LinuxQuestions.org

Linux - Networking: IPtables to stop Bandwidth completely (https://www.linuxquestions.org/questions/linux-networking-3/iptables-to-stop-bandwidth-completely-592827/)

OrcPeon 10-18-2007 02:52 PM

IPtables to stop Bandwidth completely
 
Good day

Throttling is not what I'm after. Let me explain this very simply.

Set an iptable rule to totally block all bandwidth from a client when they reach a certain value.

Doesn't even matter if the client is trying to upload a 5k document. Any and all communication must be stopped after a value.

Is iptables the right system? Thinking along the line to apply a rule to an IP.

Peon

South Africa

osor 10-18-2007 05:31 PM

Quote:

Originally Posted by OrcPeon (Post 2928829)
Is iptables the right system? Thinking along the line to apply a rule to an IP.

Yes, take a look at the quota match.

OrcPeon 10-19-2007 11:55 AM

HI OSOR

Please could you elaborate a bit further

regards,
Peon

osor 10-19-2007 02:53 PM

Quote:

Originally Posted by OrcPeon (Post 2929843)
HI OSOR

Please could you elaborate a bit further

Sure. The quota match allows you to specify an absolute maximum number of bytes for any traffic traversing the rule. After the quota is surpassed, the rule no longer evaluates to true. It does this by initializing a 64-bit counter to some specified value (so the maximum specifiable quota value is 18446744073709551615 bytes). The counter will be decremented by the buffer size every time a packet encounters the match. Each counter is independent, and when a counter reaches zero, the match evaluates to false.

For example, let’s say I route traffic to three clients: A, B, and C (whose IP addresses are 10.0.0.10, 10.0.0.11, and 10.0.0.12 respectively). My policy is that client A will be capped at a limit of 1GB (1073741824 bytes), and clients B and C share a quota of 2GB (2147483648 bytes). This means that once the combined traffic of B and C reaches 2GB, neither of them will have access to my packet forwarding. So in the filter table, I might have these rules (implementing two separate quotas):
Code:

# user-defined chains, one per quota
iptables -N A
iptables -N B_AND_C
# anything not explicitly accepted below is dropped
iptables -P FORWARD DROP
# rule 1 of each chain: ACCEPT while the byte counter is above zero
iptables -A A -m quota --quota 1073741824 -j ACCEPT
iptables -A B_AND_C -m quota --quota 2147483648 -j ACCEPT
# both directions of each client's traffic jump to its quota chain
iptables -A FORWARD -s 10.0.0.10 -j A
iptables -A FORWARD -d 10.0.0.10 -j A
iptables -A FORWARD -s 10.0.0.11 -j B_AND_C
iptables -A FORWARD -d 10.0.0.11 -j B_AND_C
iptables -A FORWARD -s 10.0.0.12 -j B_AND_C
iptables -A FORWARD -d 10.0.0.12 -j B_AND_C
# rule 2: once the quota match stops matching, the packet is dropped
iptables -A A -j DROP
iptables -A B_AND_C -j DROP

Notice that any traffic destined for or originating from our clients’ (and only our clients’) IP addresses will jump to the appropriate chain. So this setup is too simple to be used in a situation where at least one of the clients is routing (when it is forwarding packets without translation) and is in our routes to other addresses/networks.

OrcPeon 10-22-2007 01:11 PM

iptables -P A DROP (bad built-in chain name)

osor 10-22-2007 07:01 PM

Quote:

Originally Posted by OrcPeon (Post 2932786)
iptables -P A DROP (bad built-in chain name)

Oops. I forgot that you can’t have policies for non-built-in chains. Post four should now be fixed.

If I were to give a disclaimer about my imperfect advice, it would go here… ;)

OrcPeon 10-23-2007 12:57 PM

Works like a charm!! Insert MASSIVE smiley face of happy and thanks...

:D:D:D:D:D:D:D:D:D

Say now I would like to reset A's stats?



regards,
Peon

osor 10-23-2007 06:52 PM

Quote:

Originally Posted by OrcPeon (Post 2933941)
Say now I would like to reset A's stats?

This is the inelegant part. You see, the kernel-level code for the quota match is very simple. An advantage of this is that code maintenance is very easy. A disadvantage is that there is no way to modify a state from userspace (i.e., you may only create and delete quotas, but once you’ve created them, they must run their course). This is different from other such netfilter modules (e.g., recent) which offer a /proc filesystem interface for managing their respective properties.

So the only way to “reset” a quota is to delete and re-add the rule. E.g., if you are resetting client A’s quota in the example from post four, try this:
Code:

# delete rule 1 of chain A (the exhausted quota match) ...
iptables -D A 1
# ... and insert a fresh one at position 1, ahead of the DROP
iptables -I A -m quota --quota 1073741824 -j ACCEPT

This sort of “reset” functionality may be added to a monthly cron script or the like.

An additional caveat (caused by the lack of /proc interface) is the inability to save the state and reload it. So once the router is powercycled, even if you use iptables-save and iptables-restore, you will inadvertently reset the quota (i.e., there is as of yet no way to remember how much of the quota your client has used when you restart the computer). The only way to prevent this is to keep your computer running all the time (which is not so unusual for a router).
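Putting post four's rule set and this reset step together, here is an added example (not osor's code, not part of the thread): a small POSIX shell script that generates the quota chains from a client table and emits the delete-and-reinsert reset for one chain. Chain names and addresses are the thread's; the `IPT` variable and the `QUOTAS` table format are my own convention, and by default the script only prints the iptables commands so they can be reviewed before running them as root.

```shell
#!/bin/sh
# Added example: generate the per-client / shared quota rule set described in
# the thread from a small table, plus the delete+re-insert "reset" for a chain.
# Commands go through $IPT (default "echo iptables") so this runs without root;
# set IPT=iptables to apply the rules for real.
IPT="${IPT:-echo iptables}"

# Constructed policy table, one entry per quota chain: "CHAIN:BYTES:IP[,IP...]".
# Values follow the thread's example: A gets 1GB, B and C share 2GB.
QUOTAS="A:1073741824:10.0.0.10
B_AND_C:2147483648:10.0.0.11,10.0.0.12"

# Emit the rules implementing $QUOTAS. FORWARD policy is DROP, so a client that
# is not listed in the table gets no forwarding at all.
build_quota_rules() {
    $IPT -P FORWARD DROP
    echo "$QUOTAS" | while IFS=: read -r chain bytes ips; do
        [ -n "$chain" ] || continue
        $IPT -N "$chain"
        # Rule 1: ACCEPT while the chain's 64-bit byte counter is above zero.
        $IPT -A "$chain" -m quota --quota "$bytes" -j ACCEPT
        # Rule 2: once the quota match no longer matches, drop everything.
        $IPT -A "$chain" -j DROP
        # Both directions jump to the chain, so uploads and downloads share it.
        for ip in $(echo "$ips" | tr ',' ' '); do
            $IPT -A FORWARD -s "$ip" -j "$chain"
            $IPT -A FORWARD -d "$ip" -j "$chain"
        done
    done
}

# Reset one chain's quota. xt_quota has no /proc interface, so the only way is
# to delete rule 1 (the quota match) and insert a fresh one at position 1,
# ahead of the DROP rule.
reset_quota() {
    chain="$1"; bytes="$2"
    $IPT -D "$chain" 1
    $IPT -I "$chain" 1 -m quota --quota "$bytes" -j ACCEPT
}
```

Because the match state cannot be saved, running build_quota_rules at boot starts every client from a full quota, which is exactly the restart caveat described above.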

OrcPeon 10-24-2007 05:31 AM

True what you're saying: simply create scripts for each IP and run them when they're full. Also, the uptime and saving of data is not so important.

This is used as an added service at folks' guest house. People only need about 10mb to do their business. I don't plan on starting an ISP or such.

Osor, have you seen the bandwidth throttling on a ClarkeConnect distro?

If so, in what direction could you point me to learn the best way to throttle bandwidth. Such as in ClarkeConnect 4.

Thanks for the help.

regards,

