Warning: before you untar the Arbitrator releases, please read the How-To, along with any items in the Change Log relating to the version.

. arbitrator9.62.tar.gz this is the GPL version. It does not come with a GUI, nor is reporting included in this version. Those items are licensed with our commercial products only. This version runs on the Linux 2.6.5 kernel. No other patches are required since iptables and ebtables are already in this kernel. READ THE CHANGE LOG FOR INFO ON THIS VERSION.

. arbitrator8.63.tar.gz this is the GPL version. This is currently the most stable version based on the 2.4.19 kernel. It does not come with a GUI, nor is reporting included in this version. Those items are licensed with our commercial products only. This version runs on the Linux 2.4.19 kernel. READ THE CHANGE LOG FOR INFO ON THIS VERSION.

. callnetplot version 1.0 for plotting MULTIPLE VLANs This is a user donated perl script which should be used with 8.25. Other versions may be able to be tweaked to use this as well with a little work.
. sanity.tar.gz
Version 1.21 is a watchdog utility type program for the Arbi. You can read the README by clicking here.

. userlimit1.0.tar.gz
This is a beta release and we welcome beta customers. Enforce Bandwidth Caps on monthly/daily or hourly usage, take actions when caps are exceeded. You can read the README by clicking here.

. arbiqos1.1.tar.gz
This is a beta release and we welcome beta customers. You can find the docs for ArbiQos by clicking here.

. apccrond - Perl cron like helper app

. asciiplot2.0 - Perl plot routine that creates ASCII graphs in the form of horizontal bar charts. You could modify the code to output graphics instead of ASCII *'s for use with web apps. Here is the README.

. bridge-utils-0.9.5.tar
. bridge-nf-0.0.7-against-2.4.19.diff for the 2.4.19 kernels.
Detailed notes on SuSE 8.1 install.
WARNING, USE AT YOUR OWN RISK: the following cannot be used in every installation attempt and may even render the computer unresponsive or disable it altogether.

Detailed Notes on Loading the Arbitrator3.2 and Suse 8.1 distribution

SuSE 8.1 and Arbitrator 3.2 with Firewalling Compile and Setup how-to
by Steve...

Machine configuration:
Pentium III 866 w/256k ram (no onboard stuff like video or lan)
Cheap PCI video card
40 gig hd
2 network cards (identical cards)

If you have any comments or questions about this, please use the bulletin board set up for the Arbitrator; don't try to find me directly for help.

I installed SuSE 8.1 via FTP for this project. This is a way to install SuSE free of charge. Be sure you have a high speed connection to do this though. I went to:
then found the downloads area and followed the link there to:
to see about installing via FTP.
I didn't know it but I found out later the hardest part was picking the right network card driver for the network cards I had installed. They were not in the list since they were not your standard 3com and such. I created the boot CDROM and went that route since I had a CD burner available. If you have never set up SuSE then you might have some problems with choices for what to install; I know I did. I just installed the basics, evidently. The basics don't have the kernel source or compilers installed, but that's not a problem if you can get the machine at least to the point of booting into a video mode you can live with. Once you get it going and set up, you can use YaST2 to add more programs and the source to your install. It is fairly simple. I installed the C/C++ compiler and tools and the Advanced Development and the TCL/TK Development stuff.

You should now have a running SuSE 8.1 with kernel source for 2.4.19.SuSE to continue.

If you are not already, login as root.
cd /usr/src
ls -l
you should see at least 2.4.19.SuSE listed. If you don't see a line that also says just
then do the following
ln -s 2.4.19.SuSE linux
now when you do an ls -l you should see the ones we need. If you did see a linux link in there already then make sure it is pointing to your 2.4.19.SuSE directory. If not then do a rm linux and then relink it by following the line above here.
Now you need to go get the patch for 2.4.19 so firewalling works with the bridge.
It's at http://bridge.sourceforge.net/devel/bridge-nf/bridge-nf-0.0.7-against-2.4.19.diff
When you get it then put it in the /usr/src directory before continuing.
Assuming you put the diff file into /usr/src do the following:
cd /usr/src/2.4.19.SuSE
patch -p1 < /usr/src/bridge-nf-0.0.7-against-2.4.19.diff
cd /usr/src
Now get the bridging tools from the bandwidtharbitrator.com site.
To setup the bridge tools do the following:
mkdir /bridge
cd /bridge
tar xfv /usr/src/bridge-utils-0.9.5.tar
You should now have a bridge-utils directory there if you do an ls.
Now type in:
mkdir /art
Download arbitratorX.X.tar.gz to any directory (from the link on the bandwidtharbitrator.com website); X.X is the version.

Continue only after you have the bridging utilities installed and tested, and the 2.4.19 kernel source installed with a symbolic link /usr/src/linux pointing to that 2.4.19 source directory.

The next step overwrites the standard bridging source files. It should only overwrite files specific to the arbitrator, but to be safe we suggest that you do not do this on a machine with important data or one you can't afford to have crash. If you wish to see what files will be overwritten, just look at the contents of this tar.gz.

tar zxfv arbitratorX.X.tar.gz
cd arbitratorX.X
Run the following command as root

(if you are running a version of arbitrator that is older than 4.21 then the instructions for the install of that are here)

Now you are ready to recompile the kernel
I did the following:

cd /usr/src/linux-2.4.19.SuSE
make clean
make mrproper
make menuconfig

If you are using the 2.4.19.SuSE source then most everything is already checked with a * or M. You can leave it this way or if you know what you are doing, you can turn off some stuff by using the arrow keys on the keyboard down to an item and hitting spacebar to toggle it. * means compile it into the kernel and M means to compile it into a loadable module and a blank means leave it out.
This is how my Networking options screen looked when done:
   M  Packet socket
  [*]   Packet socket: mmapped IO
   M  Netlink device emulation
  [*] Network packet filtering (replaces ipchains)
  [ ]   Network packet filtering debugging
  [*] Socket Filtering
  <*> Unix domain sockets
  [*] TCP/IP networking
   M    Threaded linUX application protocol accelerator layer (TUX)
  [*]     External CGI module
  [*]     extended TUX logging format
  [ ]     debug TUX
  [*]   IP: multicasting
  [*]   IP: advanced router
  [*]     IP: policy routing
  [*]       IP: use netfilter MARK value as routing key
  [*]       IP: fast network address translation
  [*]     IP: equal cost multipath
  [*]     IP: use TOS value as routing key
  [*]     IP: verbose route monitoring
  [*]     IP: large routing tables
  [*]   IP: kernel level autoconfiguration
  [*]     IP: DHCP support
  [*]     IP: BOOTP support
  [*]     IP: RARP support
   M    IP: tunneling
   M    IP: GRE tunnels over IP
  [*]     IP: broadcast GRE over IP
  [*]   IP: multicast routing
  [*]     IP: PIM-SM version 1 support
  [*]     IP: PIM-SM version 2 support
  [ ]   IP: ARP daemon support (EXPERIMENTAL)
  [*]   IP: TCP Explicit Congestion Notification support
  [*]   IP: TCP syncookie support (disabled per default)
    IP: Netfilter Configuration  --->
    IP: Virtual Server Configuration  --->
   M    The IPv6 protocol (EXPERIMENTAL)
    IPv6: Netfilter Configuration  --->
  [ ]   Prepare net_device struct for shared IPv6 cards
   M    Kernel httpd acceleration (EXPERIMENTAL)
  [*] Asynchronous Transfer Mode (ATM) (EXPERIMENTAL)
  [*]   Classical IP over ATM
  [*]     Do NOT send ICMP if no neighbour
   M    LAN Emulation (LANE) support
   M      Multi-Protocol Over ATM (MPOA) support
   M    RFC1483/2684 Bridged protocols
  [ ]     Per-VC IP filter kludge
   M  802.1Q VLAN Support
  ---
   M  The IPX protocol
  [ ]   IPX: Full internal IPX network
   M  Appletalk protocol support
  Appletalk devices  --->
   M  DECnet Support
  [*]   DECnet: SIOCGIFCONF support
  [ ]   DECnet: router support (EXPERIMENTAL)
   M  802.1d Ethernet Bridging
  [*]   netfilter (firewalling) support
   M  CCITT X.25 Packet Layer (EXPERIMENTAL)
   M  LAPB Data Link Driver (EXPERIMENTAL)
  [ ] 802.2 LLC (EXPERIMENTAL)
  [ ] Frame Diverter (EXPERIMENTAL)
   M  Acorn Econet/AUN protocols (EXPERIMENTAL)
  [ ]   AUN over UDP
  [ ]   Native Econet
   M  WAN router
  [ ] Fast switching (read help!)
  [ ] Forwarding between high speed interfaces
  QoS and/or fair queueing  --->
  Network testing  --->

Then go down to IP: Netfilter Configuration and hit enter to get in there. This is what mine looked like in there when done:
   M  Connection tracking (required for masq/NAT)
   M    FTP protocol support
   M    IRC protocol support
   M  Userspace queueing via NETLINK (EXPERIMENTAL)
   M  IP tables support (required for filtering/masq/NAT)
   M    limit match support
   M    MAC address match support
   M    netfilter MARK match support
   M    Multiple port match support
   M    TOS match support
   M    psd match support
   M    AH/ESP match support
   M    LENGTH match support
   M    TTL match support
   M    tcpmss match support
   M    Connection state match support
   M    Connections/IP limit match support
   M    Unclean match support (EXPERIMENTAL)
   M    String match support (EXPERIMENTAL)
   M    Owner match support (EXPERIMENTAL)
   M    Packet filtering
   M      REJECT target support
   M      MIRROR target support (EXPERIMENTAL)
   M    Full NAT
   M      MASQUERADE target support
   M      REDIRECT target support
  [ ]     NAT of local connections (READ HELP)
   M      Basic SNMP-ALG support (EXPERIMENTAL)
   M    Packet mangling
   M      TOS target support
   M      MARK target support
   M    LOG target support
   M    ULOG target support
   M    TCPMSS target support
   M  ARP tables support
   M    ARP packet filtering
   M  ipchains (2.2-style) support
   M  ipfwadm (2.0-style) support
Assuming you chose the rest of the stuff you needed in other areas or left them alone then continue with:

make dep
make bzImage
make modules
cp /usr/src/linux-2.4.19.SuSE/arch/i386/boot/bzImage /boot/vmlinuz-2.4.19-4GB
make modules_install
cp /usr/src/linux-2.4.19.SuSE/System.map /boot/System.map-2.4.19-4GB
YOUR NEW KERNEL IS NOW /boot/vmlinuz-2.4.19-4GB
YOUR MODULES ARE IN /lib/modules/2.4.19-4GB

Now make the bridge utility programs with:

cd /bridge/bridge-utils/

SuSE 8.1 uses the Grub boot loader instead of Lilo. So the following needed to be done:

pico -w /boot/grub/menu.lst
(If you don't use or have the pico editor then use whatever you would for a text editor)
My edited menu.lst looks like:
gfxmenu (hd0,1)/boot/message
color white/blue black/light-gray
default 0
timeout 8
title SuSE-2.4.19
   kernel (hd0,1)/boot/vmlinuz-2.4.19-4GB root=/dev/hda2   vga=788
   initrd (hd0,1)/boot/initrd
title linux-original
   kernel (hd0,1)/boot/vmlinuz root=/dev/hda2   vga=788
   initrd (hd0,1)/boot/initrd
title floppy
   root (fd0)
   chainloader +1
title failsafe
   kernel (hd0,1)/boot/vmlinuz.shipped root=/dev/hda2 vga=normal maxcpus=0 3
   initrd (hd0,1)/boot/initrd.shipped
In the file above the line:
kernel (hd0,1)/boot/vmlinuz-2.4.19-4GB root=/dev/hda2 vga=788
is the major change. Make sure it has vmlinuz-2.4.19-4GB since that is the new kernel. Only change the /boot/vmlinuz-2.4.19-4GB and not the rest of this file.
Your lines and parameters may be different than mine too depending on what partition your SuSE was installed on. Don't change them to mine above, leave them alone.
Save this menu.lst now.

Assuming you have no other programs running that you care about, do:

shutdown -r now

When it comes up you should be able to pick the top menu item (SuSE-2.4.19) in Grub and boot into your new kernel.

You can now edit the files for the Arbitrator such as the /etc/arbitrator.conf and put in some Shaping or limits or change default values.
If you just want to try the standard values in the configs, run this from the console, because the standard setup does not give you remote access to the machine. Your IPs for the net cards will be gone with the standard setup:
/etc/init.d/arbitrate start
You may see a line blow by that says something about the bridging code being tainted or whatever. This is just protection for the author, so he makes sure you know it is not standard kernel source but is patched bridge code.

Other items of interest:
Just so I say it some place, set up your two net cards so the system sees them. Use DHCP if you have DHCP available or give them static IPs if not. The static IPs don't need to be Internetable such as you could use or whatever. The IPs will be removed from eth0 and eth1 when the Arbitrator starts up later in the default files that get installed. If you don't have DHCP though and you choose to use DHCP to get the cards seen by the system then what happens in SuSE (at least in mine) is that DHCP keeps going forever, trying and trying for days or weeks and then finally decides it will not get an IP for the net cards and disables your eth0 and eth1. One way to find out if this is happening to you is to do a:

ps ax |less
and see if DHCP is still in the running processes after you start up the Arbitrator program. If DHCP does find IP's for your net cards it won't be in there and all is well. Otherwise you may find your Arbitrator machine down one day and not know why. Mine took a week or two before it would die this way. Just putting static IP's on eth0 and eth1 and setting up the gateway and dns and unchecking everything related to DHCP in the net card setup fixed that.

How to get back into your box if you mess up the kernel. Well, first try selecting the boot menu item called (linux-original). See if you get back in. If that doesn't work then try the (failsafe) one. If that doesn't work then try hitting ESC on the Grub menu and go to the text based menu of Grub. There go down to the one marked (failsafe) and edit that line with an E. Go to the line that begins with kernel and edit that line too, I think with an E again. Go to the very end of that line and replace that 3 with a 1 (that's a one). Then hit a B to boot into that revised entry. What this does is puts you into init level 1 which doesn't load much in the way of auto load stuff and doesn't even go into X. Now hopefully you can fix whatever you messed up. I found this out by patching the kernel source with the diff file AFTER running Art's shell command which also patches the code. I then proceeded to compile and install the new kernel and even put in a command to start up the /etc/init.d/arbitrate process upon booting. Well I was in a bad spot till I figured out how to get into level 1 cause it would boot up and promptly hang and freeze the screen.

If you want to set the /etc/init.d/arbitrate process to run upon boot then I suggest the following after you have verified that everything always works as you expect it to :)
chkconfig arbitrate 5
chkconfig arbitrate on
This should put a link in the rc5.d directory meaning start the arbitrate process when it gets to this level. I made the mistake of making it so it started in runlevels 2,3,4,5 and that's why I had to resort to editing the Grub boot command on the (failsafe) option. That would boot into runlevel 3 by default. My SuSE goes into runlevel 5 which seems to be the standard runlevel for it. I'm used to Redhat and their norm is 3.

How do I rotate the arblog so it doesn't present a problem some day in the future? Well, I have a crontab that has this line in it set to run at 4 AM:
0 4 * * * /usr/sbin/logrotate /root/arblog.cfg
and that arblog.cfg that is in my /root directory looks like:

/var/log/arblog {
size 1000k
rotate 2
}
This will rotate the log if it is over 1000k in size and will only keep the last two old logs so it doesn't keep going and going...
If you don't know how to add that line to your crontab and you have no crontab right now (check with "crontab -l") then just make a file (I call mine crontab and put it in my root directory) and put in that one liner above. Then, while in the same directory as that new file, and if you called it crontab as I did, just do "crontab crontab" and then "crontab -l" and you should see it there.

How do I get an IP for the bridge so I can use the lan or net to get into the box. Well the way I did it was to edit the file /etc/init.d/arbitrate and go down to the line about 151 (depending on if you edited this file already) and edit the line that looks like:
ifconfig $NAME up
instead of that line put something like
ifconfig $NAME IP_ADDRESS netmask NETMASK up
where IP_ADDRESS is the IP you want for it and NETMASK is the netmask for it. This can be the same as eth0 was if you want, since when the bridge starts up it zeroes out eth0's IP. I also added a line under this with:
route add default gw GATEWAY_IP
which set up my default gateway (GATEWAY_IP stands for the gateway's address). Now either stop arbitrate and delbr the "my" bridge, or reboot, and then start the arbitrate process. Now you can get to the machine and still only use two net cards. You can check to see if it has an IP for the bridge with "ifconfig" and look at the stuff it has for "my", which is the name of the bridge that the Arbitrator creates. If you notice, your eth0 and eth1 now have no IPs.

What's a firewall routine look like that I can build upon. Well this is one. Note that when you are dealing with a bridge that the rules are usually applied to the FORWARD chain and not the normal INPUT chain. Firewall lines can be written many different ways, the example below is just one way.

# allows connection tracking support, needed
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# Flush all rules in the filter table for a clean slate (chain policies are left unchanged)
iptables -F
# enables connection tracking, needed
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# allows all outbound traffic
iptables -A FORWARD --in-interface eth1 --out-interface eth0 -j ACCEPT
# drop anything from this incoming IP because I dislike this person (replace IP_TO_BLOCK with the source IP)
#iptables -A FORWARD --in-interface eth0 --out-interface eth1 -s IP_TO_BLOCK -j REJECT
# allow SOME inbound services
iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp --destination-port http -j ACCEPT
iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p udp --destination-port http -j ACCEPT
iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp --destination-port smtp -j ACCEPT
iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p udp --destination-port smtp -j ACCEPT
iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp --destination-port 110 -j ACCEPT
iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p udp --destination-port 110 -j ACCEPT
iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp --destination-port ssh -j ACCEPT
iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p udp --destination-port ssh -j ACCEPT
# drop everything else
iptables -A FORWARD --in-interface eth0 --out-interface eth1 -j REJECT
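
A default-deny variant of the FORWARD rules above, as an added example that is not part of the original how-to: it prints an iptables-restore ruleset with the FORWARD policy set to DROP and inbound services opened over TCP only. The function names and the port list are assumptions; eth0 and eth1 are the bridge ports used in the how-to.

```shell
#!/bin/sh
# Added example: build a default-deny FORWARD ruleset for the bridge in
# iptables-restore format. Nothing is applied here; rules are only printed.
# valid_port and build_ruleset are hypothetical helper names.

INSIDE_IF=eth1     # LAN-side bridge port, as in the how-to
OUTSIDE_IF=eth0    # Internet-side bridge port, as in the how-to

# valid_port PORT: succeeds only for a decimal integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;   # empty, non-digit, or too long
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_ruleset PORT...: prints the ruleset on stdout.
# Returns 1 and prints no rules if any port is invalid, so a typo
# cannot produce a half-built firewall.
build_ruleset() {
    for p in "$@"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    echo "*filter"
    echo ":INPUT ACCEPT [0:0]"
    # Anything that matches no rule below is dropped, in either direction.
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # Connection tracking: discard invalid packets, pass replies.
    echo "-A FORWARD -m state --state INVALID -j DROP"
    echo "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # All outbound traffic is allowed, as in the how-to.
    echo "-A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -j ACCEPT"
    # Inbound: only new TCP connections to the listed ports.
    for p in "$@"; do
        echo "-A FORWARD -i $OUTSIDE_IF -o $INSIDE_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Reject the rest of the inbound traffic so clients fail fast.
    echo "-A FORWARD -i $OUTSIDE_IF -o $INSIDE_IF -j REJECT"
    echo "COMMIT"
}

# Print the ruleset for http, smtp, pop3 and ssh when run as: script print
if [ "${1:-}" = "print" ]; then
    build_ruleset 80 25 110 22
fi
```

To check the syntax without loading anything, pipe the output to iptables-restore --test as root.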
Thanks to Art, George, LarsG, trnepal, price and Andre since I used them via the Arbitrator mailing list or direct email to get advice or just read what they were going through to help me solve my own problems getting this all going.



All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2002 by me