Using Iprelay To Shape Connections

Full Version: Using Iprelay To Shape Connections

GovernmentSecurity.org > System Security > Linux & Unix Systems

myth

Jun 28 2005, 02:52 AM

Due to reasons beyond our control, myself and my housemates are pulled back to dial-up for awhile (yuck), so keeping up-to-date has proven to be a task. I'm going to quickly show you how i used iprelay as a proxy to shape my outgoing connections.

Needed is a client/server based setup, but can all be done using localhost and just the one machine, or to help proxy (and then shape) an entire network...

iprelay is pretty simple to use, read the man pages aswell, some good examples.

Basically, I have two connections to shape. My debian machines, apt-get updates/upgrades and Windows's Manual Update (not auto-update just yet).

Basically, this program listens on 0.0.0.0 and the port number you choose. Then once a connection is made with that port, all future connections will be throttled down to the speed you specify. Also, iprelay has an interactive mode, im not going into that here.

Using my apt examples, I have two machines both need updates (im not getting into the apt-proxy-server program either - i am aware of it), Glitch and RT001. RT001 is already proxy'ing most of my connections anyway so im going to run iprelay on that computer.

There are usually only two different places debian gets updates. Your local mirror and debian's security update mirror. So im going to need to run two instances of iprelay on two different ports.

Choosing port 5000 for the local port forwarding to debian mirror 61.8.0.17 and port 5001 for debian security mirror local port forward to 194.109.137.218

CODE

$ iprelay -d 5000:61.8.0.17:80 && iprelay -d 5001:194.109.137.218:80

The first iprelay forwarder starts running then escapes into daemon mode (-d) and then the second shortly follows.

However, this hasnt limited any bandwidth, its only proxy'ing the connections...

This is the -b argument we need to pass, followed by the bytes/second shape that being applied. Have given it 1kb/s for apt-get updates.

CODE

$ iprelay -d -b 1024 5000:61.8.0.17:80 && iprelay -d -b 1024 5001:194.109.137.218:80

Also, check if those ports are open on your firewall first, depending on what your forwarding tcp/udp may need to be open. Now, to the client (I had to do it on Glitch and RT001), edit /etc/apt/sources.list to reflect the new changes,

QUOTE

deb http://192.168.13.51:5000/debian/ testing main
deb-src http://192.168.13.51:5000/debian/ testing main

deb http://192.168.13.51:5001/ testing/updates main

Thats what mine turned out to be, 127.0.0.1 on RT001, but yeah, or use DNS Names.

That should work then, if the firewall rules are correct, run apt-get update on one of the clients and

CODE

glitch:/etc/apt# apt-get update
Get:1 http://192.168.13.51 testing/main Packages [3430kB]
60% [1 Packages 2079873/3430kB 60%] 1000B/s 22m30s

and there we go... Not shaped to the byte, but good enough....

One note, if 100 computers tried to use 192.168.13.51:5000 for updates, EVERYONE is shaped to 1b/s... And your not going anywhere....

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.


Help - Search - Member List - Calendar Full Version: Using Iprelay To Shape Connections GovernmentSecurity.org > System Security > Linux & Unix Systems myth Jun 28 2005, 02:52 AM Due to reasons beyond our control, myself and my housemates are pulled back to dial-up for awhile (yuck), so keeping up-to-date has proven to be a task. I'm going to quickly show you how i used iprelay as a proxy to shape my outgoing connections. Needed is a client/server based setup, but can all be done using localhost and just the one machine, or to help proxy (and then shape) an entire network... iprelay is pretty simple to use, read the man pages aswell, some good examples. Basically, I have two connections to shape. My debian machines, apt-get updates/upgrades and Windows's Manual Update (not auto-update just yet). Basically, this program listens on 0.0.0.0 and the port number you choose. Then once a connection is made with that port, all future connections will be throttled down to the speed you specify. Also, iprelay has an interactive mode, im not going into that here. Using my apt examples, I have two machines both need updates (im not getting into the apt-proxy-server program either - i am aware of it), Glitch and RT001. RT001 is already proxy'ing most of my connections anyway so im going to run iprelay on that computer. There are usually only two different places debian gets updates. Your local mirror and debian's security update mirror. So im going to need to run two instances of iprelay on two different ports. Choosing port 5000 for the local port forwarding to debian mirror 61.8.0.17 and port 5001 for debian security mirror local port forward to 194.109.137.218 CODE $ iprelay -d 5000:61.8.0.17:80 && iprelay -d 5001:194.109.137.218:80 The first iprelay forwarder starts running then escapes into daemon mode (-d) and then the second shortly follows. However, this hasnt limited any bandwidth, its only proxy'ing the connections... This is the -b argument we need to pass, followed by the bytes/second shape that being applied. Have given it 1kb/s for apt-get updates. CODE $ iprelay -d -b 1024 5000:61.8.0.17:80 && iprelay -d -b 1024 5001:194.109.137.218:80 Also, check if those ports are open on your firewall first, depending on what your forwarding tcp/udp may need to be open. Now, to the client (I had to do it on Glitch and RT001), edit /etc/apt/sources.list to reflect the new changes, QUOTE deb http://192.168.13.51:5000/debian/ testing main deb-src http://192.168.13.51:5000/debian/ testing main deb http://192.168.13.51:5001/ testing/updates main Thats what mine turned out to be, 127.0.0.1 on RT001, but yeah, or use DNS Names. That should work then, if the firewall rules are correct, run apt-get update on one of the clients and CODE glitch:/etc/apt# apt-get update Get:1 http://192.168.13.51 testing/main Packages [3430kB] 60% [1 Packages 2079873/3430kB 60%] 1000B/s 22m30s and there we go... Not shaped to the byte, but good enough.... One note, if 100 computers tried to use 192.168.13.51:5000 for updates, EVERYONE is shaped to 1b/s... And your not going anywhere.... This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.