Re: Throttle Users

I'm not very familiar with IOS but I think you can do a port 80 redirect for certain ACLs fairly easily, then you will only need a working apache/thttpd box. Much simpler setup.

--Adrian.

At 03:01 PM 11/29/2005, David Ziggy Lubowa wrote:

All sounds good ... but this will be a separate box, meaning I could do policy
routing off the router with a route-map, then it hits box X, and after that the
policies below fall into place ... does that work?


cheers


On Tuesday 29 November 2005 13:34, Adrian C. wrote:
> Hello.
>
> On Linux you could do
> iptables -t nat -I PREROUTING -p tcp --dport 80 -s source_ip -j DNAT --to-destination apache_running_machine:80
> iptables -I FORWARD -s source_ip -p tcp --dport 53 -j ACCEPT
> iptables -I FORWARD -s source_ip -p udp --dport 53 -j ACCEPT
>
> considering you don't have a DROP policy, or else you're gonna need to
> pass DNS both ways. Without DNS resolving I had problems reaching the
> page. For example: client tries to reach google.com, browser just
> hits timeout -> page cannot be reached. The request won't reach
> redirect if DNS is blocked.
>
> on *BSD running ipf
> rdr fxp0  source_ip/32 port 80 -> apache_running_machine port 80
>
> or if using ipfw
> ipfw add 200 divert 80 tcp from source_ip to apache_running_machine 80 via whateverif0
>
> Again make sure firewall rules do not block client's DNS requests.
>
> For the bandwidth shaping you need a queue with very tiny bandwidth
> figures and just throw every bad payer in. Look for ALTQ on
> Open/NetBSD or dummynet on FreeBSD, cbq/htb on linux.
>
>
> --Adrian.
>
> At 11:56 AM 11/29/2005, you wrote:
> >Hey guys ..
> >
> >
> >Anyone got any ideas on this? I would like, in the most primitive way for
> >now, to be able to have users who have not paid their bill be redirected to
> >a page and also not be able to use any of my bandwidth, say put a minimum
> >of 8k. Anyone got any ideas?
> >
> >
> >I have a PIX 515E, Packeteer and a few Cisco routers and *nix boxes to play
> >with; which would be appropriate?
> >
> >cheers
> >
> >
> >
> >
> >--
> >
> >  --
> >Fanaticism consists of redoubling your effort when you have forgotten your
> >aim.
> >           -- George Santayana
> >-
> >: send the line "unsubscribe linux-admin" in
> >the body of a message to majordomo@xxxxxxxxxxxxxxx
> >More majordomo info at  http://vger.kernel.org/majordomo-info.html

--

 --
Fanaticism consists of redoubling your effort when you have forgotten your
aim.
          -- George Santayana
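
The Linux approach from the thread (port 80 DNAT plus DNS pass-through, and one htb class for the throttling), put together as an added example that is not part of the original messages. The portal address, interface name, link speed and the reading of "8k" as 8 kbit/s are assumptions.

```shell
#!/bin/sh
# Added example: print (not run) the rules for each unpaid client so they
# can be reviewed first; pipe the output to "sh" as root to apply them.
# All values below are assumptions, not taken from the thread.
PORTAL="192.0.2.80"   # web server showing the payment page (constructed)
LAN_IF="eth1"         # interface facing the customers (assumed)
LINK_RATE="100mbit"   # speed of that interface (assumed)
SLOW_RATE="8kbit"     # the "8k" from the question, read as 8 kbit/s

valid_ipv4() {
    # Accept only dotted-quad addresses, so a malformed entry in the client
    # list can never end up inside a generated command.
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

gen_rules() {
    # One shared, very small HTB class for every unpaid client; everybody
    # else falls into the default class 1:10.
    echo "tc qdisc add dev $LAN_IF root handle 1: htb default 10"
    echo "tc class add dev $LAN_IF parent 1: classid 1:10 htb rate $LINK_RATE"
    echo "tc class add dev $LAN_IF parent 1: classid 1:20 htb rate $SLOW_RATE ceil $SLOW_RATE"
    for ip in "$@"; do
        if ! valid_ipv4 "$ip"; then
            echo "skipping invalid address: $ip" >&2
            continue
        fi
        # Redirect the client's web traffic to the portal and keep DNS working,
        # otherwise the browser times out before the redirect is ever reached.
        echo "iptables -t nat -I PREROUTING -p tcp --dport 80 -s $ip -j DNAT --to-destination $PORTAL:80"
        echo "iptables -I FORWARD -s $ip -p tcp --dport 53 -j ACCEPT"
        echo "iptables -I FORWARD -s $ip -p udp --dport 53 -j ACCEPT"
        # Traffic towards the client leaves on LAN_IF: put it in the slow class.
        echo "tc filter add dev $LAN_IF parent 1: protocol ip prio 1 u32 match ip dst $ip/32 flowid 1:20"
    done
}

# Usage: sh throttle.sh 192.0.2.10 192.0.2.11   (file name is hypothetical)
[ "$#" -eq 0 ] || gen_rules "$@"
```

The htb class only shapes traffic going out of LAN_IF towards the client; uploads from the client are not limited by these rules.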

