Managing network traffic with WebHTB
We show you how WebHTB lets you manage network bandwidth through a convenient browser interface.
Most client computers are configured to draw the bandwidth they need up to the limits of the hardware, but the default techniques for sharing bandwidth among multiple systems on a local network are often inadequate when traffic volumes climb. Many admins find they get better network performance (and fewer user complaints) by imposing a system that places limits on individual bandwidth usage. For instance, imagine what would happen if several of the systems on a local network simultaneously started downloading movies from torrent sites, using up to 98 percent of the collective download and upload capacity. The other users on the network would complain, and you as the network administrator would have to devote precious time to troubleshooting and answering email. Why not let an automated system impose bandwidth management that addresses these kinds of issues?
Unfortunately, the tools that take advantage of the QoS (Quality of Service) support in the Linux kernel are often difficult to set up and configure, and the best ones require a kernel recompile. The HTB-tools package has long been a standard Linux tool for limiting bandwidth use. Although it requires a lot of calculations and fiddling with configuration files, you can fine-tune HTB-tools to meet the needs of your network.
An easy alternative for managing traffic flow on your local network is a tool called WebHTB. WebHTB (Figure 1) is a set of PHP files that can help you allocate bandwidth through a web-based AJAX front end. WebHTB lets you limit bandwidth on external and internal IP addresses and manage bandwidth on private Secure Network Address Translation (SNAT) addresses.
Before you can use WebHTB, you need to activate some kernel modules and recompile the kernel. First, add the following modules to your kernel configuration: Hierarchical Token Bucket (HTB), Stochastic Fairness Queuing (SFQ), Netfilter mark (FW), and Universal 32-bit comparisons with hashing (U32). In addition, you need to activate netfilter marks support and the U32 Key. Next, install iproute2 along with a web server that supports SSL 2.8 (Apache will do just fine), as well as support for MySQL, PHP, and SSH2. An SSL-enabled web server is essential for security reasons because the root password is given at login and stored with encryption. WebHTB only uses this password while making changes to the configuration. Now download the latest WebHTB package (version 2.7 at the time of this writing) and extract the archive to your web server root on the same machine acting as a router on your network.
Next, you must set up a database for WebHTB. To do so, first enter the MySQL prompt with:
mysql -u root -p
Then create a new database called webhtbdb and grant access to your user:
CREATE DATABASE webhtbdb;
GRANT ALL PRIVILEGES ON webhtbdb.* TO 'user'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;
quit;
If you haven't done so already, add the user under which the web server is running to the end of the /etc/sudoers file. Also, it is important that this user have read/write permissions to the webhtb/config/config.php file in your web server root. This file stores WebHTB's settings and should be checked after you finish the installation.
Now that the hard part is over, launch your web browser, point it to http://127.0.0.1/webhtb/setup, and follow the steps of the WebHTB installer. On the setup page, enter the MySQL administrator username and password, as well as the username and password of the user who was just granted access to the newly created database. Enter webhtbdb as the database name. Choose your primary network interface (usually eth0), and submit the changes.
If the installation is successful, you can then delete the setup folder.
Earlier versions of WebHTB relied on the HTB-tools package for some QoS features. Since version 2.0, WebHTB comes with tools to deal with QoS directly. To see what is available, you can watch a Flash demo of WebHTB in action.
WebHTB watches the network interface between a local network and the Internet and imposes traffic quotas for the computers on the local net.
In particular, WebHTB manages the following parameters:
- Bandwidth – the minimum guaranteed bandwidth.
- Limit – the maximum bandwidth available to a single computer.
- Burst – the amount of data that can be sent at the maximum hardware speed before the hardware can serve another data set. If Burst is set to 0, WebHTB will calculate and apply a value automatically.
- Priority – rank in the bandwidth allocation hierarchy (a lower number denotes a higher rank).
- Queue – defines the scheduler type (currently, PFIFO, SFQ, or ESFQ).
The goal is to define classes of computers with a common purpose. For example, an Accounting class could consist of computers assigned to the accounting staff that serve a similar function. Then you can associate the desired bandwidth settings with the class.
Before you start creating classes, though, you need to define the network interface. Select Interfaces+ in the main menu to reach a dialog that will let you add an interface to the WebHTB configuration (Figure 2).
Select Classes+ in the main menu to reach a dialog that will let you define a class of computers for your network (Figure 3).
Note that you can assign bandwidth limits with the class. These limits will apply to each of the computers in the class; however, you can also associate bandwidth limits with a specific computer that will override the class settings.
Once the class is created, you can start adding computers to the class. Click the Clients+ menu entry in the main window, choose Add Client, and enter a name for the PC. Next, set the Bandwidth and Limit values to the settings you want to attribute to the PC and pick a priority level from the drop-down menu. Client names should not contain spaces or special characters, and you must limit the Bandwidth and Limit values to a multiple of 8. Now click Save. If you want to add more clients, press Reset to clear the fields.
The new clients should appear in the list immediately. With a click of the mouse, you can edit and delete the entries, thanks to the AJAX interface (Figure 4). WebHTB works with IP, MARK, or MAC addresses.
The Show option in the menu bar leads to another submenu called Show Traffic. The Show Traffic option pops up a small window that constantly refreshes and allows the administrator to see who is using company bandwidth (Figure 5). In real time, you can study the download speed of individual clients, the overall speed of entire classes, and the limits.
Now, I want you to consider a typical scenario. Say you are the administrator of a network with 50 computers. One of the computers belongs to your boss, one is your workstation, and the other 48 are divided among your co-workers. Your job is to divide a 5Mbps line among these systems so that you and your boss will never have a speed problem and your colleagues will each have a stable Internet connection.
After you have added eth0 as the default interface, create two new classes: one called Privileged and one called Colleagues. In the Privileged class, add a new client called Boss, with a guaranteed bandwidth of 512Kbps and a limit of 640Kbps. Set the priority level to 0 so this user won't have to wait in line when downloading. Create another client called Administrator with the same settings.
This configuration assigns one fifth of the available bandwidth exclusively to you and your boss. If the other computers on the network will not be using the Internet connection at its fullest, you and your boss will each have an extra 128Kbps (because the configuration defines a maximum limit of 640Kbps).
Now all you have to do is put the rest of the users in the Colleagues class and give them equal rights at a lower guaranteed bandwidth (roughly 80Kbps each) and a limit of 128Kbps. Set priority levels as you desire (remember: the lower the assigned number, the higher the position in the bandwidth distribution hierarchy).
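What WebHTB writes to the kernel for this scenario is an HTB hierarchy, and it helps to see the equivalent iproute2 commands in the open. The script below is an added example, not WebHTB's own code: it emits the tc commands for the 5Mbps line, a Privileged class (Boss and Administrator, 512Kbps guaranteed, 640Kbps limit, priority 0) and a Colleagues class (80Kbps guaranteed, 128Kbps limit, priority 1 per client), using SFQ on each leaf and u32 filters on the client IP, and it refuses to over-commit the guaranteed rates. The function names (check_rate, htb_class, htb_leaf, build_shaping), the client addresses in 192.168.1.0/24 and the catch-all class for unlisted hosts are assumptions of the example; it takes eth0 as the LAN-facing interface, since tc shapes traffic leaving an interface, which for the LAN side is the clients' download direction. By default it only prints the commands (TC="echo tc"); run it as root with TC=tc to apply them.

```shell
#!/bin/sh
# Added example (not WebHTB's code): emit the tc commands behind the article's
# Privileged / Colleagues scenario as an HTB hierarchy with SFQ leaves.
# Assumptions: IFACE is the LAN-facing interface (egress = client downloads),
# client IPs are constructed placeholders, TC="echo tc" only prints the commands.

IFACE="${IFACE:-eth0}"
TC="${TC:-echo tc}"
LINE_KBIT=5000

# WebHTB accepts Bandwidth/Limit values only as positive multiples of 8.
check_rate() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 0 ] && [ $(( $1 % 8 )) -eq 0 ]
}

# htb_class PARENT CLASSID RATE_KBIT CEIL_KBIT PRIO
# rate = WebHTB "Bandwidth" (guaranteed), ceil = "Limit", prio = "Priority".
htb_class() {
    check_rate "$3" && check_rate "$4" || { echo "bad rate for $2: $3/$4" >&2; return 1; }
    [ "$3" -le "$4" ] || { echo "rate exceeds ceil for $2" >&2; return 1; }
    $TC class add dev "$IFACE" parent "$1" classid "$2" htb \
        rate "${3}kbit" ceil "${4}kbit" prio "$5"
}

# htb_leaf PARENT CLASSID RATE_KBIT CEIL_KBIT PRIO CLIENT_IP
# Leaf class, an SFQ queue (WebHTB "Queue" = SFQ) and a u32 filter that steers
# packets addressed to the client into the class (WebHTB's IP mode).
htb_leaf() {
    htb_class "$1" "$2" "$3" "$4" "$5" || return 1
    $TC qdisc add dev "$IFACE" parent "$2" handle "${2#1:}:" sfq perturb 10
    $TC filter add dev "$IFACE" parent 1: protocol ip prio 1 u32 \
        match ip dst "$6/32" flowid "$2"
}

# build_shaping [N_COLLEAGUES]: the whole hierarchy; fails if the guaranteed
# rates (plus a 128 kbit catch-all class for unlisted hosts) exceed the line.
build_shaping() {
    n="${1:-48}"
    priv=$(( 2 * 512 ))
    coll=$(( n * 80 ))
    [ $(( priv + coll + 128 )) -le "$LINE_KBIT" ] \
        || { echo "guaranteed rates exceed ${LINE_KBIT} kbit" >&2; return 1; }

    $TC qdisc del dev "$IFACE" root 2>/dev/null || true
    $TC qdisc add dev "$IFACE" root handle 1: htb default 3
    htb_class 1:  1:1  "$LINE_KBIT" "$LINE_KBIT" 0     # the whole line
    htb_class 1:1 1:10 "$priv" "$(( 2 * 640 ))" 0      # Privileged
    htb_class 1:1 1:20 "$coll" "$LINE_KBIT" 1          # Colleagues
    htb_class 1:1 1:3  128 "$LINE_KBIT" 7              # unlisted hosts
    $TC qdisc add dev "$IFACE" parent 1:3 handle 3: sfq perturb 10

    htb_leaf 1:10 1:11 512 640 0 192.168.1.2   # Boss
    htb_leaf 1:10 1:12 512 640 0 192.168.1.3   # Administrator

    i=0
    while [ "$i" -lt "$n" ]; do
        # class ids 1:21 upwards (hex), hosts 192.168.1.11 upwards
        htb_leaf 1:20 "1:$(printf '%x' $(( 0x21 + i )))" 80 128 1 "192.168.1.$(( 11 + i ))"
        i=$(( i + 1 ))
    done
}

build_shaping "${1:-48}"
```

Because the inner Colleagues class has a ceiling of the full line while each colleague leaf is capped at 128Kbps, idle capacity is lent out but no single colleague can claim more than the limit, which is exactly the borrowing behaviour the article describes for the Boss and Administrator clients. Two values are easy to get wrong by hand and are checked here: a Bandwidth or Limit that is not a multiple of 8, and a set of guaranteed rates whose sum exceeds the line.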
The WebHTB Control Center is a work in progress. The developers plan to finish it with version 2.8. The Control Center manages settings such as the MySQL password, the range of IP addresses that can access the WebHTB interface, or the language in which WebHTB is displayed. Currently, WebHTB supports Romanian, English, Spanish, and Portuguese, but according to the main developer, Daniel Delicostea, more translations are on the way. The Control Center (Figure 6) also lets users back up and restore the current settings, so the administrator can use different configurations at different times.
Before you decide who gets what bandwidth, draw a mental map of your company. Calculate who needs the bandwidth most and who usually works extra hours. The overtime workers should have a higher limit so that when the others leave for home, they will get access to the unused bandwidth. In conjunction with a good set of iptables rules (and maybe a Squid install), WebHTB will simplify your life as a network administrator. Create different configurations and experiment until you find an approach that works well for everyone.