Old 02-17-2004, 05:49 AM   #1
debloxie
help with imq device and iptables


Hello there,

I am trying to set up traffic control on eth0 (external interface) and the imq.

My firewall script looks like this:

#!/bin/bash
. /etc/rc.d/init.d/firewall.conf
#
# firewall: Firewall startup/shutdown script
#
#Version: @(#) /etc/rc.d/init.d/firewall.iptables 5-oct-2003
#
#Copyright Linux Solutions Nigeria Limited 2003
#
#
#description: Starts shell processes for Kernel Services
#

# Enable ip forwarding and check against ip spoofing
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Enable IMQ module
/sbin/modprobe imq

echo "Starting firewall on Linuxbox"
echo "....."
echo "..........."
echo "......................"

# Flush Chains
$IPTABLES -F
$IPTABLES -t mangle -F
$IPTABLES -t nat -F

#Configure routing and firewall rules
# Set default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

# Enable internal connections to this box
$IPTABLES -A INPUT -i ${INTERNAL_INTERFACE} -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i ${INTERNAL_INTERFACE} -p udp --dport 137 -j DROP
$IPTABLES -A INPUT -i ${EXTERNAL_INTERFACE} -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i ${EXTERNAL_INTERFACE} -p tcp --dport 135:139 -j DROP
$IPTABLES -A FORWARD -i ${EXTERNAL_INTERFACE} -p udp --dport 135:139 -j DROP
$IPTABLES -A INPUT -i ${EXTERNAL_INTERFACE} -p tcp --dport ${DPORT1} -j ACCEPT
$IPTABLES -A INPUT -i ${EXTERNAL_INTERFACE} -p tcp --dport ${DPORT2} -j ACCEPT

# Enable NAT

$IPTABLES -t nat -A POSTROUTING -s ${INTERNAL_NETWORK} -o ${EXTERNAL_INTERFACE} -j SNAT --to-source ${EXTERNAL_IP}

# Mark packets for shaping
$IPTABLES -t mangle -A PREROUTING -i ${INTERNAL_INTERFACE} --src ${PHONE_IP} -j MARK --set-mark 1
$IPTABLES -t mangle -A PREROUTING -i ${EXTERNAL_INTERFACE} -p tcp -j MARK --set-mark 2
#$IPTABLES -t mangle -A PREROUTING -i ${EXTERNAL_INTERFACE} -p tcp --sport 10000:20000 -j MARK --set-mark 2
$IPTABLES -t mangle -A PREROUTING -i ${EXTERNAL_INTERFACE} -p udp --sport 1:53 -j MARK --set-mark 2
$IPTABLES -t mangle -A PREROUTING -i ${EXTERNAL_INTERFACE} -p udp --dport 1:53 -j MARK --set-mark 2
$IPTABLES -t mangle -A PREROUTING -i ${EXTERNAL_INTERFACE} -p udp --dport 5000 -j MARK --set-mark 2

#Drop invalid nat requests
$IPTABLES -t nat -A PREROUTING -i ${INTERNAL_INTERFACE} --dst 169.254.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i ${INTERNAL_INTERFACE} -p tcp --dport 443 --dst ! 217.107.162.88/32 -j DROP
$IPTABLES -t nat -A PREROUTING -i ${INTERNAL_INTERFACE} --src 169.254.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i ${INTERNAL_INTERFACE} -p icmp -s ${PHONE_IP} -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i ${INTERNAL_INTERFACE} -p icmp -j DROP


#Disable SMTP
$IPTABLES -A INPUT -p tcp --dport 25 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 25 -j DROP

# Run transparent proxy
$IPTABLES -t nat -A PREROUTING -i ${INTERNAL_INTERFACE} -p tcp --dport ${BROWSE} -j REDIRECT --to-port ${PROXY}
#$IPTABLES -t nat -A PREROUTING -i ${INTERNAL_INTERFACE} -p tcp --dport ${FTP} -j REDIRECT --to-port ${PROXY}
$IPTABLES -t nat -A PREROUTING -i ${INTERNAL_INTERFACE} -p tcp --dport ${SSL} -j REDIRECT --to-port ${PROXY}

#Send Traffic to IMQ device
$IPTABLES -A PREROUTING -t mangle -i ${EXTERNAL_INTERFACE} -j IMQ --todev 0
ip link set imq0 up
echo "Linuxbox is now secure!"
echo
echo
echo


And my traffic control script looks like this:

#!/bin/bash

##description: A light utility to simulate system load processes for optimal adaptation
# Bandwidth Shaping / Limiting section
##notes
##kbps = kilobyte/s
##kb = kilobyte
##kbit = kilobit/s or kilobit


#clean existing down and uplink qdiscs on all interfaces, hide errors
tc qdisc del dev eth0 root 2> /dev/null > /dev/null
tc qdisc del dev imq0 root 2> /dev/null > /dev/null

#Create root IMQ and regular tc device and specify default class
TCQ="tc qdisc add dev"
$TCQ imq0 root handle 1: htb default 10
$TCQ eth0 root handle 1: prio

# Classes
####Uplink
$TCQ eth0 parent 1:1 handle 10: sfq perturb
$TCQ eth0 parent 1:2 handle 20: sfq perturb 10

##Filters
TCF="tc filter add dev"
##filters
#phone
$TCF eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:1


###Downlink
#Parent-Vsat downlink speed
$TCC imq0 parent 1: classid 1:1 htb rate 48kbit burst 15k

##Phone
$TCC imq0 parent 1:1 classid 1:10 htb rate 18kbit ceil 30kbit prio 1
##Browsing
$TCC imq0 parent 1:1 classid 1:11 htb rate 14kbit ceil 48kbit prio 2

##fairness within each class
$TCQ imq0 parent 1:10 handle 10: sfq perturb 10
$TCQ imq0 parent 1:11 handle 11: sfq perturb 10

##Filters
$TCF imq0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:11

$TCF imq0 parent 1:0 protocol ip prio 2 u32 match ip dst 192.168.0.2 flowid 1:10


The firewall.conf script which the first script refers to looks like this:

#!/bin/bash
#Global variables
IPTABLES=/sbin/iptables

EXTERNAL_INTERFACE=eth0
INTERNAL_INTERFACE=eth1

INTERNAL_NETWORK=192.168.0.0/24
EXTERNAL_NETWORK=213.255.192.96/28

EXTERNAL_IP=213.255.192.99

PHONE_IP=192.168.0.2

#Internal Connections
DPORT1=22
DPORT2=10000

#Enabling Safe Ports
BROWSE=80
PROXY=8080
FTP=21
SSL=556


When I run the bandwidth.conf script, the error is:

/etc/rc.d/init.d/bandwidth.conf start
Command line is not complete. Try option "help"
/etc/rc.d/init.d/bandwidth.conf: line 34: imq0: command not found
/etc/rc.d/init.d/bandwidth.conf: line 37: imq0: command not found
/etc/rc.d/init.d/bandwidth.conf: line 39: imq0: command not found
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument

When I restart the firewall script, the error is:

[root@linuxbox init.d]# /etc/rc.d/init.d/firewall.ipt restart
Starting firewall on Linuxbox
.....
...........
......................
.........................................
iptables v1.2.8: Unknown arg `--todev'
Try `iptables -h' or 'iptables --help' for more information.
Linuxbox is now secure!


I feel the imq module was not properly loaded, but it appears when I do

ip link show

it gives

5: imq0: <NOARP,UP> mtu 1500 qdisc htb qlen 30
link/void


Please, what could be wrong?
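A corrected version of the traffic control script above, added here as an example and not the original poster's code. Two defects in the posted script account for its error output: $TCC is never assigned, so "$TCC imq0 ..." runs the command imq0 (the three "imq0: command not found" lines are exactly the class lines), and "sfq perturb" on eth0 has no interval (the "Command line is not complete" message). Assumptions: the tc_run wrapper and TC_DRY_RUN=1 are mine, added so the command set can be inspected without root or an IMQ-patched kernel; interface names, rates, marks and the phone IP are taken from the thread.

```shell
#!/bin/sh
# Added example (not the original poster's script): the tc part rewritten so
# that every command is defined. The posted script never assigns $TCC, so
# "$TCC imq0 ..." expands to the command "imq0" ("imq0: command not found"),
# and "sfq perturb" on eth0 has no interval ("Command line is not complete").
# Assumption: TC_DRY_RUN=1 and the tc_run wrapper are mine, added so the
# command set can be inspected without root or a kernel with IMQ support.
TC="${TC:-/sbin/tc}"
DEV_UP=eth0      # external interface: uplink shaping (prio + sfq)
DEV_DOWN=imq0    # IMQ device: downlink shaping (htb), marks set by iptables

tc_run() {
    if [ -n "${TC_DRY_RUN:-}" ]; then
        printf '%s\n' "$TC $*"
    else
        "$TC" "$@"
    fi
}

shape() {
    # Remove old qdiscs; failure on a fresh boot is expected and ignored.
    tc_run qdisc del dev "$DEV_UP" root 2>/dev/null
    tc_run qdisc del dev "$DEV_DOWN" root 2>/dev/null

    # Uplink: prio qdisc, fw mark 1 (phone) goes to band 1:1.
    tc_run qdisc add dev "$DEV_UP" root handle 1: prio
    tc_run qdisc add dev "$DEV_UP" parent 1:1 handle 10: sfq perturb 10
    tc_run qdisc add dev "$DEV_UP" parent 1:2 handle 20: sfq perturb 10
    tc_run filter add dev "$DEV_UP" protocol ip parent 1:0 prio 1 handle 1 fw classid 1:1

    # Downlink: 48kbit VSAT link split into phone (1:10) and browsing (1:11).
    # "tc class add dev" is what the undefined $TCC was meant to be.
    tc_run qdisc add dev "$DEV_DOWN" root handle 1: htb default 10
    tc_run class add dev "$DEV_DOWN" parent 1: classid 1:1 htb rate 48kbit burst 15k
    tc_run class add dev "$DEV_DOWN" parent 1:1 classid 1:10 htb rate 18kbit ceil 30kbit prio 1
    tc_run class add dev "$DEV_DOWN" parent 1:1 classid 1:11 htb rate 14kbit ceil 48kbit prio 2
    tc_run qdisc add dev "$DEV_DOWN" parent 1:10 handle 10: sfq perturb 10
    tc_run qdisc add dev "$DEV_DOWN" parent 1:11 handle 11: sfq perturb 10
    # fw mark 2 (set in mangle PREROUTING on eth0) -> browsing; phone by dst IP.
    tc_run filter add dev "$DEV_DOWN" protocol ip parent 1:0 prio 1 handle 2 fw classid 1:11
    tc_run filter add dev "$DEV_DOWN" protocol ip parent 1:0 prio 2 u32 match ip dst 192.168.0.2 flowid 1:10
}

# "./bandwidth.sh dry-run" prints the commands; "./bandwidth.sh start" applies them.
case "${1:-}" in
    start)   shape ;;
    dry-run) TC_DRY_RUN=1; shape ;;
esac
```

The u32 filter on imq0 still needs the IMQ target to work on the iptables side, which is the separate libipt_IMQ.so problem discussed further down the thread.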
 
Old 02-17-2004, 06:56 AM   #2
debloxie
I don't understand this; maybe it's something I'm not doing right.

When I do insmod it gives:

[root@linuxbox squid]# /sbin/insmod imq
Using /lib/modules/2.4.22-10mdk/kernel/drivers/net/imq.o.gz
insmod: a module named imq already exists

When I do ip link show it gives:

[root@linuxbox squid]# ip link show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc prio qlen 100
link/ether 00:e0:4c:39:1a:e9 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:e0:4c:39:1d:48 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 100
link/ether 00:0b:6a:25:ed:50 brd ff:ff:ff:ff:ff:ff
5: imq0: <NOARP,UP> mtu 1500 qdisc htb qlen 30
link/void
6: imq1: <NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 30
link/void

The distro and version are:

[root@linuxbox squid]# uname -a
Linux linuxbox.proxy 2.4.22-10mdk #1 Thu Sep 18 12:30:58 CEST 2003 i686 unknown unknown GNU/Linux

That's Mandrake 9.2.

If I try to remove the '--todev' string in the firewall script it tells me:

[root@linuxbox init.d]# /etc/rc.d/init.d/firewall.ipt restart
Starting firewall on Linuxbox
.....
...........
......................
.........................................
iptables v1.2.8: Couldn't load target `IMQ':/lib/iptables/libipt_IMQ.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
Linuxbox is now secure!


I think it's looking for the object file but can't find it, and I can't locate it in the said directory. What do you think? Any help?

thanks

debloxie
 
Old 03-28-2004, 08:08 AM   #3
zatys
Download the 2.4.22 kernel bz2.
Compiling iptables with the 2.4.22 kernel sources:
rm -d -r /usr/src/linux #(link)
ln -sf /usr/src/linux-2.4.22 /usr/src/linux
cd /usr/src/iptables-1.2.8
patch -p1 <iptables-1.2.7a-imq.diff
chmod a+x extensions/.IMQ-test
chmod a+x extensions/.IMQ-test6
make
make install
rm -d -r /usr/src/linux #(link)
ln -sf /usr/src/your-kernel-dir /usr/src/linux
 
  

