Linux - Networking
03-30-2010, 12:32 PM  #1
LQ Newbie
Registered: Nov 2009
Posts: 25
How to implement a traffic quota
Hi all,
I'd like to allocate a certain quota to my local users for their internet navigation.
Can someone provide me with a howto, please?
Regards.
03-30-2010, 07:42 PM  #2
LQ 5k Club
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,270
Are you trying to monitor IP traffic per user on a single host? Or IP traffic from a single host through a router, or something else. If the first case, I cannot imagine any easy way to accomplish that. If the second case, then an iptables rule in the router, to log all traffic for a certain host IP, along with a cron job to read and accumulate the traffic for the logged IP(s). When the limit is reached, the cron job inserts a blocking rule for the offending host.
--- rod.
03-31-2010, 04:04 AM  #3
LQ Newbie (Original Poster)
Registered: Nov 2009
Posts: 25
Quote:
Originally Posted by theNbomr
Are you trying to monitor IP traffic per user on a single host? Or IP traffic from a single host through a router, or something else. If the first case, I cannot imagine any easy way to accomplish that. If the second case, then an iptables rule in the router, to log all traffic for a certain host IP, along with a cron job to read and accumulate the traffic for the logged IP(s). When the limit is reached, the cron job inserts a blocking rule for the offending host.
--- rod.
I am trying to monitor IP traffic from a single host through a router.
Can you please send a doc link on how to implement that?
Regards.
03-31-2010, 12:30 PM  #4
LQ 5k Club
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,270
I don't know of any documents off hand. How is your router presently implemented? In order to use iptables rules, you will have to understand the existing rules. What is your vision of how the enforcement of the quota will work (details)?
I could post a few iptables rules, and a bit of Perl to interpret the output of iptables records, but it doesn't sound like you are ready to absorb that yet. Have you tried anything at all so far?
--- rod.
03-31-2010, 01:26 PM  #5
LQ Newbie (Original Poster)
Registered: Nov 2009
Posts: 25
This is my first project.
I've taken a look at the iptables quota module and tested this iptables rule:
Code:
iptables -A FORWARD -p UDP --dport 1234 -m quota --quota 1024 -j ACCEPT
but when I do this:
I got this output:
Code:
pkts bytes target prot opt in out source destination
2786 3744K ACCEPT udp -- any any anywhere anywhere udp dpt:search-agent quota: 13976899182565778736 bytes
Why is the quota so big even though I have set it to 1024?
03-31-2010, 02:00 PM  #6
LQ 5k Club
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,270
Hmm. Interesting. I never knew about the quota capabilities of iptables. On the systems at my disposal for testing, iptables bugs out with an error "Couldn't load match `quota'" and my man page is silent about matching 'quota'.
Before knowing that some kind of quota mechanism was already built into the kernel, I would have suggested simply accumulating the bytes count for rules matching the IP of the quota-limited host, and when it is exceeded, insert a DROP rule for that host. I already have a Perl script that parses the output of 'iptables -L -v -Z', which I run with cron each minute. I use the script to monitor total throughput of a router, but the same principle could be used to add some control. Probably a bit of a hack compared to any built-in functionality, though.
I guess it is time to look into a more modern kernel and see about the quota capability.
I have no idea what the origin of your iptables problem might be. I would insert, rather than append, the quota rule to the FORWARD chain, as some packets might terminate before trying to match your appended rule.
--- rod.
04-02-2010, 03:28 AM  #7
LQ Newbie (Original Poster)
Registered: Nov 2009
Posts: 25
Please can you send me your Perl script sample,
so I can try it.
Regards.
04-02-2010, 02:38 PM  #8
LQ 5k Club
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,270
This is right out of my crontab:
Code:
crontab -l
0-59 * * * * /sbin/iptables -vnxZ -L | perl -e '@in=<>; foreach $rule ( @in ){ if( $rule =~ m/ACCEPT/ ){ @rule=split /\s+/, $rule; $bytes += $rule[2];}}$t=scalar localtime(time); $t =~ m/[A-z][a-z][a-z] (.+)/; print "$1 ", time, " $bytes\n";' >> /var/log/iptablesStats.log
Here is a sample of the resulting log file
Code:
Apr 2 11:31:01 2010 1270236661 39359
Apr 2 11:32:01 2010 1270236721 4899788
Apr 2 11:33:01 2010 1270236781 5044163
Apr 2 11:34:01 2010 1270236841 5357632
Apr 2 11:35:01 2010 1270236901 3041423
Apr 2 11:36:01 2010 1270236961 33395
Apr 2 11:37:01 2010 1270237021 29442
Apr 2 11:38:02 2010 1270237082 44571
Apr 2 11:39:01 2010 1270237141 364249
Apr 2 11:40:01 2010 1270237201 40924
To summarize how it works: run iptables, listing all rules, verbosely to get the byte & packet counts, and also zeroing the counts. Scan all rules, looking for accepted packets, and accumulate the byte counts for each match. Write the accumulated byte count for the period to a log file.
An accompanying script plots the result (gnuplot would do well for that).
Now that I see your quota-based rule, I wonder whether you should DROP rather than ACCEPT the packets that match the rule.
--- rod.
Last edited by theNbomr; 04-02-2010 at 02:41 PM.
1 members found this post helpful.
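The cron-driven accounting that rod sketches in post #2 and shows as a one-liner in post #8, written out as a script. This is an added example, not code from the thread or from either poster. It assumes a setup of its own: the router carries one FORWARD rule per monitored host in each direction (for example `iptables -I FORWARD -s 192.168.1.20 -j ACCEPT` and `-d 192.168.1.20`), so the host's IP shows up in the source or destination column of `iptables -vnxL`; counters are read with `-x` (exact byte counts, no "3744K" rounding) and zeroed with `-Z` on every tick, so each reading is the delta since the previous run; running totals are kept in one file per host under `STATE_DIR`. The sample counter output embedded at the bottom is constructed for the dry run.

```shell
#!/bin/sh
# Added example (not code from the thread): per-host byte accounting from
# iptables counters, driven from cron, blocking the host once a quota is spent.
# Assumptions (this example's own, not the poster's setup):
#   - FORWARD holds one rule per monitored host in each direction, so the
#     host IP appears in the source or destination column;
#   - counters are read with -x and zeroed with -Z on every run (per-tick delta);
#   - running totals live in $STATE_DIR, one file per host.
IPTABLES=${IPTABLES:-/sbin/iptables}
STATE_DIR=${STATE_DIR:-/var/lib/trafficquota}

# parse_counters: turn "iptables -vnxL FORWARD" output on stdin into
# "bytes source destination" lines, skipping the chain and column headers.
parse_counters() {
    awk '$1 ~ /^[0-9]+$/ { print $2, $8, $9 }'
}

# read_counters: read and zero the live FORWARD counters. Call it once per
# tick and share the result between hosts, because -Z resets everything.
read_counters() {
    "$IPTABLES" -vnxZ -L FORWARD | parse_counters
}

# host_bytes HOST: sum bytes of parsed lines where HOST is source or destination.
host_bytes() {
    awk -v h="$1" '$2 == h || $3 == h { sum += $1 } END { print sum + 0 }'
}

# accumulate HOST DELTA: add DELTA to HOST's running total; print the new total.
accumulate() {
    mkdir -p "$STATE_DIR"
    f="$STATE_DIR/$1.bytes"
    prev=0
    if [ -f "$f" ]; then prev=$(cat "$f"); fi
    total=$((prev + $2))
    printf '%s\n' "$total" > "$f"
    printf '%s\n' "$total"
}

# over_quota TOTAL QUOTA: true once the quota is used up.
over_quota() { [ "$1" -ge "$2" ]; }

# block_host HOST: insert DROP rules at the top of FORWARD, ahead of any ACCEPT
# that would otherwise match first (the ordering point rod raises in post #6).
block_host() {
    "$IPTABLES" -I FORWARD 1 -s "$1" -j DROP
    "$IPTABLES" -I FORWARD 1 -d "$1" -j DROP
}

# check_host HOST QUOTA_BYTES: one cron tick for one host. Reads parsed counter
# lines on stdin, updates the total, blocks once when the quota is exhausted
# (a marker file stops the DROP being re-inserted every minute), and prints a
# log line "timestamp host total".
check_host() {
    host=$1; quota=$2
    delta=$(host_bytes "$host")
    total=$(accumulate "$host" "$delta")
    if [ ! -f "$STATE_DIR/$host.blocked" ] && over_quota "$total" "$quota"; then
        block_host "$host"
        : > "$STATE_DIR/$host.blocked"
    fi
    printf '%s %s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$host" "$total"
}

# Constructed sample of "iptables -vnxL FORWARD" output for the dry run;
# the numbers are made up for this example.
SAMPLE_COUNTERS='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    2786    3744120 ACCEPT     all  --  *      *       192.168.1.20         0.0.0.0/0
    1901    1200000 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.20
      12       1024 ACCEPT     all  --  *      *       192.168.1.21         0.0.0.0/0'

# Dry run against the sample:  sh quota-tick.sh --demo
# Real use, every minute from cron, 1 GiB quota for one host:
#   read_counters > /tmp/counters.$$ ; check_host 192.168.1.20 1073741824 < /tmp/counters.$$ >> /var/log/trafficquota.log
if [ "${1:-}" = "--demo" ]; then
    IPTABLES=echo; STATE_DIR=$(mktemp -d)
    printf '%s\n' "$SAMPLE_COUNTERS" | parse_counters | check_host 192.168.1.20 4000000
fi
```

Two points worth noting when adapting it. The counters are zeroed at each read, so a missed cron tick loses nothing, but a second reader of the same counters (rod's throughput logger, say) would silently steal bytes from the quota; read once and fan out. And a block keyed on an IP address is only as binding as the address assignment: a user who can pick their own address steps around it, so pair it with static DHCP leases or a per-MAC rule on the LAN side.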
04-30-2010, 04:49 AM  #9
LQ Newbie (Original Poster)
Registered: Nov 2009
Posts: 25
The iptables quota module works fine:
Code:
iptables -A FORWARD -p UDP --dport 1234 -m quota --quota 1024 -j ACCEPT
but the:
Code:
pkts bytes target prot opt in out source destination
2786 3744K ACCEPT udp -- any any anywhere anywhere udp dpt:search-agent quota: 13976899182565778736 bytes
after
Code:
iptables -L FORWARD -v
is due to a bug in kernel 2.6.30. I've just upgraded my kernel to 2.6.31
and it works fine.
Hope this will help someone else.
Last edited by toure32; 04-30-2010 at 04:52 AM.
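The quota-match approach that posts #5 and #9 arrive at, laid out so that it actually enforces a limit. This is an added example, not the poster's rule set. The point it adds to the single rule in the thread: the quota match keeps matching until its byte counter is spent, so an ACCEPT guarded by `-m quota` simply stops firing at that moment; unless an unconditional DROP sits beneath it, the excess traffic falls through to whatever follows in FORWARD. Putting the quota rule in a per-host chain that both the `-s` and the `-d` jump reach means one counter covers upload and download together instead of two independent quotas. Assumptions of the example: this box is the router (the traffic crosses FORWARD), the chain name `QUOTA_<ip with dots as underscores>` is the example's own convention, and `IPTABLES` can be pointed at a wrapper (`echo` for a dry run).

```shell
#!/bin/sh
# Added example (not the poster's rules): a per-host quota on the kernel quota
# match. ACCEPT while the quota lasts, then the DROP beneath it takes over.
# Assumptions: this host is the router; chain name QUOTA_<ip> is this example's
# own convention; IPTABLES may point at a wrapper (echo for a dry run).
IPTABLES=${IPTABLES:-iptables}

# chain_name HOST: per-host chain name, e.g. 192.168.1.20 -> QUOTA_192_168_1_20
chain_name() { printf 'QUOTA_%s\n' "$(printf '%s' "$1" | tr . _)"; }

# mib N: convert N MiB to the byte count --quota expects
mib() { echo $(($1 * 1024 * 1024)); }

# quota_rules HOST BYTES: print the rules in apply order, one per line.
# The FORWARD jumps are inserted at position 1 rather than appended, so an
# earlier broad ACCEPT cannot shadow them (the ordering issue raised in post #6).
quota_rules() {
    c=$(chain_name "$1")
    cat <<EOF
-N $c
-A $c -m quota --quota $2 -j ACCEPT
-A $c -j DROP
-I FORWARD 1 -s $1 -j $c
-I FORWARD 1 -d $1 -j $c
EOF
}

# remove_rules HOST: the inverse, ordered so the chain is unreferenced before -X.
remove_rules() {
    c=$(chain_name "$1")
    cat <<EOF
-D FORWARD -d $1 -j $c
-D FORWARD -s $1 -j $c
-F $c
-X $c
EOF
}

# apply: feed each rule line on stdin to $IPTABLES as its arguments.
apply() {
    while read -r line; do
        # word splitting of $line into separate arguments is intended here
        "$IPTABLES" $line
    done
}

# set_quota HOST MIB / clear_quota HOST: the two entry points.
set_quota()   { quota_rules  "$1" "$(mib "$2")" | apply; }
clear_quota() { remove_rules "$1" | apply; }

# Dry run:   IPTABLES=echo sh host-quota.sh 192.168.1.20 1024
# Real use:  sh host-quota.sh 192.168.1.20 1024      (1 GiB, both directions)
# Reset:     sh host-quota.sh --clear 192.168.1.20
case "${1:-}" in
    "")      ;;                                  # no args: only define the functions
    --clear) clear_quota "$2" ;;
    *)       set_quota "$1" "${2:-1024}" ;;
esac
```

The counter belongs to the rule and lives in the kernel: deleting and re-adding the rule (or any `iptables-restore`, or a reboot) starts it again from the full quota. That makes a monthly reset trivial, `clear_quota` followed by `set_quota` from cron, but it also means that if totals must survive a rule reload, the counter-and-state-file approach in post #8 is the one to use. Check what you deployed with `iptables -vnxL QUOTA_192_168_1_20`, which lists the remaining quota next to the packet and byte counters.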