Shaping Layer 7 Applications on CentOS 4.7 (iptables + l7 + IMQ + tc/HTB)
First, download the kernel 2.6.26 source.
# wget -t0 -c http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.26.tar.bz2
Download the iptables 1.4.1 source.
# wget -t0 -c http://www.netfilter.org/projects/iptables/files/iptables-1.4.1.tar.bz2
Download the l7 + IMQ patches (for the kernel and for iptables), which I have modified and combined into one bundle:
linux-2.6.26-layer7-imq.patch
iptables-1.4.1-layer7-imq.patch
Extract, patch and compile the kernel source (to RPM):
# tar xjf linux-2.6.26.tar.bz2
# cd linux-2.6.26
# patch -p1 < ../linux-2.6.26-layer7-imq.patch
patching file drivers/net/imq.c
patching file drivers/net/Kconfig
patching file drivers/net/Makefile
patching file include/linux/imq.h
patching file include/linux/netfilter/xt_IMQ.h
patching file include/linux/netfilter/xt_layer7.h
patching file include/linux/netfilter_ipv4/ipt_IMQ.h
patching file include/linux/netfilter_ipv6/ip6t_IMQ.h
patching file include/linux/skbuff.h
patching file include/net/netfilter/nf_conntrack.h
patching file include/net/netfilter/nf_queue.h
patching file net/core/dev.c
patching file net/core/skbuff.c
patching file net/netfilter/Kconfig
patching file net/netfilter/Makefile
patching file net/netfilter/nf_conntrack_core.c
patching file net/netfilter/nf_conntrack_standalone.c
patching file net/netfilter/nf_queue.c
patching file net/netfilter/regexp/regexp.c
patching file net/netfilter/regexp/regexp.h
patching file net/netfilter/regexp/regmagic.h
patching file net/netfilter/regexp/regsub.c
patching file net/netfilter/xt_IMQ.c
patching file net/netfilter/xt_layer7.c
# cp /boot/config-`uname -r` .config
# make clean
# make menuconfig
Select every option related to the IMQ device and layer7.
# make rpm
# rpm -ivh /path/to/kernel-2.6.26-1.i[3/6]86.rpm
# mkinitrd initrd-2.6.26-default.img 2.6.26
Configure grub so that it boots the kernel you just compiled:
title CentOS (2.6.26)
root (hd0,0)
kernel /vmlinuz-2.6.26 ro root=LABEL=/
initrd /initrd-2.6.26-default.img
Adjust this to match your own grub configuration.
Extract, patch and compile iptables:
# tar xjf iptables-1.4.1.tar.bz2
# cd iptables-1.4.1
# patch -p1 < ../iptables-1.4.1-layer7-imq.patch
# make clean
# ./configure --with-ksource=../linux-2.6.26
# make
# make install
If you want it as an RPM, you can find the iptables spec file on rpmfind.net.
Add aliases for imq in modprobe.conf:
alias imq0 imq
alias imq1 imq
tc/HTB script, put it in /etc/rc.d/rc:
#---- IMQ+layer7 -----
tc qdisc del dev imq0 root > /dev/null 2>&1
/sbin/ip link set imq0 up
/sbin/tc qdisc add dev imq0 root handle 1: htb default 2
/sbin/tc class add dev imq0 parent 1: classid 1:1 htb rate 80000Kbit
/sbin/tc class add dev imq0 parent 1: classid 1:2 htb rate 80000Kbit
/sbin/tc class add dev imq0 parent 1:1 classid 1:10 htb rate 1kbit ceil 2kbit
/sbin/tc filter add dev imq0 parent 1: protocol ip prio 1 u32 match ip dst 0/0 match ip src [your ip network] flowid 1:10
/usr/local/sbin/iptables -t mangle -I PREROUTING -i eth1 -m layer7 --l7proto bittorrent -j IMQ --todev 0
/usr/local/sbin/iptables -t mangle -I PREROUTING -i eth1 -m layer7 --l7proto edonkey -j IMQ --todev 0
/usr/local/sbin/iptables -t mangle -I PREROUTING -i eth1 -m layer7 --l7proto gnutella -j IMQ --todev 0
/usr/local/sbin/iptables -t mangle -I PREROUTING -i eth1 -m layer7 --l7proto irc -j IMQ --todev 0
/usr/local/sbin/iptables -t mangle -I PREROUTING -i eth1 -m layer7 --l7proto kugoo -j IMQ --todev 0
/usr/local/sbin/iptables -t mangle -I PREROUTING -i eth1 -m layer7 --l7proto xunlei -j IMQ --todev 0
/usr/local/sbin/iptables -t mangle -I PREROUTING -i eth1 -m layer7 --l7proto pplive -j IMQ --todev 0
/usr/local/sbin/iptables -t mangle -I PREROUTING -i eth1 -m layer7 --l7proto http-dap -j IMQ --todev 0
tc qdisc del dev imq1 root > /dev/null 2>&1
/sbin/ip link set imq1 up
/sbin/tc qdisc add dev imq1 root handle 2: htb default 2
/sbin/tc class add dev imq1 parent 2: classid 2:1 htb rate 80000Kbit
/sbin/tc class add dev imq1 parent 2: classid 2:2 htb rate 80000Kbit
/sbin/tc class add dev imq1 parent 2:1 classid 2:10 htb rate 1kbit ceil 2kbit
/sbin/tc filter add dev imq1 parent 2: protocol ip prio 1 u32 match ip dst [your ip network] match ip src 0/0 flowid 2:10
/usr/local/sbin/iptables -t mangle -I POSTROUTING -o eth1 -m layer7 --l7proto bittorrent -j IMQ --todev 1
/usr/local/sbin/iptables -t mangle -I POSTROUTING -o eth1 -m layer7 --l7proto edonkey -j IMQ --todev 1
/usr/local/sbin/iptables -t mangle -I POSTROUTING -o eth1 -m layer7 --l7proto gnutella -j IMQ --todev 1
/usr/local/sbin/iptables -t mangle -I POSTROUTING -o eth1 -m layer7 --l7proto irc -j IMQ --todev 1
/usr/local/sbin/iptables -t mangle -I POSTROUTING -o eth1 -m layer7 --l7proto kugoo -j IMQ --todev 1
/usr/local/sbin/iptables -t mangle -I POSTROUTING -o eth1 -m layer7 --l7proto xunlei -j IMQ --todev 1
/usr/local/sbin/iptables -t mangle -I POSTROUTING -o eth1 -m layer7 --l7proto pplive -j IMQ --todev 1
/usr/local/sbin/iptables -t mangle -I POSTROUTING -o eth1 -m layer7 --l7proto http-dap -j IMQ --todev 1
#---- IMQ+layer7 -----
reboot
done
Warning: not tested with other kernel or iptables versions; be careful or you may end up with a kernel panic.
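The script above inserts each rule with -I on every run, so running it twice leaves duplicate rules in PREROUTING/POSTROUTING, and both directions are typed out by hand. The following is an added example, not the original post's script: the same IMQ + layer7 + HTB setup generated from one protocol list for both directions, kept in dedicated mangle chains so it is safe to re-run, with DRY_RUN=1 to print the commands for review instead of executing them. It assumes eth1 is the LAN interface and the patched iptables is in /usr/local/sbin; the network 192.0.2.0/24 in the usage line is a constructed sample value.

```shell
#!/bin/sh
# Added example (not from the original post): IMQ + layer7 + HTB shaping for
# both directions from one protocol list, in dedicated mangle chains so the
# script is idempotent. DRY_RUN=1 prints each command instead of running it.
# Assumes eth1 is the LAN side and the patched iptables is /usr/local/sbin/iptables.

L7_PROTOS="bittorrent edonkey gnutella irc kugoo xunlei pplive http-dap"
IPTABLES=${IPTABLES:-/usr/local/sbin/iptables}
TC=${TC:-/sbin/tc}
IP=${IP:-/sbin/ip}
RATE=${RATE:-1kbit}   # rate/ceil values taken from the original script
CEIL=${CEIL:-2kbit}

# Print the command when DRY_RUN=1, otherwise execute it.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# shape_dir DEV HANDLE IFACE CHAIN IFFLAG SIDE NET
#   imq0 1 eth1 PREROUTING  -i src NET  -> traffic from the LAN (upload)
#   imq1 2 eth1 POSTROUTING -o dst NET  -> traffic to the LAN (download)
shape_dir() {
  dev=$1 h=$2 iface=$3 chain=$4 ifflag=$5 side=$6 net=$7
  imqnum=${dev#imq} sub="L7SHAPE_$chain"
  run $TC qdisc del dev "$dev" root 2>/dev/null
  run $IP link set "$dev" up
  run $TC qdisc add dev "$dev" root handle "$h:" htb default 2
  run $TC class add dev "$dev" parent "$h:" classid "$h:1" htb rate 80000Kbit
  run $TC class add dev "$dev" parent "$h:" classid "$h:2" htb rate 80000Kbit
  run $TC class add dev "$dev" parent "$h:1" classid "$h:10" htb rate "$RATE" ceil "$CEIL"
  run $TC filter add dev "$dev" parent "$h:" protocol ip prio 1 u32 \
    match ip "$side" "$net" flowid "$h:10"
  # Dedicated chain: create if missing, flush it, and hook it exactly once.
  run $IPTABLES -t mangle -N "$sub" 2>/dev/null
  run $IPTABLES -t mangle -F "$sub"
  run $IPTABLES -t mangle -D "$chain" "$ifflag" "$iface" -j "$sub" 2>/dev/null
  run $IPTABLES -t mangle -A "$chain" "$ifflag" "$iface" -j "$sub"
  for p in $L7_PROTOS; do
    run $IPTABLES -t mangle -A "$sub" -m layer7 --l7proto "$p" -j IMQ --todev "$imqnum"
  done
}

# Usage: DRY_RUN=1 sh l7shape.sh apply 192.0.2.0/24   (review the commands)
#        sh l7shape.sh apply 192.0.2.0/24             (apply them, as root)
if [ "${1:-}" = apply ] && [ -n "${2:-}" ]; then
  shape_dir imq0 1 eth1 PREROUTING -i src "$2"
  shape_dir imq1 2 eth1 POSTROUTING -o dst "$2"
fi
```

Keep in mind that layer7 patterns only inspect the first packets of a connection and do not match encrypted or obfuscated P2P traffic, and anything unmatched lands in the uncapped default class 2, so this is best-effort shaping rather than enforcement.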
Tags: IMQ, iptables, kernel, layer7, linux, netfilter, patch

Can the same instructions be applied to Debian?
For the iptables commands themselves, technically yes, but patching the kernel the Debian way might be different.
Bro, I want to ask how do I contact you?
I have a few questions regarding the QOS for Centos, you could email me back and we can chat.
I think it's much better if you ask here, so other people can share/learn the information too.
thanks