Re: throttling an internal IP's upstream bandwidth

On Sun, 2007-02-18 at 14:46 +0100, Martijn Lievaart wrote:
> Scott van Looy wrote:
> > Today Martijn Lievaart did spake thusly:
> >
> >> Scott van Looy wrote:
> >>>
> >>> I'm on DSL, I only have small upstream and big downstream. 
> >>> Everything goes through a 1:1 NAT iptables firewall - so internal 
> >>> IPs are directly mapped to an external IP. I want to throttle the 
> >>> internal upstream bandwidth so the internal machines can't upload at 
> >>> more than 25k/s as the maxing out of the upstream is killing the 
> >>> much faster downstream...is there a way to do this using iptables?
> >>>
> >>
> >> Google for wondershaper.
> >
> > I use wondershaper, it doesn't let me throttle on a per machine basis 
> > tho - I want the firewall to only allow a max of 25k out for each of 
> > my internal machines
> >
> 
> Ah, then you have to do some work yourself. The answer is most probably 
> tc, not netfilter. If you don't have a lot of internal machines, you can 
> add a filter/qdisc for all of them but for large amounts of internal 
> machines (or with dhcp), this gets unwieldy.
> 
> However, wondershaper should do what you ultimately want, shape traffic 
> so uploads don't disturb downloads. It works for me.
> 
> M4
> 
> 

I use tc filter to distribute traffic between classes:

## $DEV is the shaped (outbound) interface, set earlier in the script;
## every rule below steers matching traffic into HTB class 1:10.
## ssh (0xffff = exact port match)
tc filter add dev $DEV protocol ip parent 1:0 prio 10 u32 \
      match ip dport 22 0xffff flowid 1:10
## dns
tc filter add dev $DEV protocol ip parent 1:0 prio 11 u32 \
      match ip dport 53 0xffff flowid 1:10
## pings (IP protocol 1 = ICMP)
tc filter add dev $DEV parent 1:0 protocol ip prio 12 u32 \
      match ip protocol 1 0xff flowid 1:10
## small TCP packets (<64 bytes, e.g. pure ACKs): protocol 6 = TCP,
## IHL == 5 (no IP options), total length with mask 0xffc0 == 0, i.e. < 64
tc filter add dev $DEV parent 1:0 protocol ip prio 13 u32 \
      match ip protocol 6 0xff \
      match u8 0x05 0x0f at 0 \
      match u16 0x0000 0xffc0 at 2 \
      flowid 1:10

The easiest way should be to create a class for each machine and then tc
filter based on IP... alternatively it should be possible to mark
packets with iptables and then match the different marks with tc filter.


-- 

Pedro Abreu
AnubisNetworks
Rua Alexander Fleming, 5B
1600-054 Lisboa, Portugal
Tel. : +351 21 7252110
Mobile : +351 91 9302990
Fax : +351 21 7252119
pedro.abreu@xxxxxxxxxxxxxxxxxx
http://www.anubisnetworks.com

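An added example, not from this thread, of the second approach Pedro mentions (one HTB class per machine, packets marked with iptables and matched by a tc fw filter). The marking variant is chosen deliberately: with the 1:1 NAT from the original question, SNAT has already rewritten the source address by the time the egress qdisc on the external interface sees the packet, so a u32 `match ip src` on the internal address would never fire there; a fwmark set in the mangle FORWARD chain survives NAT. The interface name, the 768 kbit uplink figure and the two LAN addresses are assumptions; the 25 KB/s cap is the one asked for in the thread.

```sh
#!/bin/sh
# Per-host upstream cap: HTB class per LAN host + iptables fwmark + tc fw filter.
# Added example; interface, link rate and addresses are assumed, not from the thread.
# Set TC="echo tc" IPT="echo iptables" to preview the commands without root.
TC="${TC:-tc}"
IPT="${IPT:-iptables}"

# tc rates are in kbit; the thread's figure (25k/s) is kilobytes per second.
kbytes_to_kbit() {
    echo $(( $1 * 8 ))
}

# Class minor id and fwmark for the i-th host; both derived from the same
# number so the mark can be read straight off the class id when debugging.
host_id() {
    echo $(( 100 + $1 ))
}

# Usage: setup_per_host_shaping <ext-if> <link-kbit> <cap-kbytes-per-s> <lan-ip>...
setup_per_host_shaping() {
    dev=$1; link=$2; cap=$(kbytes_to_kbit "$3"); shift 3

    # Fresh HTB tree; unclassified traffic (the firewall's own) lands in 1:2.
    $TC qdisc del dev "$dev" root 2>/dev/null || true
    $TC qdisc add dev "$dev" root handle 1: htb default 2
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate "${link}kbit"
    $TC class add dev "$dev" parent 1:1 classid 1:2 htb rate "${cap}kbit" ceil "${link}kbit"

    i=0
    for ip in "$@"; do
        i=$(( i + 1 )); id=$(host_id "$i")
        # rate == ceil: the host can never borrow above its own 25 KB/s cap.
        $TC class add dev "$dev" parent 1:1 classid "1:$id" htb rate "${cap}kbit" ceil "${cap}kbit"
        # sfq inside the class so one bulk upload cannot starve the host's other flows.
        $TC qdisc add dev "$dev" parent "1:$id" handle "$id:" sfq perturb 10
        # Mark in mangle/FORWARD, before nat/POSTROUTING rewrites the source address.
        $IPT -t mangle -A FORWARD -s "$ip" -o "$dev" -j MARK --set-mark "$id"
        # fw filter: the mark, not an address, selects the class on the NATed interface.
        $TC filter add dev "$dev" parent 1:0 protocol ip prio 1 handle "$id" fw flowid "1:$id"
    done
}

# Constructed sample: 768 kbit uplink on eth0, two LAN hosts capped at 25 KB/s each.
if [ "${1:-}" = "--demo" ]; then
    setup_per_host_shaping eth0 768 25 192.168.1.10 192.168.1.11
fi
```

Run it as `TC="echo tc" IPT="echo iptables" sh shape.sh --demo` to see the generated commands, then without the overrides (as root) to apply them. The per-host classes hang under 1:1 so the sum of all uploads is also bounded by the link rate, which is what keeps the downstream ACKs flowing; `tc -s class show dev eth0` shows per-class byte counters and drops, the quickest way to confirm each host is actually hitting its own class rather than the default 1:2.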

