We must remember that our LAN users can spoil our efforts from chapter 3, if they use Napster, Kazaa or Realaudio. We must also remember that we didn't block ftp traffic in section 3.3.
We will achieve it in a different way -- not by limiting downloading directly, but rather, indirectly. If our internet device is ppp0 and LAN device is eth0, we will limit outgoing traffic on interface eth0, and thus, limit incoming traffic to ppp0.
To do it, we will get familiar with CBQ and cbq.init script. You can obtain it from ftp://ftp.equinox.gu.net/pub/linux/cbq/. Download cbq.init-v0.6.2 and put it in /etc/rc.d/.
You will also need iproute2 installed. It comes with every Linux distribution.
Now look in your /etc/sysconfig/cbq/ directory. There, you should have an example file, which should work with cbq.init. If it isn't there, you probably don't have it compiled in your kernel nor it isnt't present as modules. Well, in any case, just make that directory, put example files provided below, and see if it'd work for you.
In chapter 3, we didn't block ftp for two reasons -- so that we could do uploads, and so that users with buggy IE5.5 could browse through ftp directories. In all, our web browsers and ftp programs should make downloads via our Squid proxy and ftp uploads/renaming/deleting should be made via IP-masquerade.
We create a file called cbq-10.ftp-network in the /etc/sysconfig/cbq/ directory:
# touch /etc/sysconfig/cbq/cbq-10.ftp-network
We insert the following lines into it:
DEVICE=eth0,10Mbit,1Mbit RATE=15Kbit WEIGHT=1Kbit PRIO=5 RULE=:20,192.168.1.0/24 RULE=:21,192.168.1.0/24
You will find the description of thses lines in cbq.init-v0.6.2 file.
When you start /etc/rc.d/cbq.init-v0.6.2 script, it will read your configuration, which is placed in /etc/sysconfig/cbq/:
# /etc/rc.d/cbq.init-v0.6.2 start
If everything is working, we add /etc/rc.d/cbq.init-v0.6.2 start to the end of your initializing scripts. Usually, it can be /etc/rc.d/rc.local.
Thanks to this command, your server will not send ftp data through eth0 faster than about 15kbits/s, and thus will not download ftp data from the internet faster than 15kbits/s.Your LAN users will see that it's more efficient to use Squid proxy for doing ftp downloads. They will be also able to browse ftp directories using their buggy IE5.5.
There is also another bug in IE5.5 - when you right click on a file in a ftp directory then select 'Copy To Folder', the file is downloaded not through proxy, but directly through IP-masquerade, thus omitting Squid with delay pools.
Here, the idea is the same as with ftp; we just add another port and set a different speed.
We create file called cbq-50.napster-network in the /etc/sysconfig/cbq/ directory:
# touch /etc/sysconfig/cbq/cbq-50.napsterandlive
Put these lines into that file:
DEVICE=eth0,10Mbit,1Mbit RATE=35Kbit WEIGHT=3Kbit PRIO=5 #Windows Media Player. RULE=:1755,192.168.1.0/24 #Real Player uses TCP port 554, for UDP it uses different ports, #but generally RealAudio in UDP doesn't consume much bandwidth. RULE=:554,192.168.1.0/24 RULE=:7070,220.127.116.11/24 #Napster uses ports 6699 and 6700, maybe some other? RULE=:6699,192.168.1.0/24 RULE=:6700,192.168.1.0/24 #Audiogalaxy uses ports from 41000 to as high as probably 41900, #there are many of them, so keep in mind I didn't list all of #them here. Repeating 900 nearly the same lines would be of course #pointless. We will simply cut out ports 410031-41900 using #ipchains or iptables. RULE=:41000,192.168.1.0/24 RULE=:41001,192.168.1.0/24 #continue from 41001 to 41030 RULE=:41030,192.168.1.0/24 #Some clever users can connect to SOCKS servers when using Napster, #Audiogalaxy etc.; it's also a good idea to do so #when you run your own SOCKS proxy RULE=:1080,192.168.1.0/24 #Add any other ports you want; you can easily check and track #ports that programs use with IPTraf #RULE=:port,192.168.1.0/24
Don't forget to cut out remaining Audiogalaxy ports (41031-41900), using ipchains (kernels 2.2.x or iptables (kernels 2.4.x).
/sbin/ipchains -A input -s 192.168.1.1/24 -d ! 192.168.1.1 41031:41900 -p TCP -j REJECT
/sbin/iptables -A FORWARD -s 192.168.1.1/24 -d ! 192.168.1.1 --dport 41031:41900 -p TCP -j REJECT
Don't forget to add a proper line to your initializing scripts.