We must remember that our LAN users can spoil our efforts from chapter 3, if they use Napster or Realaudio. We must also remember that we didn't block ftp traffic in section 3.3.
We will achieve it in a different way: not by limiting downloading directly, but indirectly. If our internet device is ppp0 and our LAN device is eth0, we will limit outgoing traffic on interface eth0, which in turn limits incoming traffic on ppp0, because the server cannot forward data to the LAN any faster than it is allowed to send it on eth0, so the senders on the internet side slow down.
To do it, we will get familiar with CBQ and the cbq.init script. You can obtain it from ftp://ftp.equinox.gu.net/pub/linux/cbq/. Download cbq.init-v0.6.2 and put it in /etc/rc.d/.
You will also need iproute2 installed. It comes with every Linux distribution.
Now look in your /etc/sysconfig/cbq/ directory. There, you should have an example file, which should work with cbq.init. If it isn't there, you probably don't have it compiled in your kernel.
In chapter 3 we didn't block ftp for two reasons: so that we could do uploads, and so that users with buggy IE5.5 could browse ftp directories. Overall, our web browsers and ftp programs should make downloads via our Squid proxy, and ftp uploads/renaming/deleting should go via IP-masquerade.
We create a file called cbq-10.ftp-network in the /etc/sysconfig/cbq/ directory:
# touch /etc/sysconfig/cbq/cbq-10.ftp-network
We insert the following lines into it:
DEVICE=eth0,10Mbit,1Mbit
RATE=10Kbit
WEIGHT=1Kbit
PRIO=5
RULE=:20,192.168.1.0/24
RULE=:21,192.168.1.0/24
You will find the description of these lines in the cbq.init-v0.6.2 file.
When you start the /etc/rc.d/cbq.init-v0.6.2 script, it reads your configuration from /etc/sysconfig/cbq/:
# /etc/rc.d/cbq.init-v0.6.2 start
If everything works, add /etc/rc.d/cbq.init-v0.6.2 start to the end of your initialization scripts. Usually this is /etc/rc.d/rc.local.
Thanks to this configuration, your server will not send ftp data through eth0 faster than 10 kbit/s, and so will not download ftp data faster than 10 kbit/s either. Your LAN users will see that it is more efficient to use the Squid proxy for ftp downloads. They will also still be able to browse ftp directories using their buggy IE5.5.
There is also another bug in IE5.5: when you right-click on a file in an ftp directory and select 'Copy To Folder', the file is downloaded not through the proxy, but directly through IP-masquerade, thus bypassing Squid and its delay pools.
Here the idea is the same as with ftp; we just add other ports and set a different speed.
We create a file called cbq-50.napsterandlive in the /etc/sysconfig/cbq/ directory:
# touch /etc/sysconfig/cbq/cbq-50.napsterandlive
Put these lines into that file:
DEVICE=eth0,10Mbit,1Mbit
RATE=50Kbit
WEIGHT=5Kbit
PRIO=5
#Windows Media Player
RULE=:1755,192.168.1.0/24
#Real Player uses TCP port 554, for UDP it uses different ports,
#but generally RealAudio in UDP doesn't consume much bandwidth
RULE=:554,192.168.1.0/24
RULE=:7070,192.168.1.0/24
#Napster uses ports 6699 and 6700, maybe some other?
RULE=:6699,192.168.1.0/24
RULE=:6700,192.168.1.0/24
#Audiogalaxy uses ports around 41000, there are many of them,
#so keep in mind I didn't list all of them here
RULE=:41060,192.168.1.0/24
RULE=:41133,192.168.1.0/24
#Some clever users can connect to SOCKS servers when using Napster,
#Audiogalaxy etc.; it's also a good idea to do so
#when you run your own SOCKS proxy
RULE=:1080,192.168.1.0/24
#Add any other ports you want; you can easily check
#ports that programs use with IPTraf
#RULE=:port,192.168.1.0/24
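To check that these two class files (the ftp one and the Napster/streaming one above) catch what you intend and leave Squid traffic alone, it helps to see the RULE lines as packet matches. The script below is an added example written for this section; it is not part of the HOWTO and not cbq.init's own code. It parses constructed copies of the two files using cbq.init's RULE syntax RULE=[[saddr[/prefix]][:sport[/mask]],][daddr[/prefix]][:dport[/mask]] (so ':20,192.168.1.0/24' means "from source port 20 to any host in 192.168.1.0/24", i.e. ftp-data the server forwards to the LAN), reports which class a sample flow leaving eth0 would fall into, and prints a minimal tc equivalent per class. The parser handles the full RULE form (source and destination address and port), which goes beyond the source-port-only rules the page uses; the "first matching class wins" ordering, the sample flows and the sketch of tc commands are this example's assumptions, not cbq.init's exact output.

```python
"""Classify flows leaving eth0 against cbq.init-style class files (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = Optional[ipaddress.IPv4Network]

# Constructed copies of the two files created in the text (file name -> contents).
CONFIG_FILES: Dict[str, str] = {
    "cbq-10.ftp-network": """
        DEVICE=eth0,10Mbit,1Mbit
        RATE=10Kbit
        WEIGHT=1Kbit
        PRIO=5
        RULE=:20,192.168.1.0/24
        RULE=:21,192.168.1.0/24
    """,
    "cbq-50.napsterandlive": """
        DEVICE=eth0,10Mbit,1Mbit
        RATE=50Kbit
        WEIGHT=5Kbit
        PRIO=5
        #Windows Media Player
        RULE=:1755,192.168.1.0/24
        #Real Player
        RULE=:554,192.168.1.0/24
        RULE=:7070,192.168.1.0/24
        #Napster
        RULE=:6699,192.168.1.0/24
        RULE=:6700,192.168.1.0/24
        #SOCKS
        RULE=:1080,192.168.1.0/24
    """,
}


@dataclass
class Rule:
    snet: Net
    sport: Optional[int]
    dnet: Net
    dport: Optional[int]

    def matches(self, saddr: str, sport: int, daddr: str, dport: int) -> bool:
        """Every field set in the rule must match; unset fields match anything."""
        return ((self.snet is None or ipaddress.ip_address(saddr) in self.snet)
                and (self.sport is None or self.sport == sport)
                and (self.dnet is None or ipaddress.ip_address(daddr) in self.dnet)
                and (self.dport is None or self.dport == dport))


@dataclass
class ShapingClass:
    classid: int       # hex number from the file name: cbq-10 -> 0x10
    name: str
    device: str
    bandwidth: str     # physical bandwidth of the device (first DEVICE field)
    rate: str          # ceiling for this class
    weight: str
    prio: int
    rules: List[Rule]


def _endpoint(spec: str) -> Tuple[Net, Optional[int]]:
    """Parse '[addr[/prefix]][:port[/mask]]' into (network or None, port or None)."""
    addr, _, port = spec.partition(":")
    net = ipaddress.ip_network(addr, strict=False) if addr else None
    return net, (int(port.split("/")[0]) if port else None)


def parse_rule(spec: str) -> Rule:
    src, dst = spec.split(",", 1) if "," in spec else ("", spec)
    return Rule(*_endpoint(src), *_endpoint(dst))


def parse_class(filename: str, text: str) -> ShapingClass:
    m = re.fullmatch(r"cbq-([0-9A-Fa-f]+)\.(.+)", filename)
    if not m:
        raise ValueError(f"not a cbq.init class file name: {filename}")
    fields: Dict[str, str] = {}
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition("=")
        if key == "RULE":
            rules.append(parse_rule(value))
        else:
            fields[key] = value
    device, bandwidth, _ = fields["DEVICE"].split(",")
    return ShapingClass(int(m.group(1), 16), m.group(2), device, bandwidth,
                        fields["RATE"], fields["WEIGHT"], int(fields.get("PRIO", "5")), rules)


def load_classes(files: Dict[str, str]) -> List[ShapingClass]:
    return sorted((parse_class(n, t) for n, t in files.items()), key=lambda c: c.classid)


def classify(classes: List[ShapingClass], saddr: str, sport: int,
             daddr: str, dport: int) -> Optional[str]:
    """RATE applied to a flow leaving the device, or None if no class claims it
    (unclassified traffic such as Squid on port 3128 is not limited).
    First match in class-id order wins (assumption of this example)."""
    for cls in classes:
        if any(r.matches(saddr, sport, daddr, dport) for r in cls.rules):
            return cls.rate
    return None


def tc_commands(cls: ShapingClass) -> List[str]:
    """Minimal tc equivalent of one class: a sketch, not cbq.init's exact output."""
    cid = f"1:{cls.classid:x}"
    cmds = [f"tc class add dev {cls.device} parent 1: classid {cid} cbq bandwidth "
            f"{cls.bandwidth} rate {cls.rate} weight {cls.weight} prio {cls.prio} allot 1514 bounded"]
    for r in cls.rules:
        match = []
        if r.snet is not None:
            match.append(f"match ip src {r.snet}")
        if r.sport is not None:
            match.append(f"match ip sport {r.sport} 0xffff")
        if r.dnet is not None:
            match.append(f"match ip dst {r.dnet}")
        if r.dport is not None:
            match.append(f"match ip dport {r.dport} 0xffff")
        cmds.append(f"tc filter add dev {cls.device} parent 1: protocol ip prio 100 u32 "
                    + " ".join(match) + f" flowid {cid}")
    return cmds


if __name__ == "__main__":
    classes = load_classes(CONFIG_FILES)
    # Constructed sample flows as seen leaving eth0: (label, saddr, sport, daddr, dport)
    flows = [("ftp-data via masquerade", "198.51.100.10", 20, "192.168.1.7", 40001),
             ("Napster download", "198.51.100.20", 6699, "192.168.1.7", 3456),
             ("download via Squid", "192.168.1.1", 3128, "192.168.1.7", 4000)]
    for label, *flow in flows:
        print(f"{label}: {classify(classes, *flow) or 'not limited'}")
    for cls in classes:
        print("\n".join(tc_commands(cls)))
```

Run it with no arguments: the ftp-data and Napster flows are reported at 10Kbit and 50Kbit, while the Squid flow (source port 3128 on the server) stays unlimited, which is exactly the incentive the text relies on. The tc output is only a reading aid; on a live box you still start the shaping through cbq.init and inspect it with `tc class show dev eth0` and `tc filter show dev eth0`.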