06-28-2012, 08:27 AM
jdow

How to limit maximum number of TCP connections

On 2012/06/28 01:24, Jatin K wrote:

On 06/28/2012 01:33 PM, jdow wrote:

On 2012/06/27 23:27, Jatin K wrote:

On 06/28/2012 11:32 AM, Ed Greshko wrote:

On 06/28/2012 01:27 PM, Jatin K wrote:

well..... suppose I've 5 clients in my office ( say A,B, C, D, E ) and a
linux box which is working as a router ( gateway ), I want to allow only 4
concurrent pcs to access the Internet, say if A,B,C,D is using internet then
fifth client E can not access the internet until any of previous connected
clients ( A,B,C, or D) gets disconnected/session ended

Define "access internet".....

Do you mean *all* protocols? So, you want to stop a 5th system from browsing,
ftp, ssh, ntp, pop, imap, etc? So, if A, B, C, and D are using these
protocols...which can happen without direct user input (pop/imap polls,
facebook and rss feed updates, etc.) you want to block E for an indeterminate
amount of time?

exactly



Seriously?

yes, its my client's requirement ...... I can understand its not the way to go
.... but he pays me for this ... I'm a service provider .. I have to do what
they said and want to do


I think you need to state the problem you are trying to solve....not ask for a
solution which really sounds wrong headed.

If A, B, C, and D are browsing CNN, MSNBC, ABC, and FoxNews is the limit on
E that he cannot browse CBS or that he cannot make an ftp file transfer or
his machine cannot attempt an NTP clock synchronization until one of the
others quits using the network?


if A,B,C and D are using Internet then E must not have Internet access , like
web-browsing, send/receive email, ftp Etc....

if it can be achieved by proxy (squid like) .. I can suggest them


In theory it can. In practice it cannot unless users are forcibly timed
out after X seconds of connect time and then locked off for a period to
prevent them from logging right back in. Without knowledge of precisely
what is wanted you cannot answer the homework question, Charlie.

{^_^}
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
06-28-2012, 09:56 AM
Jatin K

How to limit maximum number of TCP connections

On 06/28/2012 01:49 PM, jdow wrote:



On 2012/06/28 00:02, Jatin K wrote:

On 06/28/2012 12:11 PM, Joe Zeff wrote:

On 06/27/2012 11:27 PM, Jatin K wrote:



how can you prove its wrong ... they need this kind of configurations,
and my duty is to provide the solutions what they need if its
possible....


I don't know the solution/configuration requirement to fulfill
their desire, thats why I'm asking the solutions to this list where so
many experts like you are available. If this is wrong then I'm
really sorry


About the only semi-feasible means of doing this might be to setup a
virtual lan through a proxy with a limited number of concurrent logins
permitted. That is subject to the hogging effect Mr. Greshko mentioned.
So you'd have to put an arbitrary logout on the proxy after X minutes
of inactivity. So the bozo logs into a news site that has pages that
automatically refresh every few minutes and you get hogging again.

You REALLY REALLY need to 1) walk away from this nonsense customer or

well I will go with option 1 ... thanks for your kind support and
guidelines ...


thanks again to all of you

Warm Regards

--
°v°
/(_)
^ ^ Jatin Khatri
RHCSA,RHCE,CCNA
Registered Linux user No #501175
www.linuxcounter.net
No M$

 
06-28-2012, 10:29 AM
Ed Greshko

How to limit maximum number of TCP connections

On 06/28/2012 04:19 PM, jdow wrote:
> About the only semi-feasible means of doing this might be to setup a
> virtual lan through a proxy with a limited number of concurrent logins
> permitted.

What proxy would you recommend? I can't think of one that would proxy *all*
protocols. That's why I suggested the pptp connection. Seems a bit more simple to
set up....and has the same drawbacks as the earthlink dialup connection limiter. :-) :-)


--
Never be afraid to laugh at yourself, after all, you could be missing out on the joke
of the century. -- Dame Edna Everage
 
06-28-2012, 10:43 AM
Hakan Koseoglu

How to limit maximum number of TCP connections

On 28 June 2012 11:29, Ed Greshko <Ed.Greshko@greshko.com> wrote:
> What proxy would you recommend? I can't think of one that would proxy *all*
> protocols. That's why I suggested the pptp connection. Seems a bit more simple to
> set up....and has the same drawbacks as the earthlink dialup connection limiter. :-) :-)
Doesn't have to be all protocols. The original request only specifies
"internet usage", these days it equals to web usage. It is quite
common to have companies to limit web access with transparent proxies
and a radius server. I can imagine (but not give concrete examples)
that it would be possible to set up a radius server with a total
number of users allowed limit. Squid and Freeradius2 might be enough.
 
06-28-2012, 11:34 AM
Ian Malone

How to limit maximum number of TCP connections

On 27 June 2012 07:57, Jatin K <ssh.fedora@gmail.com> wrote:
> Dear All
>
> I'm on FC 15 which is acting as a router for Cable Internet connection
> for 145 PC on the LAN, which works fine... But there is one question in
> my mind, How do I limit the maximum numbers of concurrent connections to
> router. i.e. if I want to allow only 90 concurrent connection to the
> router at the given time only 90 PCs can pass through the router or
> connect to the Internet other PCs/users have to wait until the connected
> PCs session is over.
>

Having read all the other replies I have to agree that your client is
either embarked on a philosophical exercise in traffic management or
has come to their own (likely incorrect) conclusion that this is the
best way to achieve something else. Best response is to engage and try
to find out why.

However, I don't see why it wouldn't be possible to use the kind of
access control that gets used on commercial or courtesy wifi systems
where all requests get redirected to a local server until the user
authenticates the machine (usually via a web browser to make payment
or agree to T&Cs). It does still have all the issues like background
connections (software updates, NTP etc.), but this is protocol
agnostic so far as I know. Look up captive portals (e.g. wifidog),
note I've never done this.

--
imalone
http://ibmalone.blogspot.co.uk
 
06-28-2012, 11:34 AM
Ed Greshko

How to limit maximum number of TCP connections

Hakan Koseoglu <hakan@koseoglu.org> wrote:

>Doesn't have to be all protocols. The original request only specifies
>"internet usage", these days it equals to web usage. It is quite
>common to have companies to limit web access with transparent proxies
>and a radius server. I can imagine (but not give concrete examples)
>that it would be possible to set up a radius server with a total
>number of users allowed limit. Squid and Freeradius2 might be enough.

Well we don't know that it doesn't have to be all protocols. I don't like to make assumptions.
And the OP wasn't being specific.


--
Sent from my Android tablet with K-9 Mail.
 
06-28-2012, 12:33 PM
Marko Vojinovic

How to limit maximum number of TCP connections

On Thursday, 28. June 2012. 1.27.10 jdow wrote:
> On 2012/06/28 01:24, Jatin K wrote:
> > On 06/28/2012 01:33 PM, jdow wrote:
> >> On 2012/06/27 23:27, Jatin K wrote:
> >>> On 06/28/2012 11:32 AM, Ed Greshko wrote:
> >>>> On 06/28/2012 01:27 PM, Jatin K wrote:
> >>>>> well..... suppose I've 5 clients in my office ( say A,B, C, D, E ) and
> >>>>> a
> >>>>> linux box
> >>>>> which is working as a router ( gateway ), I want to allow only 4
> >>>>> concurrent pcs to
> >>>>> access the Internet, say if A,B,C,D is using internet then fifth
> >>>>> client E can not
> >>>>> access the internet until any of previous connected clients ( A,B,C,
> >>>>> or D)
> >>>>> gets
> >>>>> disconnected/session ended
> >>>>
> >>>> Define "access internet".....
> >
> > if it can be achieved by proxy (squid like) .. I can suggest them
>
> In theory it can. In practice it cannot unless users are forcibly timed
> out after X seconds of connect time and then locked off for a period to
> prevent them from logging right back in. Without knowledge of precisely
> what is wanted you cannot answer the homework question, Charlie.

Sorry for jumping in late into this thread, but did anyone suggest to use a
custom dhcp configuration?

For example:
(1) get the firewall configured so that only machines with IPs from the dhcp
pool get access to the net;
(2) having 5 machines (or more), configure dhcp to have a pool of only 4 IP
numbers;
(3) make the dhcp lease expire fast and refuse lease renewal from clients (i.e.
force them to ask again for a new IP once their lease expired).

This should technically allow only 4 machines to access the internet at the
time, regardless of how many of them are hooked into the LAN. You can tweak
the lease validity time as you see fit (5 minutes, 1 hour, etc...) which gives
a definition to the term "accessing Internet".

The clients will be competing for IP numbers, and the choice who will have
access at a given moment will be pretty random. What you guarantee is that no
more than 4 machines are allowed access at a time.

Beware also that when the lease for a given machine expires, it will be cut off
the net possibly in the middle of some work, and even if it does immediately
get a new lease it will have to reestablish all open connections using the new
IP. This will break most of the stateful Internet traffic, like being logged
into gmail or similar. This will happen periodically, without the ability of
the user to have any control. So the Internet access will be jerky even for
those 4 machines that do get a lease from dhcp server.

Having said all that, I would personally kick out of my company any sysadmin
who would actually try to implement such an insane configuration. But for the
proof-of-concept purposes, I think what you are asking for can be done in this
way.

HTH, :-)
Marko



 
06-28-2012, 12:45 PM
Reindl Harald

How to limit maximum number of TCP connections

On 28.06.2012 08:27, Jatin K wrote:

>> Seriously?
> yes, its my client's requirement ...... I can understand its not the way to go ....
> but he pays me for this ... I'm a service provider .. I have to do what they
> said and want to do


there is really a difference between service provider and
tech bitch doing all for money independent how wrong it is :-)

>> I think you need to state the problem you are trying to solve....not ask for a
>> solution which really sounds wrong headed.
>>
> how can you prove its wrong ... they need this kind of configurations, and my duty is to provide the solutions what
> they need if its possible....

but it is not possible and all you can give your customer is
a crappy solution which will not really work

HTTP as example is stateless
so no, you can not limit "number of tcp connections" on a central
machine to limit number of clients with internet access

 
06-28-2012, 02:44 PM
Mateusz Marzantowicz

How to limit maximum number of TCP connections

On 27.06.2012 08:57, Jatin K wrote:
> Dear All
>
> I'm on FC 15 which is acting as a router for Cable Internet connection
> for 145 PC on the LAN, which works fine... But there is one question in
> my mind, How do I limit the maximum numbers of concurrent connections to
> router. i.e. if I want to allow only 90 concurrent connection to the
> router at the given time only 90 PCs can pass through the router or
> connect to the Internet other PCs/users have to wait until the connected
> PCs session is over.
>
> is there any solution/tweak available ???
>

1. It's probably far from perfect but you could try to allow access
(forward packets) only for authenticated clients. You could try to
combine Kerberos tools (or some other auth protocol) with iptables etc.
It should be possible to limit number of simultaneously authenticated
clients.

2. It might also be possible to setup a dhcp server combined with your
router and allow traffic that is related to clients that obtained their
IP config from that server (so dhcp server needs to run some script after
client is successfully configured to open firewall). It certainly has
lot of security issues but in case it's not your top priority
requirement you can try it. But dhcp leases must be renewed often so you
don't block "slots" for too long.


Mateusz Marzantowicz
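Marko's "small DHCP pool plus firewall" scheme and Mateusz's second option (dhcpd runs a script after a lease is handed out to open the firewall) fit together into one setup; the hook below is an added example, not code posted in the thread. It assumes ISC dhcpd with ipset and iptables on the router, the LAN on eth1 and the uplink on eth0, a 192.168.1.0/24 LAN, and that the script is installed as /usr/local/sbin/lease-hook; all of those are my assumptions.

```shell
#!/bin/sh
# lease-hook: run by ISC dhcpd as "lease-hook add <ip>" on lease commit and
# "lease-hook del <ip>" on release/expiry. It keeps an ipset in step with
# live leases, and a FORWARD rule lets only currently leased addresses out,
# so the size of the dhcpd range becomes the cap on simultaneous PCs.
# Assumed: installed at /usr/local/sbin/lease-hook, LAN eth1, uplink eth0.
#
# dhcpd.conf stanza that drives it (constructed: 4 slots, 5-minute leases):
#   subnet 192.168.1.0 netmask 255.255.255.0 {
#     range 192.168.1.10 192.168.1.13;
#     default-lease-time 300; max-lease-time 300;
#     option routers 192.168.1.1;
#   }
#   on commit  { execute("/usr/local/sbin/lease-hook", "add",
#                        binary-to-ascii(10, 8, ".", leased-address)); }
#   on release { execute("/usr/local/sbin/lease-hook", "del",
#                        binary-to-ascii(10, 8, ".", leased-address)); }
#   on expiry  { execute("/usr/local/sbin/lease-hook", "del",
#                        binary-to-ascii(10, 8, ".", leased-address)); }
#
# One-time firewall setup (default-deny for the LAN, set members pass):
#   ipset create inet_allowed hash:ip
#   iptables -A FORWARD -i eth1 -o eth0 -m set --match-set inet_allowed src -j ACCEPT
#   iptables -A FORWARD -i eth1 -o eth0 -j DROP

SET_NAME="inet_allowed"

# Accept only a plain dotted quad with octets 0-255. dhcpd is trusted, but
# this runs as root, so never hand an unchecked string to ipset.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Build the ipset command; -exist makes add/del idempotent, so a renewal
# re-committing the same address or a duplicate expiry does not error out.
build_cmd() {
    case "$1" in
        add) echo "ipset add $SET_NAME $2 -exist" ;;
        del) echo "ipset del $SET_NAME $2 -exist" ;;
        *)   return 1 ;;
    esac
}

main() {
    valid_ipv4 "$2" || { logger -t lease-hook "rejected address '$2'"; exit 2; }
    cmd=$(build_cmd "$1" "$2") || { logger -t lease-hook "bad action '$1'"; exit 2; }
    logger -t lease-hook "$cmd"
    $cmd
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

A client that keeps renewing its lease holds its slot indefinitely, which is exactly the hogging problem jdow and Ed Greshko describe; the FORWARD rules only gate forwarding, so the usual NAT/masquerade rules are still needed separately.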
 
06-28-2012, 04:21 PM
Rick Stevens

How to limit maximum number of TCP connections

On 06/28/2012 04:34 AM, Ian Malone wrote:

On 27 June 2012 07:57, Jatin K <ssh.fedora@gmail.com> wrote:

Dear All

I'm on FC 15 which is acting as a router for Cable Internet connection
for 145 PC on the LAN, which works fine... But there is one question in
my mind, How do I limit the maximum numbers of concurrent connections to
router. i.e. if I want to allow only 90 concurrent connection to the
router at the given time only 90 PCs can pass through the router or
connect to the Internet other PCs/users have to wait until the connected
PCs session is over.



Having read all the other replies I have to agree that your client is
either embarked on a philosophical exercise in traffic management or
has come to their own (likely incorrect) conclusion that this is the
best way to achieve something else. Best response is to engage and try
to find out why.

However, I don't see why it wouldn't be possible to use the kind of
access control that gets used on commercial or courtesy wifi systems
where all requests get redirected to a local server until the user
authenticates the machine (usually via a web browser to make payment
or agree to T&Cs). It does still have all the issues like background
connections (software updates, NTP etc.), but this is protocol
agnostic so far as I know. Look up captive portals (e.g. wifidog),
note I've never done this.


You could, I suppose, make the router also a DHCP server, and have a
limited number of IPs available in the pool along with forcing lease
expirations. I believe the OP said no more than 90 simultaneous
"sessions", so have a pool of 90 IPs available. When they're all given
out, the other computers can't get an IP until someone's lease expires
and frees up an IP. This, of course, would also limit the local LAN to
90 users.

If they're trying to limit access to the Internet, then perhaps using a
proxy such as Squid can be done. It has a number of access rule
mechanisms that might be tuned to do what is needed.

I agree the OP's client has got a weird idea as to limiting access, but
perhaps they feel their uplink is too small to handle more connections.
There is a lot of education that's required here with the client.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital ricks@alldigital.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- Overweight: When you step on your dog's tail...and it dies. -
----------------------------------------------------------------------
 
