
I searched for a while but couldn't find anything concrete, hopefully someone can help me.

I'm going to be running a Debian server on a gigabit port, and want to give each user his/her fair share of internet access.

The first objective is easy - transfer rates (speed) per user. From what I've looked at, IPTables/Shorewall could do the job easily. Is this easy to set up, or could one of you point me at a config? I was hoping to limit users at 300mbit or 650mbit each.

The second objective gets complicated. Due to the usage of the boxes, most of the traffic will be internal network traffic that does NOT get counted to the quota. However, I still need to limit the external traffic, and if they go over, cut off access (or throttle traffic to a very low speed (10mbit?)). Let's say the user has a 3TB external traffic limit. The IF part is: If the hostname they are exchanging the traffic with DOES NOT MATCH .ovh. or .kimsufi. (company owns multiple TLDs), count to the quota. Once said quota exceeds 3TB, choke them.

Where could I find a system to count that for me? It would also need to reset or be able to be manually reset on a monthly basis.

Thanks ahead of time!

3 Answers


Take a look at tc. (man tc)

Your first problem is uniquely identifying each "user".

Will each user be using a different IP? If so, tc will let you share the interface fairly and divide available resources per IP.

Your second objective is much trickier. It seems to me like you're talking about multiple vhosts on a web server. You can process the logs in batches (every hour or so) to track total bytes transferred by vhost and then use that to "choke" the IP using tc.

Differentiating between local and remote traffic should be manageable using tc as long as you know all your internal subnets ahead of time.

Good luck.

Joel K
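As an added example (not from the question or any of the answers), the following script sketches the approach above on the server's own interface: per-IP HTB classes with tc, a "choke" that drops a user's class to a low rate, and an iptables accounting chain that counts only external bytes per user IP. It assumes each user has a distinct IP on the box, as the answer asks; the interface name, subnets, IPs and rates are constructed placeholders, and with DRY_RUN=1 (the default) the commands are printed rather than executed.

```shell
#!/bin/bash
# Added example: tc/HTB per-IP shaping, a choke, and iptables external-byte
# accounting. Interface, subnets, IPs and rates are constructed placeholders.
# DRY_RUN=1 (default) prints commands; run as root with DRY_RUN=0 to apply.
set -eu
DRY_RUN=${DRY_RUN:-1}
IFACE=${IFACE:-eth0}
LINK_RATE=1000mbit   # the gigabit port from the question
FAIR_RATE=100mbit    # guaranteed share per user; HTB lends unused bandwidth
CHOKE_RATE=10mbit    # rate for a user who has exceeded the quota
INTERNAL_NETS="10.0.0.0/8 192.168.0.0/16"  # constructed: not counted to quota

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Root HTB qdisc; unclassified traffic lands in leaf 1:10 (fair share, full ceil).
shaping_init() {
  run tc qdisc add dev "$IFACE" root handle 1: htb default 10
  run tc class add dev "$IFACE" parent 1: classid 1:1 htb rate "$LINK_RATE"
  run tc class add dev "$IFACE" parent 1:1 classid 1:10 htb rate "$FAIR_RATE" ceil "$LINK_RATE"
}

# user_class <hex id> <user ip> <ceil>: guarantee FAIR_RATE, cap at <ceil>
# (e.g. 300mbit or 650mbit). Matches on source IP because this shapes egress;
# shaping downloads would need an ifb device, which is out of scope here.
user_class() {
  run tc class add dev "$IFACE" parent 1:1 classid "1:$1" htb rate "$FAIR_RATE" ceil "$3"
  run tc filter add dev "$IFACE" parent 1: protocol ip prio 1 u32 match ip src "$2" flowid "1:$1"
}

# choke_user <hex id>: throttle a user over quota without touching the filter.
choke_user() {
  run tc class change dev "$IFACE" parent 1:1 classid "1:$1" htb rate "$CHOKE_RATE" ceil "$CHOKE_RATE"
}

# Accounting chain: internal destinations RETURN before the per-user counters,
# so each user's rule counts external bytes only. Hook OUTPUT for users local
# to the box (FORWARD if the box routes for them). Reset monthly with -Z.
acct_init() {
  run iptables -N EXT_ACCT
  run iptables -I OUTPUT -j EXT_ACCT
  for net in $INTERNAL_NETS; do run iptables -A EXT_ACCT -d "$net" -j RETURN; done
}
acct_user() { run iptables -A EXT_ACCT -s "$1" -j RETURN; }  # counter for one IP

# bytes_for_ip <ip>: reads 'iptables -L EXT_ACCT -vnx' on stdin, prints bytes.
bytes_for_ip() { awk -v ip="$1" '$3 == "RETURN" && $8 == ip { print $2 }'; }

# over_quota <bytes> <limit bytes>: true once the limit (e.g. 3TB) is exceeded.
over_quota() { [ "$1" -gt "$2" ]; }
```

A cron job can pipe the chain listing through bytes_for_ip per user and call choke_user for anyone over_quota reports, then zero the counters at the start of each month.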

I'd suggest looking at your network hardware (switches) for setting available bandwidth on a per port basis.

For limiting external bandwidth used, you might want to look at something like pfsense and its captive portal.

Cheers


iptables comes with some sort of filtering based on user. Have a look at: http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html

Ztyx
    It is strongly recommended that you make sure your answers contain actual content, instead of just linking to a page. If you have the knowledge and experience to write a good answer, then please do so. Otherwise, don't bother. – EEAA Dec 12 '11 at 17:51