Hello there,

I can modify /etc/shorewall/tcdevices to control overall IN-BANDWIDTH. It is quite effective. Just change 2mbit to 128kbit. However, how do I limit download speed for a certain host IP on the LAN? I want to limit host 192.168.1.140 download speed to 128Kbit. Other hosts on the 192.168.1.0 LAN can still surf at 2mbit.

Any input welcome.

Kind Regards,
Michael
Rune Kock
2006-May-15 07:52 UTC
Re: How do I limit download speed by ip address on the LAN?
On 5/14/06, Mike Shen <x.shen@orcon.net.nz> wrote:
[snip]
> However, how do I limit download speed for a certain host IP on the LAN? I
> want to limit host 192.168.1.140 download speed to 128Kbit. Other hosts on
> the 192.168.1.0 LAN can still surf at 2mbit.

Hi Mike

Controlling download speed is a hack from the start: Your router can only drop or delay packets after they have already gotten through your internet line. So it's like throwing the packet away after having already paid for it... In an ideal world, the download control would be done at your ISP _before_ sending anything to you.

But even though it is a hack, it is usually possible to make it work reasonably well. The commonly used facilities in Linux (such as HTB used by Shorewall) work only on outgoing packets. But as long as your firewall has no traffic itself, but just passes all traffic through, you can shape outgoing traffic on your lan-facing interface, and that will have the same result as if you could shape incoming traffic on the internet-facing interface.

If your firewall does have its own traffic, you will need to use special hacks like IMQ or IFB. In that case, you will not be able to configure everything in Shorewall.

Would you like me to go into further details? -- this is potentially a very big subject.

Rune
Tom Eastep
2006-May-16 14:27 UTC
Re: How do I limit download speed by ip address on the LAN?
Mike Shen wrote:
> However, how do I limit download speed for a certain host IP on the LAN?
> I want to limit host 192.168.1.140 download speed to 128Kbit.
> Other hosts on the 192.168.1.0 LAN can still surf at 2mbit.

You will need to shape traffic leaving your local interface. Send all packets from the net to 192.168.1.140 to a separate class.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2006-May-16 14:56 UTC
Re: How do I limit download speed by ip address on the LAN?
Rune Kock wrote:
> If your firewall does have its own traffic, you will need to use
> special hacks like IMQ or IFB. In that case, you will not be able to
> configure everything in Shorewall.

Actually, that's not true. You can classify locally-generated traffic separately from traffic that you are forwarding from the net using packet marks.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Mike Shen
2006-May-17 01:54 UTC
RE: How do I limit download speed by ip address on the LAN?
Hello there

Yes, I am interested to know more about these.

My shorewall box is running FC4 with 2 NICs. Squid is running as a transparent proxy. Squid can be easily disabled.

Internet <------> |eth1--eth0| <------>LAN

I shaped traffic at eth1 to control the overall download speed. (My TC config files are listed below)

I have read Tom's reply. And if I understand correctly, to limit 128kbit download speed to LAN host 192.168.1.140, I need add to TCDEVICES file:

eth0 128kbit 10Mbit

Add one line to TCCLASSES file:

eth0 4 full full 4

Add to TCRULES file:

4 eth0 192.168.1.140 all - -

Any comment welcome. Many thanks in advance.

Mike

PS: Here is my current TCDEVICES file:

#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
eth1       196kbit      120kbit

TCCLASSES file:

#INTERFACE MARK RATE       CEIL       PRIORITY OPTIONS
eth1       1    5*full/10  full       1        tcp-ack,tos-minimize-delay
eth1       2    2*full/10  2*full/10  2        default
eth1       3    1*full/10  1*full/10  3

And TCRULES file:

#MARK SOURCE            DEST        PROTO PORT(S)   CLIENT  USER TEST
#                                                   PORT(S)
#1    eth1              0.0.0.0/0   all
#2    eth2              0.0.0.0/0   all
#1    eth0              0.0.0.0/0   all
3     $FW               0.0.0.0/0   all
1:P   0.0.0.0/0         0.0.0.0/0   icmp  echo-request
1:P   0.0.0.0/0         0.0.0.0/0   icmp  echo-reply
1:P   0.0.0.0/0         0.0.0.0/0   tcp   3389
# mark traffic which should have a lower priority with a 3:
# mldonkey
1     192.168.1.150     0.0.0.0/0   all
1     192.168.1.144/28  0.0.0.0/0   all
3     0.0.0.0/0         0.0.0.0/0   udp   -         4666
3     192.168.1.128/28  0.0.0.0/0   all
3     192.168.1.112/28  0.0.0.0/0   all
#3    192.168.3.28      0.0.0.0/0   all
#3    0.0.0.0/0         60.0.0.0/24 all
3     0.0.0.0/0         0.0.0.0/0   udp   6662,6663
3     0.0.0.0/0         0.0.0.0/0   udp   -         6662,6663
3     0.0.0.0/0         0.0.0.0/0   tcp   6662,6663
3     0.0.0.0/0         0.0.0.0/0   tcp   -         6662,6663
Rune Kock
2006-May-17 20:36 UTC
Re: How do I limit download speed by ip address on the LAN?
Hi Mike

MS> My shorewall box is running FC4 with 2 NICs. Squid is running
MS> as a transparent proxy. Squid can be easily disabled.
MS>
MS> Internet <------> |eth1--eth0| <------>LAN

Tom was right as usual when he corrected my earlier mail:

RK> If your firewall does have its own traffic, you will need to use
RK> special hacks like IMQ or IFB. In that case, you will not be able to
RK> configure everything in Shorewall.

TE> Actually, that's not true. You can classify locally-generated traffic
TE> separately from traffic that you are forwarding from the net using
TE> packet marks.

But note that he says "locally-generated traffic". Traffic from the internet to the firewall itself will still be a problem: you cannot know how much of the bandwidth the firewall itself has used, so it will be hard to do accurate shaping.

Squid falls into both categories: both firewall-generated and firewall-received traffic. So you may choose to disable squid. But probably, squid in most cases doesn't use its cache but just passes the traffic through, so you could leave it enabled and just ignore it, because it will be almost the same amount of traffic going in and out of squid.

MS> I have read Tom's reply. And if I understand
MS> correctly, to limit 128kbit download speed to
MS> LAN host 192.168.1.140,
MS> I need add to TCDEVICES file:
MS> eth0 128kbit 10Mbit

Yes, if you need to limit total traffic to 128kbit, but if you want unlimited traffic to everything other than 192.168.1.140, then use:

eth0 100Mbit 100Mbit

This would not limit the speed on eth0 in general, only for your specific classes

MS> Add one line to TCCLASSES file:
MS> eth0 4 full full 4

What about:

eth0 4 128kbit 128kbit 1
eth0 5 full    full    1 default

So that mark 4 gets a maximum of 128 kbit, and everything else has no limits.

MS> Add to TCRULES file:
MS> 4 eth0 192.168.1.140 all - -

Isn't that:

eth0 0.0.0.0/0 192.168.1.140 all - -

Disclaimer: I am not a Shorewall-wizard. Please check my suggestions yourself before using them. Also, in most cases you will want to put some kind of limit on all traffic, not just for a single ip.

Rune
Tom Eastep
2006-May-17 21:49 UTC
Re: How do I limit download speed by ip address on the LAN?
Rune Kock wrote:
>
> But note that he says "locally-generated traffic". Traffic from the
> internet to the firewall itself will still be a problem: you cannot
> know how much of the bandwidth the firewall itself has used, so it
> will be hard to do accurate shaping.
>
> Squid falls into both categories: both firewall-generated and
> firewall-received traffic. So you may choose to disable squid. But
> probably, squid in most cases doesn't use its cache but just passes
> the traffic through, so you could leave it enabled and just ignore it,
> because it will be almost the same amount of traffic going in and out
> of squid.

But the following tcrule could be used to separately mark the squid-produced traffic for 192.168.1.140:

#MARK SOURCE DEST          PROTO PORT(S) SOURCE  USER
#                                        PORT(S)
x     $FW    192.168.1.140 tcp   -       -       squid

Note that the rule cannot distinguish between pages that Squid had to retrieve from the net and pages that were already in its cache. But neither could any other technique.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
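Pulling the thread's pieces together, the three files below show the per-host limit as the discussion leaves it: Rune's eth0 device line and the 128kbit/default class pair, Tom's advice to shape on the LAN-facing interface with a separate class for forwarded traffic to 192.168.1.140, and Tom's squid rule so that pages the transparent proxy serves to that host land in the same class. This is an assembled example, not a configuration posted by any participant or shipped with Shorewall; the 100Mbit figures and the mark numbers 4 and 5 follow Rune's suggestion, and putting the squid rule on mark 4 (Tom left the mark as "x") is an assumption made here so that both direct and proxied traffic to the host share one 128kbit budget.

```conf
# /etc/shorewall/tcdevices  (assembled example, not from the thread's authors)
# eth1 keeps Mike's existing overall limit; eth0 gets a nominal 100Mbit so that
# only the classes below, not the interface as a whole, are constrained.
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
eth1       196kbit      120kbit
eth0       100Mbit      100Mbit

# /etc/shorewall/tcclasses
# Mike's existing eth1 classes (marks 1-3) stay as they are; marks must not
# collide across interfaces, so the new eth0 classes use 4 and 5.
# Class 4: 128kbit rate and ceiling for the limited host.
# Class 5: everything else on the LAN side, unlimited, and the default.
#INTERFACE MARK RATE    CEIL    PRIORITY OPTIONS
eth0       4    128kbit 128kbit 1
eth0       5    full    full    1        default

# /etc/shorewall/tcrules
# Mike's existing eth1 rules go here unchanged.
# Forwarded traffic from anywhere to the host -> class 4 (Tom's first reply).
# Squid replies generated on the firewall for the host, matched by the squid
# user -> class 4 as well (Tom's second reply; mark value 4 assumed here).
#MARK SOURCE    DEST          PROTO PORT(S) SOURCE  USER
#                                          PORT(S)
4     0.0.0.0/0 192.168.1.140 all   -       -
4     $FW       192.168.1.140 tcp   -       -       squid
```

Before activating this, run `shorewall check` to catch column or mark errors, then after `shorewall restart` use `shorewall show tc` while the host downloads something: the byte counters for the eth0 class built from mark 4 should climb while the default class stays at the LAN's normal rate. As Rune and Tom both note, this only delays or drops packets that have already crossed the internet link, and it cannot tell a cached Squid page from one fetched from the net, so the 128kbit figure is a cap on what the host sees, not on what the link carries.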