Rate-limiting with Shorewall


Open web proxies can incur heavy traffic. By default, SwiperProxy will use all bandwidth available to it. However, you may want to restrict the bandwidth usage to leave some for other services, or to stay within bandwidth quotas.

This document assumes that you are already moderately familiar with Shorewall and have a basic functional service set up. If not, see the Shorewall website. We will also assume IPv4-only. The same practices used here also mostly apply to shorewall6.

These lines in their respective configuration files will rate limit the proxy usage. They are meant as examples, and you should tweak and configure as desired.


rules

#ACTION    SOURCE    DEST    PROTO  DEST  SOURCE    ORIGINAL  RATE    USER/  MARK  CONNLIMIT  TIME         HEADERS         SWITCH
#                                   PORT  PORT(S)   DEST      LIMIT   GROUP
SECTION NEW
ACCEPT     net       fw      tcp    80    -         -         s:apache2:10/min:15
ACCEPT     net       fw      tcp    443   -         -         s:apache2:10/min:15

tcclasses

# DEVICE  MARK  RATE  CEIL   PRIORITY  OPTIONS
eth0      2     1mbit 10mbit 2         tcp-ack,tos-minimize-delay
eth0      3     2mbit 10mbit 3         default
eth0      4     1mbit 1mbit  4         flow=dst
eth0      5     1mbit 5mbit  5         flow=dst

tcdevices

# INTERFACE  IN-BANDWIDTH  OUT-BANDWIDTH
eth0         90mbit        90mbit

tcrules

# ACTION  SOURCE  DEST  PROTO  DPORT  SPORT  USER        TEST  LENGTH  TOS  CONNBYTES
4         fw      -     tcp    -      80,443
4         fw      -     -      -      -      www-data
5         fw      -     tcp    -      80,443
5         fw      -     -      -      -      swiperproxy
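As an added sanity check (example code, not part of SwiperProxy or Shorewall), the following Python snippet parses tcdevices and tcclasses fragments in the column layout shown above and reports classes whose RATE exceeds CEIL, whose CEIL exceeds the device's OUT-BANDWIDTH, or whose summed RATE on a device exceeds that bandwidth. It assumes the simple three-column tcdevices form used here and tc's rate units (bit/kbit/mbit/gbit are bits per second, bps/kbps/mbps are bytes per second).

```python
# Consistency check for Shorewall tcdevices/tcclasses fragments (added example,
# not Shorewall's own parser; handles only the columns shown in this document).
import re

UNITS = {"bit": 1, "kbit": 1_000, "mbit": 1_000_000, "gbit": 1_000_000_000,
         "bps": 8, "kbps": 8_000, "mbps": 8_000_000}  # *bps units are bytes/s in tc

def parse_rate(text):
    """Convert a tc-style rate such as '10mbit' or '90kbps' to bits per second."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([a-z]*)", text.strip().lower())
    if not m:
        raise ValueError(f"bad rate: {text!r}")
    value, unit = float(m.group(1)), m.group(2) or "bit"
    return int(value * UNITS[unit])

def parse_columns(text):
    """Yield the whitespace-separated fields of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def check_tc(tcdevices, tcclasses):
    """Return a list of problem strings; an empty list means the fragments agree."""
    # OUT-BANDWIDTH is the third column; a ':burst' suffix, if present, is dropped.
    out_bw = {f[0]: parse_rate(f[2].split(":")[0]) for f in parse_columns(tcdevices)}
    problems, used = [], {}
    for dev, mark, rate, ceil, *_ in parse_columns(tcclasses):
        r, c = parse_rate(rate), parse_rate(ceil)
        if dev not in out_bw:
            problems.append(f"{dev}: class {mark} references a device missing from tcdevices")
            continue
        if r > c:
            problems.append(f"{dev}: class {mark} RATE {rate} exceeds CEIL {ceil}")
        if c > out_bw[dev]:
            problems.append(f"{dev}: class {mark} CEIL {ceil} exceeds OUT-BANDWIDTH")
        used[dev] = used.get(dev, 0) + r
    for dev, total in used.items():
        if total > out_bw[dev]:
            problems.append(f"{dev}: summed class RATE {total} bit/s exceeds OUT-BANDWIDTH")
    return problems

# Constructed copies of the tcdevices and tcclasses fragments in this document.
TCDEVICES = "eth0 90mbit 90mbit\n"
TCCLASSES = """\
eth0 2 1mbit 10mbit 2 tcp-ack,tos-minimize-delay
eth0 3 2mbit 10mbit 3 default
eth0 4 1mbit 1mbit  4 flow=dst
eth0 5 1mbit 5mbit  5 flow=dst
"""
```

Run `check_tc` on the two files before reloading Shorewall; it returns an empty list for the fragments above, and a mark 4 class with RATE equal to CEIL is valid (Apache traffic is simply capped with no borrowing).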