede. A#eit( (s o"4;es show e set.
    router:~# ip link show 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast link/ether 00:04:75:7a:73:63 brd ff:ff:ff:ff:ff:ff 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast link/ether 00:04:75:7a:73:8e brd ff:ff:ff:ff:ff:ff 4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast link/ether 00:04:75:7a:73:31 brd ff:ff:ff:ff:ff:ff 5: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast link/ether 00:04:75:7a:73:a4 brd ff:ff:ff:ff:ff:ff

    qlen 100 qlen 100 qlen 100 qlen 100

    ip addr

    17 REUNIO GTER Roteamento avanado Controle de banda

    Us(do "(r( inter(gir #o (s inter8(#es de rede. A#eit( (s o"4;es list) add e del entre outr(s.
    router~# ip addr list 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100 link/ether 00:10:5a:9b:1e:fd brd ff:ff:ff:ff:ff:ff inet 192.168.254.200/24 brd 192.168.254.255 scope global eth0 router~# ip addr add 192.168.253.200/24 dev eth0 router~# ip addr list dev eth0 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:10:5a:9b:1e:fd brd ff:ff:ff:ff:ff:ff inet 192.168.254.200/24 brd 192.168.254.255 scope global eth0 inet 192.168.253.200/24 scope global eth0 router~# ifconfig eth0 eth0 Link encap:Ethernet HWaddr 00:10:5A:9B:1E:FD inet addr:192.168.254.200 Bcast:192.168.254.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

    ip route

    17 REUNIO GTER Roteamento avanado Controle de banda

    Us(do "(r( veri8i#(r e,ou #on8igur(r (s rot(s estti#(s d( rede. A#eit( (s o"4;es list, flush, add, e del entre outros.
    router:~# ip route list 200.1.2.0/26 dev eth2 proto kernel scope link src 200.1.2.20 200.100.10.0/26 dev eth3 proto kernel scope link src 200.100.10.56 10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.254 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.254 default via 200.1.2.1 dev eth2 router:~# ip route add nat 192.168.0.100 via 200.1.2.20

    $etc$iproute($rt*tables

    17 REUNIO GTER Roteamento avanado Controle de banda

    Ar*uivo onde (s t(bel(s (de regr(s) de rote( ento s5o de8inid(s. :(d( t(bel( & de8inid( "or seu n< ero identi8i#(dor e no e. A orden(45o v(i de 3 6 1== (1=> v(lores ? @ bits) e ( 8(i+( de 1=A 6 1== & reserv(d( 6s t(bel(s do siste ( (lo#(l) (in e de8(ult). U ( entr(d( n( (r*uivo (s se regr( de8inid( n5o & ("resent(d( no #o (ndo "ip rule list". 7(r( 8or4(r o 0ernel ( ler ( nov( entr(d() o #o (ndo "ip route flush cache" & ne#essrio.
    router ~# echo "200 dmznet" >> /etc/iproute2/rt_tables router ~# cat /etc/iproute2/rt_tables # reserved 255 local 254 main 253 default 0 unspec # local 1 inr.ruhep 200 dmznet

    ip rule

    17 REUNIO GTER Roteamento avanado Controle de banda

    Us(do "(r( #ri(r regr(s es"e#/8i#(s de rote( ento. B+iste (lgu (s t(bel(s ini#i(is *ue n5o "ode ser re ovid(sC local (loo"b(#0)) main e de(ault. :ri(Dse u ( ou (is t(bel(s "(r( o rote( ento deseE(do. No #(so ("resent(do) so ente ( t(bel( dm5net 8oi (di#ion(d() dei+(ndo todos os de (is dentro d( t(bel( main. A#eit( (s o"4;es list, add e del.
    router:~# ip 0: from 32762: from 32763: from 32764: from 32765: from 32766: from 32767: from rule list all lookup local 10.0.0.11 lookup dmznet 192.168.0.0/24 to 200.1.2.0/26 lookup dmznet 200.100.10.0/26 lookup dmznet 192.168.0.0/24 lookup dmznet all lookup main all lookup default

    Situao inicial +uma sada,

    17 REUNIO GTER Roteamento avanado Controle de banda

    Internet

    Router

    Usurios (NAT) Servidores

    Situao dese-ada

    17 REUNIO GTER Roteamento avanado Controle de banda

    Internet

    133.F33.F3.F Router 133.F.1.F

    F3.3.3.3,12 Usurios (NAT) FG1.F>@.3.3,12

    Servidores

    $etc$init.d$iproute
    #! ip ip ip ip ip ip ip ip ip ip ip ip ip ip ip ip /bin/sh route add rule add route add rule add addr add addr add addr add addr add addr add addr add addr add addr add rule add route add route add rule add

    17 REUNIO GTER Roteamento avanado Controle de banda

    default via 200.100.10.1 table dmznet from 192.168.0.0/24 table dmznet 192.168.0.0/24 via 192.168.0.254 table dmznet from 200.100.10.0/26 table dmznet 200.1.2.3/26 dev eth2 200.1.2.4/26 dev eth2 200.1.2.5/26 dev eth2 200.1.2.7/26 dev eth2 200.1.2.14/26 dev eth2 200.1.2.15/26 dev eth2 200.1.2.27/26 dev eth2 200.1.2.62/26 dev eth2 from 192.168.0.0/24 to 200.1.2.0/26 table dmznet 200.1.2.0/26 via 200.1.2.20 table dmznet 10.0.0.0/24 via 10.0.0.254 table dmznet from 10.0.0.11/32 table dmznet

    Alterando rotas

    17 REUNIO GTER Roteamento avanado Controle de banda

    #! /bin/sh case $1 in start|adsl) echo "Roteando Intranet pelo link ADSL" ip route del default via 200.1.2.1 table dmznet ip route add default via 200.100.10.1 table dmznet echo "Iniciando regras de firewall" /etc/init.d/firewall start ;; stop|frame-relay) echo "Roteando Intranet pelo link FR" ip route del default via 200.100.10.1 table dmznet ip route add default via 200.1.2.1 table dmznet echo "Desligando regras de firewall" /etc/init.d/firewall stop ;; restart) $0 stop $0 start ;; *) echo "Use: $0 {start|adsl|stop|frame-relay|restart}"

    alanceamento de car"a

    17 REUNIO GTER Roteamento avanado Controle de banda

    Internet

    133.F.1.F

    133.F33.F3.F

    Usurios (NAT) FG1.F>@.3.3,12

    Atribuindo peso .s rotas

    17 REUNIO GTER Roteamento avanado Controle de banda

    ip route add default scope global nexthop \ via 200.100.10.1 dev eth0 weight 1 \ nexthop via 200.1.2.1 dev eth1 weight 1

    T/nel 012

    17 REUNIO GTER Roteamento avanado Controle de banda

    Internet

    133.F.1.F

    133.F.1.13 133.F33.F3.13

    FG1.F>@.3.3,12 FG1.F>@.F33.3,12

    T/nel 012

    17 REUNIO GTER Roteamento avanado Controle de banda

    ip tunnel add netgre mode gre remote 200.100.10.20 \ local 200.1.2.20 ttl 255 ip link set netgre up ip addr add 10.0.1.1 dev netgre ip route add 192.168.100.0/24 dev netgre

    17 REUNIO GTER Roteamento avanado Controle de banda

    :ontrole de b(nd(

    Controle de banda

    17 REUNIO GTER Roteamento avanado Controle de banda

    Dois ti"os bsi#osC #l(ssless e #l(ss8ull. A bos 8('e reD"riori'(45o de "(#otes. 7er ite #on8igur(45o de "(rH etros #o oC latency, burst, rate, peakrate, etc. B ger(l 8un#ion( so ente n( inter8(#e egress Do siste ( (e+iste u ( #l(sse es"e#/8i#( "(r( ( Ingress). 7ode ser utili'(do "(r( d(r (ior "riorid(de "or host ou "or servi4o ou ( bos.

    Classless

    17 REUNIO GTER Roteamento avanado Controle de banda

    I(' #ontrole sobre inter8(#e inteir(. N5o "er ite subDdivis;es de #l(sse. :on8igur( o #o "ort( ento d( 8il( d( inter8(#e. B+C "8i8oJ8(st) T-I (To0en -u#0et Iilter) e SKI (Sto#h(sti# I(irness Kueueing).
    tc qdisc add dev ppp0 root tbf rate 220kbit

    Classfull

    17 REUNIO GTER Roteamento avanado Controle de banda

    Utili'( estrutur( de rvore. 7er ite #ri(45o de ti"os de tr8ego #o "or #l(sse (#l(ssless) ou "or 8ilho. 7er ite g(r(nti( de b(nd( /ni (. 7er ite #o "(rtilh( ento de b(nd(.
    FC FCF FCF3 F3C F3CF F3C1 FC13 13C

    li it(45o

    &reparando o 'ernel

    17 REUNIO GTER Roteamento avanado Controle de banda

    Networking options ---> QoS and/or fair queueing ---> [*] QoS and/or fair queueing <M> HTB packet scheduler <M> CBQ packet scheduler <M> CSZ packet scheduler <M> The simplest PRIO pseudoscheduler <M> RED queue <M> TEQL queue <M> TC index classifier <M> TBF queue <M> Routing table based classifier <M> GRED queue <M> Firewall based classifier <M> Diffserv field marker <M> U32 classifier <M> Ingress Qdisc <M> Special RSVP classifier [*] QoS support [*] Traffic policing (needed for [*] Rate estimator in/egress) [*] Packet classifier API

    3T 4

    17 REUNIO GTER Roteamento avanado Controle de banda

    Lier(r#hi#(l To0en -u#0et. :ontrole "re#iso (di8erente do :-K). :o "ort( ento se elh(nte (o ALTK (-SDs). Mer(l ente utili'( outr( dis#i"lin( de 8il(s dentro de su(s #l(sses 8ilhos.
    FCF3 #eil FC FC13 FCA3 burst r(te burst

    2xemplo

    17 REUNIO GTER Roteamento avanado Controle de banda

    tc qdisc add dev eth0 root handle 1: htb default 1000 tc class add dev eth0 parent 1: classid 1:1 htb \ rate 256 kbit ceil 256 kbit tc class add dev eth0 parent 1:1 classid 1:10 htb \ rate 56 kbit ceil 128 kbit burst 6k tc class add dev eth0 parent 1:1 classid 1:1000 htb \ rate 32 kbit ceil 56 kbit burst 6k tc qdisc add dev eth0 parent 1:10 handle 10: sfq pertub 10 tc qdisc add dev eth0 parent 1:1000 handle 1000: sfq \ pertub 10 tc filter add dev eth0 parent 1: protocol ip prio 1 \ u32 match ip src $IP flowid 1:1 tc filter add dev eth0 parent ffff: protocol ip prio 50 \ u32 match ip src $IP police rate 32 kbit burst 6k \ drop flowid :1

    iblio"rafia

    17 REUNIO GTER Roteamento avanado Controle de banda

    Note( ento (v(n4(do #o

    o Linu+O All(n Bdg(rd Silv(

    Ireit(s <(ll(n@#e8etb(.br>O NePs Mener(tionO -oleti bi estr(l sobre te#nologi( de redesO 2 de 8evereiro de 1331 Q volu e >) n< ero FOhtt"C,,PPP.rn".br,nePsgen,313F,rote( entoJlinu+.ht l

    Linu+ Adv(n#ed Nouting R Tr(88i# :ontrol LOSTOO


    -ert Lubert e outrosO Netherl(bs -T <bert.hubert@netherl(bs.nl>O htt"C,,l(rt#.org,hoPto,inde+.ht l

    I7 :o

    ,usr,sh(re,do#,i"routeD1.2.V,i"D#re8."s

    (nd Ne8eren#eO Ale+e$ N. Uu'netsovO

    A"radecimentos e per"untas5555

    17 REUNIO GTER Roteamento avanado Controle de banda

    FIM

    You might also like