> What I would like to do instead is allow the user to use any protocol
> they like, with the caveat that attempting to open many connections
> simultaneously will result in a steadily decreasing share of the pipe,
> rather than a steadily increasing one.

I solved this in a similar but slightly different way. I use connlimit to
monitor for when a user has 5 or more connections on ports above 1024.
When they have, they are dropped into an ipset; all their traffic is then
monitored and any traffic on ports above 1024 is dropped to a very low
priority. This has the advantage that web browsing they do is unaffected.

Also, it's slightly safer than your proposed method - I have seen instances
when just normal surfing of the web can create 5 connections or more.

Something like this (eth0 is the user's network):

# Once a source address on eth0 exceeds 5 tracked connections to high ports,
# add that address to the ipset "p2p" (the set must exist beforehand).
iptables -t mangle -A PREROUTING -p tcp -i eth0 --dport 1024: \
  -m connlimit --connlimit-above 5 -j SET --add-set p2p src

# High-port traffic towards a set member (downloads) gets fwmark 60, which
# tc can then steer into a low-priority class. "--set" is the older spelling
# of "--match-set" in the ipset match.
iptables -t mangle -A FORWARD -o eth0 -p tcp -m multiport --sport 1024:65535 \
  -m set --set p2p dst -j MARK --set-mark 60

# Same for high-port traffic coming from a set member (uploads).
iptables -t mangle -A FORWARD -i eth0 -p tcp -m multiport --dport 1024:65535 \
  -m set --set p2p src -j MARK --set-mark 60

You'll have to compile your kernel with ipset and connlimit support.

Andy Beverley

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
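As an added example (not from Andy's post), the whole setup in one script: the ipset is created with an idle timeout so an address drops out of the p2p set once its connections die down, the three marking rules are written with the current --match-set spelling and refresh that timeout on each hit, and tc steers mark 60 into a low-priority HTB class. The interface name, set name, timeout, link rate and class numbers are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not Andy's script: full setup behind the rules quoted above.
# connlimit pushes a busy source into an ipset, high-port traffic to or from
# set members gets fwmark 60, and tc sends mark 60 to a low-priority HTB class.
# Assumptions (none are in the original post): user-facing interface eth0,
# set name p2p with a 10 minute idle timeout, a 10mbit link, HTB classes
# 1:10 (normal, prio 0) and 1:20 (low, prio 7). Shaping on eth0 only affects
# traffic flowing out towards the user; the upload direction would need the
# same classes on the upstream interface.
IFACE="${IFACE:-eth0}"
SETNAME="${SETNAME:-p2p}"
MARK=60
RATE=10mbit   # child class rates below (9mbit + 1mbit) assume this link rate

# Emit the commands rather than running them, so the ruleset can be reviewed
# (or diffed against a running box) before it is applied.
p2p_ruleset() {
    cat <<EOF
ipset -exist create $SETNAME hash:ip timeout 600
iptables -t mangle -A PREROUTING -i $IFACE -p tcp --dport 1024: -m connlimit --connlimit-above 5 -j SET --add-set $SETNAME src --exist
iptables -t mangle -A FORWARD -o $IFACE -p tcp --sport 1024:65535 -m set --match-set $SETNAME dst -j MARK --set-mark $MARK
iptables -t mangle -A FORWARD -i $IFACE -p tcp --dport 1024:65535 -m set --match-set $SETNAME src -j MARK --set-mark $MARK
tc qdisc add dev $IFACE root handle 1: htb default 10
tc class add dev $IFACE parent 1: classid 1:1 htb rate $RATE
tc class add dev $IFACE parent 1:1 classid 1:10 htb rate 9mbit ceil $RATE prio 0
tc class add dev $IFACE parent 1:1 classid 1:20 htb rate 1mbit ceil $RATE prio 7
tc filter add dev $IFACE parent 1: protocol ip prio 1 handle $MARK fw flowid 1:20
EOF
}

# Apply the generated commands; needs root plus ipset, connlimit and HTB support.
p2p_apply() {
    p2p_ruleset | sh -e
}

if [ "${1:-}" = apply ]; then p2p_apply; else p2p_ruleset; fi
```

Run with no arguments to print the ruleset for review, or with `apply` to install it.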