Slow down individual connections passing through a Linux router?

We have a Linux server acting as a router/firewall for our office. Occasionally someone will upload a large file that takes up all our bandwidth. I don't want to implement any complex rules or traffic shaping, but I'm wondering if there is a way to slow down a single connection on the spot? I found tcpnice, but it doesn't slow down the transfers in my testing.


Solution 1:

If traffic shaping does not shape traffic properly for both shell and active uploads (I think it can, but not sure) then you could:

a) run ssh on two ports - you could prioritize one for file transfers and one for interactive work.

b) limit the total ssh rate - the only problem is if you fill up the upload capacity of the link; ssh will work nicely interactively if you limit the rate to something like 50kbps (this will force users to use some other protocol for larger file transfers)

c) prioritize the traffic on source address if you can

also, traffic shaping should make the traffic more balanced regardless so that single connection would not monopolize the whole link.

EDIT: Here's an example that uses a bash script. It mentions that ssh indeed sets the TOS field to interactive for interactive sessions, so I would presume Wondershaper takes advantage of that.

If you want other options besides Wondershaper make sure you take a look at shorewall or pyshape.

Shorewall is quite mature and nice balance of flexibility, power and simplicity.

Solution 2:

Wondershaper can do wonders, and it's quite easy to set up. Other than that, you can find some userland programs to do that. In Linux there's Trickle; there might be equivalents for Windows.

But really, you want traffic shaping - people will forget to run the program, etc. Just limiting uploads to slightly less than your full capacity will probably do you a lot of good.

Solution 3:

Have a look at connrate in the iptables(8) manpage. You can match the connection rate and slow down a connection that is uploading too fast by either putting it into an appropriate tc class, or dropping it, or tarpitting it, or whatever works for you.
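An added example that ties Solution 1 (prioritise interactive ssh by its TOS marking, run a second sshd port for bulk transfers) and Solution 3 (match a connection by what it has transferred and drop it into a slow tc class) together in one shaper script. It is not code from any of the answers above. It uses the mainline iptables `connbytes` match rather than `connrate`, which is a patch-o-matic extension that a stock iptables build may not have; `connbytes` needs conntrack byte accounting (the `net.netfilter.nf_conntrack_acct` sysctl, which recent kernels switch on when the match is loaded). Because the mark is applied to every packet of an established connection and saved with CONNMARK, an upload that is already running gets slowed too, and the `throttle` subcommand does the same for one chosen connection on the spot. The interface name, link speed, bulk ssh port, threshold and the chain name `SHAPER` are hypothetical site values.

```shell
#!/bin/sh
# Added example (not from the answers above): an HTB shaper on the office
# uplink that keeps interactive ssh ahead of bulk transfers, and uses the
# mainline iptables "connbytes" match plus CONNMARK to push any single upload
# that has already sent more than a threshold into a slow class. Because the
# mark is applied per packet of an *established* connection, a transfer that
# is already running gets slowed, not only new ones.
# Assumed site values (hypothetical): WAN=eth0, 1000 kbit/s uplink, a second
# sshd for bulk transfers on port 2222, a 20 MB threshold.
set -eu

WAN=${WAN:-eth0}
UPLINK_KBIT=${UPLINK_KBIT:-1000}       # the real upload rate of the link
BULK_SSH_PORT=${BULK_SSH_PORT:-2222}   # sshd instance reserved for scp/sftp
PENALTY_BYTES=${PENALTY_BYTES:-20000000}
TC=${TC:-tc}                           # TC=echo IPT=echo gives a dry run
IPT=${IPT:-iptables}

shape_up() {
    # Shape to ~95% of the link so the queue builds in our classes, not in
    # the modem/ISP buffer where we cannot reorder it.
    cap=$(( UPLINK_KBIT * 95 / 100 ))
    $TC qdisc del dev "$WAN" root 2>/dev/null || true
    $TC qdisc add dev "$WAN" root handle 1: htb default 20
    $TC class add dev "$WAN" parent 1: classid 1:1 htb rate "${cap}kbit" ceil "${cap}kbit"
    # 1:10 interactive, 1:20 everything else, 1:30 bulk/penalty. All may
    # borrow up to the full cap, but the lower prio class borrows last.
    $TC class add dev "$WAN" parent 1:1 classid 1:10 htb rate "$(( cap / 4 ))kbit" ceil "${cap}kbit" prio 0
    $TC class add dev "$WAN" parent 1:1 classid 1:20 htb rate "$(( cap / 2 ))kbit" ceil "${cap}kbit" prio 1
    $TC class add dev "$WAN" parent 1:1 classid 1:30 htb rate "$(( cap / 4 ))kbit" ceil "${cap}kbit" prio 2
    for c in 10 20 30; do
        $TC qdisc add dev "$WAN" parent 1:$c handle $c: sfq perturb 10
    done
    # TOS "minimize-delay" (0x10), which classic OpenSSH sets on interactive
    # sessions, goes to the interactive class.
    $TC filter add dev "$WAN" parent 1: protocol ip prio 1 u32 \
        match ip tos 0x10 0xff flowid 1:10
    # Packets carrying firewall mark 3 (set below) go to the penalty class.
    $TC filter add dev "$WAN" parent 1: protocol ip prio 2 handle 3 fw flowid 1:30
}

mark_bulk() {
    # Restore any saved connection mark first, then mark bulk-port traffic and
    # any connection that has already pushed PENALTY_BYTES outbound, and save
    # the mark so the whole connection stays in 1:30 for its lifetime.
    $IPT -t mangle -N SHAPER 2>/dev/null || $IPT -t mangle -F SHAPER
    $IPT -t mangle -A SHAPER -j CONNMARK --restore-mark
    $IPT -t mangle -A SHAPER -p tcp --dport "$BULK_SSH_PORT" -j MARK --set-mark 3
    $IPT -t mangle -A SHAPER -p tcp -m connbytes --connbytes "$PENALTY_BYTES": \
        --connbytes-dir original --connbytes-mode bytes -j MARK --set-mark 3
    $IPT -t mangle -A SHAPER -j CONNMARK --save-mark
    $IPT -t mangle -D POSTROUTING -o "$WAN" -j SHAPER 2>/dev/null || true
    $IPT -t mangle -A POSTROUTING -o "$WAN" -j SHAPER
}

throttle_conn() {
    # On-the-spot throttle of one connection: src dst dport. Inserted after
    # the restore-mark rule so CONNMARK --save-mark then keeps the mark.
    $IPT -t mangle -I SHAPER 2 -p tcp -s "$1" -d "$2" --dport "$3" -j MARK --set-mark 3
}

case "${1:-}" in
    apply)    shape_up; mark_bulk ;;
    throttle) throttle_conn "$2" "$3" "$4" ;;
    *)        echo "usage: $0 apply | throttle SRC DST DPORT  (TC=echo IPT=echo for a dry run)" >&2 ;;
esac
```

Run `sh shaper.sh apply` as root on the router, and `sh shaper.sh throttle 10.0.0.5 203.0.113.9 443` (addresses are made up) to demote one running connection; `TC=echo IPT=echo sh shaper.sh apply` prints the commands without touching anything. Two caveats: OpenSSH 7.8 and later default `IPQoS` to `af21 cs1` instead of the old lowdelay/throughput TOS values, so either match the DSCP af21 byte (0x48) in the u32 filter or set `IPQoS lowdelay throughput` in sshd_config; and a connection that crosses the byte threshold is only slowed, never cut, because HTB still lets class 1:30 borrow idle bandwidth.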

Solution 4:

Have you thought of setting up a reverse Squid proxy and setting up delay-pools? You could also do this with the limit directive of iptables.

The one issue I have with your request is that it seems that you want to start limiting the transfer rate of an already established connection which is going to be quite difficult to do as everything I can think of is going to want to start operating on a new connection, and will leave existing connections going.

I have to agree with alex in that you're probably going to need some sort of traffic shaper, what you want to look at is packets per second as an interactive shell is going to have a significantly smaller value than a modest file transfer.