Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Bandwidth Quotas using iptables
#1

Well, I thought I would step into the realm of iptables again. This little tutorial will show you how to setup the quota patch for iptables.

The quota patch allows you to well... set a quota, when the quota is match or exceeds the number of bytes, you can perform a certain action.

 

The first step to this guide is to download the iptables source code from netfilter's website (www.netfilter.org) and you will also need the patch-o-matic-ng.

Once you have downloaded both files you will need to get the kernel source, this can be done by simply issuing the following:

 



Code:
yum -y install kernel-devel




 

Once you have the kernel source installed you can begin unpacking the iptables source file and the path-o-matic-ng file using the tar utility as shown below.

 



Code:
tar jxf iptables-1.3.7.tar.bz2
tar jxf patch-o-matic-ng-20040621.tar.bz2




 

Once you have successfully extracted both iptables and path-o-matic you can begin with installing the quota patch as shown below.

 



Code:
cd patch-o-matic-ng
IPTABLES_DIR=/usr/src/iptables-1.3.7 KERNEL_DIR=/usr/src/kernels/2.6.21-1.3194.fc7-i686 ./runme quota




 

You will want to replace the iptables source code path with the one that suites your machine and also the kernel directory.

Once this command has been issued you maybe given an error saying it couldn't apply the patch, you can ignore this.

 

Once you have applied the patch you will need to recompile the iptables source code, this can be done by simply issuing the following:

 



Code:
cd iptables-1.3.7
make BINDIR=/sbin LIBDIR=/lib KERNEL_DIR=/usr/src/kernels/2.6.21-1.3194.fc7-i686
make install BINDIR=/sbin LIBDIR=/lib KERNEL_DIR=/usr/src/kernels/2.6.21-1.3194.fc7-i686
make clean BINDIR=/sbin LIBDIR=/lib KERNEL_DIR=/usr/src/kernels/2.6.21-1.3194.fc7-i686




 

Thats it you now have successfully applied the quota patch :).

 

Now lets try out our new iptables module :)issue the following to check that the quota module is loaded and can be used:

 



Code:
modprobe ipt_quota




 

Now that ipt_quota is loaded a simple rule as follows can be used to block web traffic that exceeds 100 bytes.

 



Code:
iptables -A OUTPUT -p tcp --dport 80 -m quota --quota 1024 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j DROP




 

What the above rule does is count down from 1MB (1024 kilobytes is a Megabyte) and when the quota hits zero the second rule will kick in which drops all the traffic.

To prove this issue the above two commands and then view the details in OUTPUT chain by issuing

 



Code:
iptables -L OUTPUT -v




 

This will produce similar output to:

Quote:Chain OUTPUT (policy ACCEPT 3640 packets, 1753K bytes) pkts bytes target prot opt in out source destination

1 40 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http quota: 984 bytes

0 0 DROP tcp -- any any anywhere anywhere tcp dpt:http
 

 

Notice the quota for HTTP, now if you open your web browser and visit www.linux-noob.com you should be able to view the front page

once or at least start to transfer traffic before you will be cut off.

 

If you issue the command iptables -L OUTPUT -v again you will notice that the quota should of or has almost hit 0 which is when the second rule

kicks in as shown below.

 

Quote:Chain OUTPUT (policy ACCEPT 3814 packets, 1773K bytes) pkts bytes target prot opt in out source destination

8 996 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http quota: 0 bytes

9 504 DROP tcp -- any any anywhere anywhere tcp dpt:http
 

Well I hope you enjoyed this little guide :)and be sure I'll have more on iptables soon :)

Reply
#2
More sexy iptables stuff .. yay! nice xdamox
Reply
#3

Quote:What the above rule does is count down from 1MB (1024 bytes is a Megabyte).
 

Wrong! 1024 Kilobytes make a megabyte.

Reply
#4
Thanks for spotting that :)
Reply
#5
No problem :). Maybe lots of people did see the error , but preferred not to point it out
Reply
#6

Hello,

Is it possible to compile a nucleus(kernel) of a router Linksys WRT54GL to have the extension quota?

 

Thanks to you, Vincent

Reply
#7

Dear All,

I read this topic and was very exited to understand the same.Thanks a lot for bringing these kind of stuffs.

However I have a problem with this. My linux box is working as a router with two NIC.

a) eth0=10.10.56.23 (which is connected to internet via NATING)

B) eth1=10.136.15.197 (which is connected to internel N/w).

 

The box is acting as a gateway to the internet where customers connect to eth1 and by iptable forward rule the same gets out to eth0 to internet.

below is my iptable file from /etc/sysconfig

=============================================================

# Generated by iptables-save v1.3.5 on Mon Apr 19 23:22:06 2010

*mangle

:PREROUTING ACCEPT [35:5022]

:INPUT ACCEPT [35:5022]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [12:1734]

:POSTROUTING ACCEPT [12:1734]

COMMIT

# Completed on Mon Apr 19 23:22:06 2010

# Generated by iptables-save v1.3.5 on Mon Apr 19 23:22:06 2010

*filter

:INPUT ACCEPT [10:1578]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [12:1734]

:LOGDROP - [0:0]

:RH-Firewall-1-INPUT - [0:0]

-A INPUT -s ! 192.168.3.0/255.255.255.248 -i eth0 -p tcp -m tcp --dport 2222 -j LOGDROP

-A FORWARD -s 10.136.0.0/255.255.255.0 -i eth1 -o eth0 -m state --state NEW -j ACCEPT

-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

-A LOGDROP -j LOG --log-prefix "LOGDROP "

-A LOGDROP -j DROP

COMMIT

# Completed on Mon Apr 19 23:22:06 2010

# Generated by iptables-save v1.3.5 on Mon Apr 19 23:22:06 2010

*nat

:PREROUTING ACCEPT [6:1020]

:POSTROUTING ACCEPT [0:0]

:OUTPUT ACCEPT [2:153]

-A POSTROUTING -j MASQUERADE

COMMIT

# Completed on Mon Apr 19 23:22:06 2010

===========================================================

 

but when i apply(add) the iptable rule

iptables -A INPUT -i eth1 -p tcp -m quota --quota 10000 -j ACCEPT

iptables -A INPUT -i eth1 -p tcp -j DROP

 

 

it blocks the http traffic from client (eg 10.136.15.196/customer to 10.136.15.197/eth1),till the limit of 10000 which is fine, but my forward traffic which is also going to eth0(wan) and then to internet from eth1(customers), is not getting blocked(remains unlimited).

So in summary I want to mean that traffic destined till eth1 is getting blocked, but traffic destined to internet via eth0 is not getting blocked.

 

Any help in this regard will be highly appeciable.

Thanks

Reply
#8

What netmasks are you using? 10.10.56.23 and 10.136.15.197 are on the same network, if you're using standard Class-A netmasks (10.0.0.0/8).

 

You may want to move eth0 onto something different - like 192.168.10.0 - to logically separate the networks.

 

Also, you probably want to add your rule higher up than your forwarding rules - the "-A" will append it to the bottom of your current ruleset.

 

Lastly - I'm not convinced that your logic is correct... it seems that if you receive more than the allocated quota on eth1 then *all* traffic is dropped (eg: if I hit youtube too much and your rule kicks in, I can't FTP into your machine anymore). I thought it would make more sense to block only specific traffic (port 80 etc) outgoing from eth0 originating from 10.0.0.0/8 (LAN), leaving the gateway machine itself excluded from that rule.

Reply
#9

Quote:What netmasks are you using? 10.10.56.23 and 10.136.15.197 are on the same network, if you're using standard Class-A netmasks (10.0.0.0/8).

 

You may want to move eth0 onto something different - like 192.168.10.0 - to logically separate the networks.

 

Also, you probably want to add your rule higher up than your forwarding rules - the "-A" will append it to the bottom of your current ruleset.

 

Lastly - I'm not convinced that your logic is correct... it seems that if you receive more than the allocated quota on eth1 then *all* traffic is dropped (eg: if I hit youtube too much and your rule kicks in, I can't FTP into your machine anymore). I thought it would make more sense to block only specific traffic (port 80 etc) outgoing from eth0 originating from 10.0.0.0/8 (LAN), leaving the gateway machine itself excluded from that rule.
 

 

Hi Dave, Thanks for your help.Please find the responses below.

 

1. both the NICS are in diff network.

eth0:-10.10.56.23 Bcast:10.10.56.127 Mask:255.255.255.128

eth1:-10.136.15.197 Bcast:10.136.15.255 Mask:255.255.255.0

I cannot change the eth0 ip as that has been static private IP allocated from my ISP.

 

2. I modified the iptable file like this below:- (I m giving the modified snippets, only for the section :RH-Firewall-1-INPUT - [0:0]) where i have put the rules to test if its working(i mean that I had moved the rules up) and restarted the iptables.

 

:RH-Firewall-1-INPUT - [0:0]

-A INPUT -s ! 192.168.3.0/255.255.255.248 -i eth0 -p tcp -m tcp --dport 2222 -j LOGDROP

-A INPUT -i eth1 -p tcp -m quota --quota 10000 -j ACCEPT

-A INPUT -i eth1 -p tcp -j DROP

-A FORWARD -s 10.136.0.0/255.255.255.0 -i eth1 -o eth0 -m state --state NEW -j ACCEPT

-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

-A LOGDROP -j LOG --log-prefix "LOGDROP "

-A LOGDROP -j DROP

 

 

But it didnot work.Let me explain..

from customer side (10.136.x.x) which is connected to eth1, when I try to access the pages of website whose ip is 10.10.56.23 (eth0),the quota is working properly,which means that after using the quota of 10000 bytes, I am not able to access the http:10.10.56.23(eth0),which means that packests are getting dropped.But at the same time If i try to access the you tube video, thye same is working (i m ablke to doenload the video.

So in summary I want to mean that quota is working till I access the limit of eth0(where my personal website is hosted), but when i try to access the internet which is after eth0 is not working

 

Please help...

Please donot hesitate in case of any confusion

Reply
#10

Quote:Hi Dave, Thanks for your help.Please find the responses below.

 

1. both the NICS are in diff network.

eth0:-10.10.56.23 Bcast:10.10.56.127 Mask:255.255.255.128

eth1:-10.136.15.197 Bcast:10.136.15.255 Mask:255.255.255.0

I cannot change the eth0 ip as that has been static private IP allocated from my ISP.
Ah, okay. May be an idea to change eth1 to use 192.168.10.0/255.255.255.0 or at least move it off the 10. network - move it onto a Class-C (a /24) range, rather than try to force it to use 10.136.15.0/24 (since most systems will often default to 10.0.0.0/8).

 

This won't solve your problem, but it does make viewing and editing your rules a bit clearer, since it makes the two different networks stand out.

 

I'll take a look at your rules later - busy at the moment!

Reply


Forum Jump:


Users browsing this thread: 4 Guest(s)