Traffic Policing on Linux (Ubuntu)

After users (or your family at home) have discovered peer-to-peer programs and are saturating your internet connection, you probably want to do something about it and give the really important connections a generous bandwidth guarantee.
But what if you are running a mail server and you do not want your internet connection filled with data traffic from spammers?
Then we should do traffic shaping on the ingress interface. This is called Traffic Policing.

Ingredients for today are:

  • IProute2
  • The InterMediate Queuing Device [Get it here]
  • Linux (vanilla) kernel sources [Get it here]
  • IPtables sources (yes, the sources) [Get it here]
  • Patches for iptables and for the Linux kernel [Get it here]
  • Lots of time

Linux has shipped with traffic control since kernel 2.2 (at least, if you compiled it in), and you can manage it with iproute2. Although traffic control comes with the kernel and traffic shaping is supported out of the box, we are going to need IMQ for ingress traffic shaping (Traffic Policing).

NB: It is better not to use Debian or Ubuntu kernels, because these can contain patches which can screw up the IMQ patch.
NB2: There are special patches for Debian, but if you can make them work, you had some serious time to spend.

(It took me a day before I realized I couldn’t get it to work on Ubuntu, and I took a vanilla kernel.)

A vanilla kernel from www.kernel.org should be fine.

So, let’s begin compiling stuff:

  • First copy the .config file from the previous (distro) kernel to the new kernel source directory if you have any.
  • Then apply the patch to the kernel by running patch -p0 < imq-kernel-patch.diff
  • Run make menuconfig and make sure all needed kernel modules are there (especially the iptables and traffic shaping modules), and make sure you compile IMQ as a module (Device drivers > Network device support > IMQ)
  • If you are using Debian or Ubuntu, create a Debian/Ubuntu package of your new kernel by running fakeroot make-kpkg
  • Then install the new kernel by running dpkg -i
  • Create an initrd if needed by running mkinitrd -o /boot/initrd
  • If everything went well, you should be able to insert the IMQ module.
  • Test the kernel, and if satisfied boot the kernel.
  • Apply the patch to iptables by executing patch -p1 < imq-iptables-patch.diff
  • Compile iptables, and install the new version onto the system
  • NB: It is possible you can get some errors about some module of iptables. I just deleted the file,
    and the compilation succeeded. I never had any problems while running iptables, but use this solution at your own risk.

    You now should be able to run this init-script to set up traffic policing:

    #!/bin/bash
    # EDIT some vars (shell assignments take no leading "$")
    LIMIT=2mbit
    BURST=15k
    DEST=YOUR_RANGE/24
    INCOMING=eth1
    # END EDIT

    value=$1
    case "$value" in
    start)
        # Insert IMQ module
        modprobe imq

        # Create root traffic queue; unclassified traffic goes to class 1:20
        tc qdisc add dev imq0 root handle 1: htb default 20

        # Create the HTB class limiting traffic to 2 mbit, with a burst of 15k
        # (tc reads "15k" as a size of 15 kilobytes, not a rate)
        tc class add dev imq0 parent 1: classid 1:1 htb rate "$LIMIT" burst "$BURST"

        # Create filter to select the traffic that should be in our 2mbit queue
        tc filter add dev imq0 parent 1: protocol ip prio 1 u32 match ip dst "$DEST" flowid 1:1

        # Forward all traffic to the IMQ device for traffic policing
        iptables -t mangle -A POSTROUTING -o "$INCOMING" -j IMQ --todev 0

        # Bring the IMQ device up
        ip link set imq0 up
        ;;
    stop)
        # Remove the IMQ redirect first, so no traffic is sent to imq0
        iptables -t mangle -D POSTROUTING -o "$INCOMING" -j IMQ --todev 0

        # Delete the root qdisc (with its class and filter) so "start" can run again
        tc qdisc del dev imq0 root

        ip link set imq0 down
        ;;
    esac
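
To confirm that the script is actually limiting traffic, the per-class counters from `tc -s class show dev imq0` can be checked. The following is an added example, not part of the original post: it parses that output for class 1:1 and reports whether traffic reaches the class and whether it is being limited. The sample output is constructed, and the function names `class_stats` and `policer_verdict` are hypothetical.

```shell
#!/bin/sh
# Added example: summarise one HTB class from `tc -s class show dev imq0`.

# Constructed sample output (not captured from a real system).
sample_tc_output() {
cat <<'EOF'
class htb 1:1 root prio 0 rate 2Mbit ceil 2Mbit burst 15Kb cburst 1600b
 Sent 48211930 bytes 35122 pkt (dropped 214, overlimits 9077 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 35122 borrowed: 0 giants: 0
 tokens: -1843 ctokens: -1843
EOF
}

# Read tc output on stdin; print "<classid> <bytes> <pkts> <dropped> <overlimits>".
# Returns 1 if the class does not exist on the device.
class_stats() {
    want=$1
    in_class=0
    while read -r line; do
        set -f; set -- $line; set +f      # split the line into words, no globbing
        case "$1" in
            class) [ "$3" = "$want" ] && in_class=1 || in_class=0 ;;
            Sent)
                if [ "$in_class" -eq 1 ]; then
                    echo "$want $2 $4 ${7%,} $9"
                    return 0
                fi ;;
        esac
    done
    return 1
}

# Verdict for one class: missing | idle | policing | under-limit.
policer_verdict() {
    stats=$(class_stats "$1") || { echo "missing"; return 1; }
    set -- $stats
    if [ "$2" -eq 0 ]; then
        echo "idle"          # no bytes seen: IMQ rule or u32 filter is not matching
    elif [ "$4" -gt 0 ] || [ "$5" -gt 0 ]; then
        echo "policing"      # class hit its rate: packets dropped or held back
    else
        echo "under-limit"   # traffic is classified but stays below the rate
    fi
}

sample_tc_output | policer_verdict 1:1    # prints "policing"
```

On a live system, feed it real counters with `tc -s class show dev imq0 | policer_verdict 1:1`; an "idle" result after sending test traffic means the iptables rule or the u32 filter is not matching.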
