
Re: throttling an internal IP's upstream bandwidth

To: netfilter@lists.netfilter.org
Subject: Re: throttling an internal IP's upstream bandwidth
From: Pedro Abreu <pedro.abreu@anubisnetworks.com>
Date: Mon, 19 Feb 2007 13:04:05 +0000
In-reply-to: <45D858AD.5060501@rtij.nl>
Organization: AnubisNetworks
References: <Pine.LNX.4.64.0702091134220.18820@novak.ethosuk.org.uk> <45D83C7C.6000501@rtij.nl> <Pine.LNX.4.64.0702181232550.32641@novak.ethosuk.org.uk> <45D858AD.5060501@rtij.nl>
Reply-to: pedro.abreu@anubisnetworks.com
On Sun, 2007-02-18 at 14:46 +0100, Martijn Lievaart wrote:
> Scott van Looy wrote:
> > Today Martijn Lievaart did spake thusly:
> >
> >> Scott van Looy wrote:
> >>>
> >>> I'm on DSL, I only have small upstream and big downstream. 
> >>> Everything goes through a 1:1 NAT iptables firewall - so internal 
> >>> IPs are directly mapped to an external IP. I want to throttle the 
> >>> internal upstream bandwidth so the internal machines can't upload at 
> >>> more than 25k/s as the maxing out of the upstream is killing the 
> >>> much faster downstream...is there a way to do this using iptables?
> >>>
> >>
> >> Google for wondershaper.
> >
> > I use wondershaper, it doesn't let me throttle on a per machine basis 
> > tho - I want the firewall to only allow a max of 25k out for each of 
> > my internal machines
> >
> 
> Ah, then you have to do some work yourself. The answer is most probably 
> tc, not netfilter. If you don't have a lot of internal machines, you can 
> add a filter/qdisc for all of them but for large amounts of internal 
> machines (or with dhcp), this gets unwieldy.
> 
> However, wondershaper should do what you ultimately want, shape traffic 
> so uploads don't disturb downloads. It works for me.
> 
> M4
> 
> 

I use tc filter to distribute traffic between classes:

## ssh (mask 0xffff = match the destination port exactly)
tc filter add dev $DEV protocol ip parent 1:0 prio 10 u32 \
      match ip dport 22 0xffff flowid 1:10
## dns ("ip dport" reads bytes 22-23 of the packet, so this catches UDP and TCP 53)
tc filter add dev $DEV protocol ip parent 1:0 prio 11 u32 \
      match ip dport 53 0xffff flowid 1:10
## pings (IP protocol 1 = ICMP)
tc filter add dev $DEV parent 1:0 protocol ip prio 12 u32 \
      match ip protocol 1 0xff flowid 1:10
## small packets (<64 bytes): TCP, 20-byte IP header (IHL=5), total length < 64
tc filter add dev $DEV parent 1: protocol ip prio 13 u32 \
      match ip protocol 6 0xff \
      match u8 0x05 0x0f at 0 \
      match u16 0x0000 0xffc0 at 2 \
      flowid 1:10

The easiest way should be to create a class for each machine and then tc
filter based on ip... alternatively it should be possible to mark
packets with iptables then match different marks with tc filter.


-- 

Pedro Abreu
AnubisNetworks
Rua Alexander Fleming, 5B
1600-054 Lisboa, Portugal
Tel. : +351 21 7252110
Mobile : +351 91 9302990
Fax : +351 21 7252119
pedro.abreu@anubisnetworks.com
http://www.anubisnetworks.com
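The per-machine variant suggested above, as an added example that is not code from the thread: one HTB leaf class per internal host capped at 25 kB/s (200 kbit/s), packets marked in mangle FORWARD (before the 1:1 NAT rewrites the source address in POSTROUTING) and steered into their class by tc "fw" filters. The interface name, uplink rate and host addresses are assumptions; with the default DRY_RUN=1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread). Per-host upstream cap with HTB + fw marks.
# Assumptions: DEV is the external (DSL) interface, UPLINK_KBIT the upstream
# rate, HOSTS the internal machines behind the 1:1 NAT. DRY_RUN=1 only prints.
DEV="${DEV:-eth0}"
UPLINK_KBIT=512
PER_HOST_KBIT=200                 # 25 kB/s * 8 bits
HOSTS="192.168.1.10 192.168.1.11 192.168.1.12"
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Stable per-host id from the last octet: 192.168.1.10 -> mark 10, class 1:10.
# (tc reads class minor ids as hex, so 1:10 is really 0x10, but the classid and
# the flowid use the same string, so they stay consistent.)
host_id() { echo "${1##*.}"; }

root_qdisc() {
  run tc qdisc del dev "$DEV" root 2>/dev/null || true
  run tc qdisc add dev "$DEV" root handle 1: htb default 2
  run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "${UPLINK_KBIT}kbit"
  # Catch-all leaf for unmarked traffic (e.g. the firewall's own packets).
  run tc class add dev "$DEV" parent 1:1 classid 1:2 htb \
      rate 64kbit ceil "${UPLINK_KBIT}kbit"
}

# One leaf class per host; ceil == rate, so a host can never borrow above 25 kB/s.
# The mark is set in FORWARD, where the source is still the internal IP;
# on the egress qdisc of $DEV it would already be the NATed external one.
host_class() {
  id=$(host_id "$1")
  run tc class add dev "$DEV" parent 1:1 classid "1:$id" htb \
      rate "${PER_HOST_KBIT}kbit" ceil "${PER_HOST_KBIT}kbit"
  run tc filter add dev "$DEV" parent 1: protocol ip prio 1 handle "$id" fw flowid "1:$id"
  run iptables -t mangle -A FORWARD -s "$1" -o "$DEV" -j MARK --set-mark "$id"
}

setup() {
  root_qdisc
  for h in $HOSTS; do host_class "$h"; done
}

setup   # prints the commands; run with DRY_RUN=0 as root to apply them
```

Unmarked traffic lands in class 1:2, so the firewall's own uploads share the remaining uplink instead of being dropped by an unreachable default class.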
