Routing and bandwidth problem

Jeff Vian jvian10 at charter.net
Wed May 5 12:36:28 UTC 2004



Rodolfo J. Paiz wrote:

> Hey...
>
> I have no idea of which FM to R here, so I will happily accept 
> pointers to good documentation and HOWTO documents. Any other help is 
> also welcome, as I will need to solve this problem very soon. The 
> problem is this:
>
> My small business is one of four tenants in a small building. The 
> other three have agreed to allow me to buy one big connection and then 
> resell service to them, such that they get a better price and I get to 
> subsidize my own Internet service. However, while I *could* set this 
> up quickly without any controls, they each want different service 
> levels and amounts of bandwidth and will be paying different prices, 
> so I want to do this properly.
>
> The firewall/gateway will run Fedora Core 1. I think I need *five* 
> Ethernet adapters in the server (eth0 to the ISP, and eth1-eth4 to the 
> four tenants) so that each client is properly isolated into their own 
> network and cannot access the other clients' computers. If there is a 
> way to do this securely and safely without a gaggle of Ethernet cards, 
> please do tell! I can think of doing this with 802.1Q VLAN tagging, 
> but that requires a managed switch which is far more expensive. It 
> seems to me that multiple Ethernet cards are the simplest *and* 
> cheapest way to do it.

Not necessary to use that many adapters. It can easily be done on 2, 
one for the internet and one for the LAN.

Linux can run multiple IPs on a single adapter by using aliases in the 
config, and then using the traffic shaper utils you can set bandwidth 
for each.  
The only real problem will come in if they decide to snoop, since 
with this method they would all be on the same physical network and 
might find the other machines.

You could thus use 192.168.2.X for one, 192.168.3.X for another, etc.
The command to set up an alias (virtual interface) on a NIC is simple.
Use the same ifconfig command you would otherwise use but the interface 
is listed as eth0:1, eth0:2, etc.
The files in /etc/sysconfig/network-scripts can be configured for each 
virtual interface you use, or it can be put in /etc/rc.local if you want.

Then the firewall with iptables can be used to handle NAT, forwarding, 
and with the options for specifying the mac address of a connection you 
can even make sure you do not yourself allow them to communicate 
directly and you would know if they tried to add additional machines.

>
> I know how to provide masquerading, firewall, gateway, DNS, DHCP, NTP, 
> and other services. What I don't know how to do is the following:
>
>         1. Required: Limit the total bandwidth a client can use to 
> either 128 Kbps or 256 Kbps.
>
>         2. Optional: Allow each client to exceed their limit if no one 
> else is using the space. That is, a customer who stays late when all 
> other offices are gone for the night, or someone who gets lucky that 
> no one else is using the Net at that particular moment, could get 
> access to the entire Internet connection (say, 512 Kbps). But if 
> everyone is using the bandwidth simultaneously, then each would get 
> their fair share (what they paid for and I provide, proportionately).

The traffic shaper tools can do this AFAIK.

>
>         3. Optional: Even though traffic *through* the server (client 
> connecting to Internet) should be throttled and limited, it would be 
> ideal for traffic *to* the server (client connecting to the firewall) 
> to have full 100 Mbps link speed. This would allow me to download the 
> FC2 ISO images to the server at night, for example, and then let 
> clients grab them at 100 Mbps over the internal network instead of 
> having that internal download also throttled to 256 Kbps.

Someone else will have to answer this.

>
>         4. Optional: Provide each tenant with an FTP-served directory 
> on the server which can *only* be accessed from their network. So if 
> they pull down the confidential something or their wife's nude 
> pictures, other tenants cannot get at that information.

Provide each user/client with an FTP directory they can log into as a 
user. By default, vsftpd provides a chroot jail for them.

>
> Can someone offer some hints, pointers, suggestions, or magic beans?
>
> Thanks in advance!
>
>
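
An added example (not part of the thread, and not Jeff's or Rodolfo's own configuration) that turns the two-NIC layout above into one script: eth0 to the ISP, eth1 to the tenants with one ifconfig alias per tenant subnet, iptables rules for NAT, tenant isolation and per-tenant MAC pinning, and an HTB class per tenant whose `rate` is the paid-for bandwidth and whose `ceil` is the whole line, which covers items 1 and 2 of the question. The interface names, subnets, rates, the 512 Kbps link and the MAC addresses are constructed assumptions; by default the script only prints the commands, and runs them when `APPLY=1` is set and it is executed as root.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates (and with APPLY=1,
# as root, executes) the commands for the two-NIC layout Jeff describes:
# eth0 to the ISP, eth1 to the tenants with one aliased subnet per tenant,
# iptables rules for NAT, tenant isolation and MAC pinning, and an HTB class
# per tenant whose "rate" is the paid-for bandwidth and whose "ceil" lets a
# lone user borrow the whole line (items 1 and 2 of the question).
# Interface names, subnets, rates and MAC addresses are constructed samples.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LINK_KBIT=512        # total link speed, the question's assumed 512 Kbps
DEFAULT_KBIT=32      # leftover guarantee for unclassified traffic

# Tenant table (constructed): alias-index  third-octet  rate-kbit  router-MAC
TENANTS='1 2 256 00:00:5e:00:53:01
2 3 128 00:00:5e:00:53:02
3 4 64 00:00:5e:00:53:03
4 5 32 00:00:5e:00:53:04'

# Print each command; run it as well when APPLY=1 (dry-run by default).
run() {
    echo "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# Sum of the tenants' guaranteed rates; HTB expects the children's rates
# (plus the default class) not to exceed the parent's rate.
sum_rates() {
    echo "$TENANTS" | { total=0
        while read -r _ _ rate _; do total=$((total + rate)); done
        echo "$total"; }
}

# One alias (eth1:1, eth1:2, ...) per tenant subnet, as Jeff describes.
alias_cmds() {
    echo "$TENANTS" | while read -r idx oct _ _; do
        run ifconfig "$LAN_IF:$idx" "192.168.$oct.1" netmask 255.255.255.0 up
    done
}

# NAT for every tenant subnet, no forwarding between tenants through the
# server, and only the registered MAC per subnet may forward; any other
# LAN host that tries is logged and then dropped by the FORWARD policy.
firewall_cmds() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -j DROP
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    echo "$TENANTS" | while read -r _ oct _ mac; do
        run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "192.168.$oct.0/24" \
            -m mac --mac-source "$mac" -j ACCEPT
        run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "192.168.$oct.0/24" -j MASQUERADE
    done
    run iptables -A FORWARD -i "$LAN_IF" -j LOG --log-prefix "unregistered-lan-host: "
}

# HTB on the tenant-facing NIC (the download direction): rate = what each
# tenant pays for, ceil = the whole link, so an idle line can be borrowed
# and a busy one is shared in proportion to the paid-for rates.
shaper_cmds() {
    [ $(( $(sum_rates) + DEFAULT_KBIT )) -le "$LINK_KBIT" ] || {
        echo "tenant rates exceed the link" >&2; return 1; }
    run tc qdisc add dev "$LAN_IF" root handle 1: htb default 99
    run tc class add dev "$LAN_IF" parent 1: classid 1:1 htb rate "${LINK_KBIT}kbit" ceil "${LINK_KBIT}kbit"
    run tc class add dev "$LAN_IF" parent 1:1 classid 1:99 htb rate "${DEFAULT_KBIT}kbit" ceil "${LINK_KBIT}kbit"
    echo "$TENANTS" | while read -r idx oct rate _; do
        run tc class add dev "$LAN_IF" parent 1:1 classid "1:1$idx" htb rate "${rate}kbit" ceil "${LINK_KBIT}kbit"
        run tc filter add dev "$LAN_IF" protocol ip parent 1:0 prio 1 u32 match ip dst "192.168.$oct.0/24" flowid "1:1$idx"
    done
}

# Stand-alone run: aliases first, then the firewall, then the shaper.
alias_cmds
firewall_cmds
shaper_cmds
```

The iptables rules only stop traffic that passes through the server; because all four subnets share one switch, a tenant who adds an address from a neighbour's subnet to his own machine reaches that neighbour directly, which is the snooping exposure Jeff points out. Separate NICs or 802.1Q VLANs remove that exposure; MAC pinning and the LOG rule only make the attempt visible. The shaping is applied on eth1, so it limits what each tenant downloads; a second HTB tree on eth0 keyed on `match ip src` would be needed to limit uploads the same way.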
