<HTML>
<HEAD>
<TITLE>Dealing with Other Bandwidth-consuming Protocols Using CBQ</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.63">
<LINK REL="HOME" TITLE="Bandwidth Limiting HOWTO" HREF="index.html">
<LINK REL="PREVIOUS" TITLE="Installing and Configuring Necessary Software" HREF="install.html">
<LINK REL="NEXT" TITLE="Frequently Asked Questions" HREF="faq.html">
</HEAD>
<BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">Bandwidth Limiting HOWTO</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="install.html">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom"></TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="faq.html">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="SECT1">
<H1 CLASS="SECT1"><A NAME="CBQ">4. Dealing with Other Bandwidth-consuming Protocols Using CBQ</A></H1
><P>We must remember that our LAN users can spoil our efforts from chapter 3 if they use Napster, Kazaa or Realaudio. We must also remember that we didn't block <TT CLASS="FILENAME">ftp</TT> traffic in section 3.3.</P>
<P>We will deal with this in a different way: not by limiting downloads directly, but indirectly. If our Internet interface is <TT CLASS="LITERAL">ppp0</TT> and our LAN interface is <TT CLASS="LITERAL">eth0</TT>, we will limit outgoing traffic on <TT CLASS="LITERAL">eth0</TT>; because a remote TCP sender slows down when the router forwards its data more slowly, this also limits the incoming traffic on <TT CLASS="LITERAL">ppp0</TT>. (This works for TCP. A UDP stream keeps arriving on <TT CLASS="LITERAL">ppp0</TT> at full speed and the excess is simply dropped on <TT CLASS="LITERAL">eth0</TT>.)</P>
<P>To do this, we will get familiar with CBQ and the <TT CLASS="FILENAME">cbq.init</TT> script. You can obtain it from <A HREF="ftp://ftp.equinox.gu.net/pub/linux/cbq/" TARGET="_top">ftp://ftp.equinox.gu.net/pub/linux/cbq/</A>. Download <TT CLASS="FILENAME">cbq.init-v0.6.2</TT> and put it in <TT CLASS="FILENAME">/etc/rc.d/</TT>.</P>
<P>You will also need <TT CLASS="FILENAME">iproute2</TT> installed. It comes with every Linux distribution.</P>
<P>Now look in your <TT CLASS="FILENAME">/etc/sysconfig/cbq/</TT> directory. It should contain an example file that works with <TT CLASS="FILENAME">cbq.init</TT>. If it isn't there, you probably have CBQ compiled neither into your kernel nor as a module. In any case, just create that directory, put the example files provided below in it, and see whether it works for you.</P>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AEN235">4.1. FTP</A></H2>
<P>In chapter 3, we didn't block <TT CLASS="FILENAME">ftp</TT> for two reasons: so that we could do uploads, and so that users with the buggy IE5.5 could browse <TT CLASS="FILENAME">ftp</TT> directories. All in all, our web browsers and <TT CLASS="FILENAME">ftp</TT> programs should download via our Squid proxy, while <TT CLASS="FILENAME">ftp</TT> uploads, renaming and deleting should go through IP masquerading.</P>
<P>We create a file called <TT CLASS="FILENAME">cbq-10.ftp-network</TT> in the <TT CLASS="FILENAME">/etc/sysconfig/cbq/</TT> directory:</P>
<P><B CLASS="COMMAND"># touch /etc/sysconfig/cbq/cbq-10.ftp-network</B></P>
<P>We insert the following lines into it:</P>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><FONT COLOR="#000000"><PRE CLASS="PROGRAMLISTING">DEVICE=eth0,10Mbit,1Mbit
RATE=15Kbit
WEIGHT=1Kbit
PRIO=5
RULE=:20,192.168.1.0/24
RULE=:21,192.168.1.0/24</PRE></FONT></TD></TR></TABLE>
<P>You will find the description of these lines in the <TT CLASS="FILENAME">cbq.init-v0.6.2</TT> file.</P
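><P>As an added example that is not from the HOWTO or from <TT CLASS="FILENAME">cbq.init</TT> itself, the script below reads a <TT CLASS="FILENAME">cbq.init</TT>-style file like the one above and prints the <TT CLASS="FILENAME">tc</TT> commands it stands for, without loading anything, so the shaping policy can be reviewed first. It assumes the class number comes from the file name (<TT CLASS="FILENAME">cbq-10.*</TT> becomes class <TT CLASS="LITERAL">1:10</TT>), that a <TT CLASS="LITERAL">RULE</TT> has the form <TT CLASS="LITERAL">[saddr][:sport],[daddr][:dport]</TT> documented in <TT CLASS="FILENAME">cbq.init</TT> (port masks are not handled), and that the leaf qdisc and the cbq parameters allot, maxburst and avpkt are fixed values chosen here rather than whatever <TT CLASS="FILENAME">cbq.init-v0.6.2</TT> itself emits. The function names are mine.</P>

```shell
#!/bin/sh
# Added example, not code from the Bandwidth Limiting HOWTO or from cbq.init:
# print the tc(8) commands that one cbq.init-style file (DEVICE, RATE, WEIGHT,
# PRIO and RULE lines) stands for, without running anything, so the shaping
# policy can be reviewed before it is loaded.
# Assumptions: the class id comes from the file name (cbq-10.* -> class 1:10);
# a RULE is "[saddr][:sport],[daddr][:dport]" (port masks are not handled);
# the leaf qdisc and the cbq parameters allot/maxburst/avpkt are fixed here and
# need not match what cbq.init v0.6.2 itself emits.

# Turn one half of a RULE ("", ":20", "192.168.1.0/24", "10.0.0.1:1080") into
# u32 match clauses.  $1 = half, $2 = src|dst, $3 = sport|dport
cbq_matches() {
    half=$1 side=$2 pkey=$3 out=""
    case $half in
        *:*) addr=${half%%:*} port=${half#*:} ;;
        *)   addr=$half port="" ;;
    esac
    [ -n "$addr" ] && out="$out match ip $side $addr"
    [ -n "$port" ] && out="$out match ip $pkey $port 0xffff"
    printf '%s' "$out"
}

# Render the file named in $1 as tc commands on stdout.  Returns 1 (with a
# message on stderr) when the name carries no class number, a mandatory
# setting is missing, or a line is not understood.
cbq_render() {
    file=$1
    id=$(basename "$file" | sed -n 's/^cbq-\([0-9][0-9]*\)\..*/\1/p')
    [ -n "$id" ] || { echo "cbq_render: no class number in $file" >&2; return 1; }
    dev="" bw="" rootw="" rate="" weight="" prio="" rules=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*)  ;;                                   # blank or comment
            DEVICE=*) v=${line#DEVICE=}; dev=${v%%,*}; v=${v#*,}
                      case $v in
                          *,*) bw=${v%%,*} rootw=${v#*,} ;;
                          *)   bw="" rootw="" ;;         # needs all 3 fields
                      esac ;;
            RATE=*)   rate=${line#RATE=} ;;
            WEIGHT=*) weight=${line#WEIGHT=} ;;
            PRIO=*)   prio=${line#PRIO=} ;;
            RULE=*)   rules="$rules ${line#RULE=}" ;;
            *) echo "cbq_render: unknown line in $file: $line" >&2; return 1 ;;
        esac
    done < "$file"
    for v in "$dev" "$bw" "$rootw" "$rate" "$weight" "$prio"; do
        [ -n "$v" ] || { echo "cbq_render: DEVICE/RATE/WEIGHT/PRIO incomplete in $file" >&2; return 1; }
    done
    # Root qdisc and root class of the device: shared by every file that names
    # the same DEVICE, so load these two lines only once per device.
    echo "tc qdisc add dev $dev root handle 1: cbq bandwidth $bw avpkt 1000 cell 8"
    echo "tc class add dev $dev parent 1: classid 1:1 cbq bandwidth $bw rate $bw weight $rootw prio 8 allot 1514 cell 8 maxburst 20 avpkt 1000"
    # The bounded class this file defines, with a fair-queueing leaf qdisc.
    echo "tc class add dev $dev parent 1:1 classid 1:$id cbq bandwidth $bw rate $rate weight $weight prio $prio allot 1514 cell 8 maxburst 20 avpkt 1000 bounded"
    echo "tc qdisc add dev $dev parent 1:$id handle $id: sfq perturb 10"
    # One u32 filter per RULE steers the matching packets into that class.
    for r in $rules; do
        case $r in
            *,*) s=${r%%,*} d=${r#*,} ;;
            *)   s="" d=$r ;;              # no comma: the rule is a destination
        esac
        m="$(cbq_matches "$s" src sport)$(cbq_matches "$d" dst dport)"
        echo "tc filter add dev $dev parent 1: protocol ip prio 100 u32$m flowid 1:$id"
    done
}

# Demo: render a constructed copy of the HOWTO's cbq-10.ftp-network file.
cbq_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/cbq-10.ftp-network" <<'EOF'
DEVICE=eth0,10Mbit,1Mbit
RATE=15Kbit
WEIGHT=1Kbit
PRIO=5
RULE=:20,192.168.1.0/24
RULE=:21,192.168.1.0/24
EOF
    cbq_render "$dir/cbq-10.ftp-network"
    rc=$?
    rm -rf "$dir"
    return $rc
}

cbq_demo
```

<P>The output makes the indirect limit visible: <TT CLASS="LITERAL">RULE=:20,192.168.1.0/24</TT> becomes a u32 filter on source port 20 (ftp-data) towards the LAN, attached to <TT CLASS="LITERAL">eth0</TT> only, so the router's copies of the downloaded data are shaped and nothing is configured on <TT CLASS="LITERAL">ppp0</TT> at all. Two things to keep in mind when reviewing such a policy: source port 20 is what an active-mode server uses, while a passive-mode transfer comes from a server-chosen port and would need a rule of its own; and after loading, <TT CLASS="LITERAL">tc -s class show dev eth0</TT> shows per-class byte counters, which is the quickest way to see whether the class catches any traffic at all.</P>
<BR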
><P>When you start the <TT CLASS="FILENAME">/etc/rc.d/cbq.init-v0.6.2</TT> script, it reads your configuration from <TT CLASS="FILENAME">/etc/sysconfig/cbq/</TT>:</P>
<P><B CLASS="COMMAND"># /etc/rc.d/cbq.init-v0.6.2 start</B></P>
<P>If everything works, we add <TT CLASS="FILENAME">/etc/rc.d/cbq.init-v0.6.2 start</TT> to the end of your initialization scripts. Usually that is <TT CLASS="FILENAME">/etc/rc.d/rc.local</TT>.</P>
<P>Thanks to this, your server will not send <TT CLASS="FILENAME">ftp</TT> data through <TT CLASS="FILENAME">eth0</TT> faster than about 15 kbit/s, and so will not download <TT CLASS="FILENAME">ftp</TT> data from the Internet faster than 15 kbit/s. Your LAN users will find it more efficient to use the Squid proxy for <TT CLASS="FILENAME">ftp</TT> downloads, and they will still be able to browse <TT CLASS="FILENAME">ftp</TT> directories with their buggy IE5.5.</P>
<P>There is also another bug in IE5.5: when you right-click on a file in an <TT CLASS="FILENAME">ftp</TT> directory and select 'Copy To Folder', the file is downloaded not through the proxy but directly through IP masquerading, bypassing Squid and its delay pools. That is exactly why the CBQ limit above is still needed.</P>
</DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AEN266">4.2. Napster, Realaudio, Windows Media and other issues</A></H2>
<P>Here the idea is the same as with <TT CLASS="FILENAME">ftp</TT>; we just add more ports and set a different speed.</P>
<P>We create a file called <TT CLASS="FILENAME">cbq-50.napster-network</TT> in the <TT CLASS="FILENAME">/etc/sysconfig/cbq/</TT> directory:</P>
<P><B CLASS="COMMAND"># touch /etc/sysconfig/cbq/cbq-50.napster-network</B></P>
<P>Put these lines into that file:</P>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><FONT COLOR="#000000"><PRE CLASS="PROGRAMLISTING">DEVICE=eth0,10Mbit,1Mbit
RATE=35Kbit
WEIGHT=3Kbit
PRIO=5
#Windows Media Player.
RULE=:1755,192.168.1.0/24
#Real Player uses TCP port 554; for UDP it uses different ports,
#but generally RealAudio over UDP doesn't consume much bandwidth.
RULE=:554,192.168.1.0/24
RULE=:7070,192.168.1.0/24
#Napster uses ports 6699 and 6700, maybe some others?
RULE=:6699,192.168.1.0/24
RULE=:6700,192.168.1.0/24
#Audiogalaxy uses ports from 41000 up to probably as high as 41900;
#there are many of them, so keep in mind I didn't list all of
#them here. Repeating 900 nearly identical lines would of course be
#pointless. We will simply cut off ports 41031-41900 using
#ipchains or iptables.
RULE=:41000,192.168.1.0/24
RULE=:41001,192.168.1.0/24
#continue from 41001 to 41030
RULE=:41030,192.168.1.0/24
#Some clever users connect to SOCKS servers when using Napster,
#Audiogalaxy etc.; it's also a good idea to add this line
#when you run your own SOCKS proxy.
RULE=:1080,192.168.1.0/24
#Add any other ports you want; you can easily check and track
#the ports that programs use with IPTraf.
#RULE=:port,192.168.1.0/24</PRE></FONT></TD></TR></TABLE>
<P>Don't forget to cut off the remaining Audiogalaxy ports (41031-41900) using ipchains (kernels 2.2.x) or iptables (kernels 2.4.x).</P
><P>Kernels 2.2.x:</P>
<P><B CLASS="COMMAND">/sbin/ipchains -A input -s 192.168.1.1/24 -d ! 192.168.1.1 41031:41900 -p TCP -j REJECT</B></P>
<P>Kernels 2.4.x:</P>
<P><B CLASS="COMMAND">/sbin/iptables -A FORWARD -p tcp -s 192.168.1.1/24 -d ! 192.168.1.1 --dport 41031:41900 -j REJECT</B></P>
<P>Note that <TT CLASS="LITERAL">-p tcp</TT> has to come before <TT CLASS="LITERAL">--dport</TT>: iptables only understands the port options once it knows the protocol. The <TT CLASS="LITERAL">-d ! address</TT> form is the old way of writing a negation; newer iptables versions write it as <TT CLASS="LITERAL">! -d address</TT> and warn about the old form.</P>
<P>Don't forget to add the proper line to your initialization scripts.</P>
</DIV>
</DIV>
<DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="install.html">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="faq.html">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">Installing and Configuring Necessary Software</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"> </TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">Frequently Asked Questions</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>