From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Edmund Turner" Date: Tue, 04 Nov 2003 03:54:34 +0000 Subject: RE: [LARTC] New member Message-Id: List-Id: References: In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable To: lartc@vger.kernel.org Cillie, take this setup for example: Web server IP =3D 192.168.1.2 1MB access to the internet. Etho -LAN Eth2 - External --1MB access to the internet. tc qdisc add dev eth2 root handle 3: htb default 10 tc class add dev eth2 parent 3: classid 3:1 htb rate 1mbit tc class add dev eth2 parent 3:1 classid 3:12 htb rate 400kbit ceil 400kbit prio 4 tc filter add dev eth2 parent 3:0 protocol ip prio 4 u32 match ip src 192.168.1.2 classid 3:12 I manage to limit all outbound traffic from 192.168.1.2 by putting a filter for the src address of the web server on the external NIC. This seems to work for me. Regards edmund -----Original Message----- From: ph4ke [mailto:deff@sadomain.co.za]=20 Sent: Monday, November 03, 2003 9:14 PM To: eturner@monash.edu.my Cc: lartc@mailman.ds9a.nl Subject: Re: [LARTC] New member Hi Edmund=20 OK, sorry 'bout that.=20 Say for example that I have a webserver and I only want that thing to push=20 512kbit out. The only way that I see that I would be able to limit this kind=20 of outbound traffic with the tc classifier is if I knew which ip's will be=20 visiting web-pages. If this was the situation I would be able to have a long=20 list of rules that all look something like=20 .. u32 match ip src xxx.xxx.xxx.xx flowid 1:1=20 or something=20 Unfortunately there is about a few million possible ipv4 addresses that can=20 access the box if they really felt like it.=20 This could problem could possibly be solved by having a rule like this : .. u32 match ip sport 80 match ip src (webserver) flowid whatever But the real problem lies in limiting ftp, since ftp (at least the way i thought it works. could be wrong. probably am)=20 just does the whole auth section on sport 20/21 and=20 the data transfer actually take place on a random 1024+ source port=20 and a random 1024+ destination port.=20 This would be perfectly solved with iptables marking because one=20 should be able to do something like=20 =09 --append PREROUTING -m state --state ESTABLISHED, RELATED --jump MARK=20 --set mark 1 { please excuse the line wrapping }=20 thanks a lot for your time=20 cilli=E8=20 On Monday 03 November 2003 10:35, you wrote: > Cillie, > I might be missing something here, but I do use this filter setup for > limiting outbound http and ftp traffic. > > > Regards > edmund _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/