Limiting NTP traffic
If
- you have an NTP server in the pool, and
- your NTP traffic would exceed your monthly traffic quota, and
- you have already set your netspeed in the pool to the lowest possible setting, or you simply don't want to spend your time watching your fluctuating traffic estimates, and
- you know how to work with shell scripts and iptables,
then this page might be for you. Here are the scripts I use to limit the monthly outgoing traffic of my two NTP servers to under 4 TB (more specifically, my ISP's limit is 4000 GB, not 4096 GB). Note that vnstat reports in binary units (1 TiB = 1024 GiB), so check whether your ISP counts decimal or binary gigabytes before choosing your threshold.
Adjust appropriately. No warranties. No support. These scripts are not particularly pretty or well-polished, but I'm publishing them in case they are useful for someone.
These scripts implement automatic throttling. While throttling is active, the firewall drops NTP requests from the NTP Pool monitoring server's netblocks while still serving all other clients. The monitoring then sees the server as unreachable, its score drops below 10 and it is removed from the pool's DNS rotation, so no new clients are sent its way (clients that already have its address keep querying it, so traffic tapers off rather than stopping at once). Once the estimate for the monthly traffic falls below the throttle limit, the firewall is adjusted again so that the monitoring probes get through, and the server is back in the pool in a few hours.
The script that estimates the traffic runs as a normal user and signals its decision through a flag file; the script that adjusts the firewall runs as root and acts on that file. Keep in mind that root is then taking instructions from a file in a directory every local user can write to, so on a multi-user host make the root script check the file's owner (or keep the flag in a directory only that user can write). These scripts use vnstat for estimating the traffic. For CentOS users, vnstat is available from the EPEL repository; users of other distributions will need to find it elsewhere. vnstat must be configured and started, and remember to enable it at boot as well.
throttle-4tb.sh, run as normal user:
#!/bin/sh
# throttle-4tb.sh: run from the unprivileged user's crontab. Reads vnstat's
# estimate for this month's outgoing traffic and creates or removes the flag
# file that throttle-ntpd.sh (run as root) acts on. Each on/off decision is
# logged with a timestamp so the throttling history can be reviewed later.
FLAG=/tmp/throttle-ntpd.txt
LOG=/home/user/bin/throttle.txt
# tx column of vnstat's "estimated" line, kept only if it is already in TiB.
# An empty result (estimate still in GiB or below, or no estimate yet) is far
# under the limit and is treated as "1".
TX1=$( vnstat -m | grep estimated | tail -1 | cut -d\| -f2 | grep TiB )
if [ -z "$TX1" ]
then
    TX1=1
fi
# "3.85 TiB" -> "385": relies on vnstat printing TiB values with exactly two
# decimals, so that 385 means 3.85 TiB.
TX2=$( echo "$TX1" | sed 's/[^0-9]//g' )
if [ "$TX2" -ge 385 ] # 3.85 TiB = 3942 GiB
then
    if [ ! -r "$FLAG" ]
    then
        printf 'on ' >> "$LOG"
        date >> "$LOG"
        touch "$FLAG"
    fi
else
    if [ -r "$FLAG" ]
    then
        printf 'off ' >> "$LOG"
        date >> "$LOG"
        rm -f "$FLAG"
    fi
fi
crontab entry (for user):
1,6,11,16,21,26,31,36,41,46,51,56 * * * * sh /home/user/bin/throttle-4tb.sh
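The digit-stripping in throttle-4tb.sh only works while vnstat prints the tx estimate in TiB with two decimals, and the on/off decision has no hysteresis, so an estimate hovering around the threshold toggles the firewall (and the pool score) every five minutes. The following is an added example, not the author's script: it parses the "estimated" line unit-aware (KiB through PiB, converting to GiB) and applies a separate release threshold. The sample vnstat output, the function names tx_estimate_gib and should_throttle, and the 3942.4/3800 GiB thresholds are constructed for this example; it assumes vnstat's IEC unit labels and its rx | tx | total column layout.

```shell
#!/bin/sh
# Added example, not the page's own script: unit-aware parsing of vnstat's
# monthly tx estimate plus a throttle decision with hysteresis.
# Assumes vnstat prints its "estimated" line with IEC unit labels
# (KiB, MiB, GiB, TiB, PiB) and the rx | tx | total column layout.

# Constructed sample of `vnstat -m` output, standing in for the live command.
SAMPLE_VNSTAT='
 eth0  /  monthly

       month        rx      |     tx      |    total    |   avg. rate
    ------------------------+-------------+-------------+---------------
      Feb 14      1.20 TiB |    3.10 TiB |    4.30 TiB |  12.34 Mbit/s
    ------------------------+-------------+-------------+---------------
    estimated      1.50 TiB |    3.85 TiB |    5.35 TiB |
'

# tx_estimate_gib: read `vnstat -m` output on stdin and print the estimated
# monthly tx volume in GiB with two decimals. Prints 0.00 when there is no
# estimate line yet (fresh install, start of the month) or the unit is unknown.
tx_estimate_gib() {
    awk -F'|' '
        /estimated/ {
            n = split($2, f, " ")            # f[1] = value, f[2] = unit label
            if (n < 2) next
            v = f[1] + 0; u = f[2]
            if (u == "KiB")      v /= 1024 * 1024
            else if (u == "MiB") v /= 1024
            else if (u == "TiB") v *= 1024
            else if (u == "PiB") v *= 1024 * 1024
            else if (u != "GiB") next        # unknown label: ignore the line
            found = 1
        }
        END { printf "%.2f\n", (found ? v : 0) }'
}

# should_throttle ESTIMATE_GIB CURRENT_STATE ON_AT_GIB OFF_AT_GIB
# Prints the new state ("on" or "off"). Throttling starts once the estimate
# reaches ON_AT_GIB and only stops once it has fallen below OFF_AT_GIB, so a
# fluctuating estimate near the limit does not flip the firewall rules (and
# the pool score) every five minutes.
should_throttle() {
    awk -v e="$1" -v s="$2" -v on="$3" -v off="$4" 'BEGIN {
        if (s == "on") r = (e < off) ? "off" : "on"
        else           r = (e >= on) ? "on" : "off"
        print r
    }'
}

# Example thresholds (assumptions): start throttling at 3.85 TiB = 3942.4 GiB,
# as the original script does, and release only once below 3800 GiB.
ON_AT=3942.4
OFF_AT=3800

main() {
    est=$(printf '%s\n' "$SAMPLE_VNSTAT" | tx_estimate_gib)
    # In the real cron job the current state would come from the flag file.
    state=off
    echo "estimated tx this month: $est GiB"
    echo "throttle: $(should_throttle "$est" "$state" "$ON_AT" "$OFF_AT")"
}
main
```

To use it in place of the original check, replace the constructed sample with the live `vnstat -m` output, derive the current state from the flag file, and touch or remove the flag according to the printed result; the gap between ON_AT and OFF_AT is what keeps a single run from undoing the previous one.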
throttle-ntpd.sh, run as root:
#!/bin/sh
# throttle-ntpd.sh: run from root's crontab. Adds or removes the DROP rules for
# the pool monitoring netblocks according to the flag file written by
# throttle-4tb.sh. The flag lives in world-writable /tmp, so also require that
# it is owned by the unprivileged account running throttle-4tb.sh; otherwise
# any local user could create the file and knock this server out of the pool.
FLAG=/tmp/throttle-ntpd.txt
OWNER=user      # account that runs throttle-4tb.sh; stat -c %U is GNU coreutils
IPT=/sbin/iptables
# note that there's no guarantee that these netblocks will not change
MONITORS="207.171.3.0/24 207.171.7.0/24"
throttle_requested() { [ -r "$FLAG" ] && [ "$(stat -c %U "$FLAG")" = "$OWNER" ]; }
throttle_active() { $IPT -L UDP_IN -n -v | grep -q throttle; }
if throttle_requested && ! throttle_active
then
    for net in $MONITORS
    do
        $IPT -I UDP_IN -p udp --dport 123 -s "$net" -j DROP -m comment --comment "pool monitoring throttled"
    done
elif ! throttle_requested && throttle_active
then
    for net in $MONITORS
    do
        $IPT -D UDP_IN -p udp --dport 123 -s "$net" -j DROP -m comment --comment "pool monitoring throttled"
    done
fi
crontab entry (for root):
2,7,12,17,22,27,32,37,42,47,52,57 * * * * sh /root/bin/throttle-ntpd.sh
This setup also requires a UDP_IN chain in your iptables config. It's up to you to arrange that, but generally it's a matter of iptables -N UDP_IN and iptables -A INPUT -p udp -g UDP_IN. Note that -g (goto) does not return to INPUT when UDP_IN ends without a verdict, so any UDP rules you have later in INPUT are skipped; use -j instead if you rely on those. Before trusting the monitoring netblocks listed in the script, verify against your own NTP or firewall logs which addresses the pool's monitoring currently probes you from.
Hope this helps!