Throttle Users

on 29.11.2005 10:56:06 by David Ziggy Lubowa

Hey guys ..


Anyone got any ideas on this? I would like, in the most primitive way for now,
to be able to have users who have not paid their bill redirected to a page
and also not be able to use any of my bandwidth, say put a minimum of 8k.
Anyone got any ideas?


I have a PIX 515E, Packeteer and a few Cisco routers and *nix boxes to play
with; which would be appropriate?

cheers




--
Fanaticism consists of redoubling your effort when you have forgotten your
aim.
-- George Santayana
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: Throttle Users

on 29.11.2005 11:34:28 by foo

Hello.

On Linux you could do
iptables -t nat -I PREROUTING -p tcp --dport 80 -s source_ip -j DNAT --to-destination apache_running_machine:80
iptables -I FORWARD -s source_ip -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -s source_ip -p udp --dport 53 -j ACCEPT

considering you don't have a DROP policy, or else you're gonna need to
pass DNS both ways. Without DNS resolving I had problems reaching the
page. For example: the client tries to reach google.com, the browser just
hits a timeout -> page cannot be reached. The request won't reach the
redirect if DNS is blocked.

On *BSD running ipf
rdr fxp0 source_ip/32 port 80 -> apache_running_machine port 80

or if using ipfw
ipfw add 200 divert 80 tcp from source_ip to apache_running_machine 80 via whateverif0

Again, make sure firewall rules do not block the client's DNS requests.

For the bandwidth shaping you need a queue with very tiny bandwidth
figures and just throw every bad payer in. Look for ALTQ on
Open/NetBSD or dummynet on FreeBSD, cbq/htb on Linux.


--Adrian.


At 11:56 AM 11/29/2005, you wrote:
>Hey guys ..
>
>
>Anyone got any ideas on this? I would like, in the most primitive way for now,
>to be able to have users who have not paid their bill redirected to a page
>and also not be able to use any of my bandwidth, say put a minimum of 8k.
>Anyone got any ideas?
>
>
>I have a PIX 515E, Packeteer and a few Cisco routers and *nix boxes to play
>with; which would be appropriate?
>
>cheers


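A worked version of Adrian's Linux recipe, added here as an example rather than code from the thread: the notice-page redirect, the DNS exceptions he insists on, and an HTB penalty class that caps what a delinquent address can pull through the customer-facing interface. The interface name, the notice-page host and the 8kbit figure are assumptions; export IPT=echo TC=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Values below are assumptions; override via env.
IPT=${IPT:-iptables}                   # set IPT=echo to dry-run
TC=${TC:-tc}                           # set TC=echo to dry-run
LAN_IF=${LAN_IF:-eth1}                 # assumed: interface facing the customers
NOTICE_HOST=${NOTICE_HOST:-192.0.2.10} # assumed: box serving the "please pay" page
CAP=${CAP:-8kbit}                      # the "8k" from the original question
PENALTY_MARK=10                        # fwmark shared by iptables and the tc filter

# One HTB tree on the customer-facing interface: class 1:1 carries normal
# traffic, class 1:10 is the tiny queue every bad payer is thrown into.
setup_shaper() {
    $TC qdisc add dev "$LAN_IF" root handle 1: htb default 1
    $TC class add dev "$LAN_IF" parent 1: classid 1:1 htb rate 100mbit
    $TC class add dev "$LAN_IF" parent 1: classid 1:10 htb rate "$CAP" ceil "$CAP"
    $TC filter add dev "$LAN_IF" parent 1: protocol ip handle $PENALTY_MARK fw flowid 1:10
}

# Redirect one address's web traffic to the notice page and mark the traffic
# flowing back to it so the shaper above caps it. DNS is let through first,
# because without name resolution the browser times out before the redirect.
throttle_user() {
    ip=$1
    $IPT -I FORWARD -s "$ip" -p udp --dport 53 -j ACCEPT
    $IPT -I FORWARD -s "$ip" -p tcp --dport 53 -j ACCEPT
    $IPT -t nat -I PREROUTING -s "$ip" -p tcp --dport 80 \
        -j DNAT --to-destination "$NOTICE_HOST:80"
    # downloads toward the user leave via LAN_IF, which is where the HTB tree sits
    $IPT -t mangle -A FORWARD -d "$ip" -j MARK --set-mark $PENALTY_MARK
}

# Apply to a whitespace-separated list of delinquent addresses.
throttle_all() {
    setup_shaper
    for ip in $1; do
        throttle_user "$ip"
    done
}
```

Source the file and call `throttle_all "10.0.0.5 10.0.0.9"` (constructed addresses); the upload direction would need a second HTB tree on the WAN interface keyed on `-s` instead of `-d`.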

Re: Throttle Users

on 29.11.2005 12:12:43 by Glynn Clements

David Ziggy Lubowa wrote:

> Anyone got any ideas on this? I would like, in the most primitive way for now,
> to be able to have users who have not paid their bill redirected to a page
> and also not be able to use any of my bandwidth, say put a minimum of 8k.
> Anyone got any ideas?

Bandwidth restrictions are reasonable enough, but I would advise
against attempting to implement redirection. HTTP isn't just for web
browsers; some programs use it to retrieve data, and replacing that
data with HTML may have adverse consequences.

--
Glynn Clements

Re: Throttle Users

on 29.11.2005 14:01:48 by David Ziggy Lubowa

All sounds good ... but this will be a separate box, meaning I could do policy
routing off the router with a route-map so that it hits box X, after which the
policies below fall into place ... does that work?


cheers


On Tuesday 29 November 2005 13:34, Adrian C. wrote:
> Hello.
>
> On Linux you could do
> iptables -t nat -I PREROUTING -p tcp --dport 80 -s source_ip -j DNAT --to-destination apache_running_machine:80
> iptables -I FORWARD -s source_ip -p tcp --dport 53 -j ACCEPT
> iptables -I FORWARD -s source_ip -p udp --dport 53 -j ACCEPT
>
> considering you don't have a DROP policy, or else you're gonna need to
> pass DNS both ways. Without DNS resolving I had problems reaching the
> page. For example: the client tries to reach google.com, the browser just
> hits a timeout -> page cannot be reached. The request won't reach the
> redirect if DNS is blocked.
>
> On *BSD running ipf
> rdr fxp0 source_ip/32 port 80 -> apache_running_machine port 80
>
> or if using ipfw
> ipfw add 200 divert 80 tcp from source_ip to apache_running_machine 80 via whateverif0
>
> Again, make sure firewall rules do not block the client's DNS requests.
>
> For the bandwidth shaping you need a queue with very tiny bandwidth
> figures and just throw every bad payer in. Look for ALTQ on
> Open/NetBSD or dummynet on FreeBSD, cbq/htb on Linux.
>
>
> --Adrian.

--
Fanaticism consists of redoubling your effort when you have forgotten your
aim.
-- George Santayana

Re: Throttle Users

on 29.11.2005 14:32:02 by foo

I'm not very familiar with IOS, but I think you can do a port 80
redirect for certain ACLs fairly easily; then you will only need a
working apache/thttpd box. A much simpler setup.

--Adrian.

At 03:01 PM 11/29/2005, David Ziggy Lubowa wrote:

>All sounds good ... but this will be a separate box, meaning I could do policy
>routing off the router with a route-map so that it hits box X, after which the
>policies below fall into place ... does that work?
>
>
>cheers



Re: Throttle Users

on 30.11.2005 14:56:30 by Andy Davidson

David Ziggy Lubowa wrote:
> Anyone got any ideas on this? I would like, in the most primitive way for now,
> to be able to have users who have not paid their bill redirected to a page
> and also not be able to use any of my bandwidth, say put a minimum of 8k.
> Anyone got any ideas?
> I have a PIX 515E, Packeteer and a few Cisco routers and *nix boxes to play
> with; which would be appropriate?

Which Cisco routers and IOS versions?

For the throttle, I would use the routers if possible, as traffic
shaping on Linux still feels a little unpolished.


This should start you off, assuming:

your inside int = ge0/0
your customers net = 10.0.0.0/24
average rate allowed = 16000 bps
drop packets at burst = 4000 bps


interface GigabitEthernet0/0
 rate-limit output access-group 101 16000 4000 4000 conform-action transmit exceed-action drop
!
! extended ACL 101 needs both a source and a destination; "output" on the
! inside interface is traffic heading to the customers, so match them as destination
access-list 101 permit ip any 10.0.0.0 0.0.0.255



Re: Throttle Users

on 02.12.2005 21:13:01 by Stephen Samuel

You could redirect to a SQUID cache that would redirect any proper
HTTP to a notice page and drop anything else.

OpenBSD PF tables seem like a nice way to filter for offenders.

Glynn Clements wrote:

>David Ziggy Lubowa wrote:
>
>>Anyone got any ideas on this? I would like, in the most primitive way for now,
>>to be able to have users who have not paid their bill redirected to a page
>>and also not be able to use any of my bandwidth, say put a minimum of 8k.
>>Anyone got any ideas?
>
>Bandwidth restrictions are reasonable enough, but I would advise
>against attempting to implement redirection. HTTP isn't just for web
>browsers; some programs use it to retrieve data, and replacing that
>data with HTML may have adverse consequences.

--
Stephen Samuel +1(604)450-0066 samnospam@bcgreen.com
http://www.bcgreen.com/
Powerful committed communication. Transformation touching
the jewel within each person and bringing it to light.
