LinuxQuestions.org
Linux - Networking
Old 08-15-2005, 10:45 PM   #1
Quantum0726
Distribution: Gentoo
Traffic-shaping with iptables


Hi,
I'm running iptables on my router and I would like to limit traffic on port 22. I have been searching Google and found several ways to packet shape and traffic shape with several other open-source programs, but I'm not too concerned about shaping based on packets or even priority shaping. It is meant primarily so that when my roommate and I download from our friend's server, it doesn't kill our web surfing as well. Simply put, I want to limit traffic on port 22 to a maximum speed and, if possible, do it with iptables (since I'm fairly familiar with it and it's already set up on the router). If that's not possible, I can install other software, but I'd like something fairly basic; I just have to be able to turn it on and off for the occasional case that we need the full speed.

Thanks in advance for any advice!
 
Old 08-16-2005, 07:53 AM   #2
fr_laz
Distribution: Debian
Hi,

All you'll be able to do with iptables is set up quotas (http://www.netfilter.org/documentati...-3.html#ss3.13),
which doesn't solve your issue.
I really think that you'll have to use the tc tool (traffic control). Hopefully, even though tc's use may be tough, your needs are _very_ basic ones, so a simple config should work great.
Maybe you can have a look at: http://lartc.org/howto/lartc.qdisc.html

Good luck
 
1 members found this post helpful.
Old 08-16-2005, 07:56 AM   #3
imitheos
Re: Traffic-shaping with iptables

Quote:
Originally posted by Quantum0726
Hi,
I'm running iptables on my router and I would like to limit traffic on port 22. I have been searching Google and found several ways to packet shape and traffic shape with several other open-source programs, but I'm not too concerned about shaping based on packets or even priority shaping. It is meant primarily so that when my roommate and I download from our friend's server, it doesn't kill our web surfing as well. Simply put, I want to limit traffic on port 22 to a maximum speed and, if possible, do it with iptables (since I'm fairly familiar with it and it's already set up on the router). If that's not possible, I can install other software, but I'd like something fairly basic; I just have to be able to turn it on and off for the occasional case that we need the full speed.

Thanks in advance for any advice!
I guess you sftp the files from your friend, because it seems a bit unusual to shape traffic on port 22.
Anyway.
You only need the "iproute" program, which you will already have, as all major distributions include it.

I will try to describe a very small set of commands that do what you want.

# Delete the existing root qdisc so we can try from the beginning
# (this fails harmlessly if no qdisc has been set up yet)
tc qdisc del dev eth1 root 2>/dev/null
# Add the primary (root) qdisc; unclassified traffic falls into class 1:2
tc qdisc add dev eth1 root handle 1:0 htb default 2
# Add the primary class, sized to the link
tc class add dev eth1 parent 1:0 classid 1:1 htb rate 100mbit ceil 100mbit
# Add 2 classes inside the primary class: 1:2 for everything else, 1:3 for the shaped traffic
tc class add dev eth1 parent 1:1 classid 1:2 htb rate 90mbit ceil 100mbit
tc class add dev eth1 parent 1:1 classid 1:3 htb rate 128kbit ceil 128kbit
# Tell which queueing algorithm the leaf classes use
tc qdisc add dev eth1 parent 1:2 sfq
tc qdisc add dev eth1 parent 1:3 sfq

This was the initial setup.
Some things to consider:
1) I use "eth1" for the interface; you will put yours.
2) In the primary class I use "rate 100mbit ceil 100mbit" because I am talking about a 100mbit ethernet card. Change accordingly.
3) I use the "htb" algorithm with "sfq" queues. You can also use a handful of different algorithms like cbq, etc.
I mention HTB because it has very few parameters for you to consider, as you see in the above commands.

Now for the filtering.
You can do 2 things: 1) use iproute, 2) use iptables. Both achieve the same thing.

1) iproute
tc filter add dev eth1 parent 1:0 protocol ip u32 match ip sport 22 0xffff flowid 1:3
tc filter add dev eth1 parent 1:0 protocol ip u32 match ip dport 22 0xffff flowid 1:3

I tell it that all packets with port 22 will go through the 1:3 flow (128kbit).

2) iptables
tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 7 fw flowid 1:3

I tell it that all packets marked with handle 7 go through the 1:3 flow (128kbit).
Now all I have to do is mark the packets I want as 7.

iptables -t mangle -A POSTROUTING -p tcp --dport 22 -j MARK --set-mark 7
iptables -t mangle -A POSTROUTING -p tcp --sport 22 -j MARK --set-mark 7

What you want to shape is rather simple, so you can use the first example and not use iptables.
But with complex setups iptables MARK comes in very handy.

For what I mentioned to work you need some things in your kernel.
If I remember correctly, they are the following:

#
# QoS and/or fair queueing
#
CONFIG_NET_SCHED=y
CONFIG_NET_SCH_CLK_JIFFIES=y
CONFIG_NET_SCH_HTB=y
CONFIG_NET_SCH_SFQ=y
CONFIG_NET_QOS=y
CONFIG_NET_ESTIMATOR=y
CONFIG_NET_CLS=y
CONFIG_NET_CLS_FW=y
CONFIG_NET_CLS_U32=y
CONFIG_CLS_U32_PERF=y

I tried to explain as simply as I can.
If I didn't explain something correctly or you need more info, please tell me.
 
Old 08-18-2005, 01:13 PM   #4
Quantum0726
Distribution: Gentoo
Original Poster
Wow, fantastic help. Everything worked perfectly. It seems that there is a bit of a lag before the speed is actually capped, but after that point tc holds it pretty close to the speed I listed.

I am wondering though if there is any way of allowing the download speed from ssh to be the full speed, but only limit the upload speed. I get 3Mbps down and only 384Kbps up, so down is not too much of a worry, but the up is what seems to kill web browsing.

Also, why do you have 90 set for rate and 100 set for ceil? What's the difference between rate and ceil?

Last, and probably in this case least, is there any way to adjust these rules per user? For now just turning tc off when we need the extra bandwidth is fine, since we both have root access, but it would be nice to have the connection limit for specific user names or for specific destinations and such, all automatically. I have a feeling this is getting a little more complex than the setup listed here, but if you have any good ideas, let me know.

Thanks!
 
Old 08-18-2005, 03:35 PM   #5
imitheos
Quote:
Originally posted by Quantum0726
Wow, fantastic help. Everything worked perfectly. It seems that there is a bit of a lag before the speed is actually capped, but after that point tc holds it pretty close to the speed I listed.

I am wondering though if there is any way of allowing the download speed from ssh to be the full speed, but only limit the upload speed. I get 3Mbps down and only 384Kbps up, so down is not too much of a worry, but the up is what seems to kill web browsing.


Shaping outgoing traffic is very easy (essentially, you send the packets at the rate you want and queue the others). Shaping incoming traffic is not as easy, but can be done of course.

Now, you mention "I'm running iptables on my router", so let me explain some more.
In my router I shape the "outgoing traffic" on both interfaces, so what is that?
On my external interface the outgoing traffic is the one that goes to the Internet (therefore the outgoing of my LAN PCs).
On my internal interface the outgoing traffic is the one that goes to the LAN (therefore the incoming of my LAN PCs).
Therefore, in the router you can easily shape both the outgoing and the incoming traffic with this trick.
Otherwise, you need ingress shaping and other things, which is more difficult to set up.

As fr_laz mentioned lartc.org has very good info about traffic shaping.
Also some howtos have good info.

Quote:
Originally posted by Quantum0726

Also, why do you have 90 set for rate and 100 set for ceil? What's the difference between rate and ceil?

tc class add dev eth1 parent 1:1 classid 1:2 htb rate 90mbit ceil 100mbit
tc class add dev eth1 parent 1:1 classid 1:3 htb rate 128kbit ceil 128kbit

I believe you are referring to this, right?
I copied it from some scripts of mine, which had many more commands.
The 1:3 class has a 128kbit limit. I used it for shaping traffic.
I used the 1:2 class for the default policy, that is, if I didn't match the traffic as 1:3 (or 1:4 etc.; I had other classes too) then the traffic flowed through 1:2. The "rate" is the bandwidth the class gets. The "ceil" is the absolute maximum.
More simply:
a)
Let's suppose I have 2 kinds of traffic, one for 1:2 and one for 1:3.
The 1:3 would get 128kbit.
The 1:2 would get 100mbit-128kbit.
b)
Now let's suppose I have only traffic that goes through 1:2.
It would get the full 100mbit.
In this example it doesn't make any difference, because 90mbit and 100mbit doesn't make much of a difference, but there are other examples (like ADSL) in which the ceil will make a difference.

The rules i posted are only a sample. They aren't the best possible rules.

Quote:
Originally posted by Quantum0726

Last, and probably in this case least, is there any way to adjust these rules per user? For now just turning tc off when we need the extra bandwidth is fine, since we both have root access, but it would be nice to have the connection limit for specific user names or for specific destinations and such, all automatically. I have a feeling this is getting a little more complex than the setup listed here, but if you have any good ideas, let me know.


Thanks!
Hm. I can't think of some way to do per-user shaping.
Wrong. I can think of some ways but they are not good.

Netfilter/iptables includes a user match module, so you could use that.
e.g.
Remember these rules I mentioned in my other post?
iptables -t mangle -A POSTROUTING -p tcp --dport 22 -j MARK --set-mark 7

You could write it as:
iptables -t mangle -A POSTROUTING -p tcp --dport 22 -m owner --uid-owner 1000 -j MARK --set-mark 7
where 1000 is the uid of the user you want.
There are 2 catches. First, the author mentions that the "owner" module is to be avoided. Second, the iptables manpage says that it only works in the OUTPUT chain, so I don't know if it works at all.

Another thing you can do is tell ssh/sftp to use only some local ports for the users whose traffic you don't want to shape, and shape the traffic from the others.
e.g. iptables -t mangle -A POSTROUTING -p tcp ! --sport 5000:5050 --dport 22 -j MARK --set-mark 7

These are not real/good solutions, but I write anything I can think of.

My English is not very good, so I hope I didn't confuse you.
 
Old 08-18-2005, 08:59 PM   #6
Quantum0726
Distribution: Gentoo
Original Poster
Ok, that makes sense, and since I have the two interfaces on my router I can easily figure out how to set that up. So am I understanding correctly that tc only shapes the output traffic on the specified card and not the input?

As far as the user filter options go, having two ports for ssh would probably work really well. I already have ssh running on port 443 (so I can tunnel its traffic through an https proxy server), so I'll just use that when my roommate and I need the extra bandwidth and then let everyone else use 22. Granted, anyone with an ssh client and nmap could figure out that ssh is running on 443 as well, but for the small enough user base that we have, I think I can trust them. If not, there's always the logs to check! Can I set up ssh to block certain users for certain ports but allow on others?

Finally, your English is very clear. I have seen many American-born English speakers with much worse.
 
Old 08-19-2005, 06:52 AM   #7
imitheos
Quote:
Originally posted by Quantum0726
Ok, that makes sense and since I have the two interfaces on my router I can easily figure out how to set that up. So am I understanding correct that tc only shapes the output traffic on the specified card and not the input?
tc is the userspace tool for the kernel interface. It can do anything; it is not limited to output traffic shaping.
What I meant is that shaping incoming traffic is more difficult to set up and has some drawbacks.
If you read the howtos on bandwidth limiting and such, there are some paragraphs that explain in detail what the drawbacks are.

If you look at the config files for ssh there are some options for users, ports, etc. Maybe you can work something out of them.
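Post #7 points at the sshd config options without naming them. As an added example (not from the thread), the following sshd_config fragment does what post #6 asks for: everyone may log in on port 22, which the tc filter caps, while only the named accounts may log in on port 443, which the filter leaves alone. It assumes an OpenSSH release that supports "Match LocalPort" (6.5 and later) and placeholder user names.

```text
# Added example, not from the thread. Listen on both ports.
Port 22
Port 443

# No global AllowUsers, so any account may log in on 22 (the shaped port).
# A Match block only applies to connections that meet its criteria, so the
# AllowUsers below restricts port 443 (the unshaped port) to two accounts.
Match LocalPort 443
    AllowUsers quantum roommate
```

Keep in mind that this only steers logins; anything those two accounts move over 443, tunnels included, bypasses the cap, which is exactly the trade-off post #6 accepts. Check the result with `sshd -T -C lport=443` and `sshd -T -C lport=22` before reloading.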
 
Old 08-21-2005, 11:39 PM   #8
Quantum0726
Distribution: Gentoo
Original Poster
Great, shaping is working well, and provided I have some spare time this week I will peruse the sshd man page to see if I can limit users on specific ports, as well as perusing the lartc page to see what else I can get my router to do.

Thanks again for all your help!
 
  

