thr3ads.net - LARTC - tc filter isn''t work ! [Mar 2003]

If this information is useful, please help other people find it:
Share via:

netmaster

2003-Mar-25 00:28 UTC

tc filter isn''t work !

->  Hi!
->  
->  I''ve a Linux Box that I want to apply a filter
->  in order to limit FTP salient traffic from my
->  linux box to internet.
->  
->  I''ve a:
->  	Red Hat 7.2
->  	Kernel 2.4.20 (with HTB built in!)
->  	iptables 1.2.7a
->  
->  Also, I get "tc" binnary package from HTB home page.
->  
->  I have a script in order to manage everything.
->  
->  After to do a FTP session, and sent a file to INTERNET from 
->  my Linux BOX, and traffic seems catched by iptables, but 
->  not by tc filter (dropped 0, overlimits 0)
->  
->  What is wrong ???
->  Please see below my script, and diagnostics.
->  
->  Thank you !!
->  
->  Mac
->  
->  -------------------------------------------------------
->  
->  #!/bin/bash
->  
->  # Clear everything
->  
->  tc qdisc del dev eth0 root 2> /dev/null > /dev/null
->  tc qdisc del dev eth0 ingress 2> /dev/null > /dev/null
->  iptables -F OUTPUT -t mangle 
->  iptables -F INPUT -t mangle 
->  iptables -F PREROUTING -t mangle 
->  iptables -F POSTROUTING -t mangle 
->  iptables -F FORWARD -t mangle 
->  
->  # HTB qdisc
->  
->  tc qdisc add dev eth0 root handle 1: htb
->  tc class add dev eth0 parent 1: classid 1:1 htb rate 32kbit 
->  ceil 32kbit burst 2kbit
->  
->  # FTP traffic class
->  tc class add dev eth0 parent 1:1 classid 1:10 htb rate 
->  16kbit ceil 16kbit
->  
->  # sfq
->  tc qdisc add dev eth0 parent 1:10 handle 40: sfq perturb 10
->  
->  # Filter FTP traffic
->  tc filter add dev eth0 parent 1: protocol ip prio 1 handle 
->  1 fw classid 1:10
->  
->  # iptables to get FTP traffic
->  
->  iptables -A OUTPUT -t mangle -p tcp --dport 21 -j MARK 
->  --set-mark 1 iptables -A OUTPUT -t mangle -p tcp --dport 20 
->  -j MARK --set-mark 1 iptables -A OUTPUT -t mangle -p udp 
->  --dport 21 -j MARK --set-mark 1 iptables -A OUTPUT -t 
->  mangle -p udp --dport 20 -j MARK --set-mark 1
->  
->  iptables -A PREROUTING -t mangle -p tcp --dport 21 -j MARK 
->  --set-mark 1 iptables -A PREROUTING -t mangle -p tcp 
->  --dport 20 -j MARK --set-mark 1 iptables -A PREROUTING -t 
->  mangle -p udp --dport 21 -j MARK --set-mark 1 iptables -A 
->  PREROUTING -t mangle -p udp --dport 20 -j MARK --set-mark 1
->  
->  iptables -A FORWARD -t mangle -p tcp --dport 21 -j MARK 
->  --set-mark 1 iptables -A FORWARD -t mangle -p tcp --dport 
->  20 -j MARK --set-mark 1 iptables -A FORWARD -t mangle -p 
->  udp --dport 21 -j MARK --set-mark 1 iptables -A FORWARD -t 
->  mangle -p udp --dport 20 -j MARK --set-mark 1
->  
->  iptables -A POSTROUTING -t mangle -p tcp --dport 21 -j MARK 
->  --set-mark 1 iptables -A POSTROUTING -t mangle -p tcp 
->  --dport 20 -j MARK --set-mark 1 iptables -A POSTROUTING -t 
->  mangle -p udp --dport 21 -j MARK --set-mark 1 iptables -A 
->  POSTROUTING -t mangle -p udp --dport 20 -j MARK --set-mark 1
->  
->  -------------------------------------------------------
->  
->  [root@LinuxBOX macwww]# iptables -L -t mangle -nvx
->  
->  Chain PREROUTING (policy ACCEPT 190679 packets, 163312488 bytes)
->      pkts      bytes target     prot opt in     out     
->  source               destination
->         1       40 MARK       tcp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          tcp dpt:21 MARK set 0x1
->         0        0 MARK       tcp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          tcp dpt:20 MARK set 0x1
->         0        0 MARK       udp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          udp dpt:21 MARK set 0x1
->         0        0 MARK       udp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          udp dpt:20 MARK set 0x1
->  
->  Chain INPUT (policy ACCEPT 161324 packets, 160097182 bytes)
->      pkts      bytes target     prot opt in     out     
->  source               destination
->  
->  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
->      pkts      bytes target     prot opt in     out     
->  source               destination
->         0        0 MARK       tcp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          tcp dpt:21 MARK set 0x1
->         0        0 MARK       tcp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          tcp dpt:20 MARK set 0x1
->         0        0 MARK       udp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          udp dpt:21 MARK set 0x1
->         0        0 MARK       udp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          udp dpt:20 MARK set 0x1
->  
->  Chain OUTPUT (policy ACCEPT 130426 packets, 136583975 bytes)
->      pkts      bytes target     prot opt in     out     
->  source               destination
->        33     1989 MARK       tcp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          tcp dpt:21 MARK set 0x1
->         0        0 MARK       tcp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          tcp dpt:20 MARK set 0x1
->         0        0 MARK       udp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          udp dpt:21 MARK set 0x1
->         0        0 MARK       udp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          udp dpt:20 MARK set 0x1
->  
->  Chain POSTROUTING (policy ACCEPT 130426 packets, 136583975 bytes)
->      pkts      bytes target     prot opt in     out     
->  source               destination
->        33     1989 MARK       tcp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          tcp dpt:21 MARK set 0x1
->         0        0 MARK       tcp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          tcp dpt:20 MARK set 0x1
->         0        0 MARK       udp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          udp dpt:21 MARK set 0x1
->         0        0 MARK       udp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0   
->  
->  
->  -------------------------------------------------------
->  
->  [root@LinuxBOX macwww]# tc -s -d qdisc show dev eth0
->  qdisc sfq 60: quantum 1514b limit 128p flows 128/1024 
->  perturb 10sec  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
->  
->   qdisc sfq 50: quantum 1514b limit 128p flows 128/1024 
->  perturb 10sec  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
->  
->   qdisc sfq 40: quantum 1514b limit 128p flows 128/1024 
->  perturb 10sec  Sent 2451 bytes 33 pkts (dropped 0, overlimits 0)
->  
->   qdisc htb 1: r2q 10 default 0 direct_packets_stat 7233 ver 
->  3.7  Sent 9630794 bytes 7266 pkts (dropped 0, overlimits 0)
->  

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Martin A. Brown

2003-Mar-25 01:00 UTC

head link

FTP and shaping was [ tc filter isn''t work ! ]

Hi "netmaster",

You can do it, but it takes a bit of extra work because of the design of
FTP.  Also, this is in the FAQ.  See Stef''s FAQ entry for it!

  http://www.docum.org/stef.coene/qos/faq/cache/43.html

Or, if you prefer to click forty more times, an old thread with pointers
to other threads.....

  http://mailman.ds9a.nl/pipermail/lartc/2003q1/007548.html

Ciao,

-Martin

 : ->  I''ve a Linux Box that I want to apply a filter
 : ->  in order to limit FTP salient traffic from my
 : ->  linux box to internet.

"FTP salient traffic"  I like that.  :)

<much detail snipped and ignored>

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Reasonably Related Threads

Search for more possibly parallel threads

LARTC - Mar 2003 - tc filter isn''t work !

tc filter isn''t work !

FTP and shaping was [ tc filter isn''t work ! ]

Reasonably Related Threads