My server has multiple IPs, of which only one is mapped to the inbound physical interface eth0. Other IPs are handled in a virtual manner via iptables/DNAT.
I want to limit the traffic to one of my lxc containers called "service1" (192.168.123.2 internally) to max 50MBit/s.
From outside I reach my main server "hypervisor" via x.x.x.90, but the firewall routes all needed ports for x.x.x.89 to "service1" (I only use ports 10000 and 5666).
How can I shape the traffic with tc to a max limit of 50Mbit/s for traffic that reaches the service1 container on the IP x.x.x.89?
I would start with
DEV=eth0
IPT=/sbin/iptables
TC=/sbin/tc
$IPT -t mangle -F
# clear old rules:
$TC qdisc del dev $DEV ingress > /dev/null 2>&1
$TC qdisc del dev $DEV root > /dev/null 2>&1
$TC qdisc del dev lo root > /dev/null 2>&1
# initialize shaping and set default to channel 12:
$TC qdisc add dev $DEV root handle 1:0 htb default 12 r2q 6
# set max limit to 1GBit
$TC class add dev $DEV parent 1:0 classid 1:1 htb rate 1Gbit ceil 1Gbit
These are my iptables rules (iptables-save):
-A PREROUTING -d x.x.x.89/32 -i eth0 -p tcp -m tcp --dport 5666 -j DNAT --to-destination 192.168.123.2:5666
-A PREROUTING -d x.x.x.89/32 -i eth0 -p udp -m udp --dport 5666 -j DNAT --to-destination 192.168.123.2:5666
-A PREROUTING -d x.x.x.89/32 -i eth0 -p tcp -m tcp --dport 10000 -j DNAT --to-destination 192.168.123.2:10000
-A PREROUTING -d x.x.x.89/32 -i eth0 -p udp -m udp --dport 10000 -j DNAT --to-destination 192.168.123.2:10000
-A POSTROUTING -s 192.168.123.0/24 -o eth0 -j SNAT --to-source x.x.x.89
Now how would I have to define rules to limit traffic to max 50Mbit for only those two ports 10000 and 5666 from and to "service1"?
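One way to finish the script above, as an added example (my own, not the question's or the answer's code): egress is shaped on eth0 through an iptables fw mark, inbound is redirected to an IFB device and shaped there, because tc's ingress hook runs before both the DNAT and the mangle table. It assumes the question's root qdisc 1:0 and parent class 1:1 on eth0 already exist; class id 1:20, mark 20, ifb0 and the 1gbit ceiling are this example's own choices, and x.x.x.89 is the question's placeholder for the public IP.

```shell
#!/bin/sh
# Added example: 50 Mbit/s HTB shaping for the service1 container. Assumes the
# question's root qdisc 1:0 / parent class 1:1 on eth0 already exist. Class id
# 1:20, fw mark 20 and ifb0 are this example's choices; x.x.x.89 is the
# question's placeholder for the public IP.
DEV=eth0
IFB=ifb0
CT_IP=192.168.123.2
PUBLIC_IP=x.x.x.89
PORTS="10000 5666"
RATE=50mbit
MARK=20            # not 12: the question's qdisc uses 1:12 as its default class
TC=/sbin/tc
IPT=/sbin/iptables
# DRY_RUN=1 (default) prints each command instead of executing it, so the
# rule set can be reviewed without root or the tc/iptables binaries.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Outbound: replies from service1 leave through eth0. mangle POSTROUTING runs
# before the SNAT, so the source is still 192.168.123.2 there; mark those
# packets and let a fw filter steer the mark into a 50 Mbit/s leaf class.
shape_egress() {
    run $TC class add dev $DEV parent 1:1 classid 1:$MARK htb rate $RATE ceil $RATE
    run $TC filter add dev $DEV parent 1:0 protocol ip prio 1 handle $MARK fw flowid 1:$MARK
    for p in $PORTS; do
        for proto in tcp udp; do
            run $IPT -t mangle -A POSTROUTING -s $CT_IP -o $DEV -p $proto --sport $p -j MARK --set-mark $MARK
        done
    done
}

# Inbound: tc's ingress hook on eth0 sees packets before the DNAT and before
# mangle, so marks are useless and the destination is still x.x.x.89. Ingress
# cannot be queued in place, so redirect it to an IFB device and shape there.
shape_ingress() {
    run ip link add $IFB type ifb
    run ip link set $IFB up
    run $TC qdisc add dev $IFB root handle 2:0 htb default 2
    run $TC class add dev $IFB parent 2:0 classid 2:1 htb rate 1gbit
    run $TC class add dev $IFB parent 2:1 classid 2:2 htb rate 1gbit      # everything else
    run $TC class add dev $IFB parent 2:1 classid 2:$MARK htb rate $RATE ceil $RATE
    for p in $PORTS; do
        run $TC filter add dev $IFB parent 2:0 protocol ip prio 1 u32 match ip dst $PUBLIC_IP/32 match ip dport $p 0xffff flowid 2:$MARK
    done
    run $TC qdisc add dev $DEV handle ffff: ingress
    run $TC filter add dev $DEV parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev $IFB
}
shape_egress
shape_ingress
```

Run with DRY_RUN=0 as root to apply the rules. The question's script points unclassified eth0 traffic at class 1:12, so that class must exist too, otherwise HTB sends that traffic out unshaped.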
For a start, you should use tcng to generate the tc rules: http://linux-ip.net/gl/tcng/node10.html