From: Pedro Abreu <pedro.abreu@anubisnetworks.com>
To: netfilter@lists.netfilter.org
Subject: Re: throttling an internal IP's upstream bandwidth
Date: Mon, 19 Feb 2007 13:04:05 +0000
Message-ID: <1171890245.5374.19.camel@localhost.localdomain>
In-Reply-To: <45D858AD.5060501@rtij.nl>

On Sun, 2007-02-18 at 14:46 +0100, Martijn Lievaart wrote:
> Scott van Looy wrote:
> > Today Martijn Lievaart did spake thusly:
> >
> >> Scott van Looy wrote:
> >>>
> >>> I'm on DSL, I only have small upstream and big downstream. 
> >>> Everything goes through a 1:1 NAT iptables firewall - so internal 
> >>> IPs are directly mapped to an external IP. I want to throttle the 
> >>> internal upstream bandwidth so the internal machines can't upload at 
> >>> more than 25k/s as the maxing out of the upstream is killing the 
> >>> much faster downstream...is there a way to do this using iptables?
> >>>
> >>
> >> Google for wondershaper.
> >
> > I use wondershaper, it doesn't let me throttle on a per machine basis 
> > tho - I want the firewall to only allow a max of 25k out for each of 
> > my internal machines
> >
> 
> Ah, then you have to do some work yourself. The answer is most probably 
> tc, not netfilter. If you don't have a lot of internal machines, you can 
> add a filter/qdisc for all of them but for large amounts of internal 
> machines (or with dhcp), this gets unwieldy.
> 
> However, wondershaper should do what you ultimately want, shape traffic 
> so uploads don't disturb downloads. It works for me.
> 
> M4
> 
> 

I use tc filter to distribute traffic between classes:

## ssh
tc filter add dev $DEV protocol ip parent 1:0 prio 10 u32\
      match ip dport 22 0xfffe flowid 1:10
## dns
tc filter add dev $DEV protocol ip parent 1:0 prio 11 u32\
      match ip dport 53 0xfffe flowid 1:10
## pings
tc filter add dev $DEV parent 1:0 protocol ip prio 12 u32 \
      match ip protocol 1 0xff flowid 1:10
## small packets (<64 bytes)
tc filter add dev $DEV parent 1: protocol ip prio 13 u32 \
      match ip protocol 6 0xff \
      match u8 0x05 0x0f at 0 \
      match u16 0x0000 0xffc0 at 2 \
      flowid 1:10

The easiest way should be to create a class for each machine and then tc
filter based on ip... alternatively it should be possible to mark
packets with iptables then match different marks with tc filter.


-- 

Pedro Abreu
AnubisNetworks
Rua Alexander Fleming, 5B
1600-054 Lisboa, Portugal
Tel. : +351 21 7252110
Mobile : +351 91 9302990
Fax : +351 21 7252119
pedro.abreu@anubisnetworks.com
http://www.anubisnetworks.com
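
Added example (not part of the original message, and not code from any project): a generator for the second approach described above, marking each host's packets with iptables and matching the mark with a tc fw filter. With the 1:1 NAT from the question, the source address is already rewritten when a packet reaches the egress qdisc, so the mark is set in mangle FORWARD; the HTB layout, the mark range starting at 0x20, eth0, 512kbit and the host addresses are assumptions.

```shell
#!/bin/sh
# gen_shaper DEV LINK_RATE HOST_RATE HOST...
# Prints (does not run) the commands for a per-host upload cap, so the
# rule set can be reviewed before it is applied.
gen_shaper() {
    dev=$1 link=$2 cap=$3
    shift 3
    echo "tc qdisc add dev $dev root handle 1: htb default 10"
    echo "tc class add dev $dev parent 1: classid 1:1 htb rate $link"
    # 1:10 is the class the ssh/dns/ping/small-packet filters in the
    # message point at; unclassified traffic also lands here (default 10).
    echo "tc class add dev $dev parent 1:1 classid 1:10 htb rate $cap ceil $link"
    id=32    # assumed first mark (0x20); tc class minor ids are hexadecimal
    for ip in "$@"; do
        # The output is meant to be fed to a shell: accept only digits and dots.
        case $ip in
            ''|*[!0-9.]*) echo "skipped invalid address: $ip" >&2; continue ;;
        esac
        hex=$(printf '%x' "$id")
        # Mark before SNAT rewrites the source address (mangle FORWARD).
        echo "iptables -t mangle -A FORWARD -s $ip -o $dev -j MARK --set-mark 0x$hex"
        # rate == ceil: the host can never borrow above its cap.
        echo "tc class add dev $dev parent 1:1 classid 1:$hex htb rate $cap ceil $cap"
        # prio 20 sorts after the prio 10-13 filters from the message.
        echo "tc filter add dev $dev parent 1: protocol ip prio 20 handle 0x$hex fw flowid 1:$hex"
        id=$((id + 1))
    done
}

# Constructed sample values. In tc, "kbps" means kilobytes per second.
gen_shaper eth0 512kbit 25kbps 192.168.1.10 192.168.1.11
```

Review the printed commands, then pipe them to sh as root to apply them.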
