> What I would like to do instead is allow the user to use any protocol
> they like, with the caveat that attempting to open many connections
> simultaneously will result in a steadily decreasing share of the pipe,
> rather than a steadily increasing one.
I solved this in a similar but slightly different way. I use connlimit
to monitor for when a user has 5 or more connections on ports above
1024. When they have, they are dropped into an ipset; all their traffic
is then monitored and any traffic on ports above 1024 is dropped to a
very low priority.
This has the advantage that web browsing they do is unaffected. Also,
it's slightly safer than your proposed method - I have seen instances
when just normal surfing of the web can create 5 connections or more.
Something like this (eth0 is the user's network):
# Flag a user (source IP on eth0) whose count of TCP connections to ports
# 1024 and up is above 5 (--connlimit-above) by adding them to the "p2p" ipset.
iptables -t mangle -A PREROUTING -p tcp -i eth0 --dport 1024: \
  -m connlimit --connlimit-above 5 -j SET --add-set p2p src

# Traffic towards a flagged user coming from a high source port: mark 60.
iptables -t mangle -A FORWARD -o eth0 -p tcp -m multiport --sport 1024:65535 \
  -m set --set p2p dst -j MARK --set-mark 60

# Traffic from a flagged user going to a high destination port: mark 60.
iptables -t mangle -A FORWARD -i eth0 -p tcp -m multiport --dport 1024:65535 \
  -m set --set p2p src -j MARK --set-mark 60
You'll have to compile your kernel with ipset and connlimit support.
Andy Beverley
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
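The following is an added example, not code from Andy's post or from LARTC: it writes out the whole connlimit + ipset + fwmark scheme described above, together with the two parts the post leaves implicit, namely creating the ipset (here with a timeout, since the post's rules only ever add users to the set and never remove them) and the tc side that actually gives mark 60 a low priority. The interface names (eth0 for users, eth1 upstream), the rates, the 600 second timeout and the show/apply dispatch are assumptions for illustration; `--match-set` is the current spelling of the post's `-m set --set` option.

```shell
#!/bin/sh
# Added example, not code from the post above: the complete version of the
# connlimit + ipset + fwmark scheme, including the two pieces the post leaves
# implicit (creating the ipset, and the tc side that actually demotes mark 60).
# Interface names, rates, the 600 s timeout and the show/apply dispatch are
# assumptions for illustration.
set -e

LAN_IF="${LAN_IF:-eth0}"    # user-facing interface, as in the post
WAN_IF="${WAN_IF:-eth1}"    # upstream interface (assumed name)
SET_NAME="p2p"              # ipset name from the post
MARK=60                     # fwmark from the post
CONN_LIMIT=5                # rule matches when a user has MORE than this many connections
SET_TIMEOUT=600             # seconds before a quiet user drops out of the set (assumption)
LINK_RATE="10mbit"          # assumed link figures; tune to the real uplink
NORMAL_RATE="9mbit"
P2P_RATE="1mbit"
DRY_RUN="${DRY_RUN:-0}"

# run CMD ARGS...: execute the command, or print it when DRY_RUN=1 so the
# generated rule set can be reviewed before touching a live router.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The set must exist before iptables will accept rules that reference it.
# "timeout" gives every entry an expiry; without it, a user who opened many
# connections once stays demoted until the set is flushed by hand.
create_set() {
    run ipset create "$SET_NAME" hash:ip timeout "$SET_TIMEOUT" -exist
}

# The three mangle rules from the post. "--exist" on the SET target refreshes
# the entry's timeout each time the limit trips, so only sustained heavy use
# keeps a user flagged.
add_iptables_rules() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 1024: \
        -m connlimit --connlimit-above "$CONN_LIMIT" \
        -j SET --add-set "$SET_NAME" src --exist
    # Downloads to a flagged user (remote high port -> user)
    run iptables -t mangle -A FORWARD -o "$LAN_IF" -p tcp --sport 1024:65535 \
        -m set --match-set "$SET_NAME" dst -j MARK --set-mark "$MARK"
    # Uploads from a flagged user (user -> remote high port)
    run iptables -t mangle -A FORWARD -i "$LAN_IF" -p tcp --dport 1024:65535 \
        -m set --match-set "$SET_NAME" src -j MARK --set-mark "$MARK"
}

# HTB tree on one interface: unmarked traffic lands in 1:10 by default, mark 60
# is steered by the fw classifier into 1:60, which gets a small guaranteed rate
# and the lowest priority but may borrow up to the link rate when idle.
# A mark set in the mangle table only has an effect at egress, so the same tree
# is installed on both the LAN side (downloads) and the WAN side (uploads).
add_tc_shaping() {
    dev="$1"
    run tc qdisc replace dev "$dev" root handle 1: htb default 10
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$LINK_RATE" ceil "$LINK_RATE"
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "$NORMAL_RATE" ceil "$LINK_RATE" prio 0
    run tc class add dev "$dev" parent 1:1 classid 1:60 htb rate "$P2P_RATE" ceil "$LINK_RATE" prio 7
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 handle "$MARK" fw flowid 1:60
}

setup() {
    create_set
    add_iptables_rules
    add_tc_shaping "$LAN_IF"
    add_tc_shaping "$WAN_IF"
}

# Usage: ./p2p-demote.sh show   (print the rule set)
#        ./p2p-demote.sh apply  (install it; needs root, ipset, iptables, tc)
case "${1:-}" in
    show)  DRY_RUN=1; setup ;;
    apply) setup ;;
esac
```

Run it with `show` first and read the generated commands; `apply` needs root and a kernel with ipset, connlimit and HTB support (the post's remark about kernel options still holds). Note that `--connlimit-above 5` fires on the sixth concurrent connection, so a user is flagged when they have more than five, not five or more.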