Hello list,

I have these sorts of filters, putting traffic into the appropriate classid (1:15 is the default class):

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip sport 22 0xffff \
    classid 1:11 # ssh

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip dport 22 0xffff \
    classid 1:11 # ssh

[and a few more 1:11 filters]

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
    match ip protocol 0x11 0xff \
    match ip sport 123 0xffff \
    classid 1:11 # return packets NTP

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
    match ip protocol 0x06 0xff \
    match u8 0x05 0x0f at 0 \
    match u8 0x10 0xff at 33 \
    match u16 0x000 0xffc0 at 2 \
    classid 1:11 # ACK's

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 2 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip dport 80 0xffff \
    classid 1:12 # Webserver

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 3 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip sport 443 0xffff \
    classid 1:13 # webmail server

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 4 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip dport 21 0xffff \
    classid 1:14 # ftp-server

This works fine, but traffic for 1:14 (ftp) never gets into 1:14.

Is there a certain rule order in which filters must be written? As far as I can see I haven't made any mistakes in these filters...

Anyone a hint?

R.

--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+
Wouldn't it depend on if you are using passive FTP or not?

http://www.slacksite.com/other/ftp.html

Shane McKinley
Habersham EMC

-----Original Message-----
From: richard lucassen [mailto:mailinglists@lucassen.org]
Sent: Monday, December 17, 2007 6:10 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] traffic not getting into class

<snip>

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> ${TC} filter add dev ${DEV_IFB} parent 1:0 prio 4 protocol ip u32 \
>     match ip protocol 0x6 0xff \
>     match ip dport 21 0xffff \
>     classid 1:14 # ftp-server
>
> This works fine, but traffic for 1:14 (ftp) never gets into 1:14.
>
> Is there a certain rule order in which filters must be written? As far
> as I can see I haven't made any mistakes in these filters...
>
> Anyone a hint?

Port 21 is used only by the control connection of FTP. Active mode FTP uses
port 20 to do the actual downloading and Passive mode uses random ports. I
think you need to mark packets in iptables using ip_conntrack_ftp helper to
identify ftp packets.
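As an added example (not from anyone in this thread), the helper-based approach the reply describes, written as a dry-run script: the conntrack ftp helper follows PORT/PASV on the control channel so the data connection (port 20 or a random port) becomes RELATED to the session, and a tc fw filter then classifies on the resulting mark instead of the dport 21 u32 match. It assumes the DEV_IFB variable and class 1:14 from the thread, and the mark value 14 and the ifb0 default are arbitrary choices.

```shell
#!/bin/sh
# Classify FTP control *and* data connections into class 1:14 using the
# conntrack ftp helper plus a tc fw filter. Dry run by default: commands are
# printed rather than executed; set APPLY=1 to run them for real (as root).
DEV_IFB="${DEV_IFB:-ifb0}"      # assumed name, as in the thread
FTP_MARK="${FTP_MARK:-14}"      # arbitrary mark value for the FTP class
if [ "${APPLY:-0}" = "1" ]; then
    TC="tc"; IPT="iptables"; MODPROBE="modprobe"
else
    TC="echo tc"; IPT="echo iptables"; MODPROBE="echo modprobe"
fi

ftp_class_rules() {
    # nf_conntrack_ftp is the current name of the ip_conntrack_ftp helper
    # mentioned above; it parses PORT/PASV and registers an expectation.
    $MODPROBE nf_conntrack_ftp

    # Kernels since 4.7 no longer auto-assign helpers by port, so attach the
    # helper explicitly to the control connection in the raw table.
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    $IPT -t raw -A OUTPUT     -p tcp --dport 21 -j CT --helper ftp

    # Mark the control connection in both directions, then every data
    # connection the helper expected ('-m helper' matches RELATED flows).
    $IPT -t mangle -A PREROUTING -p tcp --dport 21 -j MARK --set-mark "$FTP_MARK"
    $IPT -t mangle -A PREROUTING -p tcp --sport 21 -j MARK --set-mark "$FTP_MARK"
    $IPT -t mangle -A PREROUTING -m helper --helper ftp -j MARK --set-mark "$FTP_MARK"

    # Replace the u32 'dport 21' filter with a mark-based fw filter.
    $TC filter add dev "$DEV_IFB" parent 1:0 prio 4 protocol ip \
        handle "$FTP_MARK" fw classid 1:14
}

ftp_class_rules
```

Caveat: an IFB fed from the ingress qdisc sees packets before the netfilter PREROUTING hook runs, so marks set there are not yet present on that device; this layout suits egress shaping or an IFB fed from egress.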
<snip>
> > ${TC} filter add dev ${DEV_IFB} parent 1:0 prio 4 protocol ip u32 \
> >     match ip protocol 0x6 0xff \
> >     match ip dport 21 0xffff \
> >     classid 1:14 # ftp-server
> >
> > This works fine, but traffic for 1:14 (ftp) never gets into 1:14.
> >
> > Is there a certain rule order in which filters must be written? As
> > far as I can see I haven't made any mistakes in these filters...

FTP is more complicated to filter than ssh. There is a control connection
and a data connection.

> > Anyone a hint?

The following sites give some info on the ftp protocol, though there is a
ton of more info if you use google.

http://www.slacksite.com/other/ftp.html
http://www.troubleshootingnetworks.com/ftpinfo.html

As an aside, ftp services really should be replaced with one of the better
alternatives.