Traffic control (tc)

garett · 04-10-2015, 08:35 AM

Hello! Looks like I need your help: I'm trying to limit speed on my Linux gateway (2 network interfaces, local network 192.168.0.0/24 (eth0) & real world (eth1)). There is no squid, just iptables (need to limit all the protocol types, not just port 80). So my action was:
tc qdisc add dev eth0 root tbf rate 1mbit burst 10kb latency 70ms #download speed limit
tc qdisc add dev eth1 root tbf rate 1mbit burst 10kb latency 70ms #upload speed limit

All is OK, speed has been changed from 100 Mbit/s to 1 Mbit/s. But - I should limit just 2 workstations with static IP's. How can I limit them to 1 Mbps except others? Thanks :-)

nini09 · 04-10-2015, 02:22 PM

You can bind tc and iptable together, using iptable to indicate these two static IPs.

garett · 04-10-2015, 02:43 PM

Quote:

Originally Posted by nini09

You can bind tc and iptable together, using iptable to indicate these two static IPs.

Can you give me simple example, please?

nini09 · 04-13-2015, 02:43 PM

iptables has a method called fwmark, which can be used to add a mark to packages, a mark that can survive routing across interfaces.

First, this makes packages marked with 6, to be processed by the 1:30 class

tc filter add dev eth0 protocol ip parent 1: prio 1 handle 6 fw flowid 1:30

This sets that mark 6, using iptables

iptables -A PREROUTING -t mangle -s 192.168.0.1 -j MARK --set-mark 6

garett · 04-28-2015, 10:09 AM

Quote:

Originally Posted by nini09

iptables has a method called fwmark, which can be used to add a mark to packages, a mark that can survive routing across interfaces.

First, this makes packages marked with 6, to be processed by the 1:30 class

tc filter add dev eth0 protocol ip parent 1: prio 1 handle 6 fw flowid 1:30

This sets that mark 6, using iptables

iptables -A PREROUTING -t mangle -s 192.168.0.1 -j MARK --set-mark 6

I'm sorry for a silly question :-) but -
here is my current iptables-script:

*filter
-A FORWARD -s 192.168.0.0/24 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
-A PREROUTING -d real_IP/32 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.50:3389
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
COMMIT
So there is only one workstation behind my NAT (test network), 3389 - is a port for Remote Control. So I'm trying to add your example:

*filter
-A FORWARD -s 192.168.0.0/24 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
-A PREROUTING -t mangle -s 192.168.0.50 -j MARK --set-mark 6
-A PREROUTING -d real_IP/32 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.50:3389
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
COMMIT
But this scheme is not working. 192.168.0.50 is my workstation IP-address.

nini09 · 04-29-2015, 02:35 PM

What's your tc setting?

garett · 04-30-2015, 03:00 AM

Quote:

Originally Posted by nini09

What's your tc setting?

There is a script /etc/init.d/tc.sh:

#!/bin/bash

/sbin/tc qdisc del dev eth0 root
/sbin/tc qdisc add dev eth0 root tbf rate 1mbit burst 10kb latency 70ms

I added this script to autorun using command: update-rc.d tc.sh defaults

nini09 · 04-30-2015, 02:45 PM

Read the link, http://lartc.org/howto/lartc.cookboo...nat.intro.html, to write correct tc script.