# Traffic shaping, the easy way, *TIPS/TRICKS*

## really

I needed some form of traffic shaping really badly, because my webserver got popular and everyone was downloading like mad from it, pushing my upload speed to the possible maximum and making all my other connections time out. I solved it by turning off the webserver when I needed the bandwidth the most, but that is in no way an acceptable solution. So after a week of reading traffic shaping documentation, you know, tc (iproute2)...

I've finally managed to understand its really, really arcane syntax.

And these are the commands you have to execute to bandwidth-limit certain ports without having to use iptables, because that adds overhead. Example ripped from http://www.knowplace.org/shaper/

You could do it like this in one shot (ripped from lartc)

```
tc qdisc add dev eth0 root tbf rate 464kbit latency 100ms burst 2096
```

Which will still allow the webserver to take all the 464kbit, but now you'll still be able to surf.

Or the better way...

```
1. tc qdisc add dev eth0 root handle 1: htb default 60

2. tc class add dev eth0 parent 1: classid 1:60 htb rate 464kbit

3. tc class add dev eth0 parent 1: classid 1:1 htb rate 118kbit

4. tc class add dev eth0 parent 1:1 classid 1:10 htb rate 25kbit ceil 118kbit prio 0

5. tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10

6. tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip sport 80 0xffff flowid 1:10
```

(Numbered for easier explanation)

That will limit the upload bandwidth for port 80 to 14kb/s (118/8=14)

Quick explanation:

1. This line will add the htb queue scheduler to eth0 as the root handle, and it will hit something with classid 60 (the default)

2. This line attaches classid 60 to the parent 1: (which is the root) with a rate of 464; this is the maximum outbound bandwidth ever allowed. If you have a 512 line up, 464/8=58kb/s (when you understand enough, try using the tbf queueing discipline)

3. Attaches another class (1:1) with rate 118kbit.

4. Attaches a leaf node with minimum 25kbit and max (ceil) 118kbit.

5. Attaches the sfq qdisc to the class 1:10 so that no single client of the webserver can use it all up.

6. Finally, match everything from port 80 and throw it onto flowid 1:10, which is the one which has the rate 118kbit.

You can of course change the port number to 20 for ftp if you'd like, and add another class with another speed with

```
tc class add dev eth0 parent 1: classid 1:20 htb rate 256kbit
```

then have flowid 1:20 pass traffic to it.

Just copy/paste this to bandwidth-limit your webserver the way you like it.

```
tc qdisc add dev eth0 root handle 1: htb default 60

tc class add dev eth0 parent 1: classid 1:60 htb rate 464kbit

tc class add dev eth0 parent 1: classid 1:1 htb rate 118kbit

tc class add dev eth0 parent 1:1 classid 1:10 htb rate 25kbit ceil 118kbit prio 0

tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10

tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip sport 80 0xffff flowid 1:10
```

Now, to suit your needs, change 464kbit to your maximum upload less a couple of bits; if you have 512, 464 is fine; if you have 1mb/s up you can have 1016.

Change 118kbit to how much you want to allow the webserver to use (or anything else; just change the port number 80 to 22, perhaps).

This is one way you can do it, of course. You could mix in iptables if you think that's easier, but I think throwing iptables into the mix just to bandwidth-limit certain ports is a bit too much; it's still complex and arcane. iptables also brings overhead.

Read: http://lartc.org/howto/lartc.qdisc.html for an explanation, experiment to learn more, and don't forget to have fun.

That's it, lads.
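The six-step recipe above as a parameterised script (an added example, not code from the post or from knowplace.org). It prints the tc rules for review by default and applies them when run as root with `apply`, so a rule set can be eyeballed before it touches a live interface. It assumes Linux iproute2 `tc` with HTB, SFQ and the u32 classifier available; `eth0`, 464/118/25 kbit and port 80 are the post's illustrative values, exported as environment variables. One change from the post's layout: both leaves hang off a single parent class capped at the uplink, so port traffic plus everything else can never add up to more than the line can carry, and the default class gets the lower (better) prio so interactive traffic wins when both want excess bandwidth. The u32 rule also pins the IP protocol to TCP, because `sport` is read at a fixed offset and assumes a TCP/UDP header with no IP options.

```shell
#!/bin/sh
# Added example, not from the original thread. Usage: ./shape.sh [print|apply]
# Assumptions: Linux with iproute2 'tc' (HTB, SFQ, u32); root needed for apply.

DEV="${DEV:-eth0}"
UPLINK_KBIT="${UPLINK_KBIT:-464}"     # a little under the real uplink: queue here, not in the modem
PORT_KBIT="${PORT_KBIT:-118}"         # ceiling for the shaped port
PORT_MIN_KBIT="${PORT_MIN_KBIT:-25}"  # guaranteed share for the shaped port
PORT="${PORT:-80}"                    # TCP source port to shape (80 = our web server)

# Return non-zero with a message if the rates cannot form a valid HTB tree.
check_params() {
    uplink=$1; port_ceil=$2; port_min=$3
    if [ "$port_min" -gt "$port_ceil" ]; then
        echo "min rate ${port_min}kbit exceeds ceil ${port_ceil}kbit" >&2; return 1
    fi
    if [ "$port_ceil" -gt "$uplink" ]; then
        echo "port ceil ${port_ceil}kbit exceeds uplink ${uplink}kbit" >&2; return 1
    fi
    return 0
}

# Emit the rule set on stdout. Rates are in tc's kbit (1000 bit/s); divide by 8
# for kB/s, so 118kbit is about 14.75 kB/s and 464kbit about 58 kB/s.
shaper_rules() {
    dev=$1; uplink=$2; port_ceil=$3; port_min=$4; port=$5
    check_params "$uplink" "$port_ceil" "$port_min" || return 1
    rest_min=$((uplink - port_min))   # what the default class is guaranteed
    cat <<EOF
tc qdisc del dev $dev root 2>/dev/null || true
tc qdisc add dev $dev root handle 1: htb default 60
tc class add dev $dev parent 1: classid 1:1 htb rate ${uplink}kbit ceil ${uplink}kbit
tc class add dev $dev parent 1:1 classid 1:10 htb rate ${port_min}kbit ceil ${port_ceil}kbit prio 1
tc class add dev $dev parent 1:1 classid 1:60 htb rate ${rest_min}kbit ceil ${uplink}kbit prio 0
tc qdisc add dev $dev parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $dev parent 1:60 handle 60: sfq perturb 10
tc filter add dev $dev protocol ip parent 1:0 prio 1 u32 match ip protocol 6 0xff match ip sport $port 0xffff flowid 1:10
EOF
}

# Apply the rules atomically-ish (stop at the first tc error) and show the
# per-class counters, so you can watch 1:10 fill up while 1:60 stays free.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then echo "apply needs root" >&2; return 1; fi
    shaper_rules "$@" | sh -e || return 1
    tc -s class show dev "$1"
}

case "${1:-print}" in
    apply) apply_rules "$DEV" "$UPLINK_KBIT" "$PORT_KBIT" "$PORT_MIN_KBIT" "$PORT" ;;
    print) shaper_rules "$DEV" "$UPLINK_KBIT" "$PORT_KBIT" "$PORT_MIN_KBIT" "$PORT" ;;
    *)     echo "usage: $0 [print|apply]" >&2 ;;
esac
```

`tc qdisc del ... root` first makes the script idempotent: re-running it after tuning a rate replaces the tree instead of failing with "RTNETLINK answers: File exists". The `|| true` is there because a fresh interface has no root qdisc to delete.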

----------

## Landonis

Thanks for this - good site link for reading up on, as I have been meaning to go through this for ages.

Quick correction on the second line - needed kbit:

```
tc class add dev eth0 parent 1: classid 1:60 htb rate 464kbit
```

Is there any way, instead of doing it via port, to just limit traffic from a particular IP or MAC address?

----------

## really

 *Landonis wrote:*   

> Thanks for this - good site link for reading up on as I have meaning to go through this for ages.
> 
> Quick correction on the second line  - needed kbit:
> 
> ```
> ...

 Probably.

I'm thinking of marking the packets with iptables, the easy way. Something like...

```
iptables -t mangle -A PREROUTING -p tcp -s 192.168.0.2 -j MARK --set-mark 20
```

And then something like tc filter ablablah parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:10

Without iptables... 

```
tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 match ip dst 192.168.0.2/32 flowid 1:10
```

Change "dst" to "src" the way you like it.

You can add more "match" rules if you'd like; for example, to match only certain ports from certain IPs, just add another match ip dport 80 0xffff before flowid.

Hm, MAC addresses, I don't know. iptables is the easiest way you can match MAC addresses there, I think, and just mark them.

If you really want to learn this you must have at least two cans connected, or a friend on the internet ready to pull files from you at your command, so you see how your rules affect the traffic; of course it's easier if you have two cans and can do it yourself.

If you don't experiment with this you won't learn much, trust me; it's not like some other things when it comes to Linux, to understand this arcane syntax you have to experiment. When you use tc, remember that it takes effect as you type the command; it's pretty cool watching someone's bandwidth usage go down from 55 to 20 in a second.

Edit: Anyone who wishes to learn about traffic shaping on Linux should read the lartc, and if you can't make certain things out of it (i.e. you're just a human) ask here and I'll do my best.
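The two classification routes discussed in the reply above, as an added example that is not part of the thread: a u32 filter on a single host (optionally narrowed to one TCP port, with the protocol pinned because `sport`/`dport` are read at a fixed header offset), and the netfilter route, which marks packets and classifies on the mark with the `fw` classifier. The mark route is also the answer to the MAC-address question, since u32 on an IP qdisc sees the IP header, not the Ethernet frame; iptables' `-m mac --mac-source` can see it, but only on frames that arrive at this box (PREROUTING), i.e. traffic it forwards. It assumes the HTB tree from the first post already exists on the device with a leaf class 1:10; 192.168.0.2, 10.0.0.5 and 00:11:22:33:44:55 are made-up addresses, and the functions only print the commands so they can be reviewed before being piped to `sh`.

```shell
#!/bin/sh
# Added example, not from the thread. Prints tc/iptables commands; pipe to sh as root.
# Assumes an HTB root qdisc "1:" with a leaf class to steer into (e.g. 1:10).

# u32 filter on one host, optionally restricted to one TCP port.
# dir is src or dst: on the uplink interface a downloading client is a dst,
# because the packets leaving eth0 are the server's replies to it.
u32_host_filter() {
    dev=$1; dir=$2; host=$3; port=$4; flowid=$5
    case $dir in
        src) portkey=sport ;;
        dst) portkey=dport ;;
        *)   echo "dir must be src or dst, got '$dir'" >&2; return 1 ;;
    esac
    rule="tc filter add dev $dev parent 1:0 protocol ip prio 1 u32 match ip $dir $host/32"
    if [ -n "$port" ]; then
        # Pin L4 to TCP (protocol 6) so the port bytes really are a TCP port;
        # mask 0xffff matches exactly that port (0xfffe would also match port+1).
        rule="$rule match ip protocol 6 0xff match ip $portkey $port 0xffff"
    fi
    printf '%s\n' "$rule flowid $flowid"
}

# Netfilter route: MARK the packets, then let tc's fw classifier steer on the
# mark. OUTPUT catches what this box sends to the client (webserver replies);
# PREROUTING with the mac module catches frames the client sends, which only
# matters if this box forwards them out of $dev.
fwmark_rules() {
    dev=$1; mark=$2; flowid=$3; host=$4; mac=$5
    cat <<EOF
iptables -t mangle -A OUTPUT -p tcp -d $host -j MARK --set-mark $mark
iptables -t mangle -A PREROUTING -m mac --mac-source $mac -j MARK --set-mark $mark
tc filter add dev $dev parent 1:0 protocol ip prio 2 handle $mark fw flowid $flowid
EOF
}

# Demo when run directly: a client limited by IP+port, a host by source, and the mark route.
u32_host_filter eth0 dst 192.168.0.2 80 1:10
u32_host_filter eth0 src 10.0.0.5 "" 1:20
fwmark_rules eth0 20 1:10 192.168.0.2 00:11:22:33:44:55
```

Filters are tried in `prio` order, so the exact u32 match (prio 1) wins over the broader mark rule (prio 2) when both apply; anything neither matches still falls through to the root qdisc's `default` class.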

----------

## bk0

Just curious, are you using a 2.4 kernel? I've had a lot of trouble trying to get iproute2 to work with 2.6.x kernels. It seemed like it wasn't supported under 2.6. I hope I'm wrong.

----------

## really

 *bk0 wrote:*   

> Just curious, are you using a 2.4 kernel? I've had a lot of trouble trying to get iproute2 to work with 2.6.x kernels. It seemed like it wasn't supported under 2.6. I hope I'm wrong.

I'm using a 2.4 kernel, yes.

Don't know about 2.6, but there must be something for it.

What error message do you get when trying to emerge it under 2.6 ?

----------

## bk0

It emerged fine, just didn't work afterwards. Using 'tc' caused kernel call traces to get dumped to the console and the other network tools like ifconfig stopped working. Bad stuff. Had to reboot to get everything working normally again.

----------

## really

 *bk0 wrote:*   

> It emerged fine, just didn't work afterwards. Using 'tc' caused kernel call traces to get dumped to the console and the other network tools like ifconfig stopped working. Bad stuff. Had to reboot to get everything working normally again.

 Odd.

Have you compiled in everything concerning netfilter as modules?

----------

## GenKreton

This is a superb guide, thank you. I can't wait till I get home and attempt to implement this. I've been needing a way to throttle down my ftp/apache/bt/amule/ssh connections so I can still go to google...

----------

## bk0

 *really wrote:*   

> Odd.
> 
> Have you compiled in everything concerning netfilter as modules?

 

Yes, and it seemed like all the relevant modules were being autoloaded normally after running tc. The system just broke horribly and the queueing didn't work.

Here's a link to the original thread I started after discovering this:

https://forums.gentoo.org/viewtopic.php?t=126654

----------

