I would like to apply a limit using iptables but I am not sure what limit to use. The proxy server we have is for viewing video but only through stremaing. SOme users try to download many items and it is these that I want to limit.

Any thoughts on what's best?

Could you deny often movies extensions in proxy-squid ...user probably look for some .avi, .mp3, .mpg ...etc.etc. So stop these extensions in squid.

hth.

But they need to stream movies so I can't deny them completely.
Also, some move sites use flash and the link isn't always shown on the website.

Hi,

Does limiting the bandwidth per IP sound like a viable option? You might want to consider using iptables and tc together to achieve this.

Yes, that would work.
I have an eth0 network for the proxy and the VPN is on tun0 and tun1.
Can they all be applied the same speed?
Is tc a script that has to be connected to iptables?

TC is a program installed as part of the iproute2 package and is used to configure traffic control in the kernel. TC and iptables are usually used together. The iptables mark target (-j MARK) 'marks' packets and tc will handle these packets according to the policy you configure. You would need a shell script to apply the traffic policy on the network interfaces. Check out the resources below both include examples of tc scripts and configuration.

http://tldp.org/HOWTO/Traffic-Control-HOWTO/intro.html
http://www.topwebhosts.org/tools/traffic-control.php

Also, I just read your post again and saw that you mentioned that you were running a proxy-server. If you're running squid, you can implement delay pools to achieve the same result. This is easier to set up IMHO.

http://www.howtoforge.com/squid-dela...dth-management

Hi..

I hope through iptables it is not possible...if you use the squid then u can block in squid.conf

please provide some more details about your setup & proxy server configuration.

The problem with delay pools is that you have to apply an entire bucket to the server. What I want to do is limit each individual user to 1Mbps or less but have the total on the server unlimited.
Actually, the server also has a VPN and I need to use tc for that but that can come later.
An example of my current delay pools is this:

You would configure "unlimited" by setting the restored/maximum delay parameters as "-1/-1"

You might have a problem with this part of your configuration. It allows unlimited bandwidth to hosts. Comment out the class 1 delay pool as well

This class 2 delay pool might help achieve what you want:

So I would use this?

Is there anything else that I need to deny?
What about magic words 1? That is 192.168, which must be local users on the proxy including the proxy itself?

That would match traffic to urls containing 192.168.x.x. The delay_access section of my post was really just an example based on your earlier post. The ACL configuration part is really network specific and its hard to advice further with the information provided.

Well, it's an external proxy server with WAN IP for geo IP location.
So, I access it using a username and password from the ncsa_users list.
I can then access sites within the country of the server. I never receive a 192 ip address but maybe the server needs this acl so the server has unlimited bandwidth even though the ncsausers do not?

Sorry, what I meant was, do I need to deny anything else in the pool?
My current squid conf would be:

[code]
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
auth_param basic realm "AAA proxy server"
auth_param basic credentialsttl 2 hour
authenticate_cache_garbage_interval 1 hour
authenticate_ip_ttl 2 hour
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl cacheadmin src 88.xxx.xxx.xxx
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1863 # MSN messenger
acl ncsa_users proxy_auth REQUIRED
acl maxuser max_user_ip -s 2
acl CONNECT method CONNECT
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny maxuser
http_access allow localhost

http_access allow ncsa_users
http_access deny all
icp_access allow all

http_port 8080
http_port 88.xxx.xxx.xxx:80
hierarchy_stoplist cgi-bin ?
cache_mem 100 MB
maximum_object_size_in_memory 50 KB
cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid 40000 16 256
maximum_object_size 50 MB
cache_swap_low 90
cache_swap_high 95
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
buffered_logs on

acl magic_words1 url_regex -i 192.168
acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov

delay_pools 1
delay_class 1 2
delay_parameters 2 -1/-1 128000/128000
delay_access 2 allow ncsa_users magic_words2
delay_access 2 deny all

#does the server need an unlimited pool here?

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
half_closed_clients off
cache_mgr aaaaa@xxxxx.co.uk
cachemgr_passwd xxxxxall
visible_hostname aaaaa
log_icp_queries off
dns_nameservers 208.67.222.222 208.67.220.220
hosts_file /etc/hosts
memory_pools off
forwarded_for off

client_db off
coredump_dir /var/spool/squid

I seem to get this error when starting with that code:
service squid restart
Stopping squid: 2010/11/10 23:43:45| parse_delay_pool_rates: Ignoring pool 2 not in 1 .. 1
2010/11/10 23:43:45| parse_delay_pool_rates: Ignoring pool 2 not in 1 .. 1
2010/11/10 23:43:45| parse_delay_pool_rates: Ignoring pool 2 not in 1 .. 1