[Tutorial] Linux L7-filter and QoS in bridge mode

Posted 2009-5-13 15:34:13
L7 filter && bridge mode && tc(htb)
References: http://phorum.vbird.org/viewtopic.php?t=18108&highlight=P2P
http://l7-filter.sourceforge.net/L7-HOWTO-Netfilter
Bridge mode related:
http://phorum.study-area.org//viewtopic.php?t=31046&sid=2f247943ca87bbf370e6e5a8ee23fc2a
http://phorum.study-area.org/viewtopic.php?t=30969

Environment:
Install Fedora Core 3
Download kernel 2.6.11.x
Download iptables, version 1.3.0
Prepare three NICs: one gets an IP address (for management), the other two are set up in bridge mode

Steps:
Download: wget http://easynews.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2006-02-12.tar.
This archive holds the pattern definitions for the applications L7-filter can match; after installation they live under /etc/l7-protocols/protocols/
Download: wget http://keihanna.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.1.tar.gz
After tar zxvf you get kernel-2.4-layer7-1.3.patch (the kernel patch; see the README for the supported kernels)
and iptables-layer7-1.3.patch (the iptables patch)
cd /usr/src/
Download kernel 2.6.11.2
After tar zxvf,
move kernel-2.4-layer7-1.3.patch into the extracted kernel directory
patch -p1 < kernel-2.4-layer7-1.3.patch
make mrproper
make clean
make menuconfig
Make sure the layer7-related options (list copied from the official site) are built either as modules or into the kernel:
• EXPERIMENTAL (Code maturity level options → Prompt for development and/or incomplete code/drivers)
• Netfilter (Device Drivers → Networking support → Networking Options → Network packet filtering)
• Connection tracking (Network packet filtering → IP: Netfilter Configuration → Connection tracking)
• "Connection tracking flow accounting" and "IP tables support" (on the same screen)
• And finally, "Layer 7 match support"
make bzImage
make modules
make modules_install
make install
If all went well, reboot into the newly compiled kernel

cd /usr/src
wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.3.0.tar.bz2
tar jxvf iptables-1.3.0.tar.bz2
Then patch, build and install iptables:
Move iptables-layer7-1.3.patch to /usr/src/
patch -p1 < iptables-layer7-1.3.patch
cp /usr/src/extensions/* /usr/src/iptables-1.3.0/extensions/
cp /usr/src/extensions/.layer7-test /usr/src/iptables-1.3.0/extensions/
chmod 755 /usr/src/iptables-1.3.0/extensions/.layer7-test
make KERNEL_DIR=/usr/src/linux-2.6.11.2/
make install KERNEL_DIR=/usr/src/linux-2.6.11.2/
After installing, check that /usr/local/lib/iptables/libipt_layer7.so exists; if it does, you're good!

Then rename the original iptables binary first:
mv /usr/sbin/iptables /usr/sbin/iptables.old

Bridge Mode:
Download: wget http://surfnet.dl.sourceforge.net/sourceforge/bridge/bridge-utils-1.1.tar.gz
After untarring, cd into the directory and run make install
Check that the brctl command is available: which brctl
Put the following in /etc/rc.local so the bridge comes up at boot:
/usr/local/sbin/brctl addbr br0
/usr/local/sbin/brctl stp br0 off
/usr/local/sbin/brctl addif br0 eth1
/usr/local/sbin/brctl addif br0 eth2
ifconfig eth1 down
ifconfig eth2 down
ifconfig eth1 0.0.0.0 up
ifconfig eth2 0.0.0.0 up
ifconfig br0 0.0.0.0
echo "1" > /proc/sys/net/ipv4/ip_forward
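Once rc.local has run, it is worth verifying the bridge rather than trusting it: that br0 really holds eth1 and eth2, that STP is off as intended, and that bridged frames are handed to iptables at all (the layer7/physdev rules further down only see them while bridge-nf-call-iptables is 1). The checks below are an added example, not code from the original post; the `brctl show` output is a constructed sample, and the BRCTL_OUT / BRIDGE_NF_FILE environment overrides exist only so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for the br0
# bridge created in rc.local. It parses `brctl show` output and reads the
# bridge-netfilter sysctl, since the layer7/physdev iptables rules later in
# the post only see bridged frames while bridge-nf-call-iptables is 1.

# Constructed sample of `brctl show` output for offline testing. brctl prints
# the first port on the bridge's own line and every further port alone on an
# indented continuation line.
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.000c29aabbcc       no              eth1
                                                        eth2'

# bridge_ports BRIDGE [BRCTL_OUTPUT]
# Prints BRIDGE's ports, space-separated, in brctl order. Runs `brctl show`
# itself when no output is supplied.
bridge_ports() {
    bp_br=$1
    bp_out=${2:-$(brctl show)}
    printf '%s\n' "$bp_out" | awk -v br="$bp_br" '
        NR == 1 { next }                          # column header
        NF >= 3 { inbr = ($1 == br)               # bridge line: name id stp [port]
                  if (inbr) ports = (NF >= 4) ? $4 : ""
                  next }
        NF == 1 && inbr { ports = ports (ports == "" ? "" : " ") $1 }
        END { print ports }'
}

# bridge_stp BRIDGE [BRCTL_OUTPUT]: prints the STP column ("yes" or "no").
bridge_stp() {
    bs_out=${2:-$(brctl show)}
    printf '%s\n' "$bs_out" | awk -v br="$1" 'NR > 1 && NF >= 3 && $1 == br { print $3 }'
}

# bridge_nf_enabled [SYSCTL_FILE]
# Returns 0 when bridged IPv4 frames are passed to iptables (sysctl reads 1).
# The file argument exists only so the check can be tested offline.
bridge_nf_enabled() {
    bn_f=${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}
    [ -r "$bn_f" ] && [ "$(cat "$bn_f")" = 1 ]
}

# check_bridge BRIDGE PORT...
# Returns 0 when BRIDGE has exactly the listed ports, STP is off (as rc.local
# sets it) and bridge netfilter is on. BRCTL_OUT and BRIDGE_NF_FILE may be set
# in the environment to check captured data instead of the live system.
check_bridge() {
    cb_br=$1; shift
    cb_want=$*
    cb_out=${BRCTL_OUT:-$(brctl show 2>/dev/null)}
    cb_have=$(bridge_ports "$cb_br" "$cb_out")
    [ "$cb_have" = "$cb_want" ] || { echo "$cb_br: want ports [$cb_want], have [$cb_have]" >&2; return 1; }
    [ "$(bridge_stp "$cb_br" "$cb_out")" = no ] || { echo "$cb_br: STP is enabled" >&2; return 1; }
    bridge_nf_enabled "$BRIDGE_NF_FILE" || { echo "bridge-nf-call-iptables is not 1; iptables will not see bridged traffic" >&2; return 1; }
}

echo "ports on br0 in the sample: $(bridge_ports br0 "$SAMPLE_BRCTL")"
```

On the live box, `check_bridge br0 eth1 eth2` with no environment overrides reads `brctl show` and the sysctl directly; a non-zero exit with the reason on stderr is what you want to see before debugging why the mangle rules below never match.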

Set the IP address of eth0 yourself beforehand; the following script is the tc and iptables part:
#!/bin/bash
iptables -F
iptables -t nat -F
iptables -t mangle -F

tc qdisc del dev eth1 root 2> /dev/null
tc qdisc del dev eth2 root 2> /dev/null
# upload/download rate limits
# note: in tc, "kbps" means kilobytes per second; use "kbit" for kilobits per second
UP_TOTAL="100"
UP_P2P="40"
UP_OTHER="60"

DOWN_TOTAL="100"
DOWN_P2P="30"
DOWN_OTHER="70"
# upload traffic (egress on eth1)
tc qdisc add dev eth1 root handle 1: htb default 20
tc class add dev eth1 parent 1: classid 1:1 htb rate "$UP_TOTAL"kbps ceil "$UP_TOTAL"kbps
tc class add dev eth1 parent 1:1 classid 1:10 htb rate "$UP_P2P"kbps ceil "$UP_P2P"kbps
tc class add dev eth1 parent 1:1 classid 1:20 htb rate "$UP_OTHER"kbps ceil "$UP_OTHER"kbps
tc qdisc add dev eth1 parent 1:10 handle 11: pfifo
tc qdisc add dev eth1 parent 1:20 handle 12: pfifo
tc filter add dev eth1 parent 1: protocol ip handle 100 fw classid 1:10
# download traffic (egress on eth2)
tc qdisc add dev eth2 root handle 2: htb default 20
tc class add dev eth2 parent 2: classid 2:1 htb rate "$DOWN_TOTAL"kbps ceil "$DOWN_TOTAL"kbps
tc class add dev eth2 parent 2:1 classid 2:10 htb rate "$DOWN_P2P"kbps ceil "$DOWN_P2P"kbps
tc class add dev eth2 parent 2:1 classid 2:20 htb rate "$DOWN_OTHER"kbps ceil "$DOWN_OTHER"kbps
tc qdisc add dev eth2 parent 2:10 handle 21: pfifo
tc qdisc add dev eth2 parent 2:20 handle 22: pfifo
tc filter add dev eth2 parent 2: protocol ip handle 200 fw classid 2:10

for proto in edonkey bittorrent ares fasttrack gnutella
do
iptables -t mangle -A FORWARD -m layer7 --l7proto $proto -m physdev --physdev-in eth1 --physdev-out eth2 -j MARK --set-mark 200
iptables -t mangle -A FORWARD -m layer7 --l7proto $proto -m physdev --physdev-in eth2 --physdev-out eth1 -j MARK --set-mark 100
done
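After loading the script, the only proof that the layer7 rules and the fw filters are doing anything is in the HTB counters: bytes should accumulate in the P2P leaf (1:10 on eth1, 2:10 on eth2) and, once the cap bites, its overlimits counter should climb. The snippet below is an added example, not code from the original post. It parses `tc -s class show` output; the sample output is constructed (note that the script's 100kbps appears there as 800Kbit, because tc's kbps is kilobytes per second), and the DEV variable, defaulting to eth1, is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: read back the HTB counters
# after the script above is loaded, to confirm that frames marked 100/200 by
# the layer7 rules really land in the P2P leaf and that the cap is biting.
# tc units reminder: "kbps" is kilobytes per second, so 100kbps in the script
# is displayed as 800Kbit; "kbit" would have meant kilobits.

# Constructed sample of `tc -s class show dev eth1` for offline testing.
SAMPLE_TC='class htb 1:1 root rate 800Kbit ceil 800Kbit burst 1600b cburst 1600b
 Sent 12000000 bytes 9000 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 1600 ctokens: 1600

class htb 1:10 parent 1:1 leaf 11: prio 0 rate 320Kbit ceil 320Kbit burst 1600b cburst 1600b
 Sent 9000000 bytes 6000 pkt (dropped 25, overlimits 410 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: -3200 ctokens: -3200

class htb 1:20 parent 1:1 leaf 12: prio 0 rate 480Kbit ceil 480Kbit burst 1600b cburst 1600b
 Sent 3000000 bytes 3000 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 1600 ctokens: 1600'

# class_stat CLASSID FIELD [TC_OUTPUT]
# FIELD: bytes | pkt | dropped | overlimits. Prints that counter from the
# "Sent" line of CLASSID. Runs tc on $DEV (default eth1) if no output given.
class_stat() {
    cs_out=${3:-$(tc -s class show dev "${DEV:-eth1}")}
    printf '%s\n' "$cs_out" | awk -v cid="$1" -v field="$2" '
        $1 == "class" { hit = ($3 == cid); next }
        hit && $1 == "Sent" {
            # Sent <b> bytes <p> pkt (dropped <d>, overlimits <o> requeues <r>)
            gsub(/[(),]/, "")
            v["bytes"] = $2; v["pkt"] = $4; v["dropped"] = $7; v["overlimits"] = $9
            print v[field]; exit
        }'
}

# class_share CHILD PARENT [TC_OUTPUT]
# Prints the integer percentage of PARENT's bytes that went through CHILD.
class_share() {
    sh_child=$(class_stat "$1" bytes "$3")
    sh_parent=$(class_stat "$2" bytes "$3")
    if [ -z "$sh_child" ] || [ -z "$sh_parent" ] || [ "$sh_parent" -eq 0 ]; then
        echo 0; return 1
    fi
    echo $(( sh_child * 100 / sh_parent ))
}

# shaping_active CLASSID [TC_OUTPUT]
# Returns 0 when the class has exceeded its rate at least once (overlimits > 0),
# i.e. the configured cap is actually constraining that traffic.
shaping_active() {
    sa_o=$(class_stat "$1" overlimits "$2")
    [ -n "$sa_o" ] && [ "$sa_o" -gt 0 ]
}

# report [TC_OUTPUT]: one line per class with bytes, drops and overlimits.
report() {
    rp_out=${1:-$(tc -s class show dev "${DEV:-eth1}")}
    for rp_cid in $(printf '%s\n' "$rp_out" | awk '$1 == "class" { print $3 }'); do
        printf '%-5s bytes=%-10s dropped=%-4s overlimits=%s\n' "$rp_cid" \
            "$(class_stat "$rp_cid" bytes "$rp_out")" \
            "$(class_stat "$rp_cid" dropped "$rp_out")" \
            "$(class_stat "$rp_cid" overlimits "$rp_out")"
    done
}

report "$SAMPLE_TC"
echo "P2P share of eth1 upload: $(class_share 1:10 1:1 "$SAMPLE_TC")%"
```

A P2P share near zero while the box is clearly forwarding BitTorrent traffic usually means the marks are not being set (layer7 module not loaded, or bridged frames not reaching iptables); a share that looks right but with overlimits stuck at 0 means the leaf is simply never reaching its rate. Run it with `DEV=eth2` and class ids 2:10 / 2:1 for the download direction.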

 

Posted 2013-11-9 00:59:43
Heh, got it

Posted 2013-11-9 00:59:43
I see, nice~~~
