Hello:

I am a bit unclear on shaping FTP traffic only. How do I do it? This is what I currently have:

# classid 1:100 is a 200Kbit limiter
# filter for matching "ftp-data" (0x14) and "ftp" (0x15) ports
$TC filter add dev eth1 parent 1:0 protocol ip prio 9 u32 match ip \
   sport 0x14 0xffff flowid 1:100
$TC filter add dev eth1 parent 1:0 protocol ip prio 8 u32 match ip \
   sport 0x15 0xffff flowid 1:100

This does not seem to work. Can anyone provide me with a filter for catching active and passive FTP connects?

Thank you for your time.

--
Emperor Palpatine: Everything that has transpired has done so according to my design.
On Sep/25/2001, Shanker Balan wrote:
> Hello:

hi!

> I am a bit unclear on shaping FTP traffic only. How do i do it?

You just filter by ftp-data port (20) and by passive ports range (most ftp daemons give you the chance to define a determinate range of ports to use in passive mode).

I discourage you from shaping ftp control traffic (21), because of the annoying delay you introduce in the interactiveness of the ftp session.

> This is what i currently have:
>
> # classid 1:100 is a 200Kbit limiter
> # filter for matching "ftp-data" (0x14) and "ftp" (0x15) ports
> $TC filter add dev eth1 parent 1:0 protocol ip prio 9 u32 match ip \
>    sport 0x14 0xffff flowid 1:100
> $TC filter add dev eth1 parent 1:0 protocol ip prio 8 u32 match ip \
>    sport 0x15 0xffff flowid 1:100
>
> This does not seem to work. Can anyone provide me with a filter for
> catching active and passive FTP connects?

This is how I do it using iptables marking and fw tc filter:

#for matching ftp-data
iptables -A OUTPUT -o $IF_EXT -p tcp --sport 20 -j MARK --set-mark 1

#for matching passive ports range that I configured in my ftp daemon
iptables -A OUTPUT -o $IF_EXT -p tcp --sport 5000:5100 -j MARK --set-mark 1

#and now the tc filters using fw
tc filter add dev $IF_EXT parent 1:0 protocol ip prio 1 handle 1 fw classid 1:100

> Thank you for your time.

ivan
Hello:

Ivan Lopez wrote,
> You just filter by ftp-data port (20) and by passive ports range (most
> ftp daemons give you the chance to define a determinate range of
> ports to use in passive mode)

But I have no control over the FTP clients users behind my Linux router will use. Moreover, I have full NAT for my internal network.

> I discourage you from shaping ftp control traffic (21), because of the
> annoying delay you introduce in the interactiveness of the ftp session

Ok. Will take out port 21 then.

> This is how I do it using iptables marking and fw tc filter
>
> #for matching ftp-data
> iptables -A OUTPUT -o $IF_EXT -p tcp --sport 20 -j MARK --set-mark 1
> #for matching passive ports range that I configured in my ftp daemon
> iptables -A OUTPUT -o $IF_EXT -p tcp --sport 5000:5100 -j MARK --set-mark 1

For this to work, all FTP clients should be configured to use only ports between 5000 and 5100, right?
On Sep/25/2001, Shanker Balan wrote:
> Hello:
>
> Ivan Lopez wrote,
> > You just filter by ftp-data port (20) and by passive ports range (most
> > ftp daemons give you the chance to define a determinate range of
> > ports to use in passive mode)
>
> But I have no control over the FTP clients users behind my Linux router
> will use. Moreover, I have full NAT for my internal network.
>
> > I discourage you from shaping ftp control traffic (21), because of the
> > annoying delay you introduce in the interactiveness of the ftp session
>
> Ok. Will take out port 21 then.
>
> > This is how I do it using iptables marking and fw tc filter
> >
> > #for matching ftp-data
> > iptables -A OUTPUT -o $IF_EXT -p tcp --sport 20 -j MARK --set-mark 1
> > #for matching passive ports range that I configured in my ftp daemon
> > iptables -A OUTPUT -o $IF_EXT -p tcp --sport 5000:5100 -j MARK --set-mark 1
>
> For this to work, all FTP clients should be configured to use only ports
> between 5000 and 5100, right?

It's not the clients, but the server configuration: when using passive mode, it is the server that selects which port is going to be used for the data transfer, so you can configure the range of ports to be used, and my example setup is for this case: shaping the available download bandwidth to external clients from your server.

But if what you want is to limit the available download bandwidth to your internal clients from external ftp servers, you must shape the outgoing packets on the internal interface (coming from the internet to your clients). For active mode (ftp-data transfers by port 20) it can be done with

iptables -A POSTROUTING -t mangle -o $IF_INT -p tcp --sport 20 -j MARK --set-mark 1

But, because of the above commented behavior of the passive mode, you cannot predict which ports will be used by your clients... and I don't know any *good* thing for matching accurately these ftp passive connections (anyone else here knows how :?)

ivan

PD: note my mistake in the previous reply in the iptables lines, they lack the -t mangle option, sorry O:)
Hello:

Ivan Lopez wrote,
> But, because of the above commented behavior of the passive mode, you
> cannot predict which ports will be used by your clients... and I don't
> know any *good* thing for matching accurately these ftp passive
> connections (anyone else here knows how :?)

And that is exactly my problem - you never know what ports will be opened for ftp data transfer and hence cannot "catch" them.

Since the FTP data port is unpredictable, what I have temporarily done is to use a dedicated class of 1.5Mbit solely for HTTP traffic, and the remainder of .5Mbit is used for "other" traffic on a 2Mbit link. This is not a perfect solution but it makes sure that http traffic is not affected.

Looks like there is no straightforward solution for shaping FTP traffic using Linux. How do routers and other traffic management appliances handle FTP traffic shaping anyway?

Is it possible to use iptables' "established,related" functions to mark FTP data traffic and then use the "fw" classifier on it?
Hi,

Is it possible to use the "Connection tracking / FTP protocol support" module to track FTP connections?

Regards,
Daniel

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Shanker Balan
Sent: Tuesday, September 25, 2001 12:37 PM
To: LARTC
Subject: [LARTC] Re: Shaping only FTP traffic

> Is it possible to use iptables' "established,related" functions to
> mark FTP data traffic and then use the "fw" classifier on it?
On Sep/25/2001, Shanker Balan wrote:
> Is it possible to use iptables' "established,related" functions to
> mark FTP data traffic and then use the "fw" classifier on it?

Yes, using ip_conntrack_ftp. It will be something like this (take a look at http://www.cs.princeton.edu/~jns/security/iptables/iptables_conntrack.html):

iptables -A OUTPUT -t mangle -o $IF_LAN -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j MARK --set-mark 1

Passive ftp-data traffic will be marked with this rule, but this is very generic and may catch other traffic totally unrelated to an ftp communication... (i.e. a dcc send using ip_conntrack_irc)

ivan
Hello:

Ivan Lopez wrote,
> iptables -A OUTPUT -t mangle -o $IF_LAN -p tcp --sport 1024: --dport
> 1024: -m state --state ESTABLISHED,RELATED -j MARK --set-mark 1
>
> Passive ftp-data traffic will be marked with this rule, but this is
> very generic and may catch other traffic totally unrelated to an ftp
> communication... (i.e. a dcc send using ip_conntrack_irc)

Which is one of the things I want to avoid - marking *all* tracked connections. Now if only one could narrow the marking down purely to FTP traffic. I guess I should make this a feature request to the Netfilter team! ;)
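As an added example (not code posted in this thread), the following POSIX sh script assembles the pieces discussed above into one rule set: an HTB class 1:100 as the 200Kbit limiter, the fw classifier, the port-20 rule for active mode, and for passive mode either the thread's broad ESTABLISHED,RELATED rule or a narrower one. It assumes the ip_conntrack_ftp (nf_conntrack_ftp on current kernels) module is loaded and that iptables provides the helper match (-m helper --helper ftp), which limits the marking to data connections the FTP helper itself expected from a PORT or PASV exchange; the small pasv_data_port function shows what that helper reads off the control channel, which is why the data port cannot be predicted from a static port list.

```shell
#!/bin/sh
# Added example, not code from the thread.  Prints (or, piped to sh as
# root, applies) a tc/iptables rule set that shapes only FTP data flows:
#   - active mode: server source port 20, as in the thread
#   - passive mode: flows the kernel FTP conntrack helper expected
# Assumes the ip_conntrack_ftp/nf_conntrack_ftp module is loaded and that
# iptables provides the "helper" match (xt_helper), which restricts the
# thread's broad ESTABLISHED,RELATED rule to FTP-helper expectations only.
# Usage: ftp_shape_rules <iface> <rate> [--generic] | sh

ftp_shape_rules() {
    iface=$1; rate=$2; mode=${3:-narrow}; mark=1
    # HTB root: 1:100 is the FTP limiter, 1:30 gets everything else
    echo "tc qdisc add dev $iface root handle 1: htb default 30"
    echo "tc class add dev $iface parent 1: classid 1:1 htb rate 2mbit"
    echo "tc class add dev $iface parent 1:1 classid 1:100 htb rate $rate ceil $rate"
    echo "tc class add dev $iface parent 1:1 classid 1:30 htb rate 1800kbit ceil 2mbit"
    # fw classifier: packets carrying the mark land in the limiter
    echo "tc filter add dev $iface parent 1:0 protocol ip prio 1 handle $mark fw classid 1:100"
    # active-mode data channel: predictable server source port 20
    echo "iptables -t mangle -A POSTROUTING -o $iface -p tcp --sport 20 -j MARK --set-mark $mark"
    if [ "$mode" = "--generic" ]; then
        # the thread's rule: also marks DCC and any other RELATED flow
        echo "iptables -t mangle -A POSTROUTING -o $iface -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j MARK --set-mark $mark"
    else
        # only data connections the FTP helper predicted from PORT/PASV
        echo "iptables -t mangle -A POSTROUTING -o $iface -p tcp -m helper --helper ftp -j MARK --set-mark $mark"
    fi
}

# What the FTP helper reads off the control channel to predict a passive
# data connection: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)",
# data port = p1*256 + p2.  Returns 1 if the line is not a 227 reply.
pasv_data_port() {
    fields=$(printf '%s\n' "$1" | sed -n 's/^227 .*(\([0-9,]*\)).*/\1/p')
    [ -n "$fields" ] || return 1
    p1=$(printf '%s\n' "$fields" | cut -d, -f5)
    p2=$(printf '%s\n' "$fields" | cut -d, -f6)
    echo $((p1 * 256 + p2))
}

# Stand-alone demo: the narrow rule set for eth1 at 200Kbit, then the data
# port hidden in a constructed PASV reply (prints 5001).
ftp_shape_rules eth1 200kbit
pasv_data_port "227 Entering Passive Mode (192,168,1,10,19,137)"
```

Run the generator on the interface that faces the receivers of the downloads (the internal interface for clients behind NAT, as Ivan notes), and keep port 21 out of the limiter so the control channel stays responsive.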