Shaping Layer 7 Application on centos 4.7 (iptables + l7 + IMQ + tc/HTB)

 bash, c, filter, iptables, kernel, linux, modules  Add comments
Jul 032009
 

Pertama download kernel source kernel 2.6.26.

# wget -t0 -c http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.26.tar.bz2

Download iptables 1.4.1 source.

# wget -t0 -c http://www.netfilter.org/projects/iptables/files/iptables-1.4.1.tar.bz2

Download patch l7 + IMQ (untuk kernel dan iptables) yg sudah saya modifikasi jadi satu bundle.
[download#3]
[download#4]

Extract, patch dan compile kernel source(to RPM)

# tar xjf linux-2.6.26.tar.bz2
# cd linux-2.6.26
# patch -p1 < ../linux-2.6.26-layer7-imq.patch
patching file drivers/net/imq.c
patching file drivers/net/Kconfig
patching file drivers/net/Makefile
patching file include/linux/imq.h
patching file include/linux/netfilter/xt_IMQ.h
patching file include/linux/netfilter/xt_layer7.h
patching file include/linux/netfilter_ipv4/ipt_IMQ.h
patching file include/linux/netfilter_ipv6/ip6t_IMQ.h
patching file include/linux/skbuff.h
patching file include/net/netfilter/nf_conntrack.h
patching file include/net/netfilter/nf_queue.h
patching file net/core/dev.c
patching file net/core/skbuff.c
patching file net/netfilter/Kconfig
patching file net/netfilter/Makefile
patching file net/netfilter/nf_conntrack_core.c
patching file net/netfilter/nf_conntrack_standalone.c
patching file net/netfilter/nf_queue.c
patching file net/netfilter/regexp/regexp.c
patching file net/netfilter/regexp/regexp.h
patching file net/netfilter/regexp/regmagic.h
patching file net/netfilter/regexp/regsub.c
patching file net/netfilter/xt_IMQ.c
patching file net/netfilter/xt_layer7.c

# cp /boot/config-`uname -r` .config
# make clean
# make menuconfig

pilih semua option yg ada hubungannya dengan IMQ device dan layer7

# make rpm
# rpm -ivh /path/to/kernel-2.6.26-1.i[3/6]86.rpm
# mkinitrd initrd-2.6.26-default.img 2.6.26

konfigure grub supaya booting dengan kernel yg telah di compile.

title CentOS (2.6.26)
       root (hd0,0)
       kernel /vmlinuz-2.6.26 ro root=LABEL=/
       initrd /initrd-2.6.26-default.img

sesuai kan dengan konfig grub anda
Extract ,patch dan compile iptables

# tar xjf iptables-1.4.1.tar.bz2
# cd iptables-1.4.1
# pacth -p1 < ../iptables-1.4.1-layer7-imq.patch
# make clean
# ./configure --with-ksource=../linux-2.6.26
# make
# make install

Jika ingin dalam bentuk rpm bisa cari spec file iptables nya di rpmfind.net
tambah alias untuk imq di modprobe.conf

alias imq0 imq
alias imq1 imq

tc/HTB script, taruh di /etc/rc.d/rc

#---- IMQ+layer7 -----
tc qdisc del dev imq0 root > /dev/null 2>&1

/sbin/ip link set imq0 up
/sbin/tc qdisc add dev imq0 root handle 1: htb default 2
/sbin/tc class add dev imq0 parent 1: classid 1:1 htb rate 80000Kbit
/sbin/tc class add dev imq0 parent 1: classid 1:2 htb rate 80000Kbit
/sbin/tc class add dev imq0 parent 1:1 classid 1:10 htb rate 1kbit ceil 2kbit
/sbin/tc filter add dev imq0 parent 1: protocol ip prio 1 u32 match ip dst 0/0 match ip src [your ip network] flowid 1:10

/usr/local/sbin/iptables -t mangle -I PREROUTING -i eth1 -m layer7 --l7proto bittorrent -j IMQ --todev 0
/usr/local/sbin/iptables -t mangle -I PREROUTING -i eth1 -m layer7 --l7proto edonkey -j IMQ --todev 0
/usr/local/sbin/iptables -t mangle -I PREROUTING -i eth1 -m layer7 --l7proto gnutella -j IMQ --todev 0
/usr/local/sbin/iptables -t mangle -I PREROUTING -i eth1 -m layer7 --l7proto irc -j IMQ --todev 0
/usr/local/sbin/iptables -t mangle -I PREROUTING -i eth1 -m layer7 --l7proto kugoo -j IMQ --todev 0
/usr/local/sbin/iptables -t mangle -I PREROUTING -i eth1 -m layer7 --l7proto xunlei -j IMQ --todev 0
/usr/local/sbin/iptables -t mangle -I PREROUTING -i eth1 -m layer7 --l7proto pplive -j IMQ --todev 0
/usr/local/sbin/iptables -t mangle -I PREROUTING -i eth1 -m layer7 --l7proto http-dap -j IMQ --todev 0

tc qdisc del dev imq1 root > /dev/null 2>&1

/sbin/ip link set imq1 up
/sbin/tc qdisc add dev imq1 root handle 2: htb default 2
/sbin/tc class add dev imq1 parent 2: classid 2:1 htb rate 80000Kbit
/sbin/tc class add dev imq1 parent 2: classid 2:2 htb rate 80000Kbit
/sbin/tc class add dev imq1 parent 2:1 classid 2:10 htb rate 1kbit ceil 2kbit
/sbin/tc filter add dev imq1 parent 2: protocol ip prio 1 u32 match ip dst [your ip network] match ip src 0/0 flowid 2:10

/usr/local/sbin/iptables -t mangle -I POSTROUTING -o eth1 -m layer7 --l7proto bittorrent -j IMQ --todev 1
/usr/local/sbin/iptables -t mangle -I POSTROUTING -o eth1 -m layer7 --l7proto edonkey -j IMQ --todev 1
/usr/local/sbin/iptables -t mangle -I POSTROUTING -o eth1 -m layer7 --l7proto gnutella -j IMQ --todev 1
/usr/local/sbin/iptables -t mangle -I POSTROUTING -o eth1 -m layer7 --l7proto irc -j IMQ --todev 1
/usr/local/sbin/iptables -t mangle -I POSTROUTING -o eth1 -m layer7 --l7proto kugoo -j IMQ --todev 1
/usr/local/sbin/iptables -t mangle -I POSTROUTING -o eth1 -m layer7 --l7proto xunlei -j IMQ --todev 1
/usr/local/sbin/iptables -t mangle -I POSTROUTING -o eth1 -m layer7 --l7proto pplive -j IMQ --todev 1
/usr/local/sbin/iptables -t mangle -I POSTROUTING -o eth1 -m layer7 --l7proto http-dap -j IMQ --todev 1

#---- IMQ+layer7 -----

reboot

done 🙂

warning: not tested with different kernel version or iptables version, be carefull or you’re ended with kernel panic 😀

You may also want to read these posts:

  8 Responses to “Shaping Layer 7 Application on centos 4.7 (iptables + l7 + IMQ + tc/HTB)”

Comments (8)
  1. David says:
    July 8, 2010 at 4:09 pm

    Bro, I want to ask how do I contact you?

    I have a few questions regarding the QOS for Centos, you could email me back and we can chat.

  2. admin says:
    July 8, 2010 at 4:18 pm

    i think, it’s much better if you ask here, so other people can share/learn the information too.

    thanks

  3. David says:
    July 9, 2010 at 1:11 am

    Can the same instructions be applied to Debian?

  4. admin says:
    July 9, 2010 at 10:03 am

    for iptables’s command itself, technically yes. but patching the kernel debian’s way might be different.

  5. zhoux says:
    September 18, 2011 at 10:15 pm

    patch to iptables using -p1 never succeed for me. After googled the NET, I found a solution, using -p0 option, ie:
    1 # mv iptables-1.4.1-layer7-imq.patch iptables-1.4.1
    2 # cd iptables-1.4.1
    3 # pacth -p0 < iptables-1.4.1-layer7-imq.patch
    4 # ./configure ….
    5 # make
    6 # make install

    Hope you will check and test it.

  6. leenoux says:
    September 19, 2011 at 9:25 am

    well, it depend on the patch file. when imq patch create inside iptables-1.4.1 you might want to use -p0.
    it’s been along time since i wrote this article, i’ll check it out.

  7. charles says:
    October 19, 2011 at 8:04 pm

    For the novice, there is a spelling mistake in one of the commands “pacth -p1 < ../linux-2.6.26-layer7-imq.patch" its 'patch' not 'pacth'

  8. leenoux says:
    October 19, 2011 at 8:16 pm

    thanks 🙂

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)

CAPTCHA

*