Score:0

How can I limit download data traffic for a specific user?


I want to limit download data traffic to 50GB per user on Ubuntu.

The restriction should be based on user ID or group ID or similar. It cannot be based on IP or port or application. I am trying to set a limit for SSH DIRECT users who all use the same port.

The downloads have to go somewhere -- maybe you could limit their disk quota (see quota) and meet your needs.
Score:0

To the best of my knowledge, there is no "simple" way to do this, as Linux generally does not keep track of which users are using network resources. However, if you are comfortable with scripting, you can make something that reads from iptables to monitor how much bandwidth is being used.

Here are some commands that will get you started:

  1. Tell iptables to monitor traffic for a specific user on a specific interface:

    iptables -A OUTPUT -o {interface} -m owner --uid-owner {uid}
    

    Notes: This command must be run either with sudo or as root in a start-up script if you want it to watch traffic from boot. Be sure to replace {interface} with the network interface, and {uid} with the user id that is being monitored. This will need to be done for each user account.

  2. Query iptables to see how much bandwidth has been used by each monitored user:

    iptables -L -v -n
    

    Notes: This command must be run either with sudo or as root.

    The output will look something like this:

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
     9646 1470K            all  --  *      wlp4s0  0.0.0.0/0            0.0.0.0/0            owner UID match 1000
    
  3. Disable network access for a given user:

    iptables -A OUTPUT -m owner --uid-owner {uid} -j DROP
    

    Notes: This command must be run either with sudo or as root. Be sure to replace {uid} with the appropriate user id.

Additional Notes:

  1. If you would like to also track incoming network traffic, be sure to use -A INPUT in your iptables command.
  2. If this is being run as part of a scheduled process, note that it will be quite difficult to have a hard cutoff of 50GB (or any arbitrary amount). Someone who exceeds the limit will still have network access until the monitoring script is run and issues the -j DROP. Running the script every minute should be sufficient, though.
  3. If people are SSHing into the machine regularly for operations, you may want to consider having a MOTD message that shows people how much of their bandwidth allowance remains to reduce the rage someone might feel if a download is terminated at 99.9%.
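The answer above leaves two things open: how to count incoming (download) bytes, given that the owner match only works on locally generated packets, and how to turn the counters into a cutoff without stacking duplicate DROP rules on every cron run. The script below is an added example, not code from the original answer. It uses the connmark trick: mark each connection from the user's outgoing packets (the owner match is valid only in the OUTPUT and nat POSTROUTING chains, so `-A INPUT -m owner` as suggested in note 1 will not load), then count replies in INPUT by that mark. It assumes root, the `owner`, `connmark` and `comment` matches and the `CONNMARK` target (all standard in Ubuntu's iptables), that nothing else on the box uses connection marks, and, for the SSH case, that forwarded connections are opened by the post-authentication sshd process, which runs as the logged-in user. The `iptables` listing embedded at the bottom is constructed so the parsing and quota logic can be exercised without root.

```shell
#!/bin/sh
# Per-user traffic quota on top of iptables accounting rules.
# Added example; not code from the original answer. Assumes root, and the
# owner/connmark/comment matches plus the CONNMARK target.
set -eu

QUOTA_BYTES=$((50 * 1024 * 1024 * 1024))   # 50 GiB, the limit the question asks for

# Every accounting rule for a uid carries this comment so it can be found in
# `iptables -L -v -n -x` output regardless of which chain it lives in.
tag_for() { printf 'quota-uid-%s' "$1"; }

# The owner match only exists in OUTPUT (and nat POSTROUTING): the kernel knows
# the owning socket for locally generated packets, not for packets arriving
# from the network. Incoming bytes are therefore attributed by marking the
# connection from the user's outgoing packets and counting replies carrying
# that mark. CONNMARK --set-mark is non-terminating, so the OUTPUT rule both
# marks and counts.
setup_accounting() {   # setup_accounting UID IFACE
    uid=$1; iface=$2; tag=$(tag_for "$uid")
    iptables -A OUTPUT -o "$iface" -m owner --uid-owner "$uid" \
        -m comment --comment "$tag" -j CONNMARK --set-mark "$uid"
    iptables -A INPUT -i "$iface" -m connmark --mark "$uid" \
        -m comment --comment "$tag"
}

# Sum the bytes column (field 2) of every rule carrying the uid's tag.
# Reads `iptables -L -v -n -x` output on stdin; -x gives exact byte counts
# instead of the rounded "1470K" shown in the answer. Prints the total.
sum_tagged_bytes() {   # sum_tagged_bytes UID < listing
    tag=$(tag_for "$1")
    awk -v tag="/* $tag */" \
        'index($0, tag) { total += $2 } END { printf "%.0f\n", total + 0 }'
}

over_quota() {   # over_quota BYTES  -> true once the quota is used up
    [ "$1" -ge "$QUOTA_BYTES" ]
}

# Insert a DROP at the top of OUTPUT once the quota is exhausted. `iptables -C`
# checks whether the rule already exists, so repeated cron runs do not stack
# duplicate DROP rules. Prints the bytes used so far.
enforce_quota() {   # enforce_quota UID
    uid=$1; tag=$(tag_for "$uid")
    used=$(iptables -L -v -n -x | sum_tagged_bytes "$uid")
    if over_quota "$used"; then
        iptables -C OUTPUT -m owner --uid-owner "$uid" \
            -m comment --comment "$tag-drop" -j DROP 2>/dev/null ||
        iptables -I OUTPUT 1 -m owner --uid-owner "$uid" \
            -m comment --comment "$tag-drop" -j DROP
    fi
    echo "$used"
}

# Constructed listing in the format of `iptables -L -v -n -x`, used to exercise
# the parser without root: uid 1000 has pulled ~54 GB in and sent 1.4 MB out,
# uid 1001 has barely used anything.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
41234567 53999000000            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            connmark match  0x3e8 /* quota-uid-1000 */
     300       1400            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            connmark match  0x3e9 /* quota-uid-1001 */

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    9646    1470336 CONNMARK   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            owner UID match 1000 /* quota-uid-1000 */ CONNMARK set 0x3e8
    1200      88000 CONNMARK   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            owner UID match 1001 /* quota-uid-1001 */ CONNMARK set 0x3e9'

# Usage: quota.sh setup UID IFACE | quota.sh enforce UID | quota.sh (demo on the sample)
case "${1:-demo}" in
    setup)   setup_accounting "$2" "$3" ;;
    enforce) enforce_quota "$2" ;;
    demo)    used=$(printf '%s\n' "$SAMPLE_LISTING" | sum_tagged_bytes 1000)
             echo "uid 1000 used $used bytes"
             if over_quota "$used"; then echo "quota exhausted, DROP would be inserted"; fi ;;
esac
```

Run `setup` once per user at boot (the rules and their counters do not survive a reboot or a flush, so either persist them with iptables-save or treat a reboot as a quota reset), then `enforce` from cron every minute as the answer suggests. A monthly quota needs the counters zeroed at the period boundary and the DROP rule deleted, which `iptables -Z` and `iptables -D` with the same `quota-uid-N-drop` comment handle.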