How to avoid my bandwidth being bombarded with mp3 traffic
Release 1, 15th December 2002

Preface: It can be frustrating when it takes more than a minute to get a text page, or hours to get a new security patch or to download a tool for your work (assuming it is an "optimal/professional" web server we are connecting to).
What is happening: a networking guy sniffing with a smart tool will quickly tell you that your network is being bombed with mp3 and avi missiles. Oh no, it is not fair; if they want mp3s they must do it in Iraq (oh no, I mean after working hours :-) ).
Is there a way out of this mess? Luckily some smart guys created a tool for it some time ago. May I introduce the one and only SQUID, which we most often hear of as a proxy.
With the right setup squid can be used as a bandwidth control for different departments and different file types. Let's take an example: we want to reduce the bandwidth (let's say to 100 bytes/s, meaning it takes more than 11 h to download an mp3 file :-). OK, we are not so strict: we drop the bandwidth limiting after 5 pm, at which time I think they deserve some goodies from the company) when a user downloads an mp3 file or an iso file, but not for the other file types, such as text or html. And we want to make an exception for all those hard-working developers; they must not suffer when they download tools from the internet.
And what more do we want? We want to make sure all browsers/clients go through the proxy (a so-called transparent proxy), even though we don't bother to configure each browser, and even if a smart user turns off the proxy setting in his browser.
Is it easy? Squid is very easy to use and work with if you have an understanding of packet filtering. But don't worry, there is plenty of material about iptables on the net.
Assumptions and what you need: You should have a working Apache and a working masquerading iptables setup (you can use firestarter or one of the many products from the net). Let's assume you have two network segments, 192.168.0.0 and 192.168.1.0 (the latter is for the development department), and that the Linux server (with apache, iptables and squid) has two network cards, eth0 and eth1. eth0 is assigned the public IP address 168.24.5.99 on the 1024 kbit/s (128 Kbytes/s) internet link, and eth1 has 192.168.0.1, connecting to your internal network.
Let's turn on the music: Install squid from the Red Hat 8 RPM package. The package is already compiled with the special options we need (filtering and delay pools; see squid.spec in the source package).
You need the following directives, configured in /etc/squid/squid.conf:

acl localnet src 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0
http_access allow localnet

(the http_access line must appear BEFORE the line "http_access deny all")

To get the transparent proxy working (see above if you don't remember what it is), add the following lines too:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Let's add the rules (at the bottom of squid.conf); the numbers in front are only for the explanation below.

1. acl day time 09:00-16:59
2. acl filetype url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov
3. acl user src 192.168.0.0/24
4. acl superuser src 192.168.1.0/24
5. delay_pools 1
6. delay_class 1 2
7. delay_parameters 1 -1/-1 100/6000
8. delay_access 1 allow day filetype user

Line 1 defines the time during which we want the bandwidth limiting turned on; line 2 defines the file types whose bandwidth usage we want to reduce. Lines 3 and 4 are access control lists, in this case two different groups: one for the developers and the other for the rest of the company. delay_pools is the directive that turns on the bandwidth-limiting function in SQUID; we create one delay pool on line 5.

There are three classes for a pool: class 1 is a single aggregate bucket, class 2 is class 1 with an individual (per-host) bucket appended, and class 3 is class 2 with a network bucket (keyed on bits 17-24 of the IP address) appended. We choose class 2 (line 6). Line 7 has four columns: column one is the directive, column two is the one pool we created on line 5, and columns three and four are the class 2 parameters, which define the bandwidth we wish to use.

Let's look at column four on line 7: 100/6000 means the output from this individual bucket is ONLY 100 bytes/s, and the bucket holds a maximum of 6000 bytes (it is enough for 60 min, and we can use the bandwidth for something else in the meantime). -1/-1 means unlimited; in our case, if the file we download does not belong to the file types defined on line 2, the download stream to the user's browser comes unlimited from this bucket at the maximum speed of 128 Kbytes/s (our bandwidth to the internet, see the assumptions).

Line 8 is the heart of the bandwidth limiting; use this directive to turn on the limit. Column two is the only pool we have. Columns 3, 4, 5 and 6 contain the definitions from the other lines. It works like an AND operator, so line 8 is only valid/true IF all four conditions are true. Notice I don't need to use line 4, the definition for the development department.

Before we can start the squid service, execute the next line on a console. The line is for the transparent proxy. It is configured with the interface facing the intranet, which from the assumptions is eth1.

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

This line can be put in the file /etc/rc.d/rc.local so that it is run at the next reboot.

Start squid with:

squid -z

and then

squid -NCd1

Testing & troubleshooting: Do remember to replace the configuration above with the one for your network. When testing the bandwidth limiting you need to do it from another PC, not the one running squid. Use tcpdump or snort to troubleshoot if you can't "feel" the limit. Below is the first packet from a client (192.168.0.122) to a web site 123.45.6.77; the packet goes through the proxy server (168.24.5.99, our public IP address) on port 3128.

12/14-12:50:09.760925 01:0:AD:82:76:A9 -> 0C:4:A2:0:BD:71 type:0x800 len:0x4A
192.168.0.122:1182 -> 168.24.5.99:3128 TCP TTL:64 TOS:0x0 ID:46585 DF
**S***** Seq: 0xB4A56109 Ack: 0x0 Win: 0x16D0
TCP Options => MSS: 1460 SackOK TS: 3265776 0 NOP WS: 0

When you are satisfied with the configuration, you can run squid with "service squid start", or use chkconfig to have it run at boot.

For tuning your proxy and how to use many of the other options, please read the SQUID FAQ (in /usr/share/doc), Tomasz Chmielewski's "Bandwidth Limiting HOWTO" and Daniel Kiracofe's "Transparent Proxy with Linux and Squid mini-HOWTO" from HOWTO, the missing link.

Enjoy and have unlimited luck.
Copenhagen, December 2002, Tuan Nguyen
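The following is an added example, not code from the article or from the Squid project. It re-implements in Python how line 8 (delay_access 1 allow day filetype user) decides which requests land in the delay pool: the four ACLs from lines 1-4 are transcribed as data, and a delay_access line is true only when every ACL named on it matches (the AND described above). It is a simplification of Squid's matcher (one client request at a time, minute-level time ACL, no delay_class or delay_parameters modelled) and the sample requests are constructed. One caveat a practitioner should know: url_regex patterns are regular expressions, so the unescaped "." in ".mp3" matches any character and "ftp" matches anywhere in the URL; the last sample request shows an html page being throttled for that reason, and writing the pattern as \.mp3$ would be stricter.

```python
import re
import ipaddress
from datetime import time

# ACLs from the page's squid.conf (lines 1-4), transcribed as data:
# 'day' is a time ACL, 'filetype' a case-insensitive url_regex ACL,
# 'user' and 'superuser' are src ACLs.
FILETYPE_PATTERNS = ("ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg "
                     ".mpe .mpg .qt .ram .rm .iso .raw .wav .mov").split()

ACLS = {
    "day": ("time", "09:00-16:59"),
    "filetype": ("url_regex", FILETYPE_PATTERNS),
    "user": ("src", ["192.168.0.0/24"]),
    "superuser": ("src", ["192.168.1.0/24"]),
}

# Line 8, "delay_access 1 allow day filetype user", as (pool, action, ACL names).
DELAY_ACCESS = [(1, "allow", ["day", "filetype", "user"])]


def parse_time_range(spec):
    """'09:00-16:59' -> (time(9, 0), time(16, 59))."""
    start, end = spec.split("-")
    h1, m1 = map(int, start.split(":"))
    h2, m2 = map(int, end.split(":"))
    return time(h1, m1), time(h2, m2)


def acl_matches(name, request):
    """Evaluate one ACL: any of its listed values matching is a hit."""
    kind, value = ACLS[name]
    if kind == "time":
        lo, hi = parse_time_range(value)
        return lo <= request["time"] <= hi
    if kind == "url_regex":
        # -i makes every pattern case-insensitive.  '.' is a regex
        # metacharacter, so '.mp3' also matches 'amp3' in a path.
        return any(re.search(p, request["url"], re.IGNORECASE) for p in value)
    if kind == "src":
        addr = ipaddress.ip_address(request["src"])
        return any(addr in ipaddress.ip_network(n) for n in value)
    raise ValueError("unknown acl type %s" % kind)


def delay_pool_for(request, rules=DELAY_ACCESS):
    """Return the delay pool number that applies, or None (not delayed).

    All ACLs on one delay_access line are ANDed.  For each pool the first
    matching line decides allow/deny; a request matching no line is not delayed.
    """
    decided = set()
    for pool, action, acl_names in rules:
        if pool in decided:
            continue
        if all(acl_matches(a, request) for a in acl_names):
            decided.add(pool)
            if action == "allow":
                return pool
    return None


def classify(src, url, hhmm):
    """Convenience wrapper: client address, URL and wall-clock time -> pool."""
    h, m = map(int, hhmm.split(":"))
    return delay_pool_for({"src": src, "url": url, "time": time(h, m)})


if __name__ == "__main__":
    # Constructed sample requests against the page's example web site.
    for src, url, at in [
        ("192.168.0.122", "http://123.45.6.77/music/song.mp3", "10:30"),   # throttled
        ("192.168.1.5", "http://123.45.6.77/music/song.mp3", "10:30"),     # developer
        ("192.168.0.122", "http://123.45.6.77/music/song.mp3", "17:30"),   # after hours
        ("192.168.0.122", "http://123.45.6.77/index.html", "10:30"),       # html
        ("192.168.0.122", "http://123.45.6.77/lamp3/manual.html", "10:30"),  # regex caveat
    ]:
        print("%-14s %-40s %s -> pool %s" % (src, url, at, classify(src, url, at)))
```

The developer's request is left alone not because line 4 is used anywhere, but because the "user" ACL on line 8 fails for 192.168.1.x, which is exactly the point the article makes about not needing line 4.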
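As a second added example (again not the article's or Squid's own code), here is a token-bucket model of the class 2 pool configured on line 7, delay_parameters 1 -1/-1 100/6000, so the effect of the restore/max numbers can be checked with real file sizes. Assumptions, stated in the code as well: whole-second ticks, a single client, buckets start full (in Squid the starting level is set by delay_initial_bucket_level), the 128 Kbytes/s link cap from the page's assumptions, and a constructed 4 MB mp3 as the sample download. Two things worth noticing from the numbers: a 4 MB file takes about 11.1 hours at 100 bytes/s, matching the article's estimate, and an empty 6000-byte bucket refills at 100 bytes/s in 6000/100 = 60 seconds.

```python
# Model of a Squid class 2 delay pool: one aggregate bucket for the pool plus
# one individual bucket per client host.  Each bucket is "restore/max":
# restore bytes are added every second, the level never exceeds max, and
# -1/-1 means the bucket imposes no limit.  Simplified model, added here for
# illustration: one client, whole-second ticks, buckets start full.

LINK_BYTES_PER_SEC = 128 * 1024   # the 1024 kbit/s uplink from the page's assumptions


class Bucket:
    """Token bucket counted in bytes; a negative restore or max means unlimited."""

    def __init__(self, restore, maximum, initial_fill=1.0):
        self.unlimited = restore < 0 or maximum < 0
        if not self.unlimited and restore == 0:
            raise ValueError("a bucket with restore 0 would never refill")
        self.restore = restore
        self.maximum = maximum
        self.level = 0 if self.unlimited else int(maximum * initial_fill)

    def available(self):
        return float("inf") if self.unlimited else self.level

    def take(self, n):
        if not self.unlimited:
            self.level -= n

    def tick(self):
        """One second passes: add restore bytes, capped at max."""
        if not self.unlimited:
            self.level = min(self.maximum, self.level + self.restore)


def parse_params(spec):
    """'100/6000' -> (100, 6000); '-1/-1' -> (-1, -1)."""
    restore, maximum = spec.split("/")
    return int(restore), int(maximum)


def download_seconds(size_bytes, aggregate="-1/-1", individual="100/6000",
                     delayed=True, link_rate=LINK_BYTES_PER_SEC, initial_fill=1.0):
    """Whole seconds needed to move size_bytes to one client through the pool.

    delayed=False models a request that did not match delay_access (an html
    page, a developer's download) and therefore only sees the raw link speed.
    """
    if not delayed:
        return -(-size_bytes // link_rate)   # ceiling division
    agg = Bucket(*parse_params(aggregate), initial_fill)
    ind = Bucket(*parse_params(individual), initial_fill)
    remaining, seconds = size_bytes, 0
    while remaining > 0:
        # The client may send the smallest of: link speed, both bucket levels,
        # and what is left of the file.
        allowed = int(min(link_rate, agg.available(), ind.available(), remaining))
        agg.take(allowed)
        ind.take(allowed)
        remaining -= allowed
        seconds += 1
        agg.tick()
        ind.tick()
    return seconds


def refill_seconds(spec):
    """Seconds for an empty bucket to fill back up to max at its restore rate."""
    restore, maximum = parse_params(spec)
    return -(-maximum // restore)


if __name__ == "__main__":
    mp3 = 4_000_000   # constructed: a roughly 4 MB mp3 file
    print("mp3 through pool 1:      %.2f hours" % (download_seconds(mp3) / 3600))
    print("same mp3, not delayed:   %d s" % download_seconds(mp3, delayed=False))
    print("10 kB html, not delayed: %d s" % download_seconds(10_000, delayed=False))
    print("bucket refill 100/6000:  %d s" % refill_seconds("100/6000"))
```

Changing the individual parameter (for example to "100/60000") or initial_fill (0.5 is a common Squid default) in the calls above shows how much burst the first seconds of a download get before the 100 bytes/s rate takes over.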