Bandwidth throttling per user

[docrice]

I have an application that many clients will connect to, but I need to throttle the individual connections preferably on a per-user basis. However, since the application itself doesn't provide any bandwidth management capabilities, I'd like to throttle based on IP. Is this possible in Linux (CentOS 5.x) without having to recompile the kernel? Updating the kernel may not be an option in my particular environment, so something like tc (which I really don't know much about) won't work.

We're trying to avoid commercial solutions for this. Does anyone have any suggestions in this regard?

(I accidentally posted this in the coffee lounge; admins, please delete if necessary)

[Rubberman]

Are these incoming or outgoing connections? From your posting, I am surmising that these are incoming connections to your application server, correct? If so, do you want to throttle the incoming stream, outgoing stream, or both?

[docrice]

I'm concerned about both, but more of the outgoing stream from the server's perspective (the client download).

[Rubberman]

You can implement a throttle proxy server that sitting between the network and server handles the connection requiest, connects to the actual server, which sends data back to the proxy server, which can then forward the download data to the requesting client as it wishes. The proxy server would look like a slow network connection to the application server, and the client would never know that its bandwidth was being throttled.

[HROAdmin26]

If you are looking for a simple throttling mechanism, iptables has a rate-limiting module and can be used for this.

Google: iptables bandwidth throttling

* To clarify, I am not sure WHAT kind of throttling you are trying to do. So if the capabilities of iptables are not sufficient, then you may need to look at Squid (proxy - as noted previously.) The link above will point you to the TLDP HOWTO.

[Rubberman]

If you are looking for a simple throttling mechanism, iptables has a rate-limiting module and can be used for this.

Google: iptables bandwidth throttling

Though that article has a link to The Linux Documentation Project which has some articles on bandwidth limiting using squid, the article itself is dealing with rate limiting (number of certain types of packets), not with output bandwidth limiting/throttling per se.

[HROAdmin26]

If users are hitting a server and making new connections, rate-limiting of iptables can be used.

If there is an open, existing connection "through the firewall" to the user that the OP wants to throttle, then he'll need to look at Squid.

This is a question of the application in use and how it makes/uses connections.

[docrice]

Thanks for the replies so far. I'd presume that a proxy (such as Squid with the delay pools function) will only work for TCP connections. I'm more interested in certain types of UDP connections and I'm under the assumption that such proxy servers won't handle that. Correct me if I'm wrong here.

In regards to the iptables module, the article seems to imply that it may not do "per-address" throttling but rather bandwidth management for the interface as a whole. I need to be able to throttle individual connections distinguished by IP (not the most reliable choice in my case, but since our app doesn't have its own method of throttling based on user-session, I'm left with little choice).