LinuxQuestions.org
Old 10-18-2007, 02:52 PM   #1
OrcPeon
LQ Newbie
 
Registered: Sep 2006
Posts: 10

Rep: Reputation: 0
IPtables to stop Bandwidth completely


Good day

Throttling is not what I'm after. Let me explain this very simply.

Set an iptables rule to totally block all bandwidth from a client when they reach a certain value.

Doesn't even matter if the client is trying to upload a 5k document. Any and all communication must be stopped after a value.

Is iptables the right system? I'm thinking along the lines of applying a rule to an IP.

Peon

South Africa
 
Old 10-18-2007, 05:31 PM   #2
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 69
Quote:
Originally Posted by OrcPeon View Post
Is iptables the right system? Thinking along the line to apply a rule to an IP.
Yes, take a look at the quota match.
 
Old 10-19-2007, 11:55 AM   #3
OrcPeon
LQ Newbie
 
Registered: Sep 2006
Posts: 10

Original Poster
Rep: Reputation: 0
Hi osor

Please could you elaborate a bit further?

regards,
Peon
 
Old 10-19-2007, 02:53 PM   #4
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 69
Quote:
Originally Posted by OrcPeon View Post
Hi osor

Please could you elaborate a bit further?
Sure. The quota match allows you to specify an absolute maximum number of bytes for any traffic traversing the rule. After the quota is surpassed, the rule no longer evaluates to true. It does this by initializing a 64-bit counter to some specified value (so the maximum specifiable quota value is 18446744073709551615 bytes). The counter will be decremented by the buffer size every time a packet encounters the match. Each counter is independent, and when a counter reaches zero, the match evaluates to false.

For example, let’s say I route traffic to three clients: A, B, and C (whose IP addresses are 10.0.0.10, 10.0.0.11, and 10.0.0.12 respectively). My policy is that client A will be capped at a limit of 1GB (1073741824 bytes), and clients B and C share a quota of 2GB (2147483648 bytes). This means that once the combined traffic of B and C reaches 2GB, neither of them will have access to my packet forwarding. So in the filter table, I might have these rules (implementing two separate quotas):
Code:
# one user-defined chain per quota; FORWARD's policy drops anything not explicitly accepted
iptables -N A
iptables -N B_AND_C
iptables -P FORWARD DROP
# rule 1 of each chain accepts until the byte quota is used up
iptables -A A -m quota --quota 1073741824 -j ACCEPT
iptables -A B_AND_C -m quota --quota 2147483648 -j ACCEPT
# send traffic to or from each client (both directions count against the same quota) into its chain
iptables -A FORWARD -s 10.0.0.10 -j A
iptables -A FORWARD -d 10.0.0.10 -j A
iptables -A FORWARD -s 10.0.0.11 -j B_AND_C
iptables -A FORWARD -d 10.0.0.11 -j B_AND_C
iptables -A FORWARD -s 10.0.0.12 -j B_AND_C
iptables -A FORWARD -d 10.0.0.12 -j B_AND_C
# once the quota rule stops matching, the chain falls through to DROP
iptables -A A -j DROP
iptables -A B_AND_C -j DROP
Notice that any traffic destined for or originating from our clients’ (and only our clients’) IP addresses will jump to the appropriate chain. So this setup is too simple to be used in a situation where at least one of the clients is routing (when it is forwarding packets without translation) and is in our routes to other addresses/networks.

Last edited by osor; 10-22-2007 at 07:01 PM. Reason: No policies for user-defined chains
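The chain layout osor describes, generalized to any number of clients from a small table, as an added example that is not part of the original post. The client table, the chain names, and the DRY_RUN and QUOTA_APPLY switches are my own assumptions; the rules it emits are exactly the ones in post four.

```shell
#!/bin/sh
# Added example (not from the thread): build the per-client quota chains from post four
# for any number of clients from a small table. Assumes it runs as root on the router.
# DRY_RUN=1 prints the iptables commands to stderr instead of executing them.

# Constructed table, one chain per line: "<chain> <cap in bytes> <client IP> [<client IP>...]".
# Several IPs on one line share a single counter, like B and C in the thread.
QUOTA_TABLE='
A        1073741824 10.0.0.10
B_AND_C  2147483648 10.0.0.11 10.0.0.12
'

run() {
    if [ -n "$DRY_RUN" ]; then printf 'iptables %s\n' "$*" >&2; else iptables "$@"; fi
}

# quota_chain CHAIN CAP IP...: one chain, rule 1 = quota ACCEPT, rule 2 = DROP, then hook
# every forwarded packet to or from each IP into it. Both directions count against one cap.
quota_chain() {
    chain=$1; cap=$2; shift 2
    run -N "$chain"
    run -A "$chain" -m quota --quota "$cap" -j ACCEPT
    run -A "$chain" -j DROP
    for ip in "$@"; do
        run -A FORWARD -s "$ip" -j "$chain"
        run -A FORWARD -d "$ip" -j "$chain"
    done
}

# setup_quotas: default-deny forwarding, then one quota chain per table line.
setup_quotas() {
    run -P FORWARD DROP
    printf '%s\n' "$QUOTA_TABLE" | while read -r chain cap ips; do
        [ -n "$chain" ] || continue          # skip blank lines
        quota_chain "$chain" "$cap" $ips     # $ips unquoted on purpose: split into the IPs
    done
}

# Usage: QUOTA_APPLY=1 sh quota-setup.sh as root to apply, or DRY_RUN=1 QUOTA_APPLY=1 to preview.
if [ -n "$QUOTA_APPLY" ]; then setup_quotas; fi
```

As in osor's rules, only packets whose source or destination is a listed client reach a quota chain, so a client that itself routes for other hosts is not covered.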
 
Old 10-22-2007, 01:11 PM   #5
OrcPeon
LQ Newbie
 
Registered: Sep 2006
Posts: 10

Original Poster
Rep: Reputation: 0
iptables -P A DROP (bad built-in chain name)

Last edited by OrcPeon; 10-22-2007 at 02:27 PM.
 
Old 10-22-2007, 07:01 PM   #6
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 69
Quote:
Originally Posted by OrcPeon View Post
iptables -P A DROP (bad built-in chain name)
Oops. I forgot that you can’t have policies for non-built-in chains. Post four should now be fixed.

If I were to give a disclaimer about my imperfect advice, it would go here…

Last edited by osor; 10-23-2007 at 11:27 AM.
 
Old 10-23-2007, 12:57 PM   #7
OrcPeon
LQ Newbie
 
Registered: Sep 2006
Posts: 10

Original Poster
Rep: Reputation: 0
Works like a charm!! Insert MASSIVE smiley face of happy and thanks...

Say now I would like to reset A's stats?

regards,
Peon

Last edited by OrcPeon; 10-23-2007 at 01:06 PM.
 
Old 10-23-2007, 06:52 PM   #8
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 69
Quote:
Originally Posted by OrcPeon View Post
Say now I would like to reset A's stats ?
This is the inelegant part. You see, the kernel-level code for the quota match is very simple. An advantage of this is that code maintenance is very easy. A disadvantage is that there is no way to modify a state from userspace (i.e., you may only create and delete quotas, but once you’ve created them, they must run their course). This is different from other such netfilter modules (e.g., recent) which offer a /proc filesystem interface for managing their respective properties.

So the only way to “reset” a quota is to delete and re-add the rule. E.g., if you are resetting client A’s quota in the example from post four, try this:
Code:
iptables -D A 1                                       # delete rule 1 of chain A: the used-up quota rule
iptables -I A -m quota --quota 1073741824 -j ACCEPT   # insert a fresh one at position 1, above the DROP
This sort of “reset” functionality may be added to a monthly cron script or the like.

An additional caveat (caused by the lack of /proc interface) is the inability to save the state and reload it. So once the router is powercycled, even if you use iptables-save and iptables-restore, you will inadvertently reset the quota (i.e., there is as of yet no way to remember how much of the quota your client has used when you restart the computer). The only way to prevent this is to keep your computer running all the time (which is not so unusual for a router).
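The reset and the reboot caveat above, as an added example that is not osor's code. It assumes the chain layout from post four (rule 1 is the quota ACCEPT, rule 2 is DROP), runs as root, and uses names of my own choosing: STATE_DIR for the checkpoint files, DRY_RUN to print commands instead of running them, and RULE_DUMP to substitute a constructed `iptables -S CHAIN -v` listing for testing. Instead of reading the quota's remaining value, it tracks usage through the byte counter of the ACCEPT rule itself, which iptables preserves across unrelated rule changes and which `iptables-save -c` records.

```shell
#!/bin/sh
# Added example (not from the thread): reset and checkpoint a quota chain laid out as in post
# four (rule 1 = the quota ACCEPT rule, rule 2 = DROP). Assumes it runs as root on the router
# and that STATE_DIR is writable. DRY_RUN=1 prints iptables commands to stderr instead of
# running them; RULE_DUMP substitutes a constructed "iptables -S CHAIN -v" listing for testing.

STATE_DIR="${STATE_DIR:-/var/lib/quota-state}"

run() {
    if [ -n "$DRY_RUN" ]; then printf 'iptables %s\n' "$*" >&2; else iptables "$@"; fi
}

# bytes_used CHAIN: bytes accepted so far by the quota rule, taken from that rule's own byte
# counter ("-c <pkts> <bytes>" in iptables -S -v output). The quota match only matches a packet
# it can still afford, so the ACCEPT rule's byte counter equals the bytes charged to the quota.
bytes_used() {
    dump=${RULE_DUMP:-$(iptables -S "$1" -v)}
    n=$(printf '%s\n' "$dump" | awk '
        /--quota/ { for (i = 1; i < NF; i++) if ($i == "-c") { print $(i + 2); exit } }')
    echo "${n:-0}"
}

# state_base CHAIN: bytes that were already used when the current kernel rule was installed
# (0 after a reset, the saved total after a post-reboot restore).
state_base() { cat "$STATE_DIR/$1.base" 2>/dev/null || echo 0; }

# remaining_bytes CAP USED: what is left of the cap, never below zero.
remaining_bytes() { if [ "$2" -ge "$1" ]; then echo 0; else echo $(( $1 - $2 )); fi; }

# checkpoint CHAIN: record the running total (run from cron every few minutes). Prints it.
checkpoint() {
    mkdir -p "$STATE_DIR"
    total=$(( $(state_base "$1") + $(bytes_used "$1") ))
    printf '%s\n' "$total" > "$STATE_DIR/$1.used"
    echo "$total"
}

# reset_quota CHAIN CAP: the thread's delete-and-re-add done as one -R, so there is no instant
# in which the chain is DROP-only; the replaced rule gets a fresh quota counter starting at CAP.
reset_quota() {
    mkdir -p "$STATE_DIR"
    run -R "$1" 1 -m quota --quota "$2" -j ACCEPT
    run -Z "$1" 1
    printf '0\n' > "$STATE_DIR/$1.base"
    printf '0\n' > "$STATE_DIR/$1.used"
}

# restore_remaining CHAIN CAP: at boot, after the chains have been rebuilt with full quotas,
# shrink rule 1 to whatever the last checkpoint says is left. Prints the remaining bytes.
restore_remaining() {
    mkdir -p "$STATE_DIR"
    used=$(cat "$STATE_DIR/$1.used" 2>/dev/null || echo 0)
    remaining=$(remaining_bytes "$2" "$used")
    run -R "$1" 1 -m quota --quota "$remaining" -j ACCEPT
    run -Z "$1" 1
    printf '%s\n' "$used" > "$STATE_DIR/$1.base"
    echo "$remaining"
}
```

Run `checkpoint A` from cron every few minutes, `restore_remaining A 1073741824` from the boot script right after the chains are created, and `reset_quota A 1073741824` from the monthly cron job. What the checkpoint loses is at most the traffic since the last run. The byte values are IP packet lengths as seen at the FORWARD hook, so they will not match a client's application-level download counter exactly.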
 
Old 10-24-2007, 05:31 AM   #9
OrcPeon
LQ Newbie
 
Registered: Sep 2006
Posts: 10

Original Poster
Rep: Reputation: 0
True what you're saying; simply create scripts for each IP and run them when they're full. Also the uptime and saving of data is not so important.

This is used as an added service at the folks' guest house. People only need about 10 MB to do their business. I don't plan on starting an ISP or such.

Osor, have you seen the bandwidth throttling on a ClarkeConnect distro?

If so, in what direction could you point me to learn the best way to throttle bandwidth, such as in ClarkeConnect 4?

Thanks for the help.

regards,
 