Layer7 IMQ Route Multipath Loadbalance Debian Lenny 2.6.28

From MS Computech
Revision as of 23:21, 11 July 2009 by Snifer (talk | contribs)

Debian Lenny and ClarkConnect Enterprise 4.3 with kernel 2.6.28, iptables 1.4.2, the layer7 filter, IMQ and Julian Anastasov's route multipath patch. Contributed and tested by [email protected], 13 June 2009 (updated 11 July 2009).

Debian
[root@gateway ~]# apt-get install gzip unzip bzip2
[root@gateway ~]# apt-get install debhelper screen fakeroot zlib1g-dev build-essential libncurses5-dev kernel-package
Clarkconnect 4.3
[root@gateway ~]# apt-get install cc-devel

Download the packages (do this in /usr/src; the patch and symlink steps below assume the sources live there)

[root@gateway ~]# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.tar.bz2
[root@gateway ~]# wget http://ufpr.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.21.tar.gz
[root@gateway ~]# wget http://ufpr.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2009-05-28.tar.gz
[root@gateway ~]# wget http://www.ssi.bg/~ja/routes-2.6.28-16.diff
[root@gateway ~]# wget http://www.linuximq.net/patchs/linux-2.6.28.9-imq-test2.diff
[root@gateway ~]# wget http://www.netfilter.org/projects/iptables/files/iptables-1.4.2.tar.bz2

Extract the files

[root@gateway ~]# tar xjfv linux-2.6.28.tar.bz2
[root@gateway ~]# tar xjfv iptables-1.4.2.tar.bz2
[root@gateway ~]# tar zxvf netfilter-layer7-v2.21.tar.gz
[root@gateway ~]# tar xzfv l7-protocols-2009-05-28.tar.gz

Create a symbolic link

[root@gateway ~]# ln -s /usr/src/linux-2.6.28 /usr/src/linux

Patch the kernel with the patch files, in this order. Each patch must finish with no failed hunks; if one does not, look for *.rej files in the tree before going on, because a half-applied netfilter patch still compiles but leaves the match or target missing.

[root@gateway ~]# cd /usr/src/linux
[root@gateway ~]# patch -p1 </usr/src/netfilter-layer7-v2.21/kernel-2.6.25-2.6.28-layer7-2.21.patch
[root@gateway ~]# patch -p1 </usr/src/routes-2.6.28-16.diff
[root@gateway ~]# patch -p1 </usr/src/linux-2.6.28.9-imq-test2.diff
Config Kernel
[root@gateway ~]# make menuconfig

<source lang=bash>
Networking support > Networking options > Network packet filtering framework (Netfilter) > Core Netfilter Configuration

    "layer7" match support starts out as [ ]. Use [*] select all / [M] select all, then make sure these are set:

    <M> "IMQ" target support
    <M> "layer7" match support
    [*] "Layer7" debugging output

Networking support > Networking options > Network packet filtering framework (Netfilter) > IP: Netfilter Configuration

    [*] select all / [M] select all, then:

    <M> Full NAT
</source>
Exit and save .config.

The IMQ target only queues packets to an imq device, and that device comes from a separate option the IMQ patch adds under Device Drivers > Network device support ("IMQ (intermediate queueing device) support"); enable it as well, or there will be no imq0 for the target to send traffic to.

Compile and install (Debian and CC4.3, option 1)

[root@gateway ~]# make && make modules && make modules_install && make install

Make the new kernel bootable (Debian only; not needed on CC4.3, where make install generates the initrd itself and the GRUB entry is added by hand in the menu.lst edit below)

[root@gateway ~]# cd /boot
[root@gateway ~]# mkinitramfs -o initrd.img-2.6.28 2.6.28
[root@gateway ~]# update-grub
[root@gateway ~]# reboot

If you would rather compile and build a .deb package (option 2), use these commands instead. make mrproper deletes the .config, so the running kernel's config is copied in as the starting point; the patches applied above stay in the tree.

[root@gateway ~]# make clean && make mrproper
[root@gateway ~]# cp /boot/config-`uname -r` ./.config
[root@gateway ~]# make menuconfig

<source lang=bash>
Same Netfilter selections as in option 1:

Core Netfilter Configuration:  <M> "IMQ" target support, <M> "layer7" match support, [*] "Layer7" debugging output
IP: Netfilter Configuration:   <M> Full NAT
</source>
Exit and save .config.
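Whichever option you build with, it is worth checking the saved .config for the options this setup depends on instead of trusting the menu walk. The script below is an added example, not part of the original page: it reports each required symbol as y/m, n (offered but not selected) or absent (never offered, which for a patch's own symbol means the patch did not land in the tree). The symbol names are assumptions based on the patches: CONFIG_NETFILTER_XT_MATCH_LAYER7 from the layer7 patch, CONFIG_IMQ and CONFIG_NETFILTER_XT_TARGET_IMQ from the IMQ patch; the routing symbols are stock 2.6.28 options that the ip rule / nexthop scripts later on this page need.

```shell
#!/bin/sh
# Added example (not from the original page): verify that a kernel .config
# carries the options this layer7 + IMQ + multipath setup depends on.
# Usage: sh check_config.sh /usr/src/linux/.config
#
# Symbols assumed here: CONFIG_NETFILTER_XT_MATCH_LAYER7 is added by the
# layer7 patch, CONFIG_IMQ (the imq device) and CONFIG_NETFILTER_XT_TARGET_IMQ
# (the -j IMQ target) by the IMQ patch; the rest are stock 2.6.28 options that
# "ip rule", extra routing tables and weighted nexthop routes rely on.
REQUIRED="CONFIG_NETFILTER
CONFIG_NF_CONNTRACK
CONFIG_NF_NAT
CONFIG_NETFILTER_XT_MATCH_LAYER7
CONFIG_IMQ
CONFIG_NETFILTER_XT_TARGET_IMQ
CONFIG_IP_ADVANCED_ROUTER
CONFIG_IP_MULTIPLE_TABLES
CONFIG_IP_ROUTE_MULTIPATH"

# config_state FILE SYMBOL -> y, m, n (offered but not selected) or absent
# (never offered: for a patch's own symbol that means the patch is not in
# the tree, which no amount of menuconfig clicking will fix).
config_state() {
    if grep -q "^$2=y$" "$1"; then echo y
    elif grep -q "^$2=m$" "$1"; then echo m
    elif grep -q "^# $2 is not set$" "$1"; then echo n
    else echo absent
    fi
}

# check_config FILE -> prints one "SYMBOL: state" line per symbol that is
# neither y nor m; the return value is the number of such symbols (0 = ok).
check_config() {
    missing=0
    for sym in $REQUIRED; do
        st=$(config_state "$1" "$sym")
        case $st in
            y|m) ;;
            *) echo "$sym: $st"; missing=$((missing + 1)) ;;
        esac
    done
    return $missing
}

if [ $# -gt 0 ]; then
    check_config "$1" && echo "all required options are built in or modules"
fi
```

Run it against /usr/src/linux/.config before make; an "absent" for CONFIG_IMQ or the layer7 match means going back to the patch step, not to menuconfig.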

[root@gateway ~]# make-kpkg clean
[root@gateway ~]# fakeroot make-kpkg --initrd --append-to-version=-l7multiroute kernel_image kernel_headers
[root@gateway ~]# cd /usr/src
[root@gateway ~]# dpkg -i linux-image-*.deb
[root@gateway ~]# dpkg -i linux-headers-*.deb
[root@gateway ~]# reboot

Too lazy to compile? Download one instead.

Edit /boot/grub/menu.lst (CC4.3 only)

[root@gateway ~]# nano /boot/grub/menu.lst

<source lang=bash>
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/sda3
#          initrd /initrd-version.img
#boot=/dev/sda
default=1
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Linux (2.6.28)
        root (hd0,0)
        kernel /vmlinuz-2.6.28 ro root=LABEL=/ video=vesafb vga=0x313
        initrd /initrd-2.6.28.img
#title Linux (2.6.18-93.cc4)
#        root (hd0,0)
#        kernel /vmlinuz-2.6.18-93.cc4 ro root=LABEL=/ video=vesafb vga=0x313
#        initrd /initrd-2.6.18-93.cc4.img
#title Linux Safe Mode (2.6.18-93.cc4)
#        root (hd0,0)
#        kernel /vmlinuz-2.6.18-93.cc4 ro root=LABEL=/
#        initrd /initrd-2.6.18-93.cc4.img
</source>
GRUB legacy numbers menu entries from 0, so with the two old CC4.3 entries commented out the 2.6.28 entry is entry 0; default=0 is the unambiguous choice if this is the only entry left. Keep the old entries in the file (commented) so they can be uncommented from a rescue system if the new kernel does not boot.

Reboot the machine

[root@gateway ~]# reboot
Check the kernel version (CC4.3)
[root@gateway ~]# uname -a
Linux gateway.clarkconnect.lan 2.6.28 #1 SMP Fri Jun 19 13:17:45 ICT 2009 i686 i686 i386 GNU/Linux
Check the kernel version (Debian Lenny)
gw:~# uname -a
Linux l7.mscompute.com 2.6.28 #2 SMP Sat Jun 13 18:19:43 ICT 2009 i686 GNU/Linux
Compile iptables 1.4.2 with the layer7 match extension (the extension sources ship in the netfilter-layer7 tarball and are dropped into the iptables extensions directory before configure)
[root@gateway ~]# cd /usr/src/iptables-1.4.2
[root@gateway ~]# cp /usr/src/netfilter-layer7-v2.21/iptables-1.4.1.1-for-kernel-2.6.20forward/* /usr/src/iptables-1.4.2/extensions/
[root@gateway ~]# ./configure --with-kernel=/usr/src/linux
[root@gateway ~]# make
[root@gateway ~]# make install
[root@gateway ~]# cd /usr/src/l7-protocols-2009-05-28
[root@gateway ~]# make install
[root@gateway ~]# cp /usr/local/sbin/iptables /sbin/
This overwrites the distribution's iptables binary with the layer7-enabled build. A later upgrade of the iptables package puts the stock binary back, and layer7 rules then fail to load until the copy is repeated.
[root@gateway ~]# modprobe xt_layer7

Edit /etc/rc.local so the modules are loaded at boot

[root@gateway ~]# nano /etc/rc.local

modprobe xt_layer7
modprobe xt_conntrack
modprobe nf_conntrack

Verify that xt_layer7 is loaded

[root@gateway ~]# lsmod | grep xt_layer7
xt_layer7              14356  0
nf_conntrack           64392  14 xt_layer7,xt_CONNMARK,xt_state,nf_nat_pptp,nf_nat_irc,nf_nat_ftp,ipt_MASQUERADE,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_irc,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4
x_tables               18188  10 xt_layer7,xt_CONNMARK,xt_mark,xt_tcpudp,xt_state,ipt_MASQUERADE,ipt_REJECT,ipt_LOG,iptable_nat,ip_tables
Test layer7
[root@gateway ~]# iptables -A FORWARD -m layer7 --l7proto bittorrent -j DROP
[root@gateway ~]# iptables -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
[root@gateway ~]# iptables -A FORWARD -m layer7 --l7proto fasttrack -j DROP
[root@gateway ~]# iptables -nvL | grep LAYER 

<source lang=bash>
  533 50633 DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0       LAYER7 l7proto bittorrent state NEW
30091 2183K DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0       LAYER7 l7proto edonkey state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0       LAYER7 l7proto fasttrack state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0       LAYER7 l7proto gnutella state NEW
74468 6939K DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0       LAYER7 l7proto bittorrent state NEW
 325K   24M DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0       LAYER7 l7proto edonkey state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0       LAYER7 l7proto fasttrack state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0       LAYER7 l7proto gnutella state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0       LAYER7 l7proto bittorrent state NEW
17392 1161K DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0       LAYER7 l7proto edonkey state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0       LAYER7 l7proto fasttrack state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0       LAYER7 l7proto gnutella state NEW
</source>
This listing comes from a fuller ruleset than the three commands above (it also has edonkey and gnutella rules, in several chains, combined with a state NEW match). Two things to keep in mind when reading such counters: layer7 classifies a connection from the payload of its first packets and then matches every later packet of that connection, so the first packets of a flow pass before any rule can hit; and the patterns are regular expressions over cleartext, so encrypted or obfuscated variants of these protocols (BitTorrent protocol encryption, for one) do not match, and every extra --l7proto rule is another regex run in the kernel on a busy gateway.
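The counters above are the only feedback layer7 gives, so it pays to read them per protocol rather than per rule. The script below is an added example, not part of the original page: it sums the layer7 packet and byte counters from an iptables -nvL listing per --l7proto and lists the protocols whose rules never matched. SAMPLE is a constructed excerpt in the same format as the listing above; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): aggregate layer7 counters from
# an "iptables -nvL" listing per protocol and point out rules that never
# matched.  SAMPLE is a constructed excerpt; on the gateway save the real
# listing and pass the file name:
#     iptables -nvxL FORWARD > /tmp/l7.txt && sh l7_counters.sh /tmp/l7.txt
# (-x prints exact counters; without it iptables rounds to K/M/G, which the
# parser accepts but which loses precision).

SAMPLE='  533 50633 DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0       LAYER7 l7proto bittorrent state NEW
30091 2183K DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0       LAYER7 l7proto edonkey state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0       LAYER7 l7proto fasttrack state NEW
 325K   24M DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0       LAYER7 l7proto edonkey state NEW'

# l7_totals < listing -> one "proto packets bytes" line per l7proto, sorted.
l7_totals() {
    awk '
    # num("2183K") -> 2183000: iptables rounds with K/M/G = powers of 1000
    function num(s,   n, u) {
        n = s + 0                       # awk stops converting at the suffix
        u = substr(s, length(s), 1)
        if (u == "K") n *= 1000
        else if (u == "M") n *= 1000000
        else if (u == "G") n *= 1000000000
        return n
    }
    /LAYER7 l7proto / {
        for (i = 1; i <= NF; i++) if ($i == "l7proto") p = $(i + 1)
        pk[p] += num($1); by[p] += num($2)
    }
    END { for (p in pk) printf "%s %d %d\n", p, pk[p], by[p] }
    ' | sort
}

# l7_silent < listing -> protocols whose rules never matched a packet.  On a
# busy link that usually means the pattern no longer fits the traffic
# (encrypted BitTorrent, a changed client), not that the traffic is absent.
l7_silent() {
    l7_totals | awk '$2 == 0 { print $1 }'
}

if [ $# -gt 0 ]; then
    l7_totals < "$1"
    echo "never matched:"; l7_silent < "$1"
else
    # no file given: run on the constructed sample
    printf '%s\n' "$SAMPLE" | l7_totals
    echo "never matched:"
    printf '%s\n' "$SAMPLE" | l7_silent
fi
```

A protocol that stays at zero while the link is busy is worth a packet capture rather than more rules: either the pattern in /etc/l7-protocols no longer fits the traffic or the traffic is encrypted.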

Test IMQ

http://www.linuximq.net/usage.html

The IMQ target only hands packets to an imq device that exists and is up (ip link set imq0 up before any rule with -j IMQ --todev 0), and the device itself comes from the "IMQ (intermediate queueing device) support" option the IMQ patch adds under Device Drivers > Network device support.

You can use the script below to balance the links. Fill in EXTIPn, EXTMn and EXTGWn for both links first; the ping loop at the end keeps sending traffic to each gateway so the routes patch's neighbour-state based dead gateway detection can see whether each gateway still answers.

<source lang=bash>
#!/bin/bash
# This script is done by : Robert Kurjata Sep, 2003.
# feel free to use it in any usefull way

# CONFIGURATION
IP=/sbin/ip
PING=/bin/ping

# --------------- LINK PART -----------------
# EXTIFn - interface name
# EXTIPn - outgoing IP
# EXTMn  - netmask length (bits)
# EXTGWn - outgoing gateway
# -------------------------------------------

# LINK 1 (fill in the address, prefix length and gateway)
EXTIF1=eth2
EXTIP1=
EXTM1=
EXTGW1=

# LINK 2 (fill in the address, prefix length and gateway)
EXTIF2=eth1
EXTIP2=
EXTM2=
EXTGW2=

# ROUTING PART
# removing old rules and routes
echo "removing old rules"
${IP} rule del prio 50 table main
${IP} rule del prio 201 from ${EXTIP1}/${EXTM1} table 201
${IP} rule del prio 202 from ${EXTIP2}/${EXTM2} table 202
${IP} rule del prio 221 table 221
echo "flushing tables"
${IP} route flush table 201
${IP} route flush table 202
${IP} route flush table 221
echo "removing tables"
${IP} route del table 201
${IP} route del table 202
${IP} route del table 221

# setting new rules
echo "Setting new routing rules"

# main table w/o default gateway here
${IP} rule add prio 50 table main
${IP} route del default table main

# identified routes here
${IP} rule add prio 201 from ${EXTIP1}/${EXTM1} table 201
${IP} rule add prio 202 from ${EXTIP2}/${EXTM2} table 202

${IP} route add default via ${EXTGW1} dev ${EXTIF1} src ${EXTIP1} proto static table 201
${IP} route append prohibit default table 201 metric 1 proto static

${IP} route add default via ${EXTGW2} dev ${EXTIF2} src ${EXTIP2} proto static table 202
${IP} route append prohibit default table 202 metric 1 proto static

# multipath
${IP} rule add prio 221 table 221

${IP} route add default table 221 proto static \
            nexthop via ${EXTGW1} dev ${EXTIF1} weight 2 \
            nexthop via ${EXTGW2} dev ${EXTIF2} weight 3

${IP} route flush cache

# keep both gateways' neighbour entries fresh
while : ; do
  ${PING} -c 1 ${EXTGW1}
  ${PING} -c 1 ${EXTGW2}
  sleep 60
done
</source>

Another balancing script (works)
<source lang=bash>
#!/bin/bash
# bal_local  Load-balance internet connection over two local links
# Version:   1.0.0 - Fri, Sep 26, 2008
# Author:    Niels Horn <[email protected]>

# Set devices:
DEV1=${1-eth0}   # default eth0
DEV2=${2-ppp0}   # default ppp0

# Get IP addresses of our devices ('inet ' with the trailing space so an
# inet6 line on the same device is not picked up as well):
ip1=`ifconfig $DEV1 | grep 'inet ' | awk '{ print $2 }' | awk -F: '{ print $2 }'`
ip2=`ifconfig $DEV2 | grep 'inet ' | awk '{ print $2 }' | awk -F: '{ print $2 }'`

# Get default gateway for our devices:
gw1=`route -n | grep $DEV1 | grep '^0.0.0.0' | awk '{ print $2 }'`
gw2=`route -n | grep $DEV2 | grep '^0.0.0.0' | awk '{ print $2 }'`

echo "$DEV1: IP=$ip1 GW=$gw1"
echo "$DEV2: IP=$ip2 GW=$gw2"

### Definition of routes ###

# Check if tables exists, if not -> create them:
if [ -z "`cat /etc/iproute2/rt_tables | grep '^251'`" ] ; then
  echo "251 rt_dev1" >> /etc/iproute2/rt_tables
fi
if [ -z "`cat /etc/iproute2/rt_tables | grep '^252'`" ] ; then
  echo "252 rt_dev2" >> /etc/iproute2/rt_tables
fi

# Define routing tables:
ip route add default via $gw1 table rt_dev1
ip route add default via $gw2 table rt_dev2

# Create rules:
ip rule add from $ip1 table rt_dev1
ip rule add from $ip2 table rt_dev2

# If we already have a 'nexthop' route, delete it:
if [ ! -z "`ip route show table main | grep 'nexthop'`" ] ; then
  ip route del default scope global
fi

# Balance links based on routes:
ip route add default scope global nexthop via $gw1 dev $DEV1 weight 1 \
                                  nexthop via $gw2 dev $DEV2 weight 1

# Flush cache table:
ip route flush cache

# All done...
</source>
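Both scripts take the link addresses on trust: the first from the EXTIPn/EXTMn/EXTGWn blanks, the second from ifconfig and route output. The script below is an added example, not part of the original page or of either script's author's code: it checks each link's IP, prefix length and gateway before any ip rule or nexthop route is installed, because a gateway outside the link's subnet is the usual reason ip route add default via ... fails, or is accepted and routes nowhere. It is written for Ethernet links like eth1/eth2 in the first script, which is why a prefix length of 32 is rejected; the function names are this example's own and the addresses in the sample calls are constructed from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example (not part of the original page or the scripts above): validate
# a link's IP / prefix length / gateway trio before handing it to the routing
# scripts.  POSIX sh, no external tools.  Sample addresses are constructed
# from the RFC 5737 documentation ranges.

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# valid_ip STRING -> 0 only for exactly four decimal octets in 0..255.
# Octets with a leading zero are rejected: shell arithmetic would read
# "010" as octal 8, silently turning .010 into .8.
valid_ip() {
    case $1 in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=. read -r a b c d rest <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$rest" ] || return 1
    for o in $a $b $c $d; do
        case $o in 0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# same_subnet IP PREFIXLEN GW -> 0 when GW lies inside IP/PREFIXLEN.
# Prefix lengths 1..31 only: this is for Ethernet links, not /32 PPP peers.
same_subnet() {
    [ "$2" -ge 1 ] && [ "$2" -le 31 ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - $2)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$3") & mask )) ]
}

# check_link NAME IP PREFIXLEN GW -> prints each problem found, returns 0
# only when the trio is usable as EXTIFn/EXTIPn/EXTMn/EXTGWn.
check_link() {
    if [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ]; then
        echo "$1: IP, prefix length and gateway must all be set"
        return 1
    fi
    case $3 in
        *[!0-9]*) echo "$1: bad prefix length '$3'"; return 1 ;;
    esac
    valid_ip "$2" || { echo "$1: bad address '$2'"; return 1; }
    valid_ip "$4" || { echo "$1: bad gateway '$4'"; return 1; }
    if [ "$(ip2int "$2")" -eq "$(ip2int "$4")" ]; then
        echo "$1: gateway is the link's own address"
        return 1
    fi
    if ! same_subnet "$2" "$3" "$4"; then
        echo "$1: gateway $4 is not inside $2/$3"
        return 1
    fi
    return 0
}

# Sample run on the two links of the first script, with constructed values:
if [ $# -eq 0 ]; then
    check_link eth2 192.0.2.10 24 192.0.2.1 && echo "eth2 ok"
    check_link eth1 198.51.100.20 28 198.51.100.17 && echo "eth1 ok"
fi
```

Call check_link once per link with the same values you put into the script, and only run the routing part when every call returns 0; the prohibit routes in tables 201/202 and the multipath default are all keyed on those values.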



References



http://www.ssi.bg/~ja/#routes-2.6

http://l7-filter.sourceforge.net/protocols

Protocol definitions: /etc/l7-protocols

http://www.linuximq.net/

http://www.howtoforge.com/kernel_compilation_debian_etch

http://www.linuximq.net/usage.html