/tc_outbound_https.sh
Created Jul 31, 2017
| #!/usr/bin/env bash | |
| # | |
| # Script to rate limit port 443 | |
| # | |
| #network interface on which to limit traffic | |
| IF="bond0" | |
| #limit of the network interface in question | |
| LINKCEIL="10gbit" | |
| #limit outbound https protocol traffic to this rate | |
| LIMIT="100mbit" | |
| # Net or nets.. Space separated list. | |
| # Can use "/32" for single IP addresses. | |
| NETS=( 10.199.1.121/32 10.199.1.122/32 10.199.1.123/32 ) | |
| #delete existing rules | |
| tc qdisc del dev ${IF} root | |
| #add root class | |
| tc qdisc add dev ${IF} root handle 1: htb default 10 | |
| #add parent class | |
| tc class add dev ${IF} parent 1: classid 1:1 htb rate ${LINKCEIL} ceil ${LINKCEIL} | |
| #add our two classes. one unlimited, another limited | |
| tc class add dev ${IF} parent 1:1 classid 1:10 htb rate ${LINKCEIL} ceil ${LINKCEIL} prio 0 | |
| tc class add dev ${IF} parent 1:1 classid 1:11 htb rate ${LIMIT} ceil ${LIMIT} prio 1 | |
| #add handles to our classes so packets marked with <x> go into the class with "... handle <x> fw ..." | |
| tc filter add dev ${IF} parent 1: protocol ip prio 1 handle 1 fw classid 1:10 | |
| tc filter add dev ${IF} parent 1: protocol ip prio 2 handle 2 fw classid 1:11 | |
| for net in ${NETS[@]}; | |
| do | |
| #limit outgoing traffic to port 443. but not when dealing with a host on the local network | |
| # --set-mark marks packages matching these criteria with the number "2" | |
| # these packages are filtered by the tc filter with "handle 2" | |
| # this filter sends the packages into the 1:11 class, and this class is limited to ${LIMIT} | |
| iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 443 ! -d ${net} -j MARK --set-mark 0x2 | |
| done | |
| tc -s qdisc ls dev ${IF} | |
| ## for testing uncomment these lines... | |
| # wait 2 min | |
| ## sleep 120 | |
| #delete existing rules | |
| ## tc qdisc del dev ${IF} root | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment