Traffic shaping outbound clients source ip with tc / iptables

My question is: I am trying to limit a user's bandwidth on a server and am wondering about the best way to do this. Before I dive too far into tc/iptables I was wondering if I could get any advice on this, and if someone could give me a sample config that I can play around with, it would be greatly appreciated.

From what I understand, you can make rules with tc and then apply the rules with iptables using the mark statement. Some people say to use mangle POSTROUTING or OUTPUT, but I am not 100% sure which one is best or if it even matters. I believe with tc I will be using HTB (token bucket to limit bandwidth); however, people say there are performance trade-offs, and I am looking for the lowest-latency method. These users are not on the internal network, but are connecting to a server.

I have two types of users, so there only needs to be two rules to limit them.
So far what I can see is the tc/iptables combo to be what I want, but am open for suggestions for alternatives.

I think for iptables the commands will look like this (the source address is a placeholder; it was missing from the post):

Bandwidth limit rule 1

iptables -t mangle -A PREROUTING -s <user1-ip> -j MARK --set-mark 0x1

Bandwidth limit rule 2

iptables -t mangle -A PREROUTING -s <user2-ip> -j MARK --set-mark 0x2

What I want to happen

  • User comes in on eth0 (their IP will be known, not random IPs)
  • requests info from server
  • server sends out info on eth0 back to user with rule applied

Solution :

Using tc is the right way to do shaping in Linux. The best documentation is LARTC. First of all you need to understand what kind of traffic you will shape: egress or ingress. After that you must choose an interface to do it on (it is simpler to shape ingress traffic on the outgoing interface based on source addresses before NAT, and egress traffic on the local interface based on destination addresses after NAT). Also, there may be no need for iptables rules at all, for example if you are using different interfaces (maybe VLAN interfaces) for your two types of users. After that you should set up qdiscs on the interfaces you chose. They may be classless if your users are divided by interface, or classful if you are using one interface to shape bandwidth for a few user types. And after that you must set up a filter (if you use a classful scheme). There are many examples in the link below. Good luck...
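A worked version of what the answer describes, added here as an example that is not part of the original question or answer: an HTB root qdisc on the server's egress interface, one hard-capped class per user type, fq_codel leaves to keep queueing delay low, and two interchangeable ways of steering packets into the classes. The first uses u32 filters on the destination address and needs no iptables at all (the "no iptables rules" case from the answer). The second uses iptables fw marks, but note that replies generated by the server itself never pass through PREROUTING; locally generated packets go through the mangle OUTPUT (and POSTROUTING) chain, so that is where the MARK rule has to sit, and it matches the user's address as the destination, because on the egress path the user is the destination of every shaped packet. The interface name, link rate, the two user groups (192.0.2.10, 192.0.2.11 and 198.51.100.0/24) and their 2 Mbit / 8 Mbit caps are assumed placeholders, not values from the page. The script prints every tc/iptables command it would run and only executes them when APPLY=1 is set (that part needs root and a real interface).

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Assumed placeholders (not from the page): egress interface eth0 at 100 Mbit,
# user type 1 = 192.0.2.10 and 192.0.2.11 capped at 2 Mbit (class 1:10),
# user type 2 = 198.51.100.0/24 capped at 8 Mbit (class 1:20).
# Traffic to anyone else falls into an unshaped default class 1:30.

DEV="${DEV:-eth0}"
LINK_RATE="${LINK_RATE:-100mbit}"
TYPE1_IPS="192.0.2.10 192.0.2.11"
TYPE1_RATE="2mbit"
TYPE2_NETS="198.51.100.0/24"
TYPE2_RATE="8mbit"

# run prints the command it is given and executes it only when APPLY=1
# (tc and iptables need root and a real interface; the default is a dry run).
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# Egress shaping is attached to the interface the packets leave through,
# so every class here is a cap on traffic *to* a user group.
build_classes() {
    run tc qdisc del dev "$DEV" root || true   # clear any previous root qdisc
    # HTB root; anything no filter matches goes to class 1:30.
    run tc qdisc add dev "$DEV" root handle 1: htb default 30
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "$LINK_RATE"
    # rate == ceil makes the class a hard cap: no borrowing from siblings.
    run tc class add dev "$DEV" parent 1:1 classid 1:10 htb rate "$TYPE1_RATE" ceil "$TYPE1_RATE"
    run tc class add dev "$DEV" parent 1:1 classid 1:20 htb rate "$TYPE2_RATE" ceil "$TYPE2_RATE"
    run tc class add dev "$DEV" parent 1:1 classid 1:30 htb rate "$LINK_RATE"
    # fq_codel leaf qdiscs keep per-flow queueing delay low once a class
    # is at its ceiling (the default pfifo would just build a deep queue).
    for c in 10 20 30; do
        run tc qdisc add dev "$DEV" parent "1:$c" handle "$c:" fq_codel
    done
}

# Variant 1: classify by destination address directly in tc, no iptables.
filter_by_dst() {
    for ip in $TYPE1_IPS; do
        run tc filter add dev "$DEV" parent 1: protocol ip prio 1 u32 match ip dst "$ip" flowid 1:10
    done
    for net in $TYPE2_NETS; do
        run tc filter add dev "$DEV" parent 1: protocol ip prio 1 u32 match ip dst "$net" flowid 1:20
    done
}

# Variant 2: mark replies in the mangle OUTPUT chain (locally generated
# packets never traverse PREROUTING) and let tc's fw classifier read the mark.
filter_by_fwmark() {
    for ip in $TYPE1_IPS; do
        run iptables -t mangle -A OUTPUT -d "$ip" -j MARK --set-mark 0x1
    done
    for net in $TYPE2_NETS; do
        run iptables -t mangle -A OUTPUT -d "$net" -j MARK --set-mark 0x2
    done
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 handle 0x1 fw flowid 1:10
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 handle 0x2 fw flowid 1:20
}

# Usage: sh shape.sh [dst|fwmark]   (prefix with APPLY=1 to really apply)
main() {
    build_classes
    case "${1:-dst}" in
        dst)    filter_by_dst ;;
        fwmark) filter_by_fwmark ;;
        *)      echo "usage: $0 [dst|fwmark]" >&2; return 2 ;;
    esac
}

main "$@"
```

Once applied, `tc -s class show dev eth0` shows per-class byte counters and drops, which is the quickest way to confirm that a user's packets are landing in the intended class rather than in the default 1:30. If the server forwards traffic for the users instead of answering them itself, the MARK rules belong in the mangle FORWARD or POSTROUTING chain rather than OUTPUT; the tc side is unchanged.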
