Need help with connbytes syntax to throttle large downloads

Discussion in 'Tomato Firmware' started by affer, May 13, 2007.

  1. affer

    affer LI Guru Member

    Can anyone help me with the iptables connbytes syntax? I want to mark packets from a specific IP and if it downloads >500KB, throttle that connection. This is for a WRT54G v2 that is running tomato 1.06.0981 firmware. I know that this can be done with connbytes, but I don't really understand the syntax. I thought that the following would do what I want -

    iptables -A INPUT -m connbytes --connbytes 500000: -j MARK --set-mark 12
    tc filter add dev br0 parent 1:1 protocol ip prio 4 handle 12 fw classid 1:11

    ...but it doesn't appear to do anything. No doubt that means that I have the syntax wrong. I've been searching with Google, but every webpage or mailing list tutorial that I can find on connbytes appears to be incomplete, and the syntax is rather arcane if you are new to it. I was trying to mark 192.168.0.102 connections that exceed 500KB (up or down) and then reclassify those to a lower tc priority band (to throttle larger downloads). I am appending this to an existing firewall script that seems to work properly; it's just my attempt to use connbytes that is giving me problems. E.g.


    #--------------------------------------------
    #WRT54 Script Generator v1.01
    #(C) 2006-2007 Robert "Robson" Mytkowski
    #--------------------------------------------
    TCA="tc class add dev br0"
    TFA="tc filter add dev br0"
    TQA="tc qdisc add dev br0"
    SFQ="sfq perturb 10"
    tc qdisc del dev br0 root
    tc qdisc add dev br0 root handle 1: htb
    tc class add dev br0 parent 1: classid 1:1 htb rate 6400kbit
    $TCA parent 1:1 classid 1:10 htb rate 1000kbit ceil 1200kbit prio 4
    $TCA parent 1:1 classid 1:11 htb rate 100kbit ceil 120kbit prio 7
    $TQA parent 1:10 handle 10: $SFQ
    $TQA parent 1:11 handle 11: $SFQ
    $TFA parent 1:0 prio 4 protocol ip handle 10 fw flowid 1:10
    $TFA parent 1:0 prio 7 protocol ip handle 11 fw flowid 1:11
    iptables -t mangle -A POSTROUTING -d 192.168.0.102 -j MARK --set-mark 10
    iptables -t mangle -A POSTROUTING -d 192.168.0.150 -j MARK --set-mark 11
    iptables -I FORWARD -s 192.168.0.102 -p tcp -m connlimit --connlimit-above 150 -j DROP
    iptables -I FORWARD -s 192.168.0.150 -p tcp -m connlimit --connlimit-above 150 -j DROP

    iptables -A INPUT -m connbytes --connbytes 500000: -j MARK --set-mark 12
    tc filter add dev br0 parent 1:1 protocol ip prio 4 handle 12 fw classid 1:11

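The two lines at the end of the post fail for reasons other than connbytes syntax: the MARK target is only accepted in the mangle table, INPUT only sees traffic addressed to the router itself (a download to 192.168.0.102 traverses FORWARD and POSTROUTING), connbytes requires both --connbytes-dir and --connbytes-mode, and the tc filter is attached to class 1:1 rather than to the root qdisc 1:0 where the script's other fw filters live, so it never sees a packet. The script below is an added example written for this page, not code from affer's post or from the Tomato firmware; it prints the corrected rules in dry-run mode (DRY_RUN=1, the default) and only executes them as root with DRY_RUN=0. It assumes the existing br0 HTB tree from the post (class 1:11 as the slow class), that fw mark 12 is not used elsewhere, and that the firmware's kernel ships the connbytes match, which check_connbytes probes for rather than taking for granted.

```sh
#!/bin/sh
# Added example, not from the original thread. Assumptions: the HTB tree from
# the posted script on br0, slow class 1:11, fw mark 12 unused, LAN host
# 192.168.0.102, and an iptables build that includes the connbytes match.

LAN_HOST="${LAN_HOST:-192.168.0.102}"
LIMIT_BYTES="${LIMIT_BYTES:-500000}"   # connbytes counts bytes, not KB
SLOW_CLASS="${SLOW_CLASS:-1:11}"
MARK="${MARK:-12}"
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the commands, 0 = run them

# run: print the command in dry-run mode, otherwise execute it
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# check_connbytes: exit status 0 when this iptables knows the connbytes match
check_connbytes() {
  iptables -m connbytes --help >/dev/null 2>&1
}

# connbytes_rules: emit (or apply) the corrected mark rule and tc filter
connbytes_rules() {
  # MARK lives in the mangle table. The rule is appended to POSTROUTING, after
  # the script's generic "-d 192.168.0.102 ... --set-mark 10" rule; MARK is
  # non-terminating, so for connections past the limit this later rule wins.
  # --connbytes-dir both counts upload and download bytes, as the post asked;
  # use "reply" to count only the bytes sent back to the LAN host.
  run iptables -t mangle -A POSTROUTING -d "$LAN_HOST" \
    -m connbytes --connbytes "${LIMIT_BYTES}:" \
    --connbytes-dir both --connbytes-mode bytes \
    -j MARK --set-mark "$MARK"
  # Filters attach to the root qdisc (parent 1:0), like the script's other fw
  # filters. Nothing at the root classifies into 1:1, so a filter hung off
  # that class is never consulted.
  run tc filter add dev br0 parent 1:0 prio 7 protocol ip \
    handle "$MARK" fw flowid "$SLOW_CLASS"
}

if [ "$DRY_RUN" != 1 ] && ! check_connbytes; then
  echo "this iptables has no connbytes match; rules not applied" >&2
  exit 1
fi
connbytes_rules
```

A connection that crosses the limit stays marked for its lifetime; the counter is per conntrack entry, so the next connection from the same host starts again at zero. Check the result with `iptables -t mangle -L POSTROUTING -v -n` and `tc -s class show dev br0` while a large transfer is running: the byte counters on class 1:11 should start climbing once the transfer passes 500000 bytes.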
  2. affer

    affer LI Guru Member

    No one uses iptables?