Integration - bwmtools

Next: Graphing, Previous: Configuration, Up: Top

4 Integrating BWM Tools with your system

This section will describe how to integrate BWM Tools into your system, be it you use BWM Tools to entirely manage your firewall, NAT and traffic shaping or just to do the traffic shaping.

There are two possible scenarios here detailed below...

You want to use BWM Tools for both your firewall and traffic shaping.

This is the easiest scenario to deal with, only having 4 steps below to get your firewall, NAT and traffic shaping up and running...
1. Configure your classes, ACL's, NAT and traffic shaping rules as described in the previous sections. The end target for all accepted traffic must be bwmd in the INPUT chain or OUTPUT chain if you doing single box or a router configuration respectively.
2. Run BWM Firewall with the below possible arguments to generate an iptables-restore compatible configuration file...
```
               Usage: bwm_firewall <options>
               
               Options:
                   -c,  --config=<config_file>     Specify non-default BWM Tools config file
                   -f,  --file[=<output_file>]     Generate iptables-restore file from
                                                   BWM Tools firewall
                   -l,  --load                     Load BWM Tools firewall directly into
                                                   kernel
                   -h,  --help                     Display this page
                   -r,  --reset-counters           Reset iptables counters, usable with
                                                   "iptables-restore -c"
          
```
  BWM Firewall takes the BWM Tools XML configuration file and translates the various sections and tags into a firewall which can be loaded directly with iptables-restore.
  
  BWM Firewall defualts to writing the iptables-restore configuration file to /etc/sysconfig/iptables.
3. Once you've generated the iptables restore file you must load it atomically into the kernel with the following command...
  iptables-restore < /etc/sysconfig/iptables
4. The last step is to fire up bwmd with your choice of the available options below...
```
               Usage: bwmd <options>
               
               Options:
                   -c,  --config=<config_file>     Specify non-default BWM Tools config file
                   -f,  --foreground               Run in foreground and print debug infomation to the screen
                   -h,  --help                     Display this page
          
```
  BWMD defualts to using the configuration file in
  /etc/bwm_tools/firewall.xml.
You want to use another firewalling application and have BWM Tools do only the traffic shaping.

Here there are a few things to remember...
- BWM Tools works with the NFMARK parameter attached to packets. Marking packets can only be done in the mangle table in iptables.
- BWM Tools uses the userpace queueing mechanism, all packets to be shaped must be targetted at QUEUE in the filter table. This is done by either adding a rule to the INPUT and OUTPUT chain in the case of a single box which you need to shape traffic to and from respectively. While in the case of a firewall where traffic passes through you would add a rule to the FORWARD chain.
- Therefore in order for BWM Tools to shape traffic, packets must be MARK'ed with a number corrosponding to the number specified in the nfmark="..." parameter defined in the <flow> tag and targetted in iptables to QUEUE instead of ACCEPT as per above.
Imagine you would like your linux router to rate limit all traffic from and to IP 192.168.1.100, an example of this can be found below...
- Configuring iptables
```
               iptables -t filter -A FORWARD -m mark ! --mark 0x0 -j QUEUE
               iptables -t mangle -A FORWARD -s 192.168.1.100 -j MARK --set-mark 100
               iptables -t mangle -A FORWARD -d 192.168.1.100 -j MARK --set-mark 101
          
```
- Configuring bwmd
```
                   <firewall>
                       <global>
                           <modules>
                               <load name="ip_queue"/>
                           </modules>
                       </global>
               
                       # Traffic flows
                       <traffic>
                           <flow name="pc_in" max-rate="64000" report-timeout="60"
                                   nfmark="100" />
                           <flow name="pc_out" max-rate="64000" report-timeout="60"
                                   nfmark="101" />
                       </traffic>
                   </firewall>
          
```