Making iptables recognize youtube streams and large files

iptables tc qos

Solution 1:

You can try using -m connbytes. Have it match something large. Then mark the packet, and use tc's fwmark matching mechanism.

However, I tend to agree with the others that for this purpose, you should use something that works at Layer 7.

Example usage of -m connbytes 

iptables -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m connbytes --connbytes $TRIGGER_SIZE: --connbytes-dir reply --connbytes-mode bytes -j CONNMARK --set-mark $BULK_MARKER
iptables -t mangle -A PREROUTING -m connmark --mark $BULK_MARKER -j CONNMARK --restore-mark

The first rule will match against connections whose total bytes transferred is greater than $TRIGGER_SIZE (careful; that colon must exist!)

The second rule will transfer the CONNMARK to packet MARK (fwmark) so that tc can do some throttling/policing.

Note that I specify -i, -o, and -dir reply in the 1st rule; this will match against packets entering WAN interface (and exiting LAN interface) that are replies to an outgoing connection initiated by someone in the LAN. If you do not specify -i and -o, and/or use -dir both, you will also match against outgoing packets (e.g., mails from the mail server).

Solution 2:

This from the perspective of iptables for a sec. When you handle packets one by one it is not possible to identify a packet as coming from the transfer of a large or a small file, you just pass them along. If you do deep packet inspection you can find a little bit more about the content, but you still don't really know how big a file is going to be or even that it's part of a file and not a web page.

You could tag packets routed to and from Youtube and filter those separately, but I find the last thing you want to do with streaming media is slow it down. The faster it happens the happier the users are and the sooner the traffic is out of the way. You can use TC to put everything coming from Youtube servers (by IP block) into a lower priority queue, but if your users are still watching videos, whether they take a long time or a short time to download the same number of bytes are going to move over your network.

I suggest you consider this at least partially an HR problem and make and enforce (using human communication not digital detection) some acceptable use policies. Then if you still need network capacity, grow your infrastructure a little.

Related

500 - Internal server error NOT appearing in error.log (or access.log)
SSL Packet inspection on Linux
Google network architecture
How to make SQL Server 2008 redundant?
How do I successfully transition from network administrator to IT Manager? [closed]
PG_Dump Fails Due to Mistaken Low Disk Space
Testing apache config changes
Password less sudo in script
How can I make ubuntu use samba to resolve windows host names?
Should SQL Server MDF/LDF files always be on separate physical disks, even on databases that are barely used?
PHP_Flag and PHP_Value Command Not Found Issue
Problems with multiple SSL on same IP, but only in select clients