xDamox

Bandwidth Quotas using iptables

Well, I thought I would step into the realm of iptables again. This little tutorial will show you how to set up the quota patch for iptables.

The quota patch allows you to, well... set a quota; when the number of bytes matches or exceeds the quota, you can perform a certain action.

The first step to this guide is to download the iptables source code from netfilter's website (www.netfilter.org); you will also need patch-o-matic-ng.

Once you have downloaded both files you will need to get the kernel source; this can be done by simply issuing the following:

yum -y install kernel-devel

Once you have the kernel source installed you can begin unpacking the iptables source file and the patch-o-matic-ng file using the tar utility as shown below.

tar jxf iptables-1.3.7.tar.bz2
tar jxf patch-o-matic-ng-20040621.tar.bz2

Once you have successfully extracted both iptables and patch-o-matic you can begin installing the quota patch as shown below.

cd patch-o-matic-ng
IPTABLES_DIR=/usr/src/iptables-1.3.7 KERNEL_DIR=/usr/src/kernels/2.6.21-1.3194.fc7-i686 ./runme quota

You will want to replace the iptables source code path with the one that suits your machine, and also the kernel directory.

Once this command has been issued you may be given an error saying it couldn't apply the patch; you can ignore this.

Once you have applied the patch you will need to recompile the iptables source code; this can be done by simply issuing the following:

cd iptables-1.3.7
make BINDIR=/sbin LIBDIR=/lib KERNEL_DIR=/usr/src/kernels/2.6.21-1.3194.fc7-i686
make install BINDIR=/sbin LIBDIR=/lib KERNEL_DIR=/usr/src/kernels/2.6.21-1.3194.fc7-i686
make clean BINDIR=/sbin LIBDIR=/lib KERNEL_DIR=/usr/src/kernels/2.6.21-1.3194.fc7-i686

That's it, you now have successfully applied the quota patch :).

Now let's try out our new iptables module :) Issue the following to check that the quota module is loaded and can be used:

modprobe ipt_quota

Now that ipt_quota is loaded, a simple pair of rules like the following can be used to block web traffic that exceeds 100 bytes.

iptables -A OUTPUT -p tcp --dport 80 -m quota --quota 1024 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j DROP

What the above rule does is count down from 1MB (1024 kilobytes is a Megabyte) and when the quota hits zero the second rule will kick in which drops all the traffic.

To prove this, issue the above two commands and then view the details of the OUTPUT chain by issuing

iptables -L OUTPUT -v

This will produce similar output to:

Chain OUTPUT (policy ACCEPT 3640 packets, 1753K bytes)
pkts bytes target prot opt in out source destination
1 40 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http quota: 984 bytes
0 0 DROP tcp -- any any anywhere anywhere tcp dpt:http

Notice the quota for HTTP. Now if you open your web browser and visit www.linux-noob.com you should be able to view the front page once, or at least start to transfer traffic, before you are cut off.

If you issue the command iptables -L OUTPUT -v again you will notice that the quota should have hit, or has almost hit, 0, which is when the second rule kicks in as shown below.

Chain OUTPUT (policy ACCEPT 3814 packets, 1773K bytes)
pkts bytes target prot opt in out source destination
8 996 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http quota: 0 bytes
9 504 DROP tcp -- any any anywhere anywhere tcp dpt:http

Well I hope you enjoyed this little guide :) and be sure I'll have more on iptables soon :)

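The two-rule pattern above (quota ACCEPT followed by a catch-all DROP) can be watched from a script rather than by re-reading the listing by eye. The following is an added example, not part of xDamox's post: it parses the verbose listing of the OUTPUT chain in the same format shown above (a constructed sample copied from the figures in the post is embedded), prints the remaining quota, and reports when the DROP rule has started counting.

```shell
#!/bin/sh
# Added example: inspect the output of "iptables -L OUTPUT -v" for a quota rule.
# The listing below is a constructed sample built from the post's second listing.
SAMPLE='Chain OUTPUT (policy ACCEPT 3814 packets, 1773K bytes)
 pkts bytes target prot opt in out source destination
    8   996 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http quota: 0 bytes
    9   504 DROP   tcp -- any any anywhere anywhere tcp dpt:http'

# Print the bytes left on the first "quota:" match in a listing (empty if none).
quota_remaining() {
    printf '%s\n' "$1" |
        awk '/quota:/ { for (i = 1; i <= NF; i++) if ($i == "quota:") { print $(i+1); exit } }'
}

# Print the packet counter of the first DROP rule (column 3 is the target).
dropped_packets() {
    printf '%s\n' "$1" | awk '$3 == "DROP" { print $1; exit }'
}

# Exit 0 when the quota is used up (0 bytes left, or the DROP rule has matched),
# 1 while bytes remain, 2 when the listing contains no quota rule at all.
quota_exhausted() {
    left=$(quota_remaining "$1")
    drops=$(dropped_packets "$1")
    [ -n "$left" ] || return 2
    [ "$left" -eq 0 -o "${drops:-0}" -gt 0 ]
}

# Live use would feed "$(iptables -L OUTPUT -v -n)" (needs root); here the sample is used.
if quota_exhausted "$SAMPLE"; then
    echo "quota exhausted: $(dropped_packets "$SAMPLE") packets dropped so far"
else
    echo "$(quota_remaining "$SAMPLE") bytes of quota remaining"
fi
```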

More sexy iptables stuff .. yay! nice xdamox


Dear All,

I read this topic and was very excited to understand the same. Thanks a lot for bringing this kind of stuff.

However I have a problem with this. My Linux box is working as a router with two NICs.

a) eth0=10.10.56.23 (which is connected to the internet via NAT)

b) eth1=10.136.15.197 (which is connected to the internal N/w).

The box is acting as a gateway to the internet where customers connect to eth1 and by the iptables forward rule the same gets out via eth0 to the internet.

Below is my iptables file from /etc/sysconfig

=============================================================

# Generated by iptables-save v1.3.5 on Mon Apr 19 23:22:06 2010
*mangle
:PREROUTING ACCEPT [35:5022]
:INPUT ACCEPT [35:5022]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:1734]
:POSTROUTING ACCEPT [12:1734]
COMMIT
# Completed on Mon Apr 19 23:22:06 2010
# Generated by iptables-save v1.3.5 on Mon Apr 19 23:22:06 2010
*filter
:INPUT ACCEPT [10:1578]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:1734]
:LOGDROP - [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -s ! 192.168.3.0/255.255.255.248 -i eth0 -p tcp -m tcp --dport 2222 -j LOGDROP
-A FORWARD -s 10.136.0.0/255.255.255.0 -i eth1 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LOGDROP -j LOG --log-prefix "LOGDROP "
-A LOGDROP -j DROP
COMMIT
# Completed on Mon Apr 19 23:22:06 2010
# Generated by iptables-save v1.3.5 on Mon Apr 19 23:22:06 2010
*nat
:PREROUTING ACCEPT [6:1020]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [2:153]
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Mon Apr 19 23:22:06 2010

===========================================================

But when I apply (add) the iptables rules

iptables -A INPUT -i eth1 -p tcp -m quota --quota 10000 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -j DROP

it blocks the HTTP traffic from the client (e.g. 10.136.15.196/customer to 10.136.15.197/eth1) up to the limit of 10000, which is fine, but my forwarded traffic, which also goes to eth0 (WAN) and then to the internet from eth1 (customers), is not getting blocked (remains unlimited).

So in summary, traffic destined for eth1 is getting blocked, but traffic destined for the internet via eth0 is not getting blocked.

Any help in this regard will be highly appreciated.

Thanks


What netmasks are you using? 10.10.56.23 and 10.136.15.197 are on the same network, if you're using standard Class-A netmasks (10.0.0.0/8).

You may want to move eth0 onto something different - like 192.168.10.0 - to logically separate the networks.

Also, you probably want to add your rule higher up than your forwarding rules - the "-A" will append it to the bottom of your current ruleset.

Lastly - I'm not convinced that your logic is correct... it seems that if you receive more than the allocated quota on eth1 then *all* traffic is dropped (eg: if I hit youtube too much and your rule kicks in, I can't FTP into your machine anymore). I thought it would make more sense to block only specific traffic (port 80 etc) outgoing from eth0 originating from 10.0.0.0/8 (LAN), leaving the gateway machine itself excluded from that rule.


Hi Dave, thanks for your help. Please find the responses below.

1. Both the NICs are in different networks.

eth0:-10.10.56.23 Bcast:10.10.56.127 Mask:255.255.255.128
eth1:-10.136.15.197 Bcast:10.136.15.255 Mask:255.255.255.0

I cannot change the eth0 IP as that is a static private IP allocated by my ISP.

2. I modified the iptables file as below (I'm giving only the modified snippet, for the section :RH-Firewall-1-INPUT - [0:0]) where I have put the rules to test if it's working (I mean that I had moved the rules up) and restarted iptables.

 

:RH-Firewall-1-INPUT - [0:0]
-A INPUT -s ! 192.168.3.0/255.255.255.248 -i eth0 -p tcp -m tcp --dport 2222 -j LOGDROP
-A INPUT -i eth1 -p tcp -m quota --quota 10000 -j ACCEPT
-A INPUT -i eth1 -p tcp -j DROP
-A FORWARD -s 10.136.0.0/255.255.255.0 -i eth1 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LOGDROP -j LOG --log-prefix "LOGDROP "
-A LOGDROP -j DROP

But it did not work. Let me explain..

From the customer side (10.136.x.x), which is connected to eth1, when I try to access the pages of the website whose IP is 10.10.56.23 (eth0), the quota is working properly, which means that after using the quota of 10000 bytes I am not able to access http://10.10.56.23 (eth0), which means that packets are getting dropped. But at the same time, if I try to access a YouTube video, the same is working (I am able to download the video).

So in summary, the quota is working until I reach the limit for eth0 (where my personal website is hosted), but when I try to access the internet, which is beyond eth0, it is not working.

Please help...

Please do not hesitate in case of any confusion

Ah, okay. May be an idea to change eth1 to use 192.168.10.0/255.255.255.0 or at least move it off the 10. network - move it onto a Class-C (a /24) range, rather than try to force it to use 10.136.15.0/24 (since most systems will often default to 10.0.0.0/8).

This won't solve your problem, but it does make viewing and editing your rules a bit clearer, since it makes the two different networks stand out.

I'll take a look at your rules later - busy at the moment!


Hi Dave

Thanks a lot for your support.

I will try out your trick by moving eth1 to some other B/C network. I will tell you what I have done to set up my router initially (after installation of the OS) so as to understand better.

1. Defined eth0 as 10.10.56.23

2. Defined eth1 as 10.136.15.197

3. Enabled IP forwarding in sysctl.conf

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

4. Applied the below firewall rules (after flushing all the iptables rules)

iptables -A FORWARD --in-interface eth1 --out-interface eth0 --source 10.136.0.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE


Hi Dave,

Just to inform you all that I have solved the problem. Here is how:-

iptables -t mangle -A PREROUTING -i eth1 -p tcp -m quota --quota 100000 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth1 -p tcp -j LOG --log-prefix "quotaover " --log-level 4
iptables -t mangle -A PREROUTING -i eth1 -p tcp -j DROP

But one strange thing: for example, I have fixed the quota to 3000 bytes, and then I randomly download a video to exceed the quota, and once I exceed the quota I again and again (very fast) execute the command below to check the status of the quota

iptables -t mangle -L -v

Then I see that the leftover quota (usually 0 bytes, as I have exceeded the defined quota of 3000) keeps on changing automatically and randomly. Sometimes it comes back to the original value (3000) and then again reverts to 0. It keeps on fluctuating between 3000 and 0. But one good thing is I am not able to surf the internet once I have crossed the quota (though the value keeps on changing).

Thanks a lot for your help..

Will dig further to know why this value keeps fluctuating

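The LOG rule in the solution above tags every over-quota packet with the prefix "quotaover ", which gives the gateway owner a record of who ran out of quota and what they were reaching for. The script below is an added example, not from the thread: it summarises such kernel log lines per client address and per destination port. The log lines, the hostname gw and the destination addresses 203.0.113.10 and 198.51.100.7 are constructed; OUT= is empty in them because in mangle PREROUTING the routing decision has not yet been made.

```shell
#!/bin/sh
# Added example: summarise "quotaover " log lines written by the LOG rule in
# mangle PREROUTING. The lines below are constructed syslog entries in the
# standard netfilter LOG format; the LOGDROP line is unrelated noise that
# must be ignored.
LOGS='Apr 19 23:40:12 gw kernel: quotaover IN=eth1 OUT= SRC=10.136.15.196 DST=203.0.113.10 LEN=52 TTL=63 PROTO=TCP SPT=51234 DPT=80 SYN
Apr 19 23:40:13 gw kernel: quotaover IN=eth1 OUT= SRC=10.136.15.196 DST=203.0.113.10 LEN=52 TTL=63 PROTO=TCP SPT=51235 DPT=80 SYN
Apr 19 23:40:15 gw kernel: quotaover IN=eth1 OUT= SRC=10.136.15.201 DST=10.10.56.23 LEN=52 TTL=63 PROTO=TCP SPT=40001 DPT=443 SYN
Apr 19 23:40:16 gw kernel: LOGDROP IN=eth0 OUT= SRC=198.51.100.7 DST=10.10.56.23 LEN=60 TTL=50 PROTO=TCP SPT=3333 DPT=2222 SYN
Apr 19 23:40:18 gw kernel: quotaover IN=eth1 OUT= SRC=10.136.15.196 DST=203.0.113.10 LEN=52 TTL=63 PROTO=TCP SPT=51236 DPT=80 SYN'

# Pull the value of one KEY=value field (e.g. SRC, DPT) out of each line on stdin.
field() { sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"; }

# Count over-quota packets per source address, busiest client first.
quotaover_by_src() {
    printf '%s\n' "$1" | grep 'quotaover ' | field SRC | sort | uniq -c | sort -rn |
        awk '{ print $2, $1 }'
}

# Count over-quota packets per destination port, most requested port first.
quotaover_by_dport() {
    printf '%s\n' "$1" | grep 'quotaover ' | field DPT | sort | uniq -c | sort -rn |
        awk '{ print $2, $1 }'
}

# Live use would read /var/log/messages (or journalctl -k) instead of $LOGS.
echo "over-quota packets per client:"; quotaover_by_src "$LOGS"
echo "over-quota packets per destination port:"; quotaover_by_dport "$LOGS"
```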

If you are downloading using a browser, be aware that you could be looking at a cached copy.

Try the "wget" command if you want to download without a browser.


I am downloading from Internet Explorer after deleting the cache from the browser. Also I am downloading a video from YouTube which I have never seen before for testing, which means that if I have not visited that video, then there is no question of it being cached.
