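#!/usr/bin/env bash
#
# Rate-limit outbound HTTPS (TCP/443) traffic on one interface with tc/htb,
# except for traffic to the hosts/nets listed in NETS (e.g. the local network).
#
# Packets are marked in the iptables mangle table (mark 0x2); a tc "fw" filter
# steers marked packets into the limited class 1:11. Everything else lands in
# the unlimited default class 1:10. Requires root, iptables and iproute2 (tc).
#
# Usage: edit IF / LINKCEIL / LIMIT / NETS below, then run as root.
set -euo pipefail

# Network interface on which to limit traffic.
readonly IF="bond0"
# Link capacity of that interface (rate/ceil of the unlimited class).
readonly LINKCEIL="10gbit"
# Cap applied to outbound HTTPS traffic.
readonly LIMIT="100mbit"
# Destination nets excluded from the limit. Space-separated; use "/32" for a
# single IP address.
readonly NETS=( 10.199.1.121/32 10.199.1.122/32 10.199.1.123/32 )
# Firewall mark that selects the limited class (must match the "handle 2 fw"
# tc filter below).
readonly MARK="0x2"

#######################################
# Replace any existing root qdisc on $IF with an htb hierarchy:
#   1:1  parent class at link speed
#   1:10 unlimited class (default), 1:11 limited class
#   fw filters: mark 1 -> 1:10, mark 2 -> 1:11
# Globals:   IF, LINKCEIL, LIMIT (read)
# Returns:   non-zero (and aborts under set -e) if any tc command fails
#######################################
setup_tc() {
  # Deleting a root qdisc that does not exist yet fails; that is expected on
  # the first run, so the error is deliberately ignored here.
  tc qdisc del dev "$IF" root 2>/dev/null || true
  tc qdisc add dev "$IF" root handle 1: htb default 10
  tc class add dev "$IF" parent 1: classid 1:1 htb rate "$LINKCEIL" ceil "$LINKCEIL"
  tc class add dev "$IF" parent 1:1 classid 1:10 htb rate "$LINKCEIL" ceil "$LINKCEIL" prio 0
  tc class add dev "$IF" parent 1:1 classid 1:11 htb rate "$LIMIT" ceil "$LIMIT" prio 1
  # Packets marked <x> go into the class of the filter with "handle <x> fw".
  tc filter add dev "$IF" parent 1: protocol ip prio 1 handle 1 fw classid 1:10
  tc filter add dev "$IF" parent 1: protocol ip prio 2 handle 2 fw classid 1:11
}

#######################################
# Append a rule to mangle/OUTPUT unless an identical rule is already present,
# so re-running the script does not stack duplicate rules.
# Arguments: the rule specification (everything after "-A OUTPUT")
# Returns:   non-zero if the rule is absent and cannot be added
#######################################
mangle_add() {
  iptables -t mangle -C OUTPUT "$@" 2>/dev/null \
    || iptables -t mangle -A OUTPUT "$@"
}

#######################################
# Mark outbound TCP/443 packets with $MARK unless they go to one of $NETS.
#
# The exclusions are RETURN rules placed *before* a single MARK rule. Appending
# one "! -d <net> -j MARK" rule per net would instead mark a packet as soon as
# it fails to match any single net, i.e. with more than one entry in NETS every
# destination (including the excluded ones) would end up rate-limited.
# Globals:   NETS, MARK (read)
#######################################
setup_iptables() {
  local net
  for net in "${NETS[@]}"; do
    mangle_add -p tcp -m tcp --dport 443 -d "$net" -j RETURN
  done
  mangle_add -p tcp -m tcp --dport 443 -j MARK --set-mark "$MARK"
}

main() {
  setup_tc
  setup_iptables
  tc -s qdisc ls dev "$IF"
  ## for testing uncomment these lines...
  # wait 2 min
  ## sleep 120
  #delete existing rules
  ## tc qdisc del dev "$IF" root
}

main "$@"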