Hi everyone

Not sure where this should go but its not really a SECURITY issue so ill place it here...

I am hopeing to (using iptables if possible) limit the amount of bandwidth used by certain protocols.. basically I have noticed that as soon as my firewall is opened for "non-office" hours everyone jumps on eDonkey and other P2P. It slows down the normal downloads and also browsing the internet. I could block them all but I think that they need to feel that they arent being given the IT SQUIRREL GRIP (if u dont know what that is DONT WORRY hehe) so what I want is for services to be split into 2 categories

1. Normal Traffic
2. Special Traffic

I want services such as HTTP, EMAIL and the sort to have priority over the others.

I would therefor like to have the other services (running on different ports) to be able to use a certain amount of the bandwidth. IF the network gets conjested then HTTP, EMAIL etc will be able to use 50%

if its easier I would just give NORMAL TRAFFIC 50% and SPECIAL TRAFFIC 50%
but preferably it would adjust itself to suit the need. If no requests are being made on NORMAL TRAFFIC then SPECIAL TRAFFIC could use more of the bandwidth. this IDEAL but if its not possible then ill just go with 50/50 (if thats possible)

I would like to impliment this into my iptables scripts if possible

Thanks
Chris

If you want to work with % percentages, you will need a proper queing package
eg cbq, tc etc

If it's ok to work with kB per connection, the LIMIT match works well, or
you could consider some netfilter patches at www.netfilter.org in the patchomatic system.

ok

so what would the settings be?

the command will look like this:
let say I want to limit p2p downloads to say 56KB (we have a 256K connection) what would the line look like?

Thanks
Chris

ok i think im confusing myself hahaha

I have worked out that I must also restrict the "sport" to effectively restrict the traffic HOWEVER I have no way of REALLY testing if its working? any suggestions?

this is what I have atm

at the moment I am only restricting myself cause if something goes bad its my own prob ahhaha

so how to test if it is limiting the traffic...

let me try to write out my understanding of the rule and then id love ANYONE to correct me cause i think im wrong

-m limit --limit 5/second -j ACCEPT

5/second will only allow 5 packets(or Kb's???) through each second and the rest will be dropped? correct?

what does the limit-burst command actually do? does it allow 5 packets (or Kb's?) per second until it reaches the packet burst.. then resets?

the man page isnt that helpful with this.. at least I dont really understand..

So things i would LOVE answers too
1. is the number relevant to KB's or Packets?
2. If its packets how do I translate THAT into KB's so I know how many to allow per second. We have a 256KB connection.. so I would like to restrict the P2P to say 56Kb/Second (spread over everyone) which will piss people off but at least our normal traffic can run without coming to a slow stop

A little help :P

Thanks
Chris

I have looked into tc because I cant get any answers regarding the limit function.. but i find it really confusing... can anyone help with some exampled...

IDEALLY i want to limit traffic from all ports except say: 80, 443, 20, 21, 22, 3128, etc etc

so i want to limit the traffic on the remaining ports to say 30%

If their is no traffic will it then realise and be able to download a higher percentage??

Thanks
Chris