limit the bandwidth of some users based on IPs

+1 vote

I am running a small server that everyone connects to through OpenVPN. Once connected, the server offers some services to the connected members (VoIP, PHP forms, company email).
I would like to limit the bandwidth of some users based on IPs:
- gets only 1Mbps up/down
- gets only 2Mbps up/down
- the rest of the subnet is free of traffic shaping

The server has an Ethernet interface (eth0) connected to the outside world by public IP, and the VPN users connect through br0 (a virtual interface). I have seen the tc option on iptables, but this is where I've lost it. The server runs Debian Wheezy 7.1.

posted Sep 19, 2013 by Kumar Mitrasen


1 Answer

+1 vote

This is not as simple as you might think. In order to shape per-IP, you'll need to set up a class for each individual IP address, and then filter to that class. I am not aware of a way to write one rule to say "limit each IP address to this amount".

Presumably the reason to filter per-IP is to stop single users hogging the bandwidth. If so, a better approach might be to classify the type of traffic and then shape on that, or alternatively share bandwidth evenly per-IP rather than per-connection (as is the default). There is some information on how to do this on this page at the end of the "downlink" section:

answer Sep 19, 2013 by Anderson
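The per-IP class-plus-filter layout the answer describes, as an added example script (not the answerer's code). It assumes the VPN-facing interface is br0, that an ifb0 device exists and is up (modprobe ifb; ip link set ifb0 up) for the upload direction, a 100 Mbit parent link, and two constructed placeholder client addresses standing in for the IPs the question left out.

```shell
#!/bin/sh
# Added example: HTB shaping per client IP on the OpenVPN bridge.
# Assumptions: interface br0, ifb0 for the upload direction, a 100 Mbit link,
# and placeholder client addresses 10.8.0.10 (1 Mbit) and 10.8.0.11 (2 Mbit).
set -eu
IFACE="${IFACE:-br0}"
IFB="${IFB:-ifb0}"
LINK_RATE="${LINK_RATE:-100mbit}"
TC="${TC:-tc}"
# Run as "sh shape.sh apply" (as root) to install the rules; otherwise only print them.
[ "${1:-}" = "apply" ] || TC=echo

# Build an HTB tree on one device. $1 = device, $2 = "dst" (server -> client,
# i.e. the client's download) or "src" (client -> server via ifb, its upload);
# the remaining arguments are IP:RATE pairs. Unmatched traffic lands in the
# default class 1:30, which may use the whole link, so the rest of the subnet
# stays unshaped, as the question asks.
shape_device() {
    dev="$1"; field="$2"; shift 2
    $TC qdisc add dev "$dev" root handle 1: htb default 30
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate "$LINK_RATE"
    $TC class add dev "$dev" parent 1:1 classid 1:30 htb rate "$LINK_RATE"
    minor=10
    for spec in "$@"; do
        ip="${spec%%:*}"; rate="${spec#*:}"
        # rate equals ceil, so a throttled client can never borrow above its cap
        $TC class add dev "$dev" parent 1:1 classid "1:$minor" htb rate "$rate" ceil "$rate"
        # one u32 filter per address steers that client's packets into its class
        $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
            match ip "$field" "$ip/32" flowid "1:$minor"
        minor=$((minor + 1))
    done
}

# tc can only shape egress, so client uploads arriving on br0 are redirected
# to the IFB device and shaped on its egress side.
redirect_ingress() {
    $TC qdisc add dev "$IFACE" handle ffff: ingress
    $TC filter add dev "$IFACE" parent ffff: protocol ip u32 match u32 0 0 \
        action mirred egress redirect dev "$IFB"
}

# Placeholder addresses: replace with the real client IPs from the OpenVPN pool.
LIMITS="10.8.0.10:1mbit 10.8.0.11:2mbit"
shape_device "$IFACE" dst $LIMITS   # download caps
redirect_ingress
shape_device "$IFB" src $LIMITS     # upload caps
```

Run without arguments it prints the tc commands it would issue, which is a convenient way to review the tree before applying it; the rates map directly to the 1Mbps and 2Mbps figures in the question.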