Bandwidth Limiting HOWTO
TomaszChmielewski Email: tch@metalab.unc.edu
Revision History:
Revision 0.9, 2001-11-20, tc

This document describes how to set up your Linux server to limit download bandwidth or incoming traffic and how to use your internet link more efficiently.
Introduction
The purpose of this guide is to provide an easy solution for limiting incoming traffic, thus preventing our LAN users from consuming all the bandwidth of our internet link. This is useful when our internet link is slow or our LAN users download tons of mp3s and the newest Linux distro's *.iso files.
New versions of this document
You can always view the latest version of this document on the World Wide Web at the URL http://www.linuxdoc.org. New versions of this document will also be uploaded to various Linux WWW and FTP sites, including the LDP home page at http://www.linuxdoc.org.
Disclaimer
Neither the author nor the distributors, or any other contributor of this HOWTO are in any way responsible for physical, financial, moral or any other type of damage incurred by following the suggestions in this text.
Copyright and License
This document is copyright 2001 by Tomasz Chmielewski, and is released under the terms of the GNU Free Documentation License, which is hereby incorporated by reference.
Feedback and corrections
If you have questions or comments about this document, please feel free to mail Tomasz Chmielewski at tch@metalab.unc.edu. I welcome any suggestions or criticisms. If you find a mistake or a typo in this document (and you will find a lot of them, as English is not my native language), please let me know so I can correct it in the next version. Thanks.
Thanks
I would like to thank Ami M. Echeverri (lula@pollywog.com) who helped me to convert the HOWTO into SGML format and corrected some mistakes. I also want to thank Ryszard Prosowicz (prosowicz@poczta.fm) for useful suggestions.
Before We Start
Let's imagine the following situation:

- We have a 115.2 kbits/s ppp (modem) internet link (115.2/10 = 11.5 kbytes/s). Note: with eth connections (network card) we would divide 115.2 by 8; with ppp we divide by 10, because of start/stop bits (8 + 1 + 1 = 10).
- We have some LAN stations and their users are doing bulk downloads all the time.
- We want web pages to open fast, no matter how many downloads are happening.
- Our internet interface is ppp0.
- Our LAN interface is eth0.
- Our network is 192.168.1.0/24.
What do we need
Believe it or not, shaping the incoming traffic is an easy task and you don't have to read tons of books about routing or queuing algorithms. To make it work, we need at least the Squid proxy; if we want to fine tune it, we will have to get familiar with ipchains or iptables and CBQ. To test our efforts, we can install IPTraf.
How does it work?
Squid is probably the most advanced HTTP proxy server available for Linux. It can help us save bandwidth in two ways:

The first is a main characteristic of proxy servers -- they keep downloaded web pages, pictures, and other objects in memory or on a disk. So, if two people are requesting the same web page, it isn't downloaded from the internet, but from the local proxy.

Apart from normal caching, Squid has a special feature called delay pools. Thanks to delay pools, it is possible to limit internet traffic in a reasonable way, depending on so-called 'magic words' existing in any given URL. For example, a magic word could be '.mp3', '.exe' or '.avi', etc. Any distinct part of a URL (such as .avi) can be defined as a magic word.

With that, we can tell Squid to download these kinds of files at a specified speed (in our example, it will be about 5 kbytes/s). If our LAN users download files at the same time, they will be downloaded at about 5 kbytes/s altogether, leaving the remaining bandwidth for web pages, e-mail, news, irc, etc.

Of course, the Internet is not only used for downloading files via web pages (http or ftp). Later on, we will deal with limiting bandwidth for Napster, Realaudio, and other possibilities.
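As an added example (not part of this HOWTO, and not the squid.conf the author configures later), here is what the 'magic word' scheme looks like in Squid 2.x configuration syntax, together with a small shell check that applies the same patterns to sample URLs the way Squid's url_regex does. The acl name, the pattern list and the 5000 bytes/s figure are assumptions chosen to match the text; "all" is the standard acl from the default squid.conf. One detail worth seeing: url_regex patterns are regular expressions, so the dot in '.mp3' must be escaped, otherwise any character followed by "mp3" matches and a host like tmp3.example.com would be throttled too.

```shell
#!/bin/sh
# Added example, not from the HOWTO. Constructed squid.conf fragment for the
# magic-word delay pool described above (Squid 2.x directive syntax assumed).
# delay_class 1 1 is a single aggregate bucket, so all matching downloads
# share the 5000 bytes/s together, which is what the text describes.
SQUID_DELAY_CONF='
acl magic_words url_regex -i \.mp3 \.exe \.avi \.iso \.zip
delay_pools 1
delay_class 1 1
delay_parameters 1 5000/5000
delay_access 1 allow magic_words
delay_access 1 deny all
'

# Apply one url_regex pattern to one URL the way Squid does: POSIX extended
# regex, case-insensitive (-i), matching anywhere in the URL.
matches_url_regex() {   # $1 = URL, $2 = pattern
    printf '%s\n' "$1" | grep -Eiq -- "$2"
}

# Would this URL fall into the delay pool? Reads the pattern list out of the
# fragment above so the shell check and the Squid config cannot drift apart.
url_is_limited() {      # $1 = URL; returns 0 when a magic word matches
    patterns=$(printf '%s\n' "$SQUID_DELAY_CONF" |
               sed -n 's/^acl magic_words url_regex -i //p')
    for pat in $patterns; do
        if matches_url_regex "$1" "$pat"; then
            return 0
        fi
    done
    return 1
}

for u in "http://mirror.example/linux-distro.ISO" \
         "http://www.example.com/index.html" \
         "http://tmp3.example.com/"; do
    if url_is_limited "$u"; then echo "limited:   $u"; else echo "unlimited: $u"; fi
done
# The unescaped form from the text, '.mp3', is a regex too and over-matches:
matches_url_regex "http://tmp3.example.com/" ".mp3" && echo "'.mp3' also matches tmp3.example.com"
```

The same check works for any pattern you add to the acl line; keep the dots escaped, and anchor with `$` only if your users' download URLs never carry query strings after the extension.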
Installing and Configuring Necessary Software
Here, I will explain how to install the necessary software so that we can limit and test the bandwidth usage.
Installing Squid with the delay pools feature
As I mentioned before, Squid has a feature called delay pools, which allows us to control download bandwidth. Unfortunately, in most distributions, Squid is shipped without that feature.

So if you have Squid already installed, I must disappoint you -- you need to uninstall it and do it once again with delay pools enabled in the way I explain below.
Configuring Squid to use the delay pools feature
Solving remaining problems
OK, we have installed Squid and configured it to use delay pools. I bet nobody wants to be restricted, especially our clever LAN users. They will likely try to avoid our limitations, just to download their favourite mp3s a little faster (and thus causing your headache).

I assume that you use IP-masquerade on your LAN so that your users can use IRC, ICQ, e-mail, etc. That's OK, but we must make sure that our LAN users will use our delay pooled Squid to access web pages and use ftp.

We can solve most of these problems by using ipchains (Linux 2.2.x kernels) or iptables (Linux 2.4.x kernels).
Linux 2.2.x kernels (ipchains)
We must make sure that nobody will try to cheat and use a proxy server other than ours. Public proxies usually run on ports 3128 and 8080:

/sbin/ipchains -A input -s 192.168.1.1/24 -d ! 192.168.1.1 3128 -p TCP -j REJECT
/sbin/ipchains -A input -s 192.168.1.1/24 -d ! 192.168.1.1 8080 -p TCP -j REJECT

We must also make sure that nobody will try to cheat and connect to the internet directly (IP-masquerade) to download web pages:

/sbin/ipchains -A input -s 192.168.1.1/24 -d ! 192.168.1.1 80 -p TCP -j REDIRECT 8080

If everything is working, we add these lines to the end of our initializing scripts. Usually, it can be /etc/rc.d/rc.local.

We might think to block ftp traffic (ports 20 and 21) to force our LAN users to use Squid, but it's not a good idea for at least two reasons:

- Squid is an http proxy with ftp support, not a real ftp proxy. It can download from ftp, it can also upload to some ftp servers, but it can't delete or rename files on remote ftp servers. When we block ports 20 and 21, we won't be able to delete or rename files on remote ftp servers.
- IE5.5 has a bug -- it doesn't use a proxy to retrieve the ftp directory. Instead it connects directly via IP-masquerade. When we block ports 20 and 21, we won't be able to browse through ftp directories using IE5.5.

So, we will block excessive ftp downloads using other methods. We will deal with it in chapter 4.
Linux 2.4.x kernels (iptables)
We must make sure that nobody will try to cheat and use a proxy server other than ours. Public proxies usually run on ports 3128 and 8080 (note that with iptables "-p tcp" has to come before "--dport", because --dport belongs to the tcp match):

/sbin/iptables -A FORWARD -s 192.168.1.1/24 -d ! 192.168.1.1 -p tcp --dport 3128 -j DROP
/sbin/iptables -A FORWARD -s 192.168.1.1/24 -d ! 192.168.1.1 -p tcp --dport 8080 -j DROP

We must also make sure that nobody will try to cheat and connect to the internet directly (IP-masquerade) to download web pages:

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

If everything is working, we add these lines to the end of our initializing scripts. Usually, it can be /etc/rc.d/rc.local.

We might think to block ftp traffic (ports 20 and 21) to force our LAN users to use Squid, but it's not a good idea for at least two reasons:

- Squid is an http proxy with ftp support, not a real ftp proxy. It can download from ftp, it can also upload to some ftp servers, but it can't delete or rename files on remote ftp servers. When we block ports 20 and 21, we won't be able to delete or rename files on remote ftp servers.
- IE5.5 has a bug -- it doesn't use a proxy to retrieve the ftp directory. Instead it connects directly via IP-masquerade. When we block ports 20 and 21, our LAN users won't be able to browse through ftp directories using IE5.5.

So, we will block excessive ftp downloads using other methods. We will deal with it in chapter 4.
Dealing with Other Bandwidth-consuming Protocols Using CBQ
We must remember that our LAN users can spoil our efforts from chapter 3 if they use Napster, Kazaa or Realaudio. We must also remember that we didn't block ftp traffic in section 3.3.

We will achieve it in a different way -- not by limiting downloading directly, but rather, indirectly. If our internet device is ppp0 and our LAN device is eth0, we will limit outgoing traffic on interface eth0, and thus limit incoming traffic to ppp0.

To do it, we will get familiar with CBQ and the cbq.init script. You can obtain it from ftp://ftp.equinox.gu.net/pub/linux/cbq/. Download cbq.init-v0.6.2 and put it in /etc/rc.d/.

You will also need iproute2 installed. It comes with every Linux distribution.

Now look in your /etc/sysconfig/cbq/ directory. There, you should have an example file, which should work with cbq.init. If it isn't there, you probably don't have CBQ compiled into your kernel, nor is it present as a module. Well, in any case, just make that directory, put in the example files provided below, and see if it works for you.
FTP
In chapter 3, we didn't block ftp for two reasons -- so that we could do uploads, and so that users with buggy IE5.5 could browse through ftp directories. In all, our web browsers and ftp programs should make downloads via our Squid proxy, and ftp uploads/renaming/deleting should be made via IP-masquerade.

We create a file called cbq-10.ftp-network in the /etc/sysconfig/cbq/ directory:

# touch /etc/sysconfig/cbq/cbq-10.ftp-network

We insert the following lines into it:

DEVICE=eth0,10Mbit,1Mbit
RATE=15Kbit
WEIGHT=1Kbit
PRIO=5
RULE=:20,192.168.1.0/24
RULE=:21,192.168.1.0/24

You will find the description of these lines in the cbq.init-v0.6.2 file.

When you start the /etc/rc.d/cbq.init-v0.6.2 script, it will read your configuration, which is placed in /etc/sysconfig/cbq/:

# /etc/rc.d/cbq.init-v0.6.2 start

If everything is working, we add /etc/rc.d/cbq.init-v0.6.2 start to the end of our initializing scripts. Usually, it can be /etc/rc.d/rc.local.

Thanks to this command, your server will not send ftp data through eth0 faster than about 15 kbits/s, and thus will not download ftp data from the internet faster than 15 kbits/s. Your LAN users will see that it's more efficient to use the Squid proxy for doing ftp downloads. They will also be able to browse ftp directories using their buggy IE5.5.

There is also another bug in IE5.5 - when you right click on a file in an ftp directory and then select 'Copy To Folder', the file is downloaded not through the proxy, but directly through IP-masquerade, thus bypassing Squid with delay pools.
Napster, Realaudio, Windows Media and other issues
Here, the idea is the same as with ftp; we just add another port and set a different speed.

We create a file called cbq-50.napster-network in the /etc/sysconfig/cbq/ directory:

# touch /etc/sysconfig/cbq/cbq-50.napster-network

Put these lines into that file:

DEVICE=eth0,10Mbit,1Mbit
RATE=35Kbit
WEIGHT=3Kbit
PRIO=5
#Windows Media Player.
RULE=:1755,192.168.1.0/24
#Real Player uses TCP port 554, for UDP it uses different ports,
#but generally RealAudio in UDP doesn't consume much bandwidth.
RULE=:554,192.168.1.0/24
RULE=:7070,192.168.1.0/24
#Napster uses ports 6699 and 6700, maybe some other?
RULE=:6699,192.168.1.0/24
RULE=:6700,192.168.1.0/24
#Audiogalaxy uses ports from 41000 to as high as probably 41900,
#there are many of them, so keep in mind I didn't list all of
#them here. Repeating 900 nearly the same lines would be of course
#pointless. We will simply cut out ports 41031-41900 using
#ipchains or iptables.
RULE=:41000,192.168.1.0/24
RULE=:41001,192.168.1.0/24
#continue from 41001 to 41030
RULE=:41030,192.168.1.0/24
#Some clever users can connect to SOCKS servers when using Napster,
#Audiogalaxy etc.; it's also a good idea to do so
#when you run your own SOCKS proxy
RULE=:1080,192.168.1.0/24
#Add any other ports you want; you can easily check and track
#ports that programs use with IPTraf
#RULE=:port,192.168.1.0/24

Don't forget to cut out the remaining Audiogalaxy ports (41031-41900), using ipchains (kernels 2.2.x) or iptables (kernels 2.4.x).

Kernels 2.2.x:

/sbin/ipchains -A input -s 192.168.1.1/24 -d ! 192.168.1.1 41031:41900 -p TCP -j REJECT

Kernels 2.4.x:

/sbin/iptables -A FORWARD -s 192.168.1.1/24 -d ! 192.168.1.1 -p tcp --dport 41031:41900 -j REJECT

Don't forget to add a proper line to your initializing scripts.
Frequently Asked Questions
Is it possible to limit bandwidth on a per-user basis with delay pools?
Yes. Look inside the original squid.conf file and check the Squid documentation at http://www.squid-cache.org.
How do I make wget work with Squid?
It's simple. Create a file called .wgetrc and put it in your home directory. Insert the following lines in it and that's it!

HTTP_PROXY=192.168.1.1:8080
FTP_PROXY=192.168.1.1:8080

You can make it work globally for all users; type man wget to learn how.
I set up my own SOCKS server listening on port 1080, and now I'm not able to connect to any irc server.
There can be two issues here.

One is when your SOCKS proxy is an open relay, which means everyone can use it from any place in the world. It is a security issue and you should check your SOCKS proxy configuration again - generally irc servers don't allow open relay SOCKS servers to connect to them.

If you are sure your SOCKS server isn't an open relay, you may still be disallowed to connect to some of the irc servers - it's because mostly they just check if a SOCKS server is running on port 1080 of a client that is connecting. In that case just reconfigure your SOCKS to work on a different port. You will also have to reconfigure your LAN software to use the proper SOCKS server and port.
I don't like when Kazaa or Audiogalaxy is filling up all my upload bandwidth.
Indeed that can be painful, but it's simple to solve.

Create a file called, for example, /etc/sysconfig/cbq/cbq-15.ppp.

Insert the following lines into it, and Kazaa or Audiogalaxy will upload no faster than about 15 kbits/s. I assume that your outgoing internet interface is ppp0.

DEVICE=ppp0,115Kbit,11Kbit
RATE=15Kbit
WEIGHT=2Kbit
PRIO=5
TIME=01:00-07:59;110Kbit/11Kbit
RULE=,:21
RULE=,213.25.25.101
RULE=,:1214
RULE=,:41000
RULE=,:41001
#And so on till :41030
RULE=,:41030
My outgoing mail server is eating up all my bandwidth.
You can limit your SMTP, Postfix, Sendmail, or whatever, in a way similar to the question above. Just change or add one rule:

RULE=,:25

Moreover, if you have an SMTP server, you can force your local LAN users to use it, even though they have set up their own SMTP servers to smtp.some.server! We'll do it in the same transparent way we did before with Squid.

2.2.x Kernels:

/sbin/ipchains -A input -s 192.168.1.1/24 -d ! 192.168.1.1 25 -p TCP -j REDIRECT 25

2.4.x Kernels:

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 25

Don't forget to add a proper line to your initializing scripts.

Can I limit my own FTP or WWW server in a manner similar to the one shown in the question above?

Generally you can, but usually these servers have got their own bandwidth limiting configurations, so you will probably want to look into their documentation.
Is it possible to limit bandwidth on a per-user basis with cbq.init script?
Yes. Look inside this script; there are some examples.
Whenever I start cbq.init, it says sch_cbq is missing.
Probably you don't have CBQ as modules in your system. If you have compiled CBQ into your kernel, comment out the following lines in your cbq.init-v0.6.2 script:

### If you have cbq, tbf and u32 compiled into kernel, comment it out
#for module in sch_cbq sch_tbf sch_sfq sch_prio cls_u32; do
#    if ! modprobe $module; then
#        echo "**CBQ: could not load module $module"
#        exit
#    fi
#done
CBQ sometimes doesn't work for no reason.
Generally it shouldn't occur. Sometimes, you can observe mass downloads, though you think you have blocked all the ports Napster or Audiogalaxy use. Well, there is always one more port open for mass downloads. To find it, you can use IPTraf. As there can possibly be thousands of such ports, it can be a really hard task for you. To make it easier, you can consider running your own SOCKS proxy - Napster, Audiogalaxy and many other programs can use SOCKS proxies, so it's much easier to deal with just one port than with thousands of possibilities (the standard SOCKS port is 1080; if you run your own SOCKS proxy server, you will be able to set it up differently, or run multiple instances of the SOCKS proxy listening on different ports). Don't forget to close all other ports for traffic, and leave open ports like 25 and 110 (SMTP and POP3), and others you think might be useful. You will find a link to the awesome Nylon socks proxy server at the end of this HOWTO.
Delay pools are stupid; why can't I download something at full speed when the network is used only by me?
Unfortunately, you can't do much about it.

The only thing you can do is to use cron and reconfigure it, for example, at 1.00 am, so that Squid won't use delay pools, then reconfigure it again, let's say at 7.30 am, to use delay pools.

To do this, create two separate config files, called for example squid.conf-day and squid.conf-night, and put them into /opt/squid/etc/.

squid.conf-day would be the exact copy of the config we created earlier. squid.conf-night, on the contrary, would not have any delay pool lines, so all you have to do is to comment them out.

The next thing you have to do is to set up the /etc/crontab entries correctly. Edit /etc/crontab and put the following lines there:

#SQUID - night and day config change
01 9 * * * root /bin/cp -f /opt/squid/etc/squid.conf-day /opt/squid/etc/squid.conf; /opt/squid/bin/squid -k reconfigure
59 23 * * * root /bin/cp -f /opt/squid/etc/squid.conf-night /opt/squid/etc/squid.conf; /opt/squid/bin/squid -k reconfigure
My downloads break at 23:59 with "acl day time 09:00-23:59" in squid.conf. Can I do something about it?
You can achieve this by removing that acl from your squid.conf, and the lines "delay_access 2 allow dzien" and "delay_access 2 deny !dzien" as well. Then try to do it with cron as in the question above.
Squid's logs grow and grow very fast, what can I do about it?
Indeed, the more users you have, the more - sometimes useful - information will be logged. The best way to keep this under control is to use logrotate, but you have to do a little trick to make it work with Squid: proper cron and logrotate entries.

/etc/crontab entries:

#SQUID - logrotate
01 4 * * * root /opt/squid/bin/squid -k rotate; /usr/sbin/logrotate /etc/logrotate.conf; /bin/rm -f /var/log/squid/*.log.0

Here we have caused logrotate to start daily at 04:01 am, so remove any remaining logrotate starting points, for example from /etc/cron.daily/. The "squid -k rotate" step is what makes this work: Squid keeps its log files open, so logrotate must not rename them behind its back. Instead Squid itself closes them, renames them to *.log.0 and opens fresh ones, and only then does logrotate take over the *.log.0 copies.

/etc/logrotate.d/syslog entries:

#SQUID logrotate - will keep logs for 40 days
/var/log/squid/*.log.0 {
    rotate 40
    compress
    daily
    postrotate
        /usr/bin/killall -HUP syslogd
    endscript
}

The postrotate HUP of syslogd comes from the syslog stanza this block sits next to; it is harmless, but Squid's own files have already been closed and reopened by "squid -k rotate", so it is not what makes Squid's logs rotate.
CBQ is stupid; why can't I download something at full speed when the network is used only by me?
Lucky you, it's possible! There are two ways to achieve it.

The first is the easy one, similar to the solution we've made with Squid. Insert a line similar to the one below into your CBQ config files placed in /etc/sysconfig/cbq/:

TIME=00:00-07:59;110Kbit/11Kbit

You can have multiple TIME parameters in your CBQ config files. Be careful though, because there is a small bug in the cbq.init-v0.6.2 script - it won't let you set certain times, for example 00:00-08:00! The script does shell arithmetic on the hour and minute fields, and the shell reads a number with a leading zero as octal, so the values 08 and 09 are rejected (that is what the "value too great for base" error below means). To make sure everything is working correctly, start cbq.init-v0.6.2, and then, within the time range you set, type:

/etc/rc.d/cbq.init-v0.6.2 timecheck

This is an example of how the proper output should look:

[root@mangoo rc.d]# ./cbq.init start; ./cbq.init timecheck
**CBQ: 3:44: class 10 on eth0 changed rate (20Kbit -> 110Kbit)
**CBQ: 3:44: class 40 on ppp0 changed rate (15Kbit -> 110Kbit)
**CBQ: 3:44: class 50 on eth0 changed rate (35Kbit -> 110Kbit)

In this example something went wrong, probably in the second config file placed in /etc/sysconfig/cbq/ (second counting from the lowest number in its name):

[root@mangoo rc.d]# ./cbq.init start; ./cbq.init timecheck
**CBQ: 3:54: class 10 on eth0 changed rate (20Kbit -> 110Kbit)
./cbq.init: 08: value too great for base (error token is "08")

The second way to make CBQ more intelligent is harder - it doesn't depend on time. You can read about it in the Linux 2.4 Advanced Routing HOWTO, and play with the tc command.
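The "value too great for base" error above is worth seeing in isolation, because the same trap waits in any shell script that does arithmetic on HH:MM fields. The following script is an added example, not code from cbq.init: naive_minutes reproduces the bug, safe_minutes shows the fix, and parse_time_spec and in_window use it to read a TIME= setting of the form shown above and to decide, the way timecheck does, whether a rate applies at a given moment. All four function names are this example's own.

```shell
#!/bin/sh
# Added example for this HOWTO, not code from cbq.init: parsing a cbq.init-style
# TIME=HH:MM-HH:MM;RATE/WEIGHT setting without the leading-zero bug.
# $(( )) reads a number that starts with 0 as octal, so 08 and 09 are
# "value too great for base": exactly the error shown in the timecheck output
# above. Stripping the leading zero first makes every field decimal.

# naive_minutes HH:MM -> minutes since midnight, feeding the raw fields to
# $(( )). Works for 07:59, fails for 08:00 and 09:00 (octal parse error).
naive_minutes() {
    h=${1%%:*}
    m=${1#*:}
    echo $(( h * 60 + m ))
}

# safe_minutes HH:MM -> minutes since midnight; a leading zero is removed
# from each field first (00 -> 0, 08 -> 8, 10 -> 10), so 00:00-08:00 is fine.
safe_minutes() {
    h=${1%%:*}
    m=${1#*:}
    h=${h#0}
    m=${m#0}
    echo $(( h * 60 + m ))
}

# parse_time_spec "HH:MM-HH:MM;RATE/WEIGHT"
#   Prints "START END RATE WEIGHT" with START/END in minutes since midnight,
#   or returns 1 (with a message on stderr) if the spec is not in that form.
parse_time_spec() {
    spec="$1"
    range=${spec%%";"*}
    rw=${spec#*";"}
    case "$range" in
        [0-9][0-9]:[0-9][0-9]-[0-9][0-9]:[0-9][0-9]) ;;
        *) echo "bad TIME range: $range" >&2; return 1 ;;
    esac
    case "$rw" in
        *bit/*bit) ;;
        *) echo "bad RATE/WEIGHT: $rw" >&2; return 1 ;;
    esac
    echo "$(safe_minutes "${range%-*}") $(safe_minutes "${range#*-}") ${rw%/*} ${rw#*/}"
}

# in_window HH:MM START END -> true (0) if the time falls inside [START,END]
#   given in minutes since midnight, inclusive; false (1) otherwise. This is
#   the decision timecheck makes for every TIME line.
in_window() {
    now=$(safe_minutes "$1")
    [ "$now" -ge "$2" ] && [ "$now" -le "$3" ]
}

# Stand-alone demo: the very spec the bug rejects, parsed correctly.
if [ "${1:-}" = "demo" ]; then
    parse_time_spec "00:00-08:00;110Kbit/11Kbit"
fi
```

Run it as "sh script.sh demo" to see "0 480 110Kbit 11Kbit"; the same leading-zero strip applied inside cbq.init's time handling is all the fix for 00:00-08:00 needs.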
Miscellaneous
Useful resources
Squid Web Proxy Cache
http://www.squid-cache.org

Squid 2.4 Stable 1 Configuration manual
http://www.visolve.com/squidman/Configuration%20Guide.html
http://www.visolve.com/squidman/Delaypool%20parameters.htm

Squid FAQ
http://www.squid-cache.org/Doc/FAQ/FAQ-19.html#ss19.8

cbq-init script
ftp://ftp.equinox.gu.net/pub/linux/cbq/

Linux 2.4 Advanced Routing HOWTO
http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html

Traffic control (in Polish)
http://ceti.pl/~kravietz/cbq/

Securing and Optimizing Linux Red Hat Edition - A Hands on Guide
http://www.linuxdoc.org/guides.html

IPTraf
http://cebu.mozcom.com/riker/iptraf/

IPCHAINS
http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html

Nylon socks proxy server
http://mesh.eecs.umich.edu/projects/nylon/

Indonesian translation of this HOWTO by Rahmat Rafiudin (mjl_id@yahoo.com)
http://raf.unisba.ac.id/resources/BandwidthLimitingHOWTO/index.html