Thank you, this is what I have so far...
client 172.24.5.32 is downloading
ftp://download.fedora.redhat.com/pub/fedora/linux/core/2/i386/iso/FC2-i386-DVD.iso
average speed is ~ 135 kB/s via ncftp
on linux.box>
sh rc.throttleServer download.fedora.redhat.com 21
and the client's download continues to drop and decline; it basically works.
-----------------------------------------------------------------
cat rc.throttleServer
#!/bin/sh
# Date: Tue Oct 19 11:41:10 PDT 2004
# Usage: rc.throttleServer IPADDR PORT
# Police (drop above $LIMIT) all TCP traffic arriving on $DEV from IPADDR
# with a source port in PORT:65535, for every LAN client behind this box.
CMDNAME=`basename $0`
if [ -z "$1" ]; then
    echo "no IPADDR"
    echo "Usage: $CMDNAME IPADDR PORT"
    exit 1
fi
if [ -z "$2" ]; then
    echo "no PORT"
    echo "Usage: $CMDNAME IPADDR PORT"
    exit 1
fi
IPTABLES=/sbin/iptables
DEV=eth0
SERVERIP=$1
SERVERPORT=$2:65535
LIMIT=1kbit
HANDLE=0x1
TC=/sbin/tc
###############################################################
# tag all TCP packets from $SERVERIP (source port in $SERVERPORT)
# arriving on $DEV with mark value $HANDLE; this matches every
# packet of those flows, not only the SYNs
###############################################################
$IPTABLES --append PREROUTING --in-interface $DEV --table mangle \
    --protocol tcp --source $SERVERIP \
    --source-port $SERVERPORT --jump MARK --set-mark $HANDLE
############################################################
# install the ingress qdisc on the ingress interface
# (stderr silenced because the qdisc may already exist)
############################################################
$TC qdisc add dev $DEV handle ffff: ingress 2>/dev/null
############################################################
# police the marked packets on the ingress qdisc: the fw classifier
# matches the iptables mark ($HANDLE) and traffic above $LIMIT is dropped
############################################################
$TC filter add dev $DEV parent ffff: protocol ip prio 50 handle \
    $HANDLE fw police rate $LIMIT burst 1500 mtu 9k drop flowid :$HANDLE
--------------------------------------------------------------------------
details:
iptables -nL -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  209.132.176.20       0.0.0.0/0            tcp spts:21:65535 MARK set 0x1
MARK       tcp  --  209.132.176.220      0.0.0.0/0            tcp spts:21:65535 MARK set 0x1
MARK       tcp  --  209.132.176.221      0.0.0.0/0            tcp spts:21:65535 MARK set 0x1
MARK       tcp  --  66.187.224.20        0.0.0.0/0            tcp spts:21:65535 MARK set 0x1

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

tc -s qdisc
qdisc ingress ffff: dev eth0 ----------------
 Sent 44458 bytes 238 pkts (dropped 23, overlimits 0)
########################################################################
but, with the newer revised iptables syntax, I do not seem to be marking
properly, because tc never reports a "dropped" packet. And it basically
does not work...
sh rc.throttleS+C download.fedora.redhat.com 21 172.24.5.32
--------------------------------------------------------------------
cat rc.throttleS+C
#!/bin/sh
# Date: Wed Oct 20 15:32:53 PDT 2004
# Usage: rc.throttleS+C SERVERIP PORT LANCLIENT
# Police the traffic between one LAN client and SERVERIP:PORT in both
# directions: server->client as it arrives on $DEV (eth0, internet side)
# and client->server as it arrives on $LANDEV (eth1, LAN side).
CMDNAME=`basename $0`
if [ -z "$1" ]; then
    echo "no SERVERIP"
    echo "Usage: $CMDNAME SERVERIP PORT LANCLIENT"
    exit 1
fi
if [ -z "$2" ]; then
    echo "no PORT"
    echo "Usage: $CMDNAME SERVERIP PORT LANCLIENT"
    exit 1
fi
if [ -z "$3" ]; then
    echo "no LANCLIENT"
    echo "Usage: $CMDNAME SERVERIP PORT LANCLIENT"
    exit 1
fi
IPTABLES=/sbin/iptables
DEV=eth0
LANDEV=eth1
SERVERIP=$1
SERVERPORT=$2:65535
LANCLIENT=$3
LIMIT=1kbit
HANDLE=0x1
HANDLE2=0x2
TC=/sbin/tc
###############################################################
# tag TCP packets from $SERVERIP to $LANCLIENT arriving on $DEV with
# mark $HANDLE, and TCP packets from $LANCLIENT to $SERVERIP arriving
# on $LANDEV with mark $HANDLE2 (every packet of the flow, not only SYNs)
###############################################################
$IPTABLES --append PREROUTING --in-interface $DEV --table mangle \
    --protocol tcp --source $SERVERIP \
    --source-port $SERVERPORT \
    --destination $LANCLIENT \
    --jump MARK --set-mark $HANDLE
$IPTABLES --append PREROUTING --in-interface $LANDEV --table mangle \
    --protocol tcp --destination $SERVERIP \
    --destination-port $SERVERPORT --source $LANCLIENT \
    --jump MARK --set-mark $HANDLE2
############################################################
# install the ingress qdisc on both interfaces
# (stderr silenced because the qdisc may already exist)
############################################################
$TC qdisc add dev $DEV handle ffff: ingress 2>/dev/null
$TC qdisc add dev $LANDEV handle ffff: ingress 2>/dev/null
############################################################
# police the marked packets on each ingress qdisc; the fw handle must
# equal the mark set for that interface: $HANDLE on $DEV, $HANDLE2 on
# $LANDEV (the original used "handle $HANDLE" on eth1 as well, which
# never matches the packets marked 0x2 there)
############################################################
$TC filter add dev $DEV parent ffff: protocol ip prio 50 handle \
    $HANDLE fw police rate $LIMIT burst 1500 mtu 9k drop flowid :$HANDLE
$TC filter add dev $LANDEV parent ffff: protocol ip prio 50 handle \
    $HANDLE2 fw police rate $LIMIT burst 1500 mtu 9k drop flowid :$HANDLE2
---------------------------------------------------------------------
some details:
tc -s qdisc
qdisc ingress ffff: dev eth0 ----------------
 Sent 12955351 bytes 9145 pkts (dropped 0, overlimits 0)
qdisc ingress ffff: dev eth1 ----------------
 Sent 267129 bytes 6408 pkts (dropped 0, overlimits 0)

iptables -nL -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  209.132.176.220      172.24.5.32          tcp spts:21:65535 MARK set 0x1
MARK       tcp  --  209.132.176.221      172.24.5.32          tcp spts:21:65535 MARK set 0x1
MARK       tcp  --  66.187.224.20        172.24.5.32          tcp spts:21:65535 MARK set 0x1
MARK       tcp  --  209.132.176.20       172.24.5.32          tcp spts:21:65535 MARK set 0x1
MARK       tcp  --  172.24.5.32          209.132.176.221      tcp dpts:21:65535 MARK set 0x2
MARK       tcp  --  172.24.5.32          66.187.224.20        tcp dpts:21:65535 MARK set 0x2
MARK       tcp  --  172.24.5.32          209.132.176.20       tcp dpts:21:65535 MARK set 0x2
MARK       tcp  --  172.24.5.32          209.132.176.220      tcp dpts:21:65535 MARK set 0x2

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
#######################################################################
#######################################################################
I'm thinking of moving on to just the tc tbf cmds... I seem to be having
a bit of luck with that, just need to figure out how to "tc tbf" a
specific ip addr and not worry about iptables mangle cmds??
tc qdisc add dev eth0 root tbf rate 1bps latency 50ms burst 1540
--Karl
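As an added example (an editor's script, not Karl's rc.throttle* scripts and not smueller's limit.conn), the following POSIX sh script generalizes the two scripts above: it marks both directions of one client's flows to a server in mangle PREROUTING and polices each direction on the ingress qdisc of the interface it arrives on, with the fw handle on every interface tied to the mark set there. It also adds a counters check, since a zero drop count in `tc -s qdisc` alone does not tell whether the MARK rules matched anything, and, for the tbf question, a mark-free per-IP egress shaper: tbf is classless and cannot single out one address by itself, so a classful qdisc (HTB here) with a u32 filter on the destination address is used instead. Assumed, not taken from the thread: eth0 is the internet side and eth1 the LAN side (as in the diagram), the LAN link is 100mbit, and setting DRY_RUN=1 prints the commands instead of executing them so the rules can be reviewed before they are applied as root.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): per-client throttle with
# iptables marks + tc ingress policing, a counters check, and an HTB/u32
# egress shaper that needs no marks at all.
# Assumptions (hypothetical): eth0 = internet side, eth1 = LAN side,
# LAN link speed 100mbit. DRY_RUN=1 prints commands instead of running them.
IPTABLES=${IPTABLES:-/sbin/iptables}
TC=${TC:-/sbin/tc}
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
MARK_DOWN=0x1   # server -> client, seen on $WAN ingress
MARK_UP=0x2     # client -> server, seen on $LAN ingress

# run: execute a command, or print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# throttle_client SERVERIP PORT LANCLIENT RATE
# Mark both directions of the client<->server flows in mangle PREROUTING
# and police each on the ingress qdisc of the interface it arrives on.
# The fw handle on each interface must equal the mark set for it.
throttle_client() {
    server=$1; port=$2; client=$3; rate=$4
    run $IPTABLES --table mangle --append PREROUTING --in-interface "$WAN" \
        --protocol tcp --source "$server" --source-port "$port:65535" \
        --destination "$client" --jump MARK --set-mark $MARK_DOWN
    run $IPTABLES --table mangle --append PREROUTING --in-interface "$LAN" \
        --protocol tcp --source "$client" --destination "$server" \
        --destination-port "$port:65535" --jump MARK --set-mark $MARK_UP
    run $TC qdisc add dev "$WAN" handle ffff: ingress
    run $TC qdisc add dev "$LAN" handle ffff: ingress
    run $TC filter add dev "$WAN" parent ffff: protocol ip prio 50 \
        handle $MARK_DOWN fw police rate "$rate" burst 1500 mtu 9k drop flowid :1
    run $TC filter add dev "$LAN" parent ffff: protocol ip prio 50 \
        handle $MARK_UP fw police rate "$rate" burst 1500 mtu 9k drop flowid :2
}

# shape_client_egress LANCLIENT RATE
# Shape (queue rather than drop) what leaves the LAN interface toward one
# client: HTB root, a default class for everyone else, a capped class for
# the client, selected by a u32 match on the destination address.
shape_client_egress() {
    client=$1; rate=$2
    run $TC qdisc add dev "$LAN" root handle 1: htb default 10
    run $TC class add dev "$LAN" parent 1: classid 1:1 htb rate 100mbit
    run $TC class add dev "$LAN" parent 1:1 classid 1:10 htb rate 100mbit
    run $TC class add dev "$LAN" parent 1:1 classid 1:20 htb rate "$rate" ceil "$rate"
    run $TC filter add dev "$LAN" parent 1: protocol ip prio 1 u32 \
        match ip dst "$client/32" flowid 1:20
}

# show_counters: the pkts column of the MARK rules shows whether anything
# matched at all; the filter statistics show what the policer dropped.
show_counters() {
    run $IPTABLES --table mangle --list PREROUTING --verbose --numeric
    run $TC -s filter show dev "$WAN" parent ffff:
    run $TC -s filter show dev "$LAN" parent ffff:
}

case "${1:-}" in
    apply) throttle_client "$2" "$3" "$4" "${5:-1kbit}" ;;
    shape) shape_client_egress "$2" "$3" ;;
    show)  show_counters ;;
    "")    ;;   # no arguments: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 apply SERVERIP PORT LANCLIENT [RATE] | shape LANCLIENT RATE | show" >&2; exit 1 ;;
esac
```

Review the rules first with `DRY_RUN=1 sh throttle.sh apply 209.132.176.20 21 172.24.5.32 1kbit`, then run the same command as root, start the download, and run `sh throttle.sh show`: if the pkts column on the two MARK rules stays at 0 the marking itself is wrong; if it climbs while the filter reports no drops, the marking works and the policer is what needs attention.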
> Karl J Rink wrote:
>> I know this will be trivial for most, but I am having trouble with
>> getting my scenario to work correctly. I want to "tag" and "throttle"
>> the bandwidth to and from a particular client on my lan side. Better
>> yet, I just want to throttle smtp traffic, per se, for that ip.
>>
>>
>> ----lan----------eth1-[linux.box]-eth0----------internet
>>
>> I have used the technique provided by smueller@chronox.de and his
>> limit.conn-0.2 perl script, which basically does the following:
>>
>> iptables --append PREROUTING --in-interface eth0 --table mangle \
>> --protocol tcp --source $SERVERIP \
>> --source-port $SERVERPORT --jump MARK --set-mark 0x1
>>
> Hi,
>
> I'm not yet very familiar with LARTC, but based on the iptables settings it
> will throttle the traffic for all clients, because you mark it so for tc.
> In words it means that before your box routes, it marks all traffic
> coming in on eth0 with the $SERVERPORT and $SERVERIP with 0x1, so that
> tc can handle it. But there is no dependency on a certain client, as you
> want it to. So every client will get throttled. Perhaps try this, don't
> know if it works:
>
> iptables --append PREROUTING --in-interface eth0 --table mangle \
> --protocol tcp --source $SERVERIP \
> --source-port $SERVERPORT --destination $LANCLIENT \
> --jump MARK --set-mark 0x1
>
> iptables --append PREROUTING --in-interface eth1 --table mangle \
> --protocol tcp --destination $SERVERIP \
> --destination-port $SERVERPORT --source $LANCLIENT \
> --jump MARK --set-mark 0x2
>
MailKey: GUINNESS
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/