Something that I've found in FC1 is cbq, part of the shapecfg package
(and needs iproute I believe). Basically it uses tc to control
traffic. It may help out with much of this without having to grab/find
other software, allowing you to keep it updated with existing fc1
repositories.

I've begun playing with it myself in my spare time and suggest you read
/sbin/cbq (large, fairly well documented bash script). Can't provide
any help yet though.

Ron

Rodolfo J. Paiz kirjoitti viestiss??n (l?hetysaika keskiviikko,
If running out of PCI slots is the problem, there are dual and
quad port Ethernet adapters, e.g from Intel:
http://www.intel.com/network/connectivity/products/pro100dport_adapter.htm
http://www.intel.com/network/connectivity/products/pro1000mt_quad_server_adapter.htm

However, five regular adapters will be cheaper.

Not necessary to use that many adapters, It can easily be done on 2,
one for the internet and one for the LAN.

Linux can run multiple IPs on a single adapter by using aliases in the
config, and then using the traffic shaper utils you can set bandwidth
for each.
The only real problem will come in if they decide to snoop and since
with this method they would all be on the same physical network they
might find the other machines.

You could thus use 192.168.2.X for one, 192.168.3.X for another, etc.
The command to set up an alias (virtual interface) on a nic is simple.
Use the same ifconfig command you would otherwise use but the interface
is listed as eth0:1, eth0:2, etc.
The files in /etc/sysconfig/network-scripts can be configured for each
virtual interface you use, or it can be put in /etc/rc.local if you want.

Then the firewall with iptables can be used to handle NAT, forwarding,
and with the options for specifying the mac address of a connection you
can even make sure you do not yourself allow them to communicate
directly and you would know if they tried to add additional machines..
The traffic shaper tools can do this AFAIK.
Someone else will have to answer this
provide each user/client with an ftp directory they can log into as a
user. by default vsftp provides a chroot jail for them.

Why not just use a router / switch?
Thus it reduces the nic's down to two: one for the wan and one for the lan.
Jay
Rodolfo J. Paiz kirjoitti viestiss??n (l?hetysaika keskiviikko,

You should try ProFTPd (http://www.proftpd.org/). There configuration is
similar to apache where you can create virtual FTP servers for each IP
address. I've been using this program for years on my office network and it
is always running perfect.

Hey...

I have no idea of which FM to R here, so I will happily accept pointers to
good documentation and HOWTO documents. Any other help is also welcome, as
I will need to solve this problem very soon. The problem is this:

My small business is one of four tenants in a small building. The other
three have agreed to allow me to buy one big connection and then resell
service to them, such that they get a better price and I get to subsidize
my own Internet service. However, while I *could* set this up quickly
without any controls, they each want different service levels and amounts
of bandwidth and will be paying different prices, so I want to do this
properly.

The firewall/gateway will run Fedora Core 1. I think I need *five* Ethernet
adapters in the server (eth0 to the ISP, and eth1-eth4 to the four tenants)
so that each client is properly isolated into their own network and cannot
access the other clients' computers. If there is a way to do this securely
and safely without a gaggle of Ethernet cards, please do tell! I can think
of doing this with 801.2q VLAN tagging, but that requires a managed switch
which is far more expensive. It seems to me that multiple Ethernet cards
are the simplest *and* cheapest way to do it.

I know how to provide masquerading, firewall, gateway, DNS, DHCP, NTP, and
other services. What I don't know how to do is the following:

1. Required: Limit the total bandwidth a client can use to either
128 Kbps or 256 Kbps.

2. Optional: Allow each client to exceed their limit if no one
else is using the space. That is, a customer who stays late when all other
offices are gone for the night, or someone who gets lucky that no one else
is using the Net at that particular moment, could get access to the entire
Internet connection (say, 512 Kbps). But if everyone is using the bandwidth
simultaneously, then each would get their fair share (what they paid for
and I provide, proportionately).

3. Optional: Even though traffic *through* the server (client
connecting to Internet) should be throttled and limited, it would be ideal
for traffic *to* the server (client connecting to the firewall) to have
full 100 Mbps link speed. This would allow me to download the FC2 ISO
images to the server at night, for example, and then let clients grab them
at 100 Mbps over the internal network instead of having that internal
download also throttled to 256 Kbps.

4. Optional: Provide each tenant with an FTP-served directory on
the server which can *only* be accessed from their network. So if they pull
down the confidential something or their wife's nude pictures, other
tenants cannot get at that information.

Can someone offer some hints, pointers, suggestions, or magic beans?

Thanks in advance!

Something that I've found in FC1 is cbq, part of the shapecfg package
(and needs iproute I believe). Basically it uses tc to control
traffic. It may help out with much of this without having to grab/find
other software, allowing you to keep it updated with existing fc1
repositories.

I've begun playing with it myself in my spare time and suggest you read
/sbin/cbq (large, fairly well documented bash script). Can't provide
any help yet though.

Ron

Rodolfo J. Paiz kirjoitti viestiss??n (l?hetysaika keskiviikko,
If running out of PCI slots is the problem, there are dual and
quad port Ethernet adapters, e.g from Intel:
http://www.intel.com/network/connectivity/products/pro100dport_adapter.htm
http://www.intel.com/network/connectivity/products/pro1000mt_quad_server_adapter.htm

However, five regular adapters will be cheaper.

Not necessary to use that many adapters, It can easily be done on 2,
one for the internet and one for the LAN.

Linux can run multiple IPs on a single adapter by using aliases in the
config, and then using the traffic shaper utils you can set bandwidth
for each.
The only real problem will come in if they decide to snoop and since
with this method they would all be on the same physical network they
might find the other machines.

You could thus use 192.168.2.X for one, 192.168.3.X for another, etc.
The command to set up an alias (virtual interface) on a nic is simple.
Use the same ifconfig command you would otherwise use but the interface
is listed as eth0:1, eth0:2, etc.
The files in /etc/sysconfig/network-scripts can be configured for each
virtual interface you use, or it can be put in /etc/rc.local if you want.

Then the firewall with iptables can be used to handle NAT, forwarding,
and with the options for specifying the mac address of a connection you
can even make sure you do not yourself allow them to communicate
directly and you would know if they tried to add additional machines..
The traffic shaper tools can do this AFAIK.
Someone else will have to answer this
provide each user/client with an ftp directory they can log into as a
user. by default vsftp provides a chroot jail for them.

Why not just use a router / switch?
Thus it reduces the nic's down to two: one for the wan and one for the lan.
Jay
Rodolfo J. Paiz kirjoitti viestiss??n (l?hetysaika keskiviikko,

You should try ProFTPd (http://www.proftpd.org/). There configuration is
similar to apache where you can create virtual FTP servers for each IP
address. I've been using this program for years on my office network and it
is always running perfect.

I didn't see the start of this thread, but here's my $0.02 ...

The DHCP server shouldn't care what interface the request came in on, rather
it looks at the source network of the request.

So you server could support many different ranges, provided there was
suitable separation (i.e. a router) between the subnets and the server.

In your case, the server is acting as the router, but having separate
interfaces on the server itself is not a requirement (of any DHCP server I
know of)

regards,
Matt.

_________________________________________________________________
Get Extra Storage in 10MB, 25MB, 50MB and 100MB options now! Go to
http://join.msn.com/?pgmarket=en-au&page=hotmail/es2

Okay, it's been awhile since I set up our dhcp at work, but if I remember
correctly, dhcp requests don't usually route. I believe that we had to
set up our central router (a Cisco Catalyst 3550 set up to route instead
of switch) to forward the dhcp requests to the dhcp server on our server
subnet. Otherwise we'd have had to have had a dhcp server on each subnet.

Ben

Correct. DHCP is a broadcast. Routers don't normally forward broadcasts.
Configuring the router (with "ip helper-address") causes it to send a
unicast to the chosen DHCP server. Source address in the packet allows the
server to respond with an address for the correct subnet.

Just wanted to point out that it's not necessary to have more than one NIC
in the server to support multiple subnets. Of course, if the server is
routing for those subnets then there's nothing wrong with that either.

Regards,
Matt.

_________________________________________________________________
Get a Credit Card - 60 sec online response:
http://ad.au.doubleclick.net/clk;8097459;9106288;b?http://www.anz.com/aus/promo/qantas5000ninemsn
[AU only]

If I recall correctly, (and mind, I haven't seen all of this thread),
Rodolfo started his quest in another thread. He was trying to act as a
quasi-ISP for others in his building, so that they could all share the
costs of a high-speed internet line. IIRC, he wanted to be hands-off,
such that his "clients" could just plug in and deal with their own IT
issues. If he had gone with MAC-based DHCP, he'd have become their
de-facto IT/SA shop. I don't think that he wants the additional burden.
:)

Ben

I didn't see the start of this thread, but here's my $0.02 ...

The DHCP server shouldn't care what interface the request came in on, rather
it looks at the source network of the request.

So you server could support many different ranges, provided there was
suitable separation (i.e. a router) between the subnets and the server.

In your case, the server is acting as the router, but having separate
interfaces on the server itself is not a requirement (of any DHCP server I
know of)

regards,
Matt.

_________________________________________________________________
Get Extra Storage in 10MB, 25MB, 50MB and 100MB options now! Go to
http://join.msn.com/?pgmarket=en-au&page=hotmail/es2

Okay, it's been awhile since I set up our dhcp at work, but if I remember
correctly, dhcp requests don't usually route. I believe that we had to
set up our central router (a Cisco Catalyst 3550 set up to route instead
of switch) to forward the dhcp requests to the dhcp server on our server
subnet. Otherwise we'd have had to have had a dhcp server on each subnet.

Ben

Correct. DHCP is a broadcast. Routers don't normally forward broadcasts.
Configuring the router (with "ip helper-address") causes it to send a
unicast to the chosen DHCP server. Source address in the packet allows the
server to respond with an address for the correct subnet.

Just wanted to point out that it's not necessary to have more than one NIC
in the server to support multiple subnets. Of course, if the server is
routing for those subnets then there's nothing wrong with that either.

Regards,
Matt.

_________________________________________________________________
Get a Credit Card - 60 sec online response:
http://ad.au.doubleclick.net/clk;8097459;9106288;b?http://www.anz.com/aus/promo/qantas5000ninemsn
[AU only]

If I recall correctly, (and mind, I haven't seen all of this thread),
Rodolfo started his quest in another thread. He was trying to act as a
quasi-ISP for others in his building, so that they could all share the
costs of a high-speed internet line. IIRC, he wanted to be hands-off,
such that his "clients" could just plug in and deal with their own IT
issues. If he had gone with MAC-based DHCP, he'd have become their
de-facto IT/SA shop. I don't think that he wants the additional burden.
:)

Ben