Old 03-30-2010, 12:32 PM   #1
toure32
LQ Newbie
 
Registered: Nov 2009
Posts: 25

Rep: Reputation: 15
How to implement a traffic quota


Hi all,
I'd like to allocate a certain quota to my local users for their internet navigation.
Can someone provide me a howto, please?
Regards.
 
Old 03-30-2010, 07:42 PM   #2
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,395
Blog Entries: 2

Rep: Reputation: 903
Are you trying to monitor IP traffic per user on a single host? Or IP traffic from a single host through a router, or something else. If the first case, I cannot imagine any easy way to accomplish that. If the second case, then an iptables rule in the router, to log all traffic for a certain host IP, along with a cron job to read and accumulate the traffic for the logged IP(s). When the limit is reached, the cron job inserts a blocking rule for the offending host.
--- rod.
 
Old 03-31-2010, 04:04 AM   #3
toure32
LQ Newbie
 
Registered: Nov 2009
Posts: 25

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by theNbomr
Are you trying to monitor IP traffic per user on a single host? Or IP traffic from a single host through a router, or something else. If the first case, I cannot imagine any easy way to accomplish that. If the second case, then an iptables rule in the router, to log all traffic for a certain host IP, along with a cron job to read and accumulate the traffic for the logged IP(s). When the limit is reached, the cron job inserts a blocking rule for the offending host.
--- rod.
I am trying to monitor IP traffic from a single host through a router.
Can you please send a doc link to implement that?
Regards.
 
Old 03-31-2010, 12:30 PM   #4
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,395
Blog Entries: 2

Rep: Reputation: 903
I don't know of any documents off hand. How is your router presently implemented? In order to use iptables rules, you will have to understand the existing rules. What is your vision of how the enforcement of the quota will work (details)?
I could post a few iptables rules, and a bit of Perl to interpret the output of iptables records, but it doesn't sound like you are ready to absorb that yet. Have you tried anything at all so far?
--- rod.
 
Old 03-31-2010, 01:26 PM   #5
toure32
LQ Newbie
 
Registered: Nov 2009
Posts: 25

Original Poster
Rep: Reputation: 15
This is my first project.
I've taken a look at the iptables quota module
and tested this iptables rule:
Quote:
iptables -A FORWARD -p UDP --dport 1234 -m quota --quota 1024 -j ACCEPT
but when I do this:
Quote:
iptables -L FORWARD -v
I got this output
Quote:
pkts bytes target prot opt in out source destination
2786 3744K ACCEPT udp -- any any anywhere anywhere udp dpt:search-agent quota: 13976899182565778736 bytes
Why is the quota so big even though I have fixed it to 1024?
 
Old 03-31-2010, 02:00 PM   #6
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,395
Blog Entries: 2

Rep: Reputation: 903
Hmm. Interesting. I never knew about the quota capabilities of iptables. On the systems at my disposal for testing, iptables bugs out with an error "Couldn't load match `quota'" and my man page is silent about matching 'quota'.

Before knowing that some kind of quota mechanism was already built into the kernel, I would have suggested simply accumulating the bytes count for rules matching the IP of the quota-limited host, and when it is exceeded, insert a DROP rule for that host. I already have a Perl script that parses the output of 'iptables -L -v -Z', which I run with cron each minute. I use the script to monitor total throughput of a router, but the same principle could be used to add some control. Probably a bit of a hack compared to any built-in functionality, though.

I guess it is time to look into a more modern kernel and see about the quota capability.

I have no idea what the origin of your iptables problem might be. I would insert, rather than append, the quota rule to the FORWARD chain, as some packets might terminate before trying to match your appended rule.

--- rod.
 
Old 04-02-2010, 03:28 AM   #7
toure32
LQ Newbie
 
Registered: Nov 2009
Posts: 25

Original Poster
Rep: Reputation: 15
Please can you send me your Perl script sample,
so I could try it?
Regards.
 
Old 04-02-2010, 02:38 PM   #8
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,395
Blog Entries: 2

Rep: Reputation: 903
This is right out of my crontab:
Code:
crontab -l
0-59 * * * * /sbin/iptables -vnxZ -L | perl -e '@in=<>; foreach $rule ( @in ){ if( $rule =~ m/ACCEPT/ ){ @rule=split /\s+/, $rule; $bytes += $rule[2];}}$t=scalar localtime(time); $t =~ m/[A-Z][a-z][a-z] (.+)/; print "$1 ", time, " $bytes\n";' >> /var/log/iptablesStats.log
Here is a sample of the resulting log file
Code:
Apr  2 11:31:01 2010 1270236661 39359
Apr  2 11:32:01 2010 1270236721 4899788
Apr  2 11:33:01 2010 1270236781 5044163
Apr  2 11:34:01 2010 1270236841 5357632
Apr  2 11:35:01 2010 1270236901 3041423
Apr  2 11:36:01 2010 1270236961 33395
Apr  2 11:37:01 2010 1270237021 29442
Apr  2 11:38:02 2010 1270237082 44571
Apr  2 11:39:01 2010 1270237141 364249
Apr  2 11:40:01 2010 1270237201 40924
To summarize how it works: run iptables, listing all rules, verbosely to get the byte & packet counts, and also zeroing the counts. Scan all rules, looking for accepted packets, and accumulate the byte counts for each match. Write the accumulated byte count for the period to a log file.
An accompanying script plots the result (gnuplot would do well for that).

Now that I see your quota-based rule, I wonder whether you should DROP rather than ACCEPT the packets that match the rule.
--- rod.

Last edited by theNbomr; 04-02-2010 at 02:41 PM.
 
1 members found this post helpful.
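
An added example, not theNbomr's script or part of the original thread: the accumulate-and-block approach described in posts #2, #6 and #8, keeping a running per-host total across cron periods and listing the hosts over a limit. The sample listing, the state file format and the function names are assumptions, and it assumes each accounting rule names a single host as source or destination.

```shell
#!/bin/sh
# Added example, not theNbomr's script. Assumed: the state file format
# "IP TOTAL_BYTES" and the function names accumulate / over_quota / block_rules.

# Constructed sample of `iptables -vnxZ -L FORWARD` output for one cron period.
SAMPLE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    2786  3744000 ACCEPT     all  --  *      *       192.168.1.10         0.0.0.0/0
     120    98000 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.10
      40    51200 ACCEPT     all  --  *      *       192.168.1.11         0.0.0.0/0'

# accumulate STATE: read one listing on stdin and add each host's bytes for
# this period to the running totals kept in STATE (created on first use).
accumulate() {
    awk -v state="$1" '
        BEGIN {                                   # load totals from earlier periods
            while ((getline line < state) > 0) {
                split(line, f, " "); total[f[1]] = f[2]
            }
        }
        # Rule lines only. -x is required: without it counts look like "3744K".
        $3 == "ACCEPT" && $2 ~ /^[0-9]+$/ {
            if ($8 != "0.0.0.0/0") total[$8] += $2   # sent by the host
            if ($9 != "0.0.0.0/0") total[$9] += $2   # received by the host
        }
        END { for (ip in total) printf "%s %.0f\n", ip, total[ip] }
    ' | sort > "$1.tmp" && mv "$1.tmp" "$1"
}

# over_quota STATE LIMIT: print the hosts whose running total exceeds LIMIT bytes.
over_quota() {
    awk -v limit="$2" '$2 + 0 > limit + 0 { print $1 }' "$1"
}

# block_rules STATE LIMIT: print, for review, the DROP rules for those hosts.
block_rules() {
    over_quota "$1" "$2" | while read -r ip; do
        echo "iptables -I FORWARD 1 -s $ip -j DROP"
        echo "iptables -I FORWARD 1 -d $ip -j DROP"
    done
}
```

In cron, the listing would come from `/sbin/iptables -vnxZ -L FORWARD` piped into `accumulate`; checking with `iptables -C` before inserting keeps repeated runs from stacking duplicate DROP rules.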
Old 04-30-2010, 04:49 AM   #9
toure32
LQ Newbie
 
Registered: Nov 2009
Posts: 25

Original Poster
Rep: Reputation: 15
The iptables quota module works fine
Code:
iptables -A FORWARD -p UDP --dport 1234 -m quota --quota 1024 -j ACCEPT
but the :

Code:
pkts bytes target prot opt in out source destination
2786 3744K ACCEPT udp -- any any anywhere anywhere udp dpt:search-agent quota: 13976899182565778736 bytes
After
Code:
iptables -L FORWARD -v
is due to a bug in kernel 2.6.30. I've just upgraded my kernel to 2.6.31
and it works fine.
Hope this will help someone else.

Last edited by toure32; 04-30-2010 at 04:52 AM.
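
An added example, not part of the original thread: a per-host variant of the quota rule above that goes beyond the single rule shown. The quota match stops matching once its byte counter reaches zero, so the example pairs it with a DROP inside a per-host chain, which also lets both directions share one counter; the function name, the chain naming and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. quota_rules HOST BYTES prints, for
# review, the commands that give HOST one shared byte quota for traffic in
# both directions. The function name and chain naming are assumptions.
quota_rules() {
    host=$1
    bytes=$2
    # Accept only a dotted-quad address and a plain decimal byte count, so
    # the printed commands never carry shell metacharacters.
    case $host in
        ''|*[!0-9.]*) echo "bad host: $host" >&2; return 1 ;;
    esac
    printf '%s\n' "$host" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
        { echo "bad host: $host" >&2; return 1; }
    case $bytes in
        ''|*[!0-9]*) echo "bad quota: $bytes" >&2; return 1 ;;
    esac
    chain=quota_$(printf '%s' "$host" | tr . _)
    echo "iptables -N $chain"
    # Matches, and accepts, only while bytes remain in the quota.
    echo "iptables -A $chain -m quota --quota $bytes -j ACCEPT"
    # Catches the same traffic once the quota rule has stopped matching.
    echo "iptables -A $chain -j DROP"
    # Both directions jump to the one chain, so they draw on one counter.
    echo "iptables -I FORWARD 1 -s $host -j $chain"
    echo "iptables -I FORWARD 1 -d $host -j $chain"
}
```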
 
  

