YABMAS - MAC address authentication and bandwidth control for WISPs

Release date: 27th June 2002
Author:       gavin@raha.com
Status:       alpha
Release:      0.0.2

Introduction.

When running a large client base on ethernet and a satellite uplink, there are two main problems. The first is that anyone can plug a cable into one of your hubs and get online, or string a cable up the street and wire up their friends. Ethernet was not designed for subscription-based services, so things like PPPoE have to be employed for authentication etc. However, I don't like PPPoE. The second problem is that while your satellite link may be a glorious 10Mbit incoming, each one of your clients can quite happily fit 100Mbit through their NIC. Modems, at least, are self-limiting.

We decided to come up with a cheap solution based on the linux kernel's netfilter and tc queueing abilities.

Ideal network plan.

    satellite-------gateway--------BM box---------Clients
                    (server provider's router)

As you can see, the BM box sits between your client base and the internet. It is important that all traffic between any machines on your network and the outside world goes through the BM box. If you wish, you can put a transparent squid box between the BM box and your gateway.

Requirements.

You will need a linux machine with two NICs, with the kernel and iproute2 (tc binary) patched for htb. I am using RH7.2 with a 2.4.9-31 kernel. You can find instructions on patching, some excellent documentation and various other goodies at http://www.docum.org/stef.coene/qos/faq/

You will also need Lubomir Bulej's htb.init installed - project homepage is at http://freshmeat.net/projects/htb.init

Input.

The BM.sh script takes a CSV input file, called acc-csv. The format of the CSV is:

    STATUS,MAC ADDRESS,IP ADDRESS,RATE,EMAIL

STATUS:      Must be either 0 or 1. This indicates whether a particular MAC address should be allowed through or not. 0=no, 1=yes.
MAC ADDRESS: The physical address of the client machine. Must be in the format xx:xx:xx:xx:xx:xx - note that :0: must be written as :00:
IP ADDRESS:  (optional) If given, this IP address is matched to this MAC address in iptables.
RATE:        (optional) A rate, in kbps. This is ignored if no IP address is present. This is used as the RATE directive in htb.init. The CEIL is figured as follows:

    RATE      CEIL
    8Kbit     64Kbit
    16Kbit    64Kbit
    32Kbit    64Kbit
    64Kbit    128Kbit
    128Kbit   256Kbit
    256Kbit   512Kbit

EMAIL:       (optional) Either a literal %, meaning the client is only allowed to forward on ports 25 and 110, or nothing.

Examples:

    1,00:01:02:03:04:05,,
        This will enable traffic for this machine, with any IP address. No rate is assigned, so the machine will fall into the default pool.
    0,00:01:02:03:04:05,,
        This will disable traffic for this machine.
    1,00:01:02:03:04:05,172.16.1.1,
        This will enable traffic for this machine using this IP address.
    1,00:01:02:03:04:05,172.16.1.1,16
        This enables traffic for this machine using this IP address, and restricts it to 16Kbit CIR, 64Kbit MIR.

With each run of the BM.sh script, each record is compared to the existing iptables and htb rules. If there have been any changes since the last run of the script, appropriate changes are made.

I get this csv by running sql queries against our Rodopi server, then dumping the csv to disk on the rodopi machine and ftp'ing it over to the BM machine.

The BM-subnet.sh script takes another csv input file, net-csv, thus:

    STATE,NETWORK ADDRESS/RANGE,RATE

eg.

    1,192.168.230.0/24,128
        This would allow 128Kbit to be shared among any machines using this range.

NOTE: Any machines wanting to connect will still need a MAC/IP address entry in the acc-csv read by BM.sh.

Installation.

After patching your machine, you need to fiddle around with a few things:

1. copy the manager directory to /usr/local
2. copy the htb directory to /etc/sysconfig - edit the files in it to match your system. The htb.init script contains excellent directions on how to do this.
3. edit BM.conf to suit your system
4. modify and run the fwscript, which basically just sets the INPUT and FORWARD chains to a DROP policy

If you have any difficulties, please feel free to mail me at gavin@raha.com

Usage.

You can put control.sh in your crontab, to run as often as you want to update. Note that you will have to set up your billing system to dump the csv a minute or so before control.sh runs.

This project has been released under the GPL.
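As an added example (not part of YABMAS or its scripts), the POSIX shell script below shows how acc-csv records of the format described under Input map onto the iptables MAC/IP matches and the htb.init RATE/CEIL settings that the Installation and Usage steps rely on. It is a dry run: each record is validated, CEIL is derived from RATE using the README's table, and the resulting rules are printed rather than applied, so it can be run on a workstation with no netfilter or htb present. The client-facing interface name eth1, the FORWARD sub-chain called BM, and the RATE=/CEIL=/RULE= presentation of an htb.init class are assumptions, and the embedded acc-csv lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of YABMAS: dry-run generator for acc-csv records.
# It validates each record, derives CEIL from RATE per the README's table,
# and prints the iptables rules and htb.init settings that would be applied.
# Nothing is executed. Assumptions (not from the README): the client-facing
# NIC is eth1, ACCEPT rules live in a FORWARD sub-chain called BM, and the
# htb.init class is shown as RATE=/CEIL=/RULE= values.
LAN_IF="${LAN_IF:-eth1}"
CHAIN="${CHAIN:-BM}"

# ceil_for_rate RATE -> prints CEIL (both in Kbit) per the README's table.
# Returns 1 for a rate the table does not cover.
ceil_for_rate() {
    case "$1" in
        8|16|32) echo 64 ;;
        64)      echo 128 ;;
        128)     echo 256 ;;
        256)     echo 512 ;;
        *)       return 1 ;;
    esac
}

# valid_mac MAC -> true only for six colon-separated hex pairs, so
# "00:01:02:03:04:05" passes and "00:1:02:03:04:05" (":1:" not ":01:") fails.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# rules_for_record "STATUS,MAC,IP,RATE,EMAIL" -> prints the desired rules.
# Returns 1 (with a diagnostic on stderr) for a malformed record, so a
# caller can refuse the whole file instead of silently skipping a client.
rules_for_record() {
    IFS=, read -r status mac ip rate mail <<EOF
$1
EOF
    case "$status" in
        0|1) ;;
        *) echo "bad STATUS '$status' in: $1" >&2; return 1 ;;
    esac
    if ! valid_mac "$mac"; then
        echo "bad MAC '$mac' in: $1" >&2; return 1
    fi
    if [ "$status" = 0 ]; then
        echo "# $mac disabled: no ACCEPT rule, falls through to DROP policy"
        return 0
    fi
    # Match on the source MAC, and on the IP address too when one is given.
    match="-i $LAN_IF -m mac --mac-source $mac"
    if [ -n "$ip" ]; then
        match="$match -s $ip"
    fi
    if [ "$mail" = "%" ]; then
        # Mail-only client: forward only SMTP (25) and POP3 (110).
        echo "iptables -A $CHAIN $match -p tcp --dport 25 -j ACCEPT"
        echo "iptables -A $CHAIN $match -p tcp --dport 110 -j ACCEPT"
    else
        echo "iptables -A $CHAIN $match -j ACCEPT"
    fi
    # RATE is ignored without an IP address (README); such clients stay in
    # the default pool.
    if [ -n "$ip" ] && [ -n "$rate" ]; then
        if ceil=$(ceil_for_rate "$rate"); then
            echo "# htb.init class for $ip: RATE=${rate}Kbit CEIL=${ceil}Kbit RULE=$ip"
        else
            echo "rate '$rate' not in CEIL table for: $1" >&2; return 1
        fi
    else
        echo "# $mac: no per-client class, default pool"
    fi
}

# process_csv reads acc-csv records from stdin; returns 1 if any was rejected.
process_csv() {
    rc=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        rules_for_record "$line" || rc=1
    done
    return $rc
}

# Constructed sample acc-csv, one record per line (not real client data).
SAMPLE_CSV='1,00:01:02:03:04:05,,
0,00:01:02:03:04:06,,
1,00:01:02:03:04:07,172.16.1.1,16
1,00:01:02:03:04:08,172.16.1.2,64,%'

printf '%s\n' "$SAMPLE_CSV" | process_csv
```

To check a real file instead of the embedded sample, replace the last line with `process_csv < acc-csv`. Because a malformed MAC (such as `:0:` where `:00:` is required) or an unknown STATUS makes the script exit non-zero, a cron wrapper can refuse to touch the live rules until the billing export is fixed, rather than leaving that client's entry out of the ACCEPT set without anyone noticing.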