michaelcoyote · July 31, 2017 23:38
diff --git a/tc_outbound_https.sh b/tc_outbound_https.sh
 #!/usr/bin/env bash
 #

 # Script to rate limit port 443
 #
 #network interface on which to limit traffic
 IF="bond0"
 #limit of the network interface in question
 LINKCEIL="10gbit"
 #limit outbound https protocol traffic to this rate
 LIMIT="100mbit"
 # Net or nets.. Space separated list.
 # Can use "/32" for single IP addresses.
 NETS=( 10.199.1.121/32 10.199.1.122/32 10.199.1.123/32 )

 #delete existing rules
 tc qdisc del dev ${IF} root

 #add root class
 tc qdisc add dev ${IF} root handle 1: htb default 10

 #add parent class
 tc class add dev ${IF} parent 1: classid 1:1 htb rate ${LINKCEIL} ceil ${LINKCEIL}

 #add our two classes. one unlimited, another limited
 tc class add dev ${IF} parent 1:1 classid 1:10 htb rate ${LINKCEIL} ceil ${LINKCEIL} prio 0
 tc class add dev ${IF} parent 1:1 classid 1:11 htb rate ${LIMIT} ceil ${LIMIT} prio 1

 #add handles to our classes so packets marked with <x> go into the class with "... handle <x> fw ..."
 tc filter add dev ${IF} parent 1: protocol ip prio 1 handle 1 fw classid 1:10
 tc filter add dev ${IF} parent 1: protocol ip prio 2 handle 2 fw classid 1:11



 for net in ${NETS[@]};
  do
    #limit outgoing traffic to port 443. but not when dealing with a host on the local network
    #   --set-mark marks packages matching these criteria with the number "2"
    #   these packages are filtered by the tc filter with "handle 2"
    #   this filter sends the packages into the 1:11 class, and this class is limited to ${LIMIT}
    iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 443 ! -d ${net} -j MARK --set-mark 0x2
  done

 tc -s qdisc ls dev ${IF}

 ## for testing uncomment these lines...
 # wait 2 min
 ## sleep 120
 #delete existing rules
 ## tc qdisc del dev ${IF} root
	#!/usr/bin/env bash
	#

	# Script to rate limit port 443
	#
	#network interface on which to limit traffic
	IF="bond0"
	#limit of the network interface in question
	LINKCEIL="10gbit"
	#limit outbound https protocol traffic to this rate
	LIMIT="100mbit"
	# Net or nets.. Space separated list.
	# Can use "/32" for single IP addresses.
	NETS=( 10.199.1.121/32 10.199.1.122/32 10.199.1.123/32 )

	#delete existing rules
	tc qdisc del dev ${IF} root

	#add root class
	tc qdisc add dev ${IF} root handle 1: htb default 10

	#add parent class
	tc class add dev ${IF} parent 1: classid 1:1 htb rate ${LINKCEIL} ceil ${LINKCEIL}

	#add our two classes. one unlimited, another limited
	tc class add dev ${IF} parent 1:1 classid 1:10 htb rate ${LINKCEIL} ceil ${LINKCEIL} prio 0
	tc class add dev ${IF} parent 1:1 classid 1:11 htb rate ${LIMIT} ceil ${LIMIT} prio 1

	#add handles to our classes so packets marked with <x> go into the class with "... handle <x> fw ..."
	tc filter add dev ${IF} parent 1: protocol ip prio 1 handle 1 fw classid 1:10
	tc filter add dev ${IF} parent 1: protocol ip prio 2 handle 2 fw classid 1:11



	for net in ${NETS[@]};
	do
	#limit outgoing traffic to port 443. but not when dealing with a host on the local network
	# --set-mark marks packages matching these criteria with the number "2"
	# these packages are filtered by the tc filter with "handle 2"
	# this filter sends the packages into the 1:11 class, and this class is limited to ${LIMIT}
	iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 443 ! -d ${net} -j MARK --set-mark 0x2
	done

	tc -s qdisc ls dev ${IF}

	## for testing uncomment these lines...
	# wait 2 min
	## sleep 120
	#delete existing rules
	## tc qdisc del dev ${IF} root