[CENTOS] Rate-limiting network traffic on a specific port


Source : https://www.cyberciti.biz/faq/linux-traffic-shaping-ftp-server-port-21-22/

  This post shows how to put a speed limit on a specific port so that it cannot consume too much network bandwidth. The example is for port 21, but the same approach can be adapted to other ports.

1. Add the mangle rules to /etc/sysconfig/iptables with vi (in the iptables-save format shown in the mangle table dump below); service iptables restart is required afterwards.

2. Follow the steps below, changing the port as needed and using 40kbps for the rate (note that tc's kbps unit is kilobytes per second; use kbit for kilobits). The tc qdisc/class/filter commands are not persisted by the iptables service, so they must be re-run at boot, e.g. from /etc/rc.local.

  - qdisc reference : https://labs.gree.jp/blog/2014/10/11288/

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


I recommend that you read this tutorial and tc command man page before typing any one of the following commands.

First, you need to add the root qdisc. Note that `default 500` points at a class that is never created, so unmarked traffic falls into HTB's direct queue and leaves the interface unshaped; only packets matched by the filter below are rate-limited. Enter:
### delete old rules if any ###
# /sbin/tc qdisc del dev eth0 root
#### add it ###
# /sbin/tc qdisc add dev eth0 root handle 11: htb default 500 r2q 1

In the following example, I set the guaranteed bandwidth to 64KB/s and the max/burstable bandwidth to 128KB/s for testing purposes (adjust those numbers to your setup). Be aware that in tc the unit `kbps` means kilobytes per second, not kilobits; use `kbit` for kilobits per second. Add the level 1 class, which caps the whole tree at 128KB/s:
# /sbin/tc class add dev eth0 parent 11: classid 11:1 htb rate 128kbps ceil 128kbps quantum 2048

#### this is our level 2 class ####
# /sbin/tc class add dev eth0 parent 11:1 classid 11:101 htb rate 64kbps ceil 128kbps prio 0 quantum 2048

You need to add leaf to our qdisc:
# /sbin/tc qdisc add dev eth0 parent 11:101 handle 1001: sfq
Finally add our filter:
# /sbin/tc filter add dev eth0 parent 11: protocol ip handle 101 fw classid 11:101

iptables POSTROUTING rules

tc configures traffic control in the Linux kernel, but the fw filter above only matches on a firewall mark, so iptables is needed to mark the packets. The rules below mark outbound traffic with source port tcp/21 (FTP control) and the passive FTP data range 40000:41000 (use whatever passive range your FTP server is configured with):

### iptables mangle rule ###
/sbin/iptables -A POSTROUTING -t mangle -o eth0 -p tcp -m multiport --sports 21,40000:41000 -j MARK --set-xmark 101
/sbin/iptables -A POSTROUTING -t mangle -o eth0 -p tcp -m multiport --sports 21,40000:41000 -j RETURN
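The tc and iptables steps above, combined into one reusable script as an added example (this is not code from the original page or from the cyberciti tutorial). It generalizes the port-21 walkthrough: interface, source-port list, guaranteed rate and ceiling are parameters, while the handle `11:`, class `11:101` and mark `101` are kept from the tutorial. The `gen_*` functions only print the commands, so the sequence can be reviewed or tested without root; `apply`, `clear` and `show` actually run them. Rates are given in `kbit` to avoid the kilobyte/kilobit ambiguity of tc's `kbps` unit.

```shell
#!/bin/sh
# Added example: mark outbound traffic from selected source ports and shape
# only that traffic with HTB + SFQ.  All defaults below are assumptions
# taken from the tutorial; override them via environment variables.
#   DEV=eth0 PORTS=21,40000:41000 RATE=64kbit CEIL=128kbit ./shape.sh apply
#   ./shape.sh show      # counters      ./shape.sh clear   # undo
DEV="${DEV:-eth0}"
PORTS="${PORTS:-21,40000:41000}"   # server-side source ports (multiport syntax)
RATE="${RATE:-64kbit}"             # guaranteed rate (kbit = kilobits/s; kbps would be kilobytes/s)
CEIL="${CEIL:-128kbit}"            # burst ceiling
MARK="${MARK:-101}"                # decimal fwmark set by iptables, matched by the fw filter
CLASS=101                          # HTB minor class id (hex in tc); must only match the filter's classid

# Print the tc command sequence.  Unmarked traffic hits the non-existent
# default class 500 and is therefore sent to the device unshaped.
gen_tc_cmds() {
  dev=$1 rate=$2 ceil=$3 mark=$4
  cat <<EOF
tc qdisc add dev $dev root handle 11: htb default 500 r2q 1
tc class add dev $dev parent 11: classid 11:1 htb rate $ceil ceil $ceil quantum 2048
tc class add dev $dev parent 11:1 classid 11:$CLASS htb rate $rate ceil $ceil prio 0 quantum 2048
tc qdisc add dev $dev parent 11:$CLASS handle 1001: sfq
tc filter add dev $dev parent 11: protocol ip handle $mark fw classid 11:$CLASS
EOF
}

# Print the mangle rule that tags packets leaving $dev from the given source
# ports.  The tutorial's trailing "-j RETURN" is omitted: returning at the end
# of a built-in chain only falls through to the chain policy, so it is a no-op.
gen_ipt_cmds() {
  dev=$1 ports=$2 mark=$3
  echo "iptables -t mangle -A POSTROUTING -o $dev -p tcp -m multiport --sports $ports -j MARK --set-xmark $mark"
}

apply_rules() {
  tc qdisc del dev "$DEV" root 2>/dev/null   # remove any old shaping tree first
  gen_tc_cmds "$DEV" "$RATE" "$CEIL" "$MARK" | sh -e
  gen_ipt_cmds "$DEV" "$PORTS" "$MARK" | sh -e
}

clear_rules() {
  tc qdisc del dev "$DEV" root 2>/dev/null
  iptables -t mangle -D POSTROUTING -o "$DEV" -p tcp -m multiport \
    --sports "$PORTS" -j MARK --set-xmark "$MARK" 2>/dev/null
}

# Verification: class 11:101 counters should grow only during FTP transfers,
# direct_packets_stat on the htb qdisc counts unmarked traffic that bypassed
# shaping, and the MARK rule's hit counter confirms packets are being tagged.
show_rules() {
  tc -s qdisc show dev "$DEV"
  tc -s class show dev "$DEV"
  iptables -t mangle -L POSTROUTING -v -n
}

case "${1:-}" in
  apply) apply_rules ;;
  clear) clear_rules ;;
  show)  show_rules ;;
esac
```

Because the generators print plain command lines, the same script can be dropped into /etc/rc.local (`/path/to/shape.sh apply`) to restore shaping at boot, and `./shape.sh apply | sh -n`-style dry runs or review of `gen_tc_cmds` output let you check the tree before touching a production interface.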

Please note that mangle table is used for specialized packet alteration as follows:

  • PREROUTING – for altering incoming packets before routing.
  • OUTPUT – for altering locally-generated packets before routing.
  • INPUT – for packets coming into the box itself.
  • FORWARD – for altering packets being routed through the box.
  • POSTROUTING – for altering packets as they are about to go out.

Here is a dump of mangle table:
# /sbin/iptables-save -t mangle
Sample outputs:

# Generated by iptables-save v1.4.8 on Sun Sep  9 14:28:18 2012
*mangle
:PREROUTING ACCEPT [353:50724]
:INPUT ACCEPT [353:50724]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [490:67671]
:POSTROUTING ACCEPT [490:67671]
-A POSTROUTING -o eth0 -p tcp -m multiport --sports 21,40000:41000 -j MARK --set-xmark 0x65/0xffffffff 
-A POSTROUTING -o eth0 -p tcp -m multiport --sports 21,40000:41000 -j RETURN 
COMMIT
# Completed on Sun Sep  9 14:28:18 2012

Test it

Use lftp command or any other ftp client to test bandwidth limitations:
$ lftp -u username ftpservername
Try to download a big file:
lftp admin@nas03:/multipedia/iso-images/centos> get CentOS-6.2-x86_64-bin-DVD1.iso