LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 11-07-2010, 02:35 PM   #1
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Rep: Reputation: 30
applying download speed limit iptables


I would like to apply a limit using iptables but I am not sure what limit to use. The proxy server we have is for viewing video but only through streaming. Some users try to download many items and it is these that I want to limit.

Any thoughts on what's best?
 
Old 11-07-2010, 03:31 PM   #2
sarajevo
Member
 
Registered: Apr 2005
Distribution: Debian, OpenBSD,Fedora,RedHat
Posts: 228
Blog Entries: 1

Rep: Reputation: 31
Quote:
Originally Posted by qwertyjjj View Post
I would like to apply a limit using iptables but I am not sure what limit to use. The proxy server we have is for viewing video but only through streaming. Some users try to download many items and it is these that I want to limit.

Any thoughts on what's best?
Could you deny the common movie extensions in the squid proxy? Users probably look for .avi, .mp3, .mpg, etc. So stop these extensions in squid.

hth.
 
Old 11-07-2010, 04:09 PM   #3
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by sarajevo View Post
Could you deny the common movie extensions in the squid proxy? Users probably look for .avi, .mp3, .mpg, etc. So stop these extensions in squid.

hth.
But they need to stream movies so I can't deny them completely.
Also, some movie sites use Flash and the link isn't always shown on the website.
 
Old 11-09-2010, 07:03 AM   #4
iamwilliam
Member
 
Registered: Apr 2006
Location: Nairobi
Distribution: CentOS
Posts: 78

Rep: Reputation: 21
Hi,

Does limiting the bandwidth per IP sound like a viable option? You might want to consider using iptables and tc together to achieve this.
 
Old 11-09-2010, 07:52 AM   #5
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by iamwilliam View Post
Hi,

Does limiting the bandwidth per IP sound like a viable option? You might want to consider using iptables and tc together to achieve this.
Yes, that would work.
I have an eth0 network for the proxy and the VPN is on tun0 and tun1.
Can they all be applied the same speed?
Is tc a script that has to be connected to iptables?
 
Old 11-10-2010, 03:34 AM   #6
iamwilliam
Member
 
Registered: Apr 2006
Location: Nairobi
Distribution: CentOS
Posts: 78

Rep: Reputation: 21
TC is a program installed as part of the iproute2 package and is used to configure traffic control in the kernel. TC and iptables are usually used together. The iptables mark target (-j MARK) 'marks' packets and tc will handle these packets according to the policy you configure. You would need a shell script to apply the traffic policy on the network interfaces. Check out the resources below; both include examples of tc scripts and configuration.

http://tldp.org/HOWTO/Traffic-Control-HOWTO/intro.html
http://www.topwebhosts.org/tools/traffic-control.php

Also, I just read your post again and saw that you mentioned that you were running a proxy-server. If you're running squid, you can implement delay pools to achieve the same result. This is easier to set up IMHO.

http://www.howtoforge.com/squid-dela...dth-management
 
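As an added example of the tc + iptables approach described in the post above (this is not code from the thread or from any of its posters): a POSIX shell script that gives every proxy client its own HTB class capped at a per-client rate while the root class stays effectively uncapped, so the server total is not limited. Everything in it is an assumption: the interfaces eth0, tun0 and tun1, the constructed client addresses, the 1 Mbit/s per-client figure, the 1000mbit used as the "unlimited" root rate, and the DRY_RUN switch that prints the commands instead of executing them. Marks are set in the mangle POSTROUTING chain on packets addressed to each client, because on the proxy a client's download is egress traffic toward that client, and tc can only shape egress.

```shell
#!/bin/sh
# Added example: per-client rate limiting with iptables MARK + tc HTB.
# Not from the thread; interface names, client list and rates are assumptions.
# DRY_RUN=1 (default) prints the commands instead of executing them, so the
# script can be reviewed on a workstation; set DRY_RUN=0 and run as root to apply.

DRY_RUN="${DRY_RUN:-1}"
PER_CLIENT_RATE="${PER_CLIENT_RATE:-1mbit}"     # cap for each individual client
ROOT_RATE="${ROOT_RATE:-1000mbit}"              # HTB needs a number; link speed acts as "unlimited"
IFACES="${IFACES:-eth0 tun0 tun1}"              # proxy LAN device plus the two VPN devices
CLIENTS="${CLIENTS:-10.8.0.2 10.8.0.3 192.168.1.20}"   # constructed sample client IPs

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Stable firewall mark for client number N (1-based); marks start at 101 so
# they never collide with the unmarked default class 1:10.
client_mark() {
  echo $((100 + $1))
}

# Reset one interface and build the HTB tree: root class 1:1 at link speed and a
# default class 1:10 for everything unmarked (the server itself, management traffic).
setup_iface() {
  dev="$1"
  run tc qdisc del dev "$dev" root 2>/dev/null
  run tc qdisc add dev "$dev" root handle 1: htb default 10
  run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$ROOT_RATE"
  run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate 100mbit ceil "$ROOT_RATE"
}

# One leaf class per client on one interface, fed by an fw filter that matches
# the client's mark. classid minor numbers are hexadecimal, so convert the mark.
add_client_class() {
  dev="$1"; idx="$2"
  mark=$(client_mark "$idx")
  cid=$(printf '%x' "$mark")
  run tc class add dev "$dev" parent 1:1 classid "1:$cid" htb rate "$PER_CLIENT_RATE" ceil "$PER_CLIENT_RATE"
  run tc filter add dev "$dev" parent 1: protocol ip prio 1 handle "$mark" fw flowid "1:$cid"
}

# Mark packets addressed to the client. On the proxy the client's download is
# egress toward the client, which is the direction tc can shape.
mark_client() {
  idx="$1"; ip="$2"
  run iptables -t mangle -A POSTROUTING -d "$ip" -j MARK --set-mark "$(client_mark "$idx")"
}

# Classes go on every device (a client only ever leaves by one of them);
# the mangle rule is added once per client, not once per device.
apply_all() {
  for dev in $IFACES; do
    setup_iface "$dev"
    i=0
    for ip in $CLIENTS; do
      i=$((i + 1))
      add_client_class "$dev" "$i"
    done
  done
  i=0
  for ip in $CLIENTS; do
    i=$((i + 1))
    mark_client "$i" "$ip"
  done
}

apply_all
```

Run it as-is to see the command list; check the marks with `iptables -t mangle -L POSTROUTING -v` and the per-class counters with `tc -s class show dev eth0` after applying for real. The HTB child rates are a reservation, not a sum that has to fit the root, but keep the default class rate below the root rate or HTB will warn about over-committed bandwidth.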
Old 11-10-2010, 03:45 AM   #7
davinders
LQ Newbie
 
Registered: Nov 2009
Posts: 25

Rep: Reputation: 1
Hi..

I think it is not possible through iptables... if you use squid then you can block it in squid.conf.

please provide some more details about your setup & proxy server configuration.
 
Old 11-10-2010, 06:41 AM   #8
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by iamwilliam View Post
TC is a program installed as part of the iproute2 package and is used to configure traffic control in the kernel. TC and iptables are usually used together. The iptables mark target (-j MARK) 'marks' packets and tc will handle these packets according to the policy you configure. You would need a shell script to apply the traffic policy on the network interfaces. Check out the resources below; both include examples of tc scripts and configuration.

http://tldp.org/HOWTO/Traffic-Control-HOWTO/intro.html
http://www.topwebhosts.org/tools/traffic-control.php

Also, I just read your post again and saw that you mentioned that you were running a proxy-server. If you're running squid, you can implement delay pools to achieve the same result. This is easier to set up IMHO.

http://www.howtoforge.com/squid-dela...dth-management
The problem with delay pools is that you have to apply an entire bucket to the server. What I want to do is limit each individual user to 1Mbps or less but have the total on the server unlimited.
Actually, the server also has a VPN and I need to use tc for that but that can come later.
An example of my current delay pools is this:

Code:
acl magic_words1 url_regex -i 192.168
acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov
# Added nsca_users in a boolean AND fashion
delay_pools 3
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_access 1 allow ncsa_users magic_words1
delay_access 1 deny all
delay_class 2 2
#delay_parameters 2 5000/150000 5000/120000
delay_parameters 2 32000/150000 32000/120000
delay_access 2 allow ncsa_users magic_words2
delay_access 2 deny all
# May need to tweak params, Class 1 means a total-server level bucket??
delay_class 3 1
# 256 Kbit/s fill rate, 1024 Kbit/s reserve
delay_parameters 3 64000/128000
delay_access 3 allow ncsa_users
delay_access 3 deny all
 
Old 11-10-2010, 09:06 AM   #9
iamwilliam
Member
 
Registered: Apr 2006
Location: Nairobi
Distribution: CentOS
Posts: 78

Rep: Reputation: 21
Quote:
The problem with delay pools is that you have to apply an entire bucket to the server. What I want to do is limit each individual user to 1Mbps or less but have the total on the server unlimited.
You would configure "unlimited" by setting the restored/maximum delay parameters as "-1/-1"

Quote:
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_access 1 allow ncsa_users magic_words1
You might have a problem with this part of your configuration. It allows unlimited bandwidth to hosts. Comment out the class 1 delay pool as well.

This class 2 delay pool might help achieve what you want:

Code:
delay_parameters 2 -1/-1 128000/128000
delay_access 2 allow ncsa_users magic_words2
delay_access 2 deny all
 
Old 11-10-2010, 09:37 AM   #10
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by iamwilliam View Post
You would configure "unlimited" by setting the restored/maximum delay parameters as "-1/-1"



You might have a problem with this part of your configuration. It allows unlimited bandwidth to hosts. Comment out the class 1 delay pool as well.

This class 2 delay pool might help achieve what you want:

Code:
delay_parameters 2 -1/-1 128000/128000
delay_access 2 allow ncsa_users magic_words2
delay_access 2 deny all
So I would use this?

Code:
acl magic_words1 url_regex -i 192.168
acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov

delay_pools 1
delay_class 1 2
delay_parameters 2 -1/-1 128000/128000
delay_access 2 allow ncsa_users magic_words2
delay_access 2 deny all
Is there anything else that I need to deny?
What about magic words 1? That is 192.168, which must be local users on the proxy including the proxy itself?
 
Old 11-10-2010, 10:02 AM   #11
iamwilliam
Member
 
Registered: Apr 2006
Location: Nairobi
Distribution: CentOS
Posts: 78

Rep: Reputation: 21
That would match traffic to URLs containing 192.168.x.x. The delay_access section of my post was really just an example based on your earlier post. The ACL configuration part is really network specific and it's hard to advise further with the information provided.
 
Old 11-10-2010, 10:23 AM   #12
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by iamwilliam View Post
That would match traffic to URLs containing 192.168.x.x. The delay_access section of my post was really just an example based on your earlier post. The ACL configuration part is really network specific and it's hard to advise further with the information provided.
Well, it's an external proxy server with WAN IP for geo IP location.
So, I access it using a username and password from the ncsa_users list.
I can then access sites within the country of the server. I never receive a 192 ip address but maybe the server needs this acl so the server has unlimited bandwidth even though the ncsausers do not?

Sorry, what I meant was, do I need to deny anything else in the pool?
My current squid conf would be:

Code:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
auth_param basic realm "AAA proxy server"
auth_param basic credentialsttl 2 hour
authenticate_cache_garbage_interval 1 hour
authenticate_ip_ttl 2 hour
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl cacheadmin src 88.xxx.xxx.xxx
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1863 # MSN messenger
acl ncsa_users proxy_auth REQUIRED
acl maxuser max_user_ip -s 2
acl CONNECT method CONNECT
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny maxuser
http_access allow localhost

http_access allow ncsa_users
http_access deny all
icp_access allow all

http_port 8080
http_port 88.xxx.xxx.xxx:80
hierarchy_stoplist cgi-bin ?
cache_mem 100 MB
maximum_object_size_in_memory 50 KB
cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid 40000 16 256
maximum_object_size 50 MB
cache_swap_low 90
cache_swap_high 95
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
buffered_logs on

acl magic_words1 url_regex -i 192.168
acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov

delay_pools 1
delay_class 1 2
delay_parameters 2 -1/-1 128000/128000
delay_access 2 allow ncsa_users magic_words2
delay_access 2 deny all

#does the server need an unlimited pool here?

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
half_closed_clients off
cache_mgr aaaaa@xxxxx.co.uk
cachemgr_passwd xxxxxall
visible_hostname aaaaa
log_icp_queries off
dns_nameservers 208.67.222.222 208.67.220.220
hosts_file /etc/hosts
memory_pools off
forwarded_for off

client_db off
coredump_dir /var/spool/squid

Last edited by qwertyjjj; 11-10-2010 at 10:25 AM.
 
Old 11-10-2010, 05:44 PM   #13
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by iamwilliam View Post
That would match traffic to URLs containing 192.168.x.x. The delay_access section of my post was really just an example based on your earlier post. The ACL configuration part is really network specific and it's hard to advise further with the information provided.
I seem to get this error when starting with that code:
service squid restart
Stopping squid: 2010/11/10 23:43:45| parse_delay_pool_rates: Ignoring pool 2 not in 1 .. 1
2010/11/10 23:43:45| parse_delay_pool_rates: Ignoring pool 2 not in 1 .. 1
2010/11/10 23:43:45| parse_delay_pool_rates: Ignoring pool 2 not in 1 .. 1
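The error in the post above is a numbering mismatch: `delay_pools 1` declares a single pool, but the `delay_parameters` and `delay_access` lines still name pool 2, so Squid ignores them and the per-user limit never takes effect. As an added example that is not from the thread or any of its posters, here is a small POSIX shell/awk checker that flags exactly that class of mistake before a restart. It is run against two constructed configs: the stanza from post #10 as posted, and the same stanza renumbered to pool 1 (the values are iamwilliam's suggestion from post #9: -1/-1 leaves the aggregate bucket uncapped and 128000/128000 bytes caps each host at roughly 1 Mbit/s, which is what the original poster asked for). The temp directory, file names and the checker's message wording are the example's own.

```shell
#!/bin/sh
# Added example: sanity-check squid delay pool numbering before restarting.
# Not from the thread; the sample configs below are constructed for the demo.

# check_delay_pools FILE
# Prints one line per problem and returns 1 if any were found, 0 if clean.
# Mirrors squid's own complaint ("Ignoring pool N not in 1 .. M") and also
# reports declared pools that never received a delay_class or delay_parameters.
check_delay_pools() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
    $1 == "delay_pools" { npools = $2 + 0; next }
    $1 == "delay_class" || $1 == "delay_parameters" || $1 == "delay_access" {
      n = $2 + 0
      if (npools == 0) {
        printf("%s:%d: %s appears before delay_pools\n", FILENAME, FNR, $1); bad = 1; next
      }
      if (n < 1 || n > npools) {
        printf("%s:%d: %s refers to pool %d not in 1 .. %d\n", FILENAME, FNR, $1, n, npools); bad = 1; next
      }
      seen[n, $1] = 1
    }
    END {
      for (i = 1; i <= npools; i++) {
        if (!((i, "delay_class") in seen))      { printf("pool %d has no delay_class\n", i); bad = 1 }
        if (!((i, "delay_parameters") in seen)) { printf("pool %d has no delay_parameters\n", i); bad = 1 }
      }
      exit bad ? 1 : 0
    }' "$1"
}

# write_samples DIR: creates DIR/broken.conf and DIR/fixed.conf (constructed samples).
write_samples() {
  dir="$1"
  # As posted in #10: one pool declared, but the parameter and access rules name pool 2.
  cat > "$dir/broken.conf" <<'EOF'
delay_pools 1
delay_class 1 2
delay_parameters 2 -1/-1 128000/128000
delay_access 2 allow ncsa_users magic_words2
delay_access 2 deny all
EOF
  # Same stanza with consistent numbering. Class 2 = one aggregate bucket plus one
  # bucket per client host; -1/-1 leaves the aggregate uncapped, 128000 bytes/s
  # (about 1 Mbit/s) caps each host.
  cat > "$dir/fixed.conf" <<'EOF'
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 128000/128000
delay_access 1 allow ncsa_users magic_words2
delay_access 1 deny all
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp/broken.conf" "$tmp/fixed.conf"; do
  if check_delay_pools "$f"; then
    echo "$f: OK"
  else
    echo "$f: fix before restarting squid"
  fi
done
rm -rf "$tmp"
```

Point `check_delay_pools` at the real `/etc/squid/squid.conf` to get the same report squid would log at startup, but before the service is bounced; `squid -k parse` will catch the same numbering error, but only after the file is already in place.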
 
  

