I have a small home office setup. I use Google Voice and Vonage for phone calls.

Please see the diagram --

I know this is not ideal, but since my Cisco switch (3550) packed up, this is the only way to max out the Ethernet inputs; I don't have the budget to spend a penny at the moment.

The Vonage box has QoS on, and QoS on the interface going to the Obitalk. The Cisco switch was just VLANs and routing, no QoS. The wireless access point was on one VLAN, the phones on another. It was an effective setup.

Since the switch died, the quality of the phone calls has been bad, so I figure I need to implement QoS on the Linux box with iptables? Particularly when someone is connecting on the VPN; this was never a problem before. I have a pretty good internet connection.

Is there one line of iptables I can write that will put QoS on everything coming from the Vonage box, and drop the priority of the OpenVPN? I would rather OpenVPN clients run a bit slower, as it's only used for safe internet browsing when away. The OpenVPN runs on port 443.

Below is my current iptables -L:

Chain INPUT (policy DROP)
target     prot opt source               destination         
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp flags:ACK/ACK 
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            state RELATED 
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain dpts:1024:65535 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply 
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable 
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench 
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:auth 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-SSH (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere  

1 Answer


Are you looking to actually perform traffic shaping on the Linux box? Or are you looking to simply set the TOS flags on outgoing packets? If the former:

Setting TOS Flags

If all you want to do is set the TOS flags on packets transiting your Linux box, you can use the iptables TOS module. There's an example in the LARTC document referenced below that might help.

Traffic shaping

If you're actually looking to implement traffic shaping...

You can implement QoS -- or traffic shaping -- under Linux using the tc command. This is a pretty big rabbit hole, but it can be very effective. For example, I used this to rate limit backups from my house during the day to stop them from causing issues with our VoIP service.

There are a number of guides out there. You can start with the Linux Advanced Routing & Traffic Control HOWTO, but that's not a particularly good guide for the beginner. This has a practical walkthrough, and this has links to a variety of other reading.

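As an added example that is not part of the question or the answer above, the script below combines the two approaches the answer names. It marks packets from the Vonage box in the iptables mangle table with the DSCP target (a sibling of the TOS target the answer mentions) plus a firewall mark, marks OpenVPN's traffic (source port 443 on the server) with a second mark, and builds an HTB shaper with tc that puts the VoIP mark in a high-priority class and the VPN mark in a low-priority one. The Vonage address, interface name and uplink rate are placeholders I assume; `qos_commands` prints the rule set so it can be reviewed without root, and `apply_qos` runs it.

```shell
#!/bin/sh
# Added example: DSCP marking + HTB shaping on the Linux router.
# All values below are assumed placeholders, not taken from the question.
VONAGE_IP="${VONAGE_IP:-192.0.2.10}"    # constructed LAN address of the Vonage box
WAN_IF="${WAN_IF:-eth0}"                # interface facing the internet
VPN_PORT="${VPN_PORT:-443}"             # OpenVPN listens here (from the question)
UPLINK_KBIT="${UPLINK_KBIT:-5000}"      # set to ~90% of the measured upload rate

# Emit the rules instead of running them, so the plan can be reviewed first.
qos_commands() {
  cat <<EOF
iptables -t mangle -N QOS_MARK
iptables -t mangle -A POSTROUTING -o $WAN_IF -j QOS_MARK
iptables -t mangle -A QOS_MARK -s $VONAGE_IP -j DSCP --set-dscp-class EF
iptables -t mangle -A QOS_MARK -s $VONAGE_IP -j MARK --set-mark 1
iptables -t mangle -A QOS_MARK -p tcp --sport $VPN_PORT -j MARK --set-mark 3
iptables -t mangle -A QOS_MARK -p udp --sport $VPN_PORT -j MARK --set-mark 3
tc qdisc del dev $WAN_IF root 2>/dev/null || true
tc qdisc add dev $WAN_IF root handle 1: htb default 20
tc class add dev $WAN_IF parent 1: classid 1:1 htb rate ${UPLINK_KBIT}kbit ceil ${UPLINK_KBIT}kbit
tc class add dev $WAN_IF parent 1:1 classid 1:10 htb rate $((UPLINK_KBIT / 5))kbit ceil ${UPLINK_KBIT}kbit prio 0
tc class add dev $WAN_IF parent 1:1 classid 1:20 htb rate $((UPLINK_KBIT / 2))kbit ceil ${UPLINK_KBIT}kbit prio 1
tc class add dev $WAN_IF parent 1:1 classid 1:30 htb rate $((UPLINK_KBIT / 10))kbit ceil ${UPLINK_KBIT}kbit prio 2
tc filter add dev $WAN_IF parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
tc filter add dev $WAN_IF parent 1: protocol ip prio 3 handle 3 fw flowid 1:30
EOF
}

# Apply the rule set (needs root); stops at the first failing command.
apply_qos() {
  qos_commands | sh -e
}

# Uncomment to apply on the router:
# apply_qos
```

Two design points: the mangle POSTROUTING chain runs before NAT, so matching on the Vonage box's LAN address still works when the router masquerades, and the `fw` filters read the firewall mark set there. The DSCP value alone does little once packets leave the house (the ISP usually ignores it); what actually protects the calls is the HTB root rate sitting below the real uplink speed, which moves the queue from the modem into the Linux box where the priority classes can act on it.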