Thursday, March 17, 2011

Bandwidth Control in Linux

There are several ways to control / shape / manage bandwidth in Linux.


Simple approach. Install wondershaper:

#apt-get install wondershaper

Configure it in kilobits per second (replace eth1 with your interface).
From the manual: "wondershaper [ interface ] [ downlink ] [ uplink ]"
#wondershaper eth1 2048 2048
To clear the limits, simply run:
#wondershaper clear eth1


We will control the bandwidth using the tool "tc", which is part of the "iproute" package in Debian.
tc - show / manipulate traffic control settings

Simple, classless Queueing Disciplines:

The Token Bucket Filter (TBF) - Simple and easy, for slowing an interface down. 

qdisc - queuing discipline 
latency - number of bytes that can be queued waiting for tokens to become available.
burst - Size of the bucket, in bytes.
rate - speedknob

#tc qdisc add dev eth1 root tbf rate 220kbit latency 50ms burst 1540


Stochastic Fairness Queueing (SFQ) - a round-robin type that gives each session the chance to send data in turn. It changes its hashing algorithm at a set interval.

qdisc - queuing discipline 
perturb - Reconfigure hashing once this many seconds.
#tc qdisc add dev eth1 root sfq perturb 10



To check the status run:
#tc -s -d qdisc show dev eth1
To remove it:
#tc qdisc del dev eth1 root



Classful Queueing Disciplines:

CBQ (Class Based Queueing) - A Classful Queueing
HTB - Another classful Queueing. (we will use it.)

Example classful qdisc



Let's assume we want to create some rules for a small office using HTB.
eth0 - external interface - PUBLIC_IP 
eth1 - internal interface - LOCAL_IP 
Email will get the highest priority
General/Other will get the medium priority.
Video streaming will get the lowest priority.


Creating root 1: and 1:1 using HTB (default 6 means follow 1:6 if no rule matched)
#tc qdisc add dev eth1 root handle 1: htb default 6
#tc class add dev eth1 parent 1: classid 1:1 htb rate 2mbit ceil 2mbit

Creating leaf class 1:5 (prio represents priority, and 0 means high priority)
#tc class add dev eth1 parent 1:1 classid 1:5 htb rate 1mbit ceil 1.5mbit
#tc filter add dev eth1 protocol ip parent 1:0 prio 0 u32 match ip src YOUR_MAIL_SERVER_IP/32 flowid 1:5
#tc filter add dev eth1 protocol ip parent 1:0 prio 0 u32 match ip sport 22 0xffff flowid 1:5

Creating leaf class 1:6 (It is set as default in root qdisc, so we are not setting any rules)
#tc class add dev eth1 parent 1:1 classid 1:6 htb rate 0.5mbit ceil 1.5mbit

Creating leaf class 1:7 (use /32 for specific IP, /24 for that series. Priority low - prio 5. You can get the IP address using "iptraf" tool)
#tc class add dev eth1 parent 1:1 classid 1:7 htb rate 0.2mbit ceil 1mbit
#tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 match ip src VIDEO_STREAM_IP/32 flowid 1:7


Optionally, we can also attach a queueing discipline to a leaf class (as an example, we are adding SFQ to leaf class 1:5):
#tc qdisc add dev eth1 parent 1:5 handle 20: sfq perturb 10

To remove it:
#tc qdisc del dev eth1 root handle 1: htb
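A quick sanity check for the class tree above, as an added example that is not part of the original post: it reads tc commands and reports a ceil below the rate, child rates that add up to more than their parent's rate, and a "default" minor that names no defined class. The function name htb_lint, the finding labels and the one-line bad plan are made up for this sketch; only mbit and kbit units are handled.

```shell
# Added example: lint an HTB plan given as tc commands on stdin.
# Prints one line per finding and returns non-zero if anything was found.
htb_lint() {
    awk '
    function kbit(r,   n) {            # tc units: 1mbit = 1000kbit
        n = r + 0                      # numeric prefix of e.g. "0.5mbit"
        if (r ~ /mbit$/) return n * 1000
        return (r ~ /kbit$/) ? n : -1  # other units are out of scope here
    }
    { sub(/^#[ \t]*/, "") }            # accept the "#tc ..." prompt style
    $1 != "tc" || $3 != "add" { next }
    $2 == "qdisc" && / htb / {
        for (i = 4; i < NF; i++) {
            if ($i == "handle")  root = $(i + 1)
            if ($i == "default") dflt = $(i + 1)
        }
    }
    $2 == "class" {
        p = c = ""; r = ce = -1
        for (i = 4; i < NF; i++) {
            if ($i == "parent")  p  = $(i + 1)
            if ($i == "classid") c  = $(i + 1)
            if ($i == "rate")    r  = kbit($(i + 1))
            if ($i == "ceil")    ce = kbit($(i + 1))
        }
        if (ce < 0) ce = r             # HTB uses ceil = rate when ceil is omitted
        rate[c] = r; sum[p] += r
        if (ce < r) { print "ceil-below-rate " c; bad++ }
    }
    END {
        for (p in sum) if ((p in rate) && sum[p] > rate[p]) {
            print "oversubscribed " p " children=" sum[p] "kbit parent=" rate[p] "kbit"; bad++
        }
        d = root dflt                  # e.g. "1:" and "6" give class 1:6
        if (dflt != "" && !(d in rate)) { print "default-class-missing " d; bad++ }
        exit (bad > 0)
    }'
}
page_plan() {   # the qdisc and class commands from this post, prompts included
cat <<'EOF'
#tc qdisc add dev eth1 root handle 1: htb default 6
#tc class add dev eth1 parent 1: classid 1:1 htb rate 2mbit ceil 2mbit
#tc class add dev eth1 parent 1:1 classid 1:5 htb rate 1mbit ceil 1.5mbit
#tc class add dev eth1 parent 1:1 classid 1:6 htb rate 0.5mbit ceil 1.5mbit
#tc class add dev eth1 parent 1:1 classid 1:7 htb rate 0.2mbit ceil 1mbit
EOF
}
page_plan | htb_lint && echo "article plan: ok"
printf 'tc qdisc add dev eth1 root handle 1: htb default 9\n' | htb_lint || echo "constructed bad plan: rejected"
```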




This document describes the basics of bandwidth control/shaping for new users. Please check the detailed documentation for advanced options.

source:
http://lartc.org/howto/index.html
http://www.opalsoft.net/qos/DS.htm
http://blog.edseek.com/~jasonb/articles/traffic_shaping/index.html
HTB user guide:
http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm
Filter:
http://lartc.org/howto/lartc.qdisc.filters.html
http://linux-ip.net/articles/Traffic-Control-HOWTO/index.html

Friday, March 11, 2011

FreeBSD with Debian GRUB


I have installed FreeBSD 8.2 amd64 in my PC for testing.

If you want to boot FreeBSD using GRUB, simply edit
/etc/grub.d/40_custom

In the other section add the following line:
(change the partition according to yours)
menuentry 'FreeBSD 8.2 amd64' {
        set root='(hd0,X)'
        chainloader +1
}

Update the grub.cfg
#update-grub

FreeBSD should appear in your grub menu while booting...

Friday, March 04, 2011

Encrypted folder in Linux

We are using EncFS. It provides an encrypted filesystem in user-space.

You may need to load the fuse module:

#modprobe fuse

Install encfs:
#apt-get install encfs

Optionally you may install (EncFS system tray applet for GNOME):
#apt-get install cryptkeeper

encfs [options] rootDir mountPoint
Here I am creating a root folder named .encrypt for storing the encrypted files,
and a mount point folder named decrypt, which we will use to read/write files.
$encfs ~/.encrypt ~/decrypt

It will ask permission for creating the directory - type y here.
Now, it will ask for expert or pre-configured mode - use pre-configured - type p here.

It will ask for a password. Use a secure password here.

Done! Now you can use the decrypt folder as an encrypted folder.

The actual data will be stored under the .encrypt folder, and will be available via the decrypt folder after mounting with encfs.


You may unmount it using:
$fusermount -u ~/decrypt

source:
http://www.debian-administration.org/articles/204
http://ubuntuforums.org/showthread.php?t=148600

Encrypted partition in Linux

To create encrypted disks we are using cryptsetup

#apt-get install cryptsetup

Backup your data and optionally clean it:
#shred -n1 -v /dev/sdaX

Initialize a LUKS partition (warning: this destroys all data on the partition!):
#cryptsetup luksFormat /dev/sdaX

Type "YES". It will ask for a password for the filesystem. Use a secure password, otherwise encryption won't help you.
There are other options for securing it. Check the cryptsetup manual for details.


Open the LUKS partition and set up a mapping for it:
#cryptsetup luksOpen /dev/sdaX your_map_name

Format the LUKS partition using the mapping:
#mkfs.ext3 /dev/mapper/your_map_name

Now you can mount it:
#mount /dev/mapper/your_map_name /mnt/your_mount_name


Optionally, you can unmount it and lock the LUKS partition again (this removes the mapping):
#umount  /mnt/your_mount_name
#cryptsetup luksClose your_map_name

I have tested this in Debian 6.0.0.
You may need to load the module (optionally you may add it to /etc/modules):
#modprobe dm_mod


Edit /etc/crypttab
# <target name>          <source device>         <key file>      <options>
your_map_name            /dev/sdaX               none            luks


Edit /etc/fstab
# <file system>                <mount point>         <type>  <options>       <dump>  <pass>
/dev/mapper/your_map_name      /mnt/your_mount_name  ext3    user,auto       0       0


You can reboot. It will ask for the password while booting.
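A check worth running before that reboot, as an added example that is not part of the original post: it parses the two files edited above and reports any /dev/mapper name in fstab that has no crypttab target, and any crypttab target that fstab never uses. The function name crypt_check and the finding labels are made up for this sketch, and the sample files are constructed from the placeholder names used in this post (with one deliberate typo).

```shell
# Added example: cross-check crypttab and fstab.
# usage: crypt_check CRYPTTAB FSTAB ; prints findings, non-zero if any.
crypt_check() {
    awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    FILENAME == ARGV[1] {                   # crypttab: target source keyfile options
        target[$1] = $2
        next
    }
    $1 ~ /^\/dev\/mapper\// {               # fstab: fs mountpoint type options dump pass
        name = substr($1, 13)               # strip the "/dev/mapper/" prefix
        used[name] = 1
        if (!(name in target)) { print "no-crypttab-entry " name " for " $2; bad++ }
    }
    END {
        for (t in target) if (!(t in used)) { print "unused-mapping " t; bad++ }
        exit (bad > 0)
    }' "$1" "$2"
}

# Constructed sample files; in real use pass /etc/crypttab and /etc/fstab.
d=$(mktemp -d)
cat > "$d/crypttab" <<'EOF'
# <target name>   <source device>   <key file>   <options>
your_map_name     /dev/sdaX         none         luks
EOF
cat > "$d/fstab" <<'EOF'
# <file system>            <mount point>          <type> <options> <dump> <pass>
/dev/mapper/your_map_nmae  /mnt/your_mount_name   ext3   user,auto 0      0
EOF
crypt_check "$d/crypttab" "$d/fstab" || echo "fix the entries above before rebooting"
rm -rf "$d"
```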


source:
http://www.debian-administration.org/article/Encrypting_an_existing_Debian_lenny_installation
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3683011/Protect-Your-Stuff-With-Encrypted-Linux-Partitions.htm
http://www.linuxconfig.org/Partition_Encryption