Monday, November 14, 2011

Force Binding IP to MAC Address, Bandwidth Limiting Priority in SuSE Linux

In my small office we have 4 groups of internet users, each with a different internet priority. My fellow manager and I (of course) are the first priority, our school partners are the second, staff are the third, and the rest have the lowest priority. Each priority level gets more bandwidth than the one below it.

At this stage the groups are distinguished by IP address.

At first I used SQUID as a proxy server to manage the bandwidth allocation, transparently redirecting all web traffic to the proxy with iptables. SQUID can limit bandwidth per host or per subnet (delay pools), BUT it cannot prioritise one group over another.

A better tool is QoS (Quality of Service) bandwidth management. As the name implies, it lets us prioritise bandwidth according to the service: port, IP address, packet type, and so on.

One of the best on Linux is HTB (Hierarchical Token Bucket). I did the following (trimmed down):

-- begin script

#!/bin/bash
# tc rate units: kbps / mbps = kilo / mega BYTES per second,
#                kbit / mbit = kilo / mega BITS per second.
# Shaping acts on packets leaving $DEV (the LAN side), i.e. on what the
# clients download from the proxy.

DEV=eth4

# Clear any previous tree so the script can be re-run safely.
tc qdisc del dev $DEV root 2>/dev/null

# Root HTB qdisc. Traffic that no filter matches goes to class 1:10, so that
# class must exist below (class ids are hexadecimal).
tc qdisc add dev $DEV root handle 1: htb default 10

# Parent class: the total bandwidth shared by everybody.
tc class add dev $DEV parent 1: classid 1:1 htb rate 1024kbit ceil 1024kbit burst 6k

# One class per group. "rate" is guaranteed, "ceil" is the most a class may
# borrow up to while the others are idle, and a lower "prio" is served first.
# 1:10 unclassified (default), 1:11 managers, 1:12 partners, 1:13 staff,
# 1:14 torrent host, 1:15 the rest.
tc class add dev $DEV parent 1:1 classid 1:10 htb rate 24kbit ceil 128kbit burst 6k prio 5
tc class add dev $DEV parent 1:1 classid 1:11 htb rate 128kbit ceil 1024kbit burst 6k prio 1
tc class add dev $DEV parent 1:1 classid 1:12 htb rate 64kbit ceil 128kbit burst 6k prio 2
tc class add dev $DEV parent 1:1 classid 1:13 htb rate 52kbit ceil 192kbit burst 6k prio 3
tc class add dev $DEV parent 1:1 classid 1:14 htb rate 52kbit ceil 1024kbit burst 6k prio 4
tc class add dev $DEV parent 1:1 classid 1:15 htb rate 24kbit ceil 128kbit burst 6k prio 5

# Fair queueing inside each leaf so one download cannot starve the others
# in the same class.
tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $DEV parent 1:11 handle 20: sfq perturb 10
tc qdisc add dev $DEV parent 1:12 handle 30: sfq perturb 10
tc qdisc add dev $DEV parent 1:13 handle 40: sfq perturb 10
tc qdisc add dev $DEV parent 1:14 handle 50: sfq perturb 10
tc qdisc add dev $DEV parent 1:15 handle 60: sfq perturb 10

# Since only SQUID:3128 traffic is allowed by IPTABLES, we only manage this
# traffic: proxy replies have source port 3128 and the client as destination.
# u32 filters at the same prio are tried in the order they were added, so the
# /24 catch-all for "the rest" must stay last.
U32="tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32"

# Manager HOSTs
$U32 match ip dst 10.2.3.4 match ip sport 3128 0xffff flowid 1:11
$U32 match ip dst 10.2.3.5 match ip sport 3128 0xffff flowid 1:11

# Partner HOSTs
$U32 match ip dst 10.2.3.22 match ip sport 3128 0xffff flowid 1:12
$U32 match ip dst 10.2.3.23 match ip sport 3128 0xffff flowid 1:12

# STAFF
$U32 match ip dst 10.2.3.33 match ip sport 3128 0xffff flowid 1:13
$U32 match ip dst 10.2.3.34 match ip sport 3128 0xffff flowid 1:13

# Torrent HOST
$U32 match ip dst 10.2.3.35 match ip sport 3128 0xffff flowid 1:14

# REST (everything else in the LAN)
$U32 match ip dst 10.2.3.0/24 match ip sport 3128 0xffff flowid 1:15

-- end script
 
Further explanation of these parameters is in the HTB user guide on the official HTB website.

What I love about HTB is that a class can borrow bandwidth that another class is not using. This is where the ceil (ceiling) parameter matters: rate is what a class is guaranteed, and ceil is the most it may reach by borrowing from its parent while its siblings are idle.
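A tree like the one above fails quietly when it is wrong: HTB does not complain if the class named in `default` is never created (that traffic simply bypasses shaping), and a filter aimed at a missing class or a child ceil above its parent's ceil only shows up as odd behaviour later. The script below is an added example, not code from the original post. It parses the tc qdisc/class/filter commands of a shaping script (written out here without the shell variables) and reports those mistakes; it needs only Python's standard library, and SAMPLE is a constructed, shortened version of the tree above with three mistakes planted in it.

```python
"""Static check of an HTB shaping script before handing it to tc.

Added example, not from the original post. It parses the tc qdisc/class/
filter lines and reports what HTB gets silently wrong: a missing `default`
class (that traffic then bypasses shaping), filters or leaf qdiscs aimed at
classes that do not exist, a child ceil above its parent's ceil, and
children whose guaranteed rates oversubscribe the parent. SAMPLE is
constructed: the posted tree shortened, with three mistakes planted.
"""
import re
import shlex

# Rate units in bit/s; tc reads a bare number as bytes per second.
UNITS = {"bit": 1, "kbit": 1_000, "mbit": 1_000_000, "bps": 8, "kbps": 8_000, "mbps": 8_000_000}
# Options whose next token is a value; everything else (htb, sfq, u32, match ...) is skipped.
KEYS = {"dev", "parent", "classid", "handle", "rate", "ceil", "burst", "prio", "default", "flowid", "protocol"}


def parse_rate(text):
    m = re.fullmatch(r"(\d+)([a-z]*)", text)
    unit = (m.group(2) or "bps") if m else None
    if unit not in UNITS:
        raise ValueError(f"bad rate {text!r}")
    return int(m.group(1)) * UNITS[unit]


def cid(text, major=None):
    """Normalize '1:', '1:0' or '1:11' (hex, as tc reads them) to (major, minor)."""
    if ":" in text:
        maj, _, mino = text.partition(":")
        return int(maj, 16), int(mino or "0", 16)
    return major, int(text, 16)


def name(c):
    return f"{c[0]:x}:{c[1]:x}"


def parse_tc(script):
    """Collect classes, leaf-qdisc parents, filter targets and the default class."""
    tree = {"classes": {}, "qdiscs": [], "filters": [], "default": None, "root": None}
    for line in script.splitlines():
        t = shlex.split(line.split("#", 1)[0])
        if len(t) < 3 or t[0] != "tc" or t[2] != "add":
            continue
        o, i = {}, 3
        while i < len(t):                       # key/value scan; flags are skipped
            if t[i] in KEYS and i + 1 < len(t):
                o[t[i]], i = t[i + 1], i + 2
            else:
                i += 1
        if t[1] == "qdisc" and "parent" not in o:            # root qdisc
            tree["root"] = cid(o["handle"])
            if "default" in o:
                tree["default"] = cid(o["default"], tree["root"][0])
        elif t[1] == "qdisc":                                  # leaf qdisc (sfq, ...)
            tree["qdiscs"].append(cid(o["parent"]))
        elif t[1] == "class":
            tree["classes"][cid(o["classid"])] = {
                "parent": cid(o["parent"]), "rate": parse_rate(o["rate"]),
                "ceil": parse_rate(o.get("ceil", o["rate"]))}   # HTB: ceil defaults to rate
        elif t[1] == "filter" and "flowid" in o:
            tree["filters"].append(cid(o["flowid"]))
    return tree


def check_htb(tree):
    """Return the list of problems found; an empty list means the tree is consistent."""
    cls, out = tree["classes"], []
    if tree["default"] is not None and tree["default"] not in cls:
        out.append(f"default class {name(tree['default'])} is never created: "
                   "unclassified traffic leaves unshaped")
    for c, info in cls.items():
        p = info["parent"]
        if p in cls and info["ceil"] > cls[p]["ceil"]:
            out.append(f"class {name(c)} ceil exceeds parent {name(p)} ceil")
    for p, pinfo in cls.items():
        total = sum(i["rate"] for i in cls.values() if i["parent"] == p)
        if total > pinfo["rate"]:
            out.append(f"children of {name(p)} guarantee {total} bit/s, parent has {pinfo['rate']}")
    for what, ids in (("filter target", tree["filters"]), ("leaf qdisc parent", tree["qdiscs"])):
        out += [f"{what} {name(c)} is not a defined class" for c in ids if c not in cls]
    return out


# Constructed sample: default 10 but no class 1:10, 1:15 ceil above the
# parent's 1024kbit, and a filter aimed at a class 1:14 that is never created.
SAMPLE = """
tc qdisc add dev eth4 root handle 1: htb default 10
tc class add dev eth4 parent 1: classid 1:1 htb rate 1024kbit ceil 1024kbit burst 6k
tc class add dev eth4 parent 1:1 classid 1:11 htb rate 128kbit ceil 1024kbit burst 6k prio 1
tc class add dev eth4 parent 1:1 classid 1:12 htb rate 64kbit ceil 128kbit burst 6k prio 2
tc class add dev eth4 parent 1:1 classid 1:15 htb rate 24kbit ceil 2048kbit burst 6k prio 5
tc qdisc add dev eth4 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth4 parent 1:11 handle 20: sfq perturb 10
tc filter add dev eth4 parent 1:0 protocol ip prio 10 u32 match ip dst 10.2.3.4 match ip sport 3128 0xffff flowid 1:11
tc filter add dev eth4 parent 1:0 protocol ip prio 10 u32 match ip dst 10.2.3.35 match ip sport 3128 0xffff flowid 1:14
tc filter add dev eth4 parent 1:0 protocol ip prio 10 u32 match ip dst 10.2.3.0/24 match ip sport 3128 0xffff flowid 1:15
"""

if __name__ == "__main__":
    for problem in check_htb(parse_tc(SAMPLE)):
        print("PROBLEM:", problem)
```

Feed it the real script (with the variables expanded, e.g. via `bash -x` output) before running it on the gateway; a clean result means every class a filter, leaf qdisc or `default` points at exists and the rate/ceil figures are consistent, which is exactly what `tc` itself will not tell you.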

OK, now I can prioritise the bandwidth (I limit the download bandwidth in SQUID as well). I have ONE MORE PROBLEM. The "REST" people are very playful: they keep changing their IP address to one from a higher-priority group. Until I found the static ARP cache solution:

Edit the file /etc/ethers and put one "MAC address, IP address" pair per line, like this:
00:E0:98:94:8A:AB       10.2.3.3
00:90:F5:6B:5E:AB       10.2.3.4

then load them as permanent entries in the ARP cache of the LAN interface:
# arp -f /etc/ethers -i eth4

If 10.2.3.3 is now used by a machine with a different MAC address, the gateway keeps sending its replies to the MAC address in the table, so the impostor never gets an answer and its TCP connections through the gateway never complete. Try to ping it. Two caveats: the static entries are gone after a reboot, so run the arp -f command from a boot script; and a MAC address is as easy to change as an IP address, so this stops playful users, not a determined one.

Another option is to filter in iptables, dropping any packet that claims the IP address from a different MAC address:
iptables -A INPUT -s 10.2.3.3 -m mac --mac-source ! 00:E0:98:94:8A:AB -j DROP

The INPUT chain is the right place here because the transparent redirect to SQUID makes the gateway itself the destination; traffic routed through the gateway would need the same rule in FORWARD. The rule has to come before any ACCEPT rule that would match the packet first, so use -I instead of -A if one does. iptables loads the MAC match module by itself when the rule is added (it is called xt_mac on current kernels, ipt_mac on older ones); to load it by hand:
# modprobe ipt_mac
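The /etc/ethers table is the single source of truth for both measures, so it pays to validate it and to generate the arp and iptables commands from it rather than typing them twice; it also gives you something to compare the live ARP cache against to catch the playful users. The script below is an added example, not code from the original post. The ethers table, the `ip neigh show` snapshot, the extra host 10.2.3.40 and its MAC address are constructed for the example (the first two MACs are the ones from the post), the interface name is assumed to be eth4, and the generated iptables rules use the current `! --mac-source` negation syntax.

```python
"""Audit IP-to-MAC bindings and generate the rules that enforce them.

Added example, not from the original post. It parses an ethers(5)-style
table (MAC, then IP, one pair per line), rejects malformed or duplicate
entries, compares the table with a snapshot of `ip neigh show` to find
hosts currently answering for a bound IP from another MAC, and prints the
`arp -s` plus iptables commands that pin each binding. The table, the
neighbour snapshot, the host 10.2.3.40 and its MAC are constructed here;
the first two MACs in the table are the ones from the post.
"""
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
IP_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def parse_ethers(text):
    """Return ({ip: mac}, [errors]); MACs are lower-cased so they compare equal."""
    bindings, by_mac, errors = {}, {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not MAC_RE.match(parts[0].lower()) or not IP_RE.match(parts[1]):
            errors.append(f"line {n}: expected 'MAC IP', got {raw.strip()!r}")
            continue
        mac, ip = parts[0].lower(), parts[1]
        if ip in bindings:
            errors.append(f"line {n}: {ip} is already bound to {bindings[ip]}")
        elif mac in by_mac:
            errors.append(f"line {n}: {mac} is already bound to {by_mac[mac]}")
        else:
            bindings[ip], by_mac[mac] = mac, ip
    return bindings, errors


def parse_neigh(text, dev):
    """Return {ip: mac} for resolved `ip neigh show` entries on one interface."""
    seen = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 5 and t[1] == "dev" and t[2] == dev and t[3] == "lladdr":
            seen[t[0]] = t[4].lower()
    return seen


def audit(bindings, seen):
    """Bound IPs whose live MAC differs from the table, naming that MAC's real owner."""
    by_mac = {mac: ip for ip, mac in bindings.items()}
    findings = []
    for ip, mac in seen.items():
        want = bindings.get(ip)
        if want and want != mac:
            owner = by_mac.get(mac)
            hint = f" (that MAC is bound to {owner})" if owner else ""
            findings.append(f"{ip} is answering from {mac}, expected {want}{hint}")
    return findings


def enforcement(bindings, dev):
    """Commands pinning each binding: a permanent ARP entry, then DROP rules for
    packets claiming the IP from any other MAC, inserted at the top of INPUT
    (proxy traffic redirected to the gateway) and FORWARD (routed traffic)."""
    cmds = []
    for ip in sorted(bindings, key=lambda a: tuple(map(int, a.split(".")))):
        mac = bindings[ip]
        cmds.append(f"arp -i {dev} -s {ip} {mac}")
        for chain in ("INPUT", "FORWARD"):
            cmds.append(f"iptables -I {chain} -i {dev} -s {ip} -m mac ! --mac-source {mac} -j DROP")
    return cmds


# Constructed /etc/ethers: the post's two entries plus one "REST" host.
ETHERS = """\
# managers
00:E0:98:94:8A:AB   10.2.3.3
00:90:F5:6B:5E:AB   10.2.3.4
# one of the REST hosts
00:AA:BB:CC:DD:40   10.2.3.40
"""

# Constructed `ip neigh show` snapshot: the REST host's MAC now claims 10.2.3.4.
NEIGH = """\
10.2.3.3 dev eth4 lladdr 00:e0:98:94:8a:ab REACHABLE
10.2.3.4 dev eth4 lladdr 00:aa:bb:cc:dd:40 REACHABLE
10.2.3.9 dev eth4  FAILED
10.2.3.40 dev eth4 lladdr 00:aa:bb:cc:dd:40 STALE
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
"""

if __name__ == "__main__":
    bindings, errors = parse_ethers(ETHERS)
    for e in errors:
        print("ETHERS ERROR:", e)
    for f in audit(bindings, parse_neigh(NEIGH, "eth4")):
        print("SPOOF:", f)
    print("\n".join(enforcement(bindings, "eth4")))
```

Run the audit while the gateway still learns ARP dynamically: once the static entries are loaded, `ip neigh` shows the pinned MAC no matter who is really answering, so from then on the comparison has to be fed from a sniffer (tcpdump -e on the LAN interface, or arpwatch) instead of the kernel's table.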

DONE.. SLEEP WELL
