12-17-2007 #1
iptables+squid proxy problem??
I wrote iptables rules to limit download/upload bandwidth per computer by IP address and MAC address, using tc to limit the bandwidth, as shown below:
# Generated by iptables-save v1.3.5 on Mon Dec 17 15:38:29 2007
*nat
:PREROUTING ACCEPT [587813:57358942]
:POSTROUTING ACCEPT [5:264]
:OUTPUT ACCEPT [547434:34852976]
-A PREROUTING -i eth1 -p tcp -m mark --mark 0x1 -m tcp --dport 80 -j REDIRECT --to-ports 80
-A PREROUTING -i eth+ -p tcp -m mark --mark 0x1 -m tcp --dport 3128 -j DROP
-A PREROUTING -i eth1 -p tcp -m mark ! --mark 0x1 -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Mon Dec 17 15:38:29 2007
# Generated by iptables-save v1.3.5 on Mon Dec 17 15:38:29 2007
*mangle
:PREROUTING ACCEPT [7902558:1901605982]
:INPUT ACCEPT [13620050:6547400706]
:FORWARD ACCEPT [1320372:638137686]
:OUTPUT ACCEPT [13786688:7871109275]
:POSTROUTING ACCEPT [14923694:8497909815]
:maccheck - [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp ! --dport 53 -j maccheck
-A PREROUTING -i eth+ -p udp -m mark ! --mark 0x1 -m udp -j ACCEPT
-A PREROUTING -i eth+ -p tcp -m mark ! --mark 0x1 -m tcp -j ACCEPT
-A PREROUTING -s 192.168.1.134 -i eth+ -m mac --mac-source 00:1C:26:00:4C:E6 -j MARK --set-mark 0x87
-A maccheck -j MARK --set-mark 0x1
COMMIT
# Completed on Mon Dec 17 15:38:29 2007
# Generated by iptables-save v1.3.5 on Mon Dec 17 15:38:29 2007
*filter
:INPUT ACCEPT [8656558:4025985541]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4722325:828302042]
:d-band - [0:0]
:u-band - [0:0]
-A INPUT -m string --string "BitTorrent protocol" --algo kmp --to 65535 -j LOG --log-prefix " BitTorrent protocol-INPUT "
-A INPUT -m string --string "BitTorrent protocol" --algo kmp --to 65535 -j DROP
-A INPUT -m string --string "peer_id" --algo kmp --to 65535 -j LOG --log-prefix " peer_id-INPUT "
-A INPUT -m string --string "peer_id" --algo kmp --to 65535 -j DROP
-A INPUT -i eth+ -p tcp -m tcp --dport 1234 -j DROP
-A FORWARD -s 63.236.61.128/255.255.255.224 -i eth+ -p tcp -m tcp -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m layer7 --l7proto bittorrent -j LOG --log-prefix " Layer7-FORWARD "
-A FORWARD -p udp -m layer7 --l7proto bittorrent -j DROP
-A FORWARD -p tcp -m layer7 --l7proto bittorrent -j DROP
-A FORWARD -m layer7 --l7proto bittorrent -j DROP
-A FORWARD -m ipp2p --bit -j LOG --log-prefix " ipp2p-FORWARD "
-A FORWARD -p udp -m ipp2p --bit -j DROP
-A FORWARD -p tcp -m ipp2p --bit -j DROP
-A FORWARD -m ipp2p --bit -j DROP
-A FORWARD -m string --string "peer_id" --algo kmp --to 65535 -j LOG --log-prefix " peer_id-FORWARD "
-A FORWARD -m string --string "peer_id" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --string "BitTorrent" --algo kmp --to 65535 -j LOG --log-prefix " BitTorrent-FORWARD "
-A FORWARD -m string --string "BitTorrent" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --string "BitTorrent protocol" --algo kmp --to 65535 -j LOG --log-prefix " BitTorrent_Protocol-FORWARD "
-A FORWARD -m string --string "BitTorrent protocol" --algo kmp --to 65535 -j DROP
-A FORWARD -s 192.168.1.134 -j u-band
-A FORWARD -s 192.168.1.134 -i eth+ -m mac --mac-source 00:1C:26:00:4C:E6 -j ACCEPT
-A FORWARD -d 192.168.1.134 -j d-band
-A FORWARD -i eth1 -p tcp -m tcp ! --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 192.168.1.134 -j d-band
-A d-band -j ACCEPT
-A u-band -j ACCEPT
COMMIT
# Completed on Mon Dec 17 15:38:29 2007
********************************************
TC eth1
********************************************
qdisc cbq 1: rate 100000Kbit (bounded,isolated) prio no-transmit
qdisc tbf 135: parent 1:135 rate 128000bit burst 10Kb lat 320.0ms
********************************************
TC eth0
********************************************
qdisc cbq 1: rate 100000Kbit (bounded,isolated) prio no-transmit
qdisc tbf 135: parent 1:135 rate 64000bit burst 10Kb lat 640.0ms
I ran a speed test on a web speed-test site. It does not work for limiting upload bandwidth (uploads on port 80); the upload is not limited.
But when I tested other programs such as FTP and BitTorrent (which do not upload over port 80), it works perfectly.
I also tried removing the iptables transparent proxy rule (so users browse the internet without the squid proxy):
*****************************************
-A PREROUTING -i eth1 -p tcp -m mark ! --mark 0x1 -m tcp --dport 80 -j REDIRECT --to-ports 3128
*****************************************
Then it works: upload on port 80 can be limited.
Questions:
1. Why can't I limit upload on port 80 when I use squid?
2. If I want to use squid as a transparent proxy (via iptables), how should I modify my iptables rules? (I don't want to configure delay pools in squid.conf.)
Thank you for every answer.


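An added example, not part of the post above: a small Python model that parses the nat and mangle tables quoted in the post and traces one packet through mangle PREROUTING and then nat PREROUTING, the two chains a packet arriving on eth1 crosses before the routing decision. It shows what the REDIRECT rule does to the per-host setup: a port 80 packet from 192.168.1.134 leaves mangle with mark 0x87 (135 decimal, the same number as the 1:135 class in the tc output, which is presumably how a tc fw filter pairs them) and is then REDIRECTed to port 3128, so it is delivered to the local squid socket through INPUT and never reaches FORWARD, whereas the same host's port 21 traffic is forwarded with the mark intact. The onward request squid makes is a new connection from the router's own address, which neither table marks. The model is simplified: nat PREROUTING is evaluated per packet rather than once per connection as conntrack does, only the matches used in the post are implemented, and the destination 203.0.113.10 and MAC 00:00:5E:00:53:01 in the sample packets are constructed documentation values.

```python
"""Added example (not from the post): trace a packet through mangle and nat PREROUTING
of an iptables-save dump.  Simplified: only the matches used in the post, per-packet NAT."""
import ipaddress
import shlex

# nat and mangle tables copied from the post above (filter is not consulted
# before the routing decision, so it is omitted).
DUMP = """
*nat
-A PREROUTING -i eth1 -p tcp -m mark --mark 0x1 -m tcp --dport 80 -j REDIRECT --to-ports 80
-A PREROUTING -i eth+ -p tcp -m mark --mark 0x1 -m tcp --dport 3128 -j DROP
-A PREROUTING -i eth1 -p tcp -m mark ! --mark 0x1 -m tcp --dport 80 -j REDIRECT --to-ports 3128
*mangle
-A PREROUTING -i eth1 -p tcp -m tcp ! --dport 53 -j maccheck
-A PREROUTING -i eth+ -p udp -m mark ! --mark 0x1 -m udp -j ACCEPT
-A PREROUTING -i eth+ -p tcp -m mark ! --mark 0x1 -m tcp -j ACCEPT
-A PREROUTING -s 192.168.1.134 -i eth+ -m mac --mac-source 00:1C:26:00:4C:E6 -j MARK --set-mark 0x87
-A maccheck -j MARK --set-mark 0x1
"""

def _in_net(key):
    return lambda p, v: ipaddress.ip_address(p[key]) in ipaddress.ip_network(v, strict=False)

# Match options -> predicate(packet, value); any other '--option' is a target option.
TESTS = {
    '-i': lambda p, v: p['iface'] == v or (v.endswith('+') and p['iface'].startswith(v[:-1])),
    '-p': lambda p, v: p['proto'] == v,
    '-s': _in_net('src'),
    '--dport': lambda p, v: p['dport'] == int(v),
    '--mark': lambda p, v: p['mark'] == int(v.split('/')[0], 0),
    '--mac-source': lambda p, v: p['mac'].lower() == v.lower(),
}
def parse_iptables_save(text):
    """Return {table: {chain: [token list per -A rule]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith('*'):
            table = tables.setdefault(line[1:].strip(), {})
        elif line.startswith('-A'):
            toks = shlex.split(line)
            table.setdefault(toks[1], []).append(toks[2:])
    return tables

def rule_matches(rule, pkt):
    """Evaluate one rule against pkt; return (matched, target, target options)."""
    matched, target, opts, i = True, None, {}, 0
    while i < len(rule):
        neg = rule[i] == '!'                 # iptables-save 1.3.x writes '!' before the option
        i += neg
        opt, val = rule[i], rule[i + 1]
        i += 2
        if opt == '-m':                      # match loader, no test of its own
            continue
        if opt == '-j':
            target = val
        elif opt not in TESTS:
            opts[opt] = val                  # target option such as --set-mark or --to-ports
        elif TESTS[opt](pkt, val) == neg:    # plain test failed, or negated test matched
            matched = False
    return matched, target, opts

def run_chain(table, chain, pkt):
    """Walk a chain; return its terminating verdict, or None if the packet falls off the end."""
    for rule in table.get(chain, []):
        matched, target, opts = rule_matches(rule, pkt)
        if not matched:
            continue
        if target == 'MARK':                 # non-terminating; --set-mark replaces the whole mark
            pkt['mark'] = int(opts['--set-mark'].split('/')[0], 0)
        elif target == 'REDIRECT':
            pkt['redirect_port'] = int(opts['--to-ports'])
            return target
        elif target in ('ACCEPT', 'DROP', 'REJECT', 'MASQUERADE'):
            return target
        elif target == 'RETURN':
            return None
        else:                                # user-defined chain such as maccheck
            verdict = run_chain(table, target, pkt)
            if verdict:
                return verdict
    return None

def trace(pkt, dump=DUMP):
    """Run mangle then nat PREROUTING on a copy of pkt and record its delivery path."""
    pkt = dict(pkt, mark=pkt.get('mark', 0))
    tables = parse_iptables_save(dump)
    run_chain(tables['mangle'], 'PREROUTING', pkt)
    verdict = run_chain(tables['nat'], 'PREROUTING', pkt)
    # REDIRECT DNATs to the router itself: INPUT and a local socket (squid), so FORWARD never sees the flow.
    pkt['path'] = {'REDIRECT': 'INPUT', 'DROP': 'DROP'}.get(verdict, 'FORWARD')
    return pkt

# Constructed packets: the known host from the post and an unregistered one (dst and second MAC are documentation values).
KNOWN = dict(iface='eth1', proto='tcp', src='192.168.1.134', dst='203.0.113.10',
             mac='00:1C:26:00:4C:E6', dport=80)
UNKNOWN = dict(KNOWN, src='192.168.1.50', mac='00:00:5E:00:53:01')

if __name__ == '__main__':
    for label, p in [('known host, port 80', KNOWN), ('known host, port 21', dict(KNOWN, dport=21)), ('unknown host, port 80', UNKNOWN)]:
        print(label, trace(p))
```

Running it prints three traces: the known host's port 80 packet ends with mark 0x87, path INPUT and redirect to 3128; its port 21 packet keeps mark 0x87 and goes to FORWARD, where the u-band/d-band jumps and the tc class can act on it; a host with an unregistered MAC ends with mark 0x1 and is redirected to local port 80 by the first nat rule. Anything the tc fw filter on eth0 is expected to shape by mark 0x87 therefore only covers the FORWARD path, not the connections squid itself opens.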