Hi Charles,

On Mon, May 20, 2002 at 07:17:28AM -0500, Charles Menzes wrote:

> I'm reading over the recent thread about "limiting bandwidth dynamically" 
> and although it's a bit more convoluted than what I am aiming to do, it 
> seems similar to the question I have had concerning iptables.
> This month's SysAdmin mag has an article on limiting bandwidth from a 
> source machine in order to pull the reins on multi-media content from 
> hogging all of your upstream availability. The article says "this can be 
> done with iptables", but never offers any examples of how. Instead it 
> focuses on other products, some of which were mentioned in Tomasz Wrona's 
> recent post (CBQ, HTB).

Yes. That's the place to look. A very short and conceptual answer
is this:

You set up CBQ/HTB rules to define the queueing behavior for the
outbound traffic. It means that certain packets would go to certain
queues (scheduled to be sent out).

Now that you have that, you need to somehow identify which packets
go to which queue. Here come your criteria about ip/port or any other
packet identifier. The role of netfilter in this is to identify
these packets and mark them so the queueing subsystem can direct them
to the right queue. However, tc (the program which helps you set up
different queues and rules) has the ability to identify the packets
itself, so you do not need to use netfilter per se to mark them.

I'd suggest you take a "good" look at http://lartc.org/ for
information as to how to do it. A lot of information to digest...

> So, to cut myself short, my aim is simply to limit bandwidth per some 
> criteria (port, ip address, etc...) I'd like to be able to say "this ip 
> address outbound with source port of 7070 is limited to 256k". I get how 
> to match the ip and port, but the bandwidth limitation is the confusing 
> part for me (I'm coming from a strictly ipchains background). I'd also like 
> to run this local to the machine itself, meaning that the address in my chain 
> would be bound to a local interface of the machine running iptables.
> 
> Is this configurable using LIMIT? Point me in the right direction, and I 
> will hit the docs.

No, LIMIT is a packet-based concept as to ACCEPT/DROP/REJECT/LOG
packets when a certain threshold is reached. It does not let you delay
the forwarding of the packets (which is what you need). E.g., you don't
want to DROP packets as a means to shape the traffic (well, not
immediately anyway).

Hope it helps.

Ramin

> 
> Regards -c
> 
> 
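The setup sketched in the reply above (HTB classes built with tc, netfilter marking the packets that belong in the capped class), written out for the "source port 7070 limited to 256k" case from the question. This is an added example, not code from the original thread or from the SysAdmin article; the interface name eth0, the 1000 kbit uplink figure and the fwmark value 7 are assumptions, and the u32 filter at the end is the "tc can identify the packets itself" alternative that the reply mentions.

```shell
#!/bin/sh
# Added example (not from the original thread): outbound shaping on Linux with
# an HTB qdisc. netfilter marks the packets in the mangle OUTPUT chain, and a
# tc "fw" filter steers marked packets into a class capped at the limit rate.
# Assumed values: interface eth0, a 1000 kbit uplink, source port 7070 capped
# at 256 kbit. fwmark 7 is arbitrary; it only has to agree between iptables and tc.

# shaper_cmds DEV LINK_KBIT LIMIT_KBIT SPORT MARK
# Prints, one per line, the tc/iptables commands that build the shaper.
# Nothing is executed here, so the output can be reviewed before it is applied.
shaper_cmds() {
    dev=$1 link=$2 limit=$3 sport=$4 mark=$5
    # The capped class must leave room for everything else under the root class.
    if [ "$limit" -ge "$link" ]; then
        echo "limit ($limit kbit) must be below the link rate ($link kbit)" >&2
        return 1
    fi
    rest=$((link - limit))
    cat <<EOF
tc qdisc del dev $dev root 2>/dev/null
tc qdisc add dev $dev root handle 1: htb default 20
tc class add dev $dev parent 1: classid 1:1 htb rate ${link}kbit ceil ${link}kbit
tc class add dev $dev parent 1:1 classid 1:10 htb rate ${limit}kbit ceil ${limit}kbit
tc class add dev $dev parent 1:1 classid 1:20 htb rate ${rest}kbit ceil ${link}kbit
tc qdisc add dev $dev parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $dev parent 1:20 handle 20: sfq perturb 10
tc filter add dev $dev parent 1: protocol ip prio 1 handle $mark fw flowid 1:10
iptables -t mangle -A OUTPUT -o $dev -p tcp --sport $sport -j MARK --set-mark $mark
iptables -t mangle -A OUTPUT -o $dev -p udp --sport $sport -j MARK --set-mark $mark
EOF
}

# u32_filter_cmd DEV SPORT
# The same selection done by tc alone, without netfilter: a u32 filter that
# matches the 16-bit transport source port and sends the packet to class 1:10.
u32_filter_cmd() {
    dev=$1 sport=$2
    printf 'tc filter add dev %s parent 1: protocol ip prio 2 u32 match ip sport %s 0xffff flowid 1:10\n' "$dev" "$sport"
}

# Print the commands by default; "apply" pipes them into a shell (needs root).
if [ "${1:-}" = "apply" ]; then
    shaper_cmds "${DEV:-eth0}" "${LINK_KBIT:-1000}" "${LIMIT_KBIT:-256}" "${SPORT:-7070}" 7 | sh
else
    shaper_cmds "${DEV:-eth0}" "${LINK_KBIT:-1000}" "${LIMIT_KBIT:-256}" "${SPORT:-7070}" 7
    u32_filter_cmd "${DEV:-eth0}" "${SPORT:-7070}"
fi
```

Class 1:10 has rate equal to ceil, so it can never borrow beyond 256 kbit; the default class 1:20 may borrow up to the full link rate when the capped class is idle. The mangle OUTPUT chain only sees packets generated on this host, which matches the "local to the machine itself" requirement in the question; for traffic the box forwards for others, the MARK rule would go in FORWARD or POSTROUTING instead. HTB only shapes what the box sends out of the interface; it does nothing for inbound traffic.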
