I have this scenario.
I need to block large uploads from the private network (10.0.30.0) to the internet. I am routing 0.0.0.0/0 traffic from the private network via the Bastion / Router eth1.
There I am forwarding: sudo sysctl -w net.ipv4.ip_forward=1
And as we are behind a NAT: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
It works.
Then I am trying to limit just the download bandwidth on eth1 (so limiting the upload from the subnet), but I am not able to mark the packets correctly:
#! /bin/bash
NETCARDOUT=eth0
NETCARDIN=eth1
MAXBANDWIDTH=1000000
SUBNET=10.0.30.0/24
mark=1
bandwidth=100
# Allow forwarding, NAT on the outbound interface only
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $NETCARDOUT -j MASQUERADE
# mark every forwarded packet that entered through the inbound interface
iptables -t mangle -A FORWARD -i $NETCARDIN -j MARK --set-mark $mark
# reinit: drop any existing root qdisc (ignore the error on a first run)
tc qdisc del dev $NETCARDIN root 2>/dev/null
tc qdisc add dev $NETCARDIN root handle 1: htb default 9999
# create the default class
tc class add dev $NETCARDIN parent 1:0 classid 1:9999 htb rate ${MAXBANDWIDTH}kbit ceil ${MAXBANDWIDTH}kbit burst 5k prio 9999
# traffic shaping rule
tc class add dev $NETCARDIN parent 1:0 classid 1:$mark htb rate ${bandwidth}kbit ceil ${bandwidth}kbit burst 5k prio $mark
# filter that binds the two: fw mark $mark -> class 1:$mark
tc filter add dev $NETCARDIN parent 1:0 protocol ip prio $mark handle $mark fw flowid 1:$mark
echo "Subnet $SUBNET is attached to mark $mark and limited to $bandwidth kbps"
It seems that the iptables rule with the mark is not working.
So far I have managed to block eth0 upload, but it is not the same. For that I use a TC-only script without marking connections or packets. I don't want the Bastion upload to be restricted, so it is not a valid solution.
The next step would be to reduce the bandwidth for connections with lots of bytes. I think connbytes is the way to go, but I need to resolve this step first. I think the MASQUERADE is what is making my life harder :D
Thank you!
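As an added example, not part of the original question: the same rule set with the HTB qdisc attached to the outbound interface. A root qdisc only shapes traffic leaving an interface, so the subnet's upload (in on eth1, out on eth0) has to be classed on eth0, where the fw filter sees the mark set in mangle FORWARD (the skb mark survives MASQUERADE); the bastion's own traffic traverses OUTPUT, is never marked, and lands in the default class. Interface names, rates and the mark value are taken from the question; the dry-run/apply wrapper and the check function are assumptions added for review without root.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names, mark and rates
# follow the question; the dry-run/apply wrapper is an added convenience.
set -eu

NETCARDOUT=${NETCARDOUT:-eth0}        # toward the internet
NETCARDIN=${NETCARDIN:-eth1}          # toward the private subnet
SUBNET=${SUBNET:-10.0.30.0/24}
MAXBANDWIDTH=${MAXBANDWIDTH:-1000000} # kbit, default class (unmarked = bastion's own traffic)
MARK=${MARK:-1}
BANDWIDTH=${BANDWIDTH:-100}           # kbit, forwarded subnet traffic

# Emit the rule set as text. A root qdisc shapes egress only, so everything
# is attached to $out: subnet upload enters $in and leaves $out, and the fw
# filter on $out matches the mark set in mangle FORWARD (skb marks survive NAT).
shaping_commands() {
  out=$1; in=$2; subnet=$3; max=$4; mark=$5; bw=$6
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $out -j MASQUERADE
iptables -t mangle -A FORWARD -i $in -o $out -s $subnet -j MARK --set-mark $mark
tc qdisc del dev $out root 2>/dev/null || true
tc qdisc add dev $out root handle 1: htb default 9999
tc class add dev $out parent 1: classid 1:9999 htb rate ${max}kbit ceil ${max}kbit burst 5k prio 7
tc class add dev $out parent 1: classid 1:$mark htb rate ${bw}kbit ceil ${bw}kbit burst 5k prio 1
tc filter add dev $out parent 1: protocol ip prio 1 handle $mark fw flowid 1:$mark
EOF
}

# Sanity check on the generated text: the qdisc must sit on the outbound
# interface and nothing may be attached to the inbound one. Returns 0 if ok.
check_commands() {
  case "$1" in *"tc qdisc add dev $NETCARDIN"*) return 1 ;; esac
  case "$1" in *"tc qdisc add dev $NETCARDOUT root"*) return 0 ;; esac
  return 1
}

CMDS=$(shaping_commands "$NETCARDOUT" "$NETCARDIN" "$SUBNET" "$MAXBANDWIDTH" "$MARK" "$BANDWIDTH")
case "${1:-}" in
  dry-run) printf '%s\n' "$CMDS" ;;                       # review without root
  apply)   check_commands "$CMDS" || exit 1               # needs root
           printf '%s\n' "$CMDS" | while IFS= read -r c; do echo "+ $c"; sh -c "$c"; done ;;
esac
```

Run with `dry-run` to print the rules, `apply` to install them; with no argument the script only defines the functions.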