Dealing with Other Bandwidth-consuming Protocols Using CBQ

4. Dealing with Other Bandwidth-consuming Protocols Using CBQ

We must remember that our LAN users can spoil our efforts from chapter 3, if they use Napster, Kazaa or Realaudio. We must also remember that we didn't block ftp traffic in section 3.3.

We will handle this in a different way -- not by limiting downloads directly, but indirectly. If our internet device is ppp0 and our LAN device is eth0, we will limit outgoing traffic on interface eth0, and thus limit incoming traffic on ppp0.

To do this, we will get familiar with CBQ and the cbq.init script. You can obtain it from ftp://ftp.equinox.gu.net/pub/linux/cbq/. Download cbq.init-v0.6.2 and put it in /etc/rc.d/.

You will also need iproute2 installed. It comes with every Linux distribution.

Now look in your /etc/sysconfig/cbq/ directory. There, you should have an example file, which should work with cbq.init. If it isn't there, you probably have CBQ neither compiled into your kernel nor present as modules. In any case, just make that directory, put the example files provided below into it, and see if it works for you.

4.1. FTP

In chapter 3, we didn't block ftp for two reasons -- so that we could do uploads, and so that users with buggy IE5.5 could browse through ftp directories. In all, our web browsers and ftp programs should make downloads via our Squid proxy and ftp uploads/renaming/deleting should be made via IP-masquerade.

We create a file called cbq-10.ftp-network in the /etc/sysconfig/cbq/ directory:

# touch /etc/sysconfig/cbq/cbq-10.ftp-network

We insert the following lines into it:

DEVICE=eth0,10Mbit,1Mbit
RATE=15Kbit
WEIGHT=1Kbit
PRIO=5
RULE=:20,192.168.1.0/24
RULE=:21,192.168.1.0/24

You will find the description of these lines in the cbq.init-v0.6.2 file.

When you start /etc/rc.d/cbq.init-v0.6.2 script, it will read your configuration, which is placed in /etc/sysconfig/cbq/:

# /etc/rc.d/cbq.init-v0.6.2 start

If everything is working, add /etc/rc.d/cbq.init-v0.6.2 start to the end of your initializing scripts. Usually, this can be /etc/rc.d/rc.local.

Thanks to this command, your server will not send ftp data through eth0 faster than about 15kbits/s, and thus will not download ftp data from the internet faster than 15kbits/s. Your LAN users will see that it's more efficient to use the Squid proxy for ftp downloads. They will also be able to browse ftp directories using their buggy IE5.5.

There is also another bug in IE5.5 - when you right click on a file in an ftp directory and then select 'Copy To Folder', the file is downloaded not through the proxy, but directly through IP-masquerade, thus bypassing Squid with its delay pools.

4.2. Napster, Realaudio, Windows Media and other issues

Here, the idea is the same as with ftp; we just add another port and set a different speed.

We create a file called cbq-50.napsterandlive in the /etc/sysconfig/cbq/ directory:

# touch /etc/sysconfig/cbq/cbq-50.napsterandlive

Put these lines into that file:

DEVICE=eth0,10Mbit,1Mbit
RATE=35Kbit
WEIGHT=3Kbit
PRIO=5
#Windows Media Player.
RULE=:1755,192.168.1.0/24
#Real Player uses TCP port 554, for UDP it uses different ports,
#but generally RealAudio in UDP doesn't consume much bandwidth.
RULE=:554,192.168.1.0/24
RULE=:7070,192.168.1.0/24
#Napster uses ports 6699 and 6700, maybe some other?
RULE=:6699,192.168.1.0/24
RULE=:6700,192.168.1.0/24
#Audiogalaxy uses ports from 41000 to as high as probably 41900,
#there are many of them, so keep in mind I didn't list all of
#them here. Repeating 900 nearly the same lines would be of course
#pointless. We will simply cut out ports 41031-41900 using
#ipchains or iptables.
RULE=:41000,192.168.1.0/24
RULE=:41001,192.168.1.0/24
#continue from 41001 to 41030
RULE=:41030,192.168.1.0/24
#Some clever users can connect to SOCKS servers when using Napster,
#Audiogalaxy etc.; it's also a good idea to do so
#when you run your own SOCKS proxy
RULE=:1080,192.168.1.0/24
#Add any other ports you want; you can easily check and track
#ports that programs use with IPTraf
#RULE=:port,192.168.1.0/24

Don't forget to cut out the remaining Audiogalaxy ports (41031-41900), using ipchains (kernels 2.2.x) or iptables (kernels 2.4.x).

Kernels 2.2.x.

/sbin/ipchains -A input -s 192.168.1.1/24 -d ! 192.168.1.1 41031:41900 -p TCP -j REJECT

Kernels 2.4.x.

/sbin/iptables -A FORWARD -p TCP -s 192.168.1.1/24 -d ! 192.168.1.1 --dport 41031:41900 -j REJECT

Don't forget to add a proper line to your initializing scripts.
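
The class file in section 4.2 leaves ports 41001 to 41030 to be typed by hand, and a RULE whose address is not the LAN network simply never matches, so that port goes unshaped. The following is an added example, not part of the original HOWTO or of cbq.init: it generates the RULE lines for a port range and lists any RULE in a class file that does not point at the LAN. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names and the sample file are constructed.
LAN=192.168.1.0/24

# Print one "RULE=:<source port>,<lan>" line per port in [first,last].
cbq_port_rules() {
    first=$1 last=$2 lan=$3
    p=$first
    while [ "$p" -le "$last" ]; do
        printf 'RULE=:%d,%s\n' "$p" "$lan"
        p=$((p + 1))
    done
}

# Print each RULE line in class file $1 whose destination is not $2.
# Commented-out rules are skipped. Returns 1 if any stray rule is found.
cbq_stray_rules() {
    awk -F, -v lan="$2" '
        /^RULE=/ {
            dst = $NF
            sub(/^RULE=/, "", dst)
            if (dst != lan) { print FILENAME ":" NR ": " $0; bad = 1 }
        }
        END { exit bad + 0 }' "$1"
}

# Constructed sample class file; the 7070 rule has a mistyped network.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
{
    printf 'DEVICE=eth0,10Mbit,1Mbit\nRATE=35Kbit\nWEIGHT=3Kbit\nPRIO=5\n'
    printf 'RULE=:554,%s\n' "$LAN"
    printf 'RULE=:7070,192.169.1.0/24\n'
    cbq_port_rules 41000 41030 "$LAN"
} > "$sample"

cbq_stray_rules "$sample" "$LAN" ||
    echo "correct the lines above before running cbq.init start"
```

To use it on a real class file, append the output of cbq_port_rules to the file and run cbq_stray_rules on it before starting cbq.init.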

    