Grames Gernot
2005-Apr-19 05:55 UTC
AW: AW: Activate ingress policies on suse enterprise server 9
Good Morning,

Thanks for your hint, now I can see the dropped packages!
But it is only working for port 8080, why not for port 8099??

(If you need some indices please let me know)

Thanks
Gernot

GRAMES Gernot
__________________________________
SIEMENS AG Austria
PSE SMC AI 21
* Tel.: +43 (0) 5 1707 24356
* FAX: +43 (0) 5 1707 54600
* E-Mail: mailto:Gernot.Grames@Siemens.com
Siemensstrasse 88 - 92
A-1210 VIENNA
__________________________________

-----Original Message-----
From: Andy Furniss [mailto:andy.furniss@dsl.pipex.com]
Sent: Monday, 18 April 2005 16:05
To: Grames Gernot
Cc: 'lartc@mailman.ds9a.nl'
Subject: Re: AW: [LARTC] Activate ingress policies on suse enterprise server 9

Grames Gernot wrote:
> Hi,
>
> Thanks for the fast response,
>
> .)Okay I tried your suggestion for my port 8099 and nothing happened:
> The tcp ip information goes from a firewall to my port 8099 and this port is
> then routed to the original 8080, I do that because I don't want to disturb
> my port 8080.
> But it seems the ingress filter doesn't work on it!!
>
> iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> DNAT tcp -- anywhere iacapp3.local tcp dpt:8099 to:192.168.0.10:8080
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> .)I tried then for the port 8080 and something happened but no drop of the
> packages:
> #tcpdump port 8080
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 15:07:21.522898 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>
> 15:07:24.440701 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>
> 15:07:30.456696 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>
>
> 3 packets captured
> 3 packets received by filter
> 0 packets dropped by kernel

tcpdump will see packets before policer - so they could still be dropped.

Just to confuse matters though, depending on kernel options the ingress policer may see packets before or after prerouting.

use tc -s qdisc ls dev eth0 to see drops.

Andy.
Andy Furniss
2005-Apr-19 21:50 UTC
Re: AW: AW: Activate ingress policies on suse enterprise server 9
Grames Gernot wrote:
>
> Good Morning,
>
> Thanks for your hint, now I can see the dropped packages!
> But it is only working for port 8080 why not for port 8099??
>
> (If you need some indices please let me know)

I don't know why it should work for 8080 and not 8099 - I don't think I quite understand your setup and aims.

Andy.
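
The check suggested earlier in the thread (`tc -s qdisc ls dev eth0`), turned into a before/after comparison of the ingress qdisc's drop counter. This is an added example, not code from either poster; the sample `tc` output is constructed, and the function names (`ingress_drops`, `drops_delta`, `watch_ingress`) are hypothetical helpers.

```shell
#!/bin/sh
# Added example (not from the thread): read the ingress qdisc's drop counter
# out of `tc -s qdisc ls dev <if>` output, because tcpdump captures packets
# before the policer and cannot show whether they were dropped afterwards.

# Constructed sample output: two snapshots taken a few seconds apart.
SAMPLE_BEFORE='qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 91234 bytes 812 pkt (dropped 0, overlimits 0 requeues 0)
qdisc ingress ffff: ----------------
 Sent 4200 bytes 70 pkt (dropped 2, overlimits 0 requeues 0)'
SAMPLE_AFTER='qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 95310 bytes 850 pkt (dropped 7, overlimits 0 requeues 0)
qdisc ingress ffff: ----------------
 Sent 4380 bytes 73 pkt (dropped 5, overlimits 0 requeues 0)'

# Reads `tc -s qdisc ls` output on stdin and prints the "dropped" counter of
# the ingress qdisc only. Returns 1 when no ingress qdisc is attached.
ingress_drops() {
    awk '
        /^qdisc /               { in_ingress = ($2 == "ingress") }
        in_ingress && /dropped/ {
            for (i = 1; i < NF; i++)
                if ($i == "(dropped") {
                    v = $(i + 1); sub(/,$/, "", v)
                    print v; found = 1; exit
                }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Prints how many packets the ingress policer dropped between two snapshots.
drops_delta() {
    before=$(printf '%s\n' "$1" | ingress_drops) || return 1
    after=$(printf '%s\n' "$2" | ingress_drops) || return 1
    echo $((after - before))
}

# Live use (needs tc and an ingress qdisc on the device): watch_ingress eth0 5
watch_ingress() {
    a=$(tc -s qdisc ls dev "$1"); sleep "${2:-5}"; b=$(tc -s qdisc ls dev "$1")
    drops_delta "$a" "$b"
}

echo "ingress drops between constructed snapshots: $(drops_delta "$SAMPLE_BEFORE" "$SAMPLE_AFTER")"
```

Sending test traffic to each port in turn and comparing the delta shows whether the ingress filter matches traffic for that port, independent of what tcpdump displays.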