|
help with imq device and iptables
hell there
i am trying to setup traffic control on eth0 (external interface) and the imq my firewall script looks like this: #!/bin/bash . /etc/rc.d/init.d/firewall.conf # #firewallFirewall startup/shutdown script # #Version: @(#) /etc/rc.d/init.d/firewall.iptables 5-oct-2003 # #Copyright Linux Solutions Nigeria Limited 2003 # # #description: Starts shell processes for Kernel Services # # Enable ip forwarding and check against ip spoofing echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter # Enable IMQ module /sbin/modprobe imq echo "Starting firewall on Linuxbox" echo "....." echo "..........." echo "......................" # Flush Chains $IPTABLES -F $IPTABLES -t mangle -F $IPTABLES -t nat -F #Configure routing and firewall rules # Set default policies $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT # Enable internal connections to this box $IPTABLES -A INPUT -i ${INTERNAL_INTERFACE} -j ACCEPT $IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A INPUT -i ${INTERNAL_INTERFACE} -p udp --dport 137 -j DROP $IPTABLES -A INPUT -i ${EXTERNAL_INTERFACE} -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i ${EXTERNAL_INTERFACE} -p tcp --dport 135:139 -j DROP $IPTABLES -A FORWARD -i ${EXTERNAL_INTERFACE} -p udp --dport 135:139 -j DROP $IPTABLES -A INPUT -i ${EXTERNAL_INTERFACE} -p tcp --dport ${DPORT1} -j ACCEPT $IPTABLES -A INPUT -i ${EXTERNAL_INTERFACE} -p tcp --dport ${DPORT2} -j ACCEPT # Enable NAT $IPTABLES -t nat -A POSTROUTING -s ${INTERNAL_NETWORK} -o ${EXTERNAL_INTERFACE} -j SNAT --to-source ${EXTERNAL_IP} # Mark packets for shaping $IPTABLES -t mangle -A PREROUTING -i ${INTERNAL_INTERFACE} --src ${PHONE_IP} -j MARK --set-mark 1 $IPTABLES -t mangle -A PREROUTING -i ${EXTERNAL_INTERFACE} -p tcp -j MARK --set-mark 2 #$IPTABLES -t mangle -A PREROUTING -i ${EXTERNAL_INTERFACE} -p tcp --sport 10000:20000 -j MARK --set-mark 2 $IPTABLES -t mangle -A PREROUTING -i ${EXTERNAL_INTERFACE} -p udp --sport 1:53 -j MARK --set-mark 2 $IPTABLES -t mangle -A PREROUTING -i ${EXTERNAL_INTERFACE} -p udp --dport 1:53 -j MARK --set-mark 2 $IPTABLES -t mangle -A PREROUTING -i ${EXTERNAL_INTERFACE} -p udp --dport 5000 -j MARK --set-mark 2 #Drop invalid nat requests $IPTABLES -t nat -A PREROUTING -i ${INTERNAL_INTERFACE} --dst 169.254.0.0/16 -j DROP $IPTABLES -t nat -A PREROUTING -i ${INTERNAL_INTERFACE} -p tcp --dport 443 --dst ! 217.107.162.88/32 -j DROP $IPTABLES -t nat -A PREROUTING -i ${INTERNAL_INTERFACE} --src 169.254.0.0/16 -j DROP $IPTABLES -t nat -A PREROUTING -i ${INTERNAL_INTERFACE} -p icmp -s ${PHONE_IP} -j ACCEPT $IPTABLES -t nat -A PREROUTING -i ${INTERNAL_INTERFACE} -p icmp -j DROP #Disable SMTP $IPTABLES -A INPUT -p tcp --dport 25 -j DROP $IPTABLES -A FORWARD -p tcp --dport 25 -j DROP # Run transparent proxy $IPTABLES -t nat -A PREROUTING -i ${INTERNAL_INTERFACE} -p tcp --dport ${BROWSE} -j REDIRECT --to-port ${PROXY} #$IPTABLES -t nat -A PREROUTING -i ${INTERNAL_INTERFACE} -p tcp --dport ${FTP} -j REDIRECT --to-port ${PROXY} $IPTABLES -t nat -A PREROUTING -i ${INTERNAL_INTERFACE} -p tcp --dport ${SSL} -j REDIRECT --to-port ${PROXY} #Send Traffic to IMQ device $IPTABLES -A PREROUTING -t mangle -i ${EXTERNAL_INTERFACE} -j IMQ --todev 0 ip link set imq0 up echo "Linuxbox is now secure!" echo echo echo And my traffic control script looks like this: #!/bin/bash ##description: A light utility to simulate system load processes for optimal ada ptation # Bandwidth Shaping / Limiting section ##notes ##kbps = kilobyte/s ##kb = kilobyte ##kbit = kilobit/s or kilobit #clean existing down and uplink qdiscs on all interfaces, hide errors tc qdisc del dev eth0 root 2> /dev/null > /dev/null tc qdisc del dev imq0 root 2> /dev/null > /dev/null #Create root IMQ and regular tc device and specify default class TCQ="tc qdisc add dev" $TCQ imq0 root handle 1: htb default 10 $TCQ eth0 root handle 1: prio # Classes ####Uplink $TCQ eth0 parent 1:1 handle 10: sfq perturb $TCQ eth0 parent 1:2 handle 20: sfq perturb 10 ##Filters TCF="tc filter add dev" ##filters #phone $TCF eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:1 ###Downlink #Parent-Vsat downlink speed $TCC imq0 parent 1: classid 1:1 htb rate 48kbit burst 15k ##Phone $TCC imq0 parent 1:1 classid 1:10 htb rate 18kbit ceil 30kbit prio 1 ##Browsing $TCC imq0 parent 1:1 classid 1:11 htb rate 14kbit ceil 48kbit prio 2 ##fairness within each class $TCQ imq0 parent 1:10 handle 10: sfq perturb 10 $TCQ imq0 parent 1:11 handle 11: sfq perturb 10 ##Filters $TCF imq0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:11 $TCF imq0 parent 1:0 protocol ip prio 2 u32 match ip dst 192.168.0.2 flowid 1:10 The firewall.conf scripts wch the first scripts refers to looks like this: #!/bin/bash #Global variables IPTABLES=/sbin/iptables EXTERNAL_INTERFACE=eth0 INTERNAL_INTERFACE=eth1 INTERNAL_NETWORK=192.168.0.0/24 EXTERNAL_NETWORK=213.255.192.96/28 EXTERNAL_IP=213.255.192.99 PHONE_IP=192.168.0.2 #Internal Connections DPORT1=22 DPORT2=10000 #Enabling Safe Ports BROWSE=80 PROXY=8080 FTP=21 SSL=556 When i run the bandwidth.conf script, the error is /etc/rc.d/init.d/bandwidth.conf start Command line is not complete. Try option "help" /etc/rc.d/init.d/bandwidth.conf: line 34: imq0: command not found /etc/rc.d/init.d/bandwidth.conf: line 37: imq0: command not found /etc/rc.d/init.d/bandwidth.conf: line 39: imq0: command not found RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument when i restart the firewall script, the error is [root@linuxbox init.d]# /etc/rc.d/init.d/firewall.ipt restart Starting firewall on Linuxbox ..... ........... ...................... ......................................... iptables v1.2.8: Unknown arg `--todev' Try `iptables -h' or 'iptables --help' for more information. Linuxbox is now secure! i feel the imq module was not properly loaded but it appears when i do ip link show it gives 5: imq0: <NOARP,UP> mtu 1500 qdisc htb qlen 30 link/void pls what cud be wrong? |
i dont understand this, maybe its something am not doing right.
when i do insmod it gives: [root@linuxbox squid]# /sbin/insmod imq Using /lib/modules/2.4.22-10mdk/kernel/drivers/net/imq.o.gz insmod: a module named imq already exists when i do ip link show it gives: [root@linuxbox squid]# ip link show 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc prio qlen 100 link/ether 00:e0:4c:39:1a:e9 brd ff:ff:ff:ff:ff:ff 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100 link/ether 00:e0:4c:39:1d:48 brd ff:ff:ff:ff:ff:ff 4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 100 link/ether 00:0b:6a:25:ed:50 brd ff:ff:ff:ff:ff:ff 5: imq0: <NOARP,UP> mtu 1500 qdisc htb qlen 30 link/void 6: imq1: <NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 30 link/void the distro and version are [root@linuxbox squid]# uname -a Linux linuxbox.proxy 2.4.22-10mdk #1 Thu Sep 18 12:30:58 CEST 2003 i686 unknown unknown GNU/Linux thats mandrake 9.2 if i try to remove '--todev' string in the firewall script it tell me: [root@linuxbox init.d]# /etc/rc.d/init.d/firewall.ipt restart Starting firewall on Linuxbox ..... ........... ...................... ......................................... iptables v1.2.8: Couldn't load target `IMQ':/lib/iptables/libipt_IMQ.so: cannot open shared object file: No such file or directory Try `iptables -h' or 'iptables --help' for more information. Linuxbox is now secure! i think its looking for the object file but cant find it and i cant locate it in the said directory. what do u think? any help thanks debloxie |
Download 2.4.22 kernel bz2.
iptables compiling with 2.4.22 kernel sources: rm -d -r /usr/src/linux #(link) ln -sf /usr/src/linux-2.4.22 /usr/src/linux cd /usr/src/iptables-1.2.8 patch -p1 <iptables-1.2.7a-imq.diff chmod a+x extensions/.IMQ-test chmod a+x extensions/.IMQ-test6 make make install rm -d -r /usr/src/linux #(link) ln -sf /usr/src/your-kernel-dir /usr/src/linux |
| All times are GMT -5. The time now is 01:57 PM. |