Thank you, this is what I have so far...

Client 172.24.5.32 is downloading
ftp://download.fedora.redhat.com/pub/fedora/linux/core/2/i386/iso/FC2-i386-DVD.iso
(average speed is ~135 kB/s) via ncftp. On linux.box I run

linux.box> sh rc.throttleServer download.fedora.redhat.com 21

and the client's download rate continues to drop and decline; it basically works.

-----------------------------------------------------------------
cat rc.throttleServer

#!/bin/sh
# Date: Tue Oct 19 11:41:10 PDT 2004
CMDNAME=`basename $0`

if [ -z "$1" ]; then
    echo "no IPADDR"
    echo "Usage: $0 IPADDR PORT"
    exit 1
fi
if [ -z "$2" ]; then
    echo "no PORT"
    echo "Usage: $0 IPADDR PORT"
    exit 1
fi

IPTABLES=/sbin/iptables
DEV=eth0
SERVERIP=$1
SERVERPORT=$2:65535
LIMIT=1kbit
HANDLE=0x1
TC=/sbin/tc

###############################################################
# mark every TCP packet arriving on $DEV from $SERVERIP with a
# source port in $SERVERPORT (not only SYNs) with mark value $HANDLE
###############################################################
$IPTABLES --append PREROUTING --in-interface $DEV --table mangle \
    --protocol tcp --source $SERVERIP \
    --source-port $SERVERPORT --jump MARK --set-mark $HANDLE

############################################################
# install the ingress qdisc on the ingress interface
############################################################
$TC qdisc add dev $DEV handle ffff: ingress 2>/dev/null

############################################################
# police packets carrying mark $HANDLE on the ingress qdisc
############################################################
$TC filter add dev $DEV parent ffff: protocol ip prio 50 handle \
    $HANDLE fw police rate $LIMIT burst 1500 mtu 9k drop flowid :$HANDLE
--------------------------------------------------------------------------

details:

iptables -nL -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  209.132.176.20       0.0.0.0/0            tcp spts:21:65535 MARK set 0x1
MARK       tcp  --  209.132.176.220      0.0.0.0/0            tcp spts:21:65535 MARK set 0x1
MARK       tcp  --  209.132.176.221      0.0.0.0/0            tcp spts:21:65535 MARK set 0x1
MARK       tcp  --  66.187.224.20        0.0.0.0/0            tcp spts:21:65535 MARK set 0x1

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

tc -s qdisc
qdisc ingress ffff: dev eth0 ----------------
 Sent 44458 bytes 238 pkts (dropped 23, overlimits 0)

########################################################################

But with the newer, revised iptables syntax I do not seem to be marking properly, because tc never reports a 'dropped' packet, and it basically does not work...

sh rc.throttleS+C download.fedora.redhat.com 21 172.24.5.32

--------------------------------------------------------------------
cat rc.throttleS+C

#!/bin/sh
# Date: Wed Oct 20 15:32:53 PDT 2004
CMDNAME=`basename $0`

if [ -z "$1" ]; then
    echo "no SERVERIP"
    echo "Usage: $0 SERVERIP PORT LANCLIENT"
    exit 1
fi
if [ -z "$2" ]; then
    echo "no PORT"
    echo "Usage: $0 SERVERIP PORT LANCLIENT"
    exit 1
fi
if [ -z "$3" ]; then
    echo "no LANCLIENT"
    echo "Usage: $0 SERVERIP PORT LANCLIENT"
    exit 1
fi

IPTABLES=/sbin/iptables
DEV=eth0
SERVERIP=$1
SERVERPORT=$2:65535
LANCLIENT=$3
LIMIT=1kbit
HANDLE=0x1
HANDLE2=0x2
TC=/sbin/tc

###############################################################
# server -> client packets arriving on $DEV get mark $HANDLE,
# client -> server packets arriving on eth1 get mark $HANDLE2
###############################################################
$IPTABLES --append PREROUTING --in-interface $DEV --table mangle \
    --protocol tcp --source $SERVERIP \
    --source-port $SERVERPORT \
    --destination $LANCLIENT \
    --jump MARK --set-mark $HANDLE

$IPTABLES --append PREROUTING --in-interface eth1 --table mangle \
    --protocol tcp --destination $SERVERIP \
    --destination-port $SERVERPORT --source $LANCLIENT \
    --jump MARK --set-mark $HANDLE2

############################################################
# install the ingress qdisc on both interfaces
############################################################
$TC qdisc add dev $DEV handle ffff: ingress 2>/dev/null
$TC qdisc add dev eth1 handle ffff: ingress 2>/dev/null

############################################################
# police each direction by its own mark: the eth1 filter must
# select $HANDLE2, the mark actually set on eth1 ingress
############################################################
$TC filter add dev $DEV parent ffff: protocol ip prio 50 handle \
    $HANDLE fw police rate $LIMIT burst 1500 mtu 9k drop flowid :$HANDLE
$TC filter add dev eth1 parent ffff: protocol ip prio 50 handle \
    $HANDLE2 fw police rate $LIMIT burst 1500 mtu 9k drop flowid :$HANDLE2
---------------------------------------------------------------------

some details:

tc -s qdisc
qdisc ingress ffff: dev eth0 ----------------
 Sent 12955351 bytes 9145 pkts (dropped 0, overlimits 0)
qdisc ingress ffff: dev eth1 ----------------
 Sent 267129 bytes 6408 pkts (dropped 0, overlimits 0)

iptables -nL -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  209.132.176.220      172.24.5.32          tcp spts:21:65535 MARK set 0x1
MARK       tcp  --  209.132.176.221      172.24.5.32          tcp spts:21:65535 MARK set 0x1
MARK       tcp  --  66.187.224.20        172.24.5.32          tcp spts:21:65535 MARK set 0x1
MARK       tcp  --  209.132.176.20       172.24.5.32          tcp spts:21:65535 MARK set 0x1
MARK       tcp  --  172.24.5.32          209.132.176.221      tcp dpts:21:65535 MARK set 0x2
MARK       tcp  --  172.24.5.32          66.187.224.20        tcp dpts:21:65535 MARK set 0x2
MARK       tcp  --  172.24.5.32          209.132.176.20       tcp dpts:21:65535 MARK set 0x2
MARK       tcp  --  172.24.5.32          209.132.176.220      tcp dpts:21:65535 MARK set 0x2

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

#######################################################################
#######################################################################

I'm thinking of moving on to just the tc tbf commands... I seem to be having a bit of luck with that; I just need to figure out how to 'tc tbf' a specific IP address and not worry about the iptables mangle commands??

tc qdisc add dev eth0 root tbf rate 1bps latency 50ms burst 1540

--Karl

> Karl J Rink wrote:
>> I know this will be trivial for most, but I am having trouble with
>> getting my scenario to work correctly. I want to 'tag' and 'throttle'
>> the bandwidth to and from a particular client on my LAN side. Better
>> yet, I just want to throttle SMTP traffic, per se, for that IP.
>>
>>
>> ----lan----------eth1-[linux.box]-eth0----------internet
>>
>> I have used the technique provided by smueller@xxxxxxxxxx and his
>> limit.conn-0.2 perl script, which basically does the following:
>>
>> iptables --append PREROUTING --in-interface eth0 --table mangle \
>> --protocol tcp --source $SERVERIP \
>> --source-port $SERVERPORT --jump MARK --set-mark 0x1
>>
> Hi,
>
> I'm not yet very familiar with LARTC, but based on the iptables settings
> it will throttle the traffic for all clients, because you mark it so for
> tc. In words it means that before your box routes, it marks all traffic
> coming in on eth0 with the $SERVERPORT and $SERVERIP with 0x1, so that
> tc can handle it. But there is no dependency on a certain client as you
> want it to. So every client will get throttled. Perhaps try this; I
> don't know if it works:
>
> iptables --append PREROUTING --in-interface eth0 --table mangle \
> --protocol tcp --source $SERVERIP \
> --source-port $SERVERPORT --destination $LANCLIENT \
> --jump MARK --set-mark 0x1
>
> iptables --append PREROUTING --in-interface eth1 --table mangle \
> --protocol tcp --destination $SERVERIP \
> --destination-port $SERVERPORT --source $LANCLIENT \
> --jump MARK --set-mark 0x2
>
> MailKey: GUINNESS

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
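The following is an added example, not Karl's rc.throttle* scripts and not the reply quoted above. It throttles one LAN client per direction on the ----lan---eth1-[linux.box]-eth0---internet layout without policing on ingress. The reason for the layout: if linux.box also masquerades the LAN (the thread does not say whether it does), mangle PREROUTING runs before nat PREROUTING, so a server-to-client packet arriving on eth0 still carries the router's public address as its destination and a `--destination $LANCLIENT` match there can never hit. The client's address is only reliably visible on eth1: as the destination when the packet leaves toward the LAN, and as the source when the packet enters from the LAN. So downloads are shaped on eth1 egress with a u32 filter on the destination address (no iptables at all, which is what the tbf question was after), and uploads such as SMTP are marked in mangle PREROUTING on eth1 (pre-SNAT, source still the client) and classified by that mark on eth0 egress, since the mark stays on the packet through NAT. HTB is used instead of tbf because tbf is classless and cannot single out one client. The interface names, client address, port, rates and the DRY_RUN/APPLY switches are placeholders of this example; nothing is taken from the original scripts.

```shell
#!/bin/sh
# Added example (not the original rc.throttle* scripts): per-client rate
# limiting on a NAT router  ----lan---eth1-[linux.box]-eth0---internet
#
#   throttle_download : cap traffic TO the client, shaped on eth1 egress
#                       by a u32 filter on the destination address
#   throttle_upload   : cap the client's traffic to one destination port,
#                       marked in mangle PREROUTING on eth1 (pre-SNAT) and
#                       classified by firewall mark on eth0 egress
#
# Interface names, client address, port, rates and mark are placeholders.
# DRY_RUN=1 prints the commands instead of executing them (no root needed).

IPTABLES="${IPTABLES:-/sbin/iptables}"
TC="${TC:-/sbin/tc}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# htb_root DEV CEIL: root HTB on DEV with an unthrottled default class 1:10
htb_root() {
    dev=$1; ceil=$2
    run "$TC" qdisc del dev "$dev" root 2>/dev/null || true
    run "$TC" qdisc add dev "$dev" root handle 1: htb default 10
    run "$TC" class add dev "$dev" parent 1: classid 1:1 htb rate "$ceil"
    run "$TC" class add dev "$dev" parent 1:1 classid 1:10 htb rate "$ceil"
}

# throttle_download LANDEV CLIENT RATE CEIL
# Everything leaving LANDEV toward CLIENT goes into class 1:20 (rate == ceil,
# so it cannot borrow); every other LAN host stays in the default class.
throttle_download() {
    dev=$1; client=$2; rate=$3; ceil=$4
    htb_root "$dev" "$ceil"
    run "$TC" class add dev "$dev" parent 1:1 classid 1:20 htb rate "$rate" ceil "$rate"
    run "$TC" filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip dst "$client"/32 flowid 1:20
}

# throttle_upload LANDEV WANDEV CLIENT DPORT RATE CEIL MARK
# Mark CLIENT's packets to DPORT as they enter on LANDEV (source address is
# still the LAN address there), then select that mark on WANDEV egress.
throttle_upload() {
    landev=$1; wandev=$2; client=$3; dport=$4; rate=$5; ceil=$6; mark=$7
    run "$IPTABLES" -t mangle -A PREROUTING -i "$landev" -p tcp \
        -s "$client" --dport "$dport" -j MARK --set-mark "$mark"
    htb_root "$wandev" "$ceil"
    run "$TC" class add dev "$wandev" parent 1:1 classid 1:30 htb rate "$rate" ceil "$rate"
    run "$TC" filter add dev "$wandev" parent 1: protocol ip prio 1 \
        handle "$mark" fw flowid 1:30
}

# APPLY=1 installs the placeholder configuration; otherwise only define it.
if [ "${APPLY:-0}" = 1 ]; then
    throttle_download eth1 172.24.5.32 64kbit 100mbit
    throttle_upload eth1 eth0 172.24.5.32 25 32kbit 100mbit 0x1
fi
```

Run it as `DRY_RUN=1 APPLY=1 sh throttle.sh` first to see the exact tc and iptables commands, then `APPLY=1 sh throttle.sh` as root. Check the effect with `tc -s class show dev eth1` and `tc -s class show dev eth0`: the bytes and drops for classes 1:20 and 1:30 should grow while the client transfers, and the default class 1:10 should carry everyone else. On a router that does not NAT, the u32 match on eth1 still works, and the upload side could equally use `match ip src` on eth0 egress instead of a mark.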