[ale] iptables TOS (was: b'bye)

Bob Toxen transam at verysecurelinux.com
Wed May 25 19:36:16 EDT 2005


The --tos feature requires support of the upstream routers to be of
any use.  I suspect that very few providers pay any attention to it.
You will have more luck using the bandwidth monitoring that is built
into Linux itself.  I've had excellent success with using it for
clients.

Bob Toxen
bob at verysecurelinux.com               [Please use for email to me]
http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

"Microsoft: Unsafe at any clock speed!"
   -- Bob Toxen 10/03/2002

On Tue, May 24, 2005 at 12:52:25PM -0400, Jim Popovitch wrote:
> On Tue, 2005-05-24 at 12:29 -0400, Christopher Fowler wrote:
> > On Tue, 2005-05-24 at 11:40, James Sumners wrote:
> > > I am interested in controlling the bandwidth of specific protocols
> > > across a whole network.
> > 
> > What I want to do too.  I want to be sure that all traffic leaving my
> > network with a destination of port 25 has extremely low priority.  And
> > at most can consume no more than 10% of the total bandwidth.  I also
> > want my VOIP Packet8 device to have very high priority.  My firewall is
> > a 2.4.X machine so I'm sure things are different in 2.6.X vs 2.4.X. 

> Iptables works on 2.4.x, I'm using it on several Redhat 7.3 boxes
> (kernel 2.4.20) and 2.6.11 boxes

> The problem w/ 10% is not something that (afaik) iptables can address.
> That is a more advanced routing feature.

> Here's some examples of what you can do with iptables, modify
> accordingly:

> #Slow down GoogleBot
> # set the TOS byte: the TOS target lives in the mangle table, and "eth+" (not "eth*") is the iptables interface wildcard
> iptables -t mangle -A INPUT -i eth+ -p tcp -s 64.68.82.0/24 -j TOS --set-tos Minimize-Cost
> iptables -t mangle -A OUTPUT -o eth+ -p tcp -d 64.68.82.0/24 -j TOS --set-tos Minimize-Cost

> #give high priority (Maximize-Reliability) status to SSH
> iptables -t mangle -A INPUT -i eth+ -p tcp --dport 22 -j TOS --set-tos Maximize-Reliability
> iptables -t mangle -A OUTPUT -o eth+ -p tcp --sport 22 -j TOS --set-tos Maximize-Reliability

> #give high priority (Minimize-Delay) to http traffic
> iptables -t mangle -A INPUT -i eth+ -p tcp --dport 80 -j TOS --set-tos Minimize-Delay
> iptables -t mangle -A OUTPUT -o eth+ -p tcp --sport 80 -j TOS --set-tos Minimize-Delay

> #give low priority (Minimize-Cost) status to in/out smtp traffic
> iptables -t mangle -A INPUT -i eth+ -p tcp --dport 25 -j TOS --set-tos Minimize-Cost
> iptables -t mangle -A OUTPUT -o eth+ -p tcp --dport 25 -j TOS --set-tos Minimize-Cost


> see "iptables -m tos -h" for other TOS values.

> -Jim P.
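Bob's point is that a TOS byte set with iptables only helps if someone downstream acts on it. The one router you control is your own, and Linux's traffic control (tc with the HTB qdisc) can honour those TOS marks locally, which is also what delivers the two things Christopher asked for that iptables alone cannot: a hard 10% cap on outbound SMTP and strict priority for the VoIP adapter. The script below is an added example, not code from this thread or from any of its posters. It assumes an interface `eth0`, a usable upstream rate of 2000 kbit/s, a placeholder VoIP adapter address `192.0.2.8`, and the RFC 1349 TOS byte values (Minimize-Delay 0x10, Minimize-Cost 0x02) behind the names `iptables -m tos -h` prints; the class sizes and the choice of Minimize-Delay for VoIP are my own. Running it with no argument prints the rules for review; `apply` executes them as root.

```shell
#!/bin/sh
# Added example (not from the thread): set the TOS byte in the mangle table,
# then shape on the egress interface with tc/HTB so the 10% SMTP cap and the
# VoIP priority are enforced at our own edge, whether or not upstream honours TOS.
# IFACE, LINK_KBIT and VOIP_HOST are assumed placeholders; adjust for your site.

IFACE="${IFACE:-eth0}"               # WAN-facing interface (assumed)
LINK_KBIT="${LINK_KBIT:-2000}"       # usable upstream rate in kbit/s (assumed)
VOIP_HOST="${VOIP_HOST:-192.0.2.8}"  # Packet8 adapter, documentation address (assumed)

# RFC 1349 TOS byte values behind the names "iptables -m tos -h" lists
TOS_MIN_DELAY=0x10   # Minimize-Delay
TOS_MIN_COST=0x02    # Minimize-Cost
TOS_MASK=0x1e        # the four TOS bits only; ignores precedence and ECN bits

# pct_rate TOTAL PCT -> integer kbit/s that is PCT percent of TOTAL
pct_rate() {
    echo $(( $1 * $2 / 100 ))
}

# mangle_rules: iptables commands that SET the TOS byte. "-m tos --tos X" only
# matches packets already carrying X; setting it needs the TOS target, which
# lives in the mangle table. "eth+" is the iptables interface wildcard.
mangle_rules() {
    cat <<EOF
iptables -t mangle -A OUTPUT -o ${IFACE} -p tcp --dport 25 -j TOS --set-tos Minimize-Cost
iptables -t mangle -A FORWARD -o ${IFACE} -p tcp --dport 25 -j TOS --set-tos Minimize-Cost
iptables -t mangle -A FORWARD -o ${IFACE} -s ${VOIP_HOST} -j TOS --set-tos Minimize-Delay
EOF
}

# shaping_rules: HTB tree on the egress interface. Class 1:10 is VoIP (highest
# prio, may borrow up to the whole link), 1:20 is SMTP with rate == ceil so it
# can never exceed 10% of the link, 1:30 is everything else. The u32 filters
# steer packets by the TOS byte that mangle_rules set.
shaping_rules() {
    smtp_kbit=$(pct_rate "$LINK_KBIT" 10)
    voip_kbit=$(pct_rate "$LINK_KBIT" 20)
    rest_kbit=$(( LINK_KBIT - smtp_kbit - voip_kbit ))
    cat <<EOF
tc qdisc del dev ${IFACE} root 2>/dev/null || true
tc qdisc add dev ${IFACE} root handle 1: htb default 30
tc class add dev ${IFACE} parent 1: classid 1:1 htb rate ${LINK_KBIT}kbit
tc class add dev ${IFACE} parent 1:1 classid 1:10 htb rate ${voip_kbit}kbit ceil ${LINK_KBIT}kbit prio 0
tc class add dev ${IFACE} parent 1:1 classid 1:20 htb rate ${smtp_kbit}kbit ceil ${smtp_kbit}kbit prio 2
tc class add dev ${IFACE} parent 1:1 classid 1:30 htb rate ${rest_kbit}kbit ceil ${LINK_KBIT}kbit prio 1
tc filter add dev ${IFACE} parent 1: protocol ip prio 1 u32 match ip tos ${TOS_MIN_DELAY} ${TOS_MASK} flowid 1:10
tc filter add dev ${IFACE} parent 1: protocol ip prio 2 u32 match ip tos ${TOS_MIN_COST} ${TOS_MASK} flowid 1:20
EOF
}

# shape_show prints both rule sets for review; shape_apply runs them (needs root)
shape_show()  { mangle_rules; shaping_rules; }
shape_apply() { shape_show | sh -e; }

if [ "${1:-}" = "apply" ]; then shape_apply; else shape_show; fi
```

Two design notes. The SMTP class has `rate` equal to `ceil`, so HTB never lets it borrow idle bandwidth; that is what turns "low priority" into the hard 10% Christopher wanted. The VoIP class keeps `prio 0` and a `ceil` of the full link, so it is served first when it has packets and is otherwise invisible. Because the filters key on the TOS byte, `tc -s class show dev eth0` lets you verify that SMTP packets really land in 1:20 before you trust the policy; zero counters there usually mean the mangle rules are not being hit.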


