Routing and bandwidth problem

Jason Huddleston huddlesj at otc.edu
Wed May 5 13:48:52 UTC 2004 

Rodolfo,

Think that the following option in iptables should help you set this up
right:

  limit
       This module matches at a limited rate using a token bucket
       filter.  A rule using this extension will match until this
       limit is reached (unless the `!' flag is used).  It can be
       used in combination with the LOG target  to  give  limited
       logging, for example.

       --limit rate
              Maximum  average matching rate: specified as a num-
              ber,  with  an   optional   `/second',   `/minute',
              `/hour', or `/day' suffix; the default is 3/hour.

       --limit-burst number
              Maximum  initial  number  of packets to match: this
              number gets recharged by one every time  the  limit
              specified  above is not reached, up to this number;
              the default is 5.


--
Jason Huddleston, CCSA
Network Security Admin, Firewall Technician
Ozarks Technical Community College
huddlesj at otc.edu
417-895-7798

-----Original Message-----
From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com]
On Behalf Of Rodolfo J. Paiz
Sent: Tuesday, May 04, 2004 9:36 PM
To: fedora-list at redhat.com; redhat-list at redhat.com
Subject: Routing and bandwidth problem

Hey...

I have no idea of which FM to R here, so I will happily accept pointers to 
good documentation and HOWTO documents. Any other help is also welcome, as 
I will need to solve this problem very soon. The problem is this:

My small business is one of four tenants in a small building. The other 
three have agreed to allow me to buy one big connection and then resell 
service to them, such that they get a better price and I get to subsidize 
my own Internet service. However, while I *could* set this up quickly 
without any controls, they each want different service levels and amounts 
of bandwidth and will be paying different prices, so I want to do this 
properly.

The firewall/gateway will run Fedora Core 1. I think I need *five* Ethernet 
adapters in the server (eth0 to the ISP, and eth1-eth4 to the four tenants) 
so that each client is properly isolated into their own network and cannot 
access the other clients' computers. If there is a way to do this securely 
and safely without a gaggle of Ethernet cards, please do tell! I can think 
of doing this with 801.2q VLAN tagging, but that requires a managed switch 
which is far more expensive. It seems to me that multiple Ethernet cards 
are the simplest *and* cheapest way to do it.

I know how to provide masquerading, firewall, gateway, DNS, DHCP, NTP, and 
other services. What I don't know how to do is the following:

         1. Required: Limit the total bandwidth a client can use to either 
128 Kbps or 256 Kbps.

         2. Optional: Allow each client to exceed their limit if no one 
else is using the space. That is, a customer who stays late when all other 
offices are gone for the night, or someone who gets lucky that no one else 
is using the Net at that particular moment, could get access to the entire 
Internet connection (say, 512 Kbps). But if everyone is using the bandwidth 
simultaneously, then each would get their fair share (what they paid for 
and I provide, proportionately).

         3. Optional: Even though traffic *through* the server (client 
connecting to Internet) should be throttled and limited, it would be ideal 
for traffic *to* the server (client connecting to the firewall) to have 
full 100 Mbps link speed. This would allow me to download the FC2 ISO 
images to the server at night, for example, and then let clients grab them 
at 100 Mbps over the internal network instead of having that internal 
download also throttled to 256 Kbps.

         4. Optional: Provide each tenant with an FTP-served directory on 
the server which can *only* be accessed from their network. So if they pull 
down the confidential something or their wife's nude pictures, other 
tenants cannot get at that information.

Can someone offer some hints, pointers, suggestions, or magic beans?

Thanks in advance!


-- 
Rodolfo J. Paiz
rpaiz at simpaticus.com
http://www.simpaticus.com


-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

More information about the redhat-list mailing list