----- Original Message -----
From: <lartc-request@mailman.ds9a.nl>
To: <lartc@mailman.ds9a.nl>
Sent: Thursday, October 23, 2003 11:05 AM
Subject: LARTC digest, Vol 1 #1420 - 10 msgs
> Send LARTC mailing list submissions to
> lartc@mailman.ds9a.nl
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://mailman.ds9a.nl/mailman/listinfo/lartc
> or, via email, send a message with subject or body 'help' to
> lartc-request@mailman.ds9a.nl
>
> You can reach the person managing the list at
> lartc-admin@mailman.ds9a.nl
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of LARTC digest..."
>
>
> Today's Topics:
>
> 1. Re: "Help with routing" (Robert Kurjata)
> 2. Need Suggestion on CBQ Rules. (Raghuveer K)
> 3. Per host Traffic Shaping bridge, using DSCP (Warwick Chapman)
> 4. nexthop reachability (Vadiraj C S)
> 5. Re: 'Help with routing' (nixo@nixo.com.ar)
> 6. Split access problems. (Mike Taekema)
> 7. Re: Per host Traffic Shaping bridge, using DSCP (Stef Coene)
> 8. esfq (ThE PhP_KiD)
> 9. RE: Missing parameter descriptions (Marko Buuri)
> 10. iptables question (Walter D. Wyndroski)
>
> --__--__--
>
> Message: 1
> Date: Wed, 22 Oct 2003 08:59:05 +0200
> From: Robert Kurjata <rkurjata@ire.pw.edu.pl>
> Reply-To: Robert Kurjata <rkurjata@ire.pw.edu.pl>
> To: nixo@nixo.com.ar
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] "Help with routing"
>
> Hi nixo,
>
> I suppose you don't preserve properly output address, see my posting
> with script from 15th October this year :)
> (append prohibit default:)
>
>
> nnca> the scheme of my LAN is the next:
>
> nnca> eth0 isp1 /32
> nnca> eth1 lan de isp1 (LAN With public IP /24)
> nnca> eth2 isp2 /32
> nnca> eth3 lan de isp2 (LAN With public IP /26)
>
> nnca> ip route add 200.47.x.x/24 dev eth0 src 200.47.4.x table 1
> nnca> ip route add default via 200.47.4.x table 1
>
>
> nnca> ip route add 200.80.32.x/26 dev eth2 src 200.80.32.x table 2
> nnca> ip route add default via 200.80.32.x table 2
>
>
>
> nnca> ip rule add from 200.47.4.x table 1
> nnca> ip rule add from 200.80.32.x table 2
>
> nnca> ip route add default scope global nexthop via 200.47.4.x dev eth0 nexthop via
> nnca> 200.80.32.x dev eth2
>
> nnca> ******
>
> nnca> My problem is this: when I trace from the NETWORK of ISP1, sometimes the
> nnca> tracer goes out from the gateway of ISP2 and vice versa
>
> nnca> And when someone traces an IP from my LAN of ISP1, it shows me as the
> nnca> hop before the last one the gateway from ISP2 and vice versa.
>
>
> nnca> My question is: what is wrong in my config...??? What I need to put, or is
> nnca> anything wrong with this config???.
> nnca> THANKS VERY MUCH AND SORRY FOR MY HIGHSCHOOL ENGLISH.
>
>
> nnca> _______________________________________________
> nnca> LARTC mailing list / LARTC@mailman.ds9a.nl
> nnca> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
>
> --
> Greetings,
> Robert mailto:rkurjata@ire.pw.edu.pl
>
>
> --__--__--
>
> Message: 2
> Date: Wed, 22 Oct 2003 13:12:21 +0530
> From: Raghuveer K <rvk@gsecone.com>
> Reply-To: Raghuveer K <rvk@gsecone.com>
> Organization: Global Security One Ltd.
> To: Stef Coene <stef.coene@docum.org>
> Cc: lartc@mailman.ds9a.nl,
> "Martin A. Brown" <mabrown-lartc@securepipe.com>
> Subject: [LARTC] Need Suggestion on CBQ Rules.
>
> Stef Coene wrote:
>
> >On Tuesday 23 September 2003 07:56, Raghuveer wrote:
> >
> >
> >>Here are the rules I am applying to control outgoing traffic at WAN(eth0)
> >>interface for public hosted services.
> >>Here actual ISP rate = 512Kbit, rate taken = 97% of 512Kbit, eth0 ip is
> >>192.168.1.2
> >>
> >>tc qdisc add dev eth0 root handle 1: cbq bandwidth 100Mbit avpkt 1000 cell 8
> >>tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate 497Kbit weight 49Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000 bounded
> >>/* Hosted http server bandwidth = 64Kbit */
> >>tc class add dev eth0 parent 1:1 classid 1:2 cbq bandwidth 100Mbit rate 64Kbit weight 6Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
> >>tc filter add dev eth0 parent 1:1 protocol ip prio 3 u32 match ip src 192.168.1.2 match ip sport 80 0xffff classid 1:2
> >>
> >>/* Hosted ftp server bandwidth = 64Kbit */
> >>tc class add dev eth0 parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate 64Kbit weight 6Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
> >>tc filter add dev eth0 parent 1:1 protocol ip prio 3 u32 match ip src 192.168.1.2 match ip sport 21 0xffff classid 1:3
> >>
> >>/* Default : Rest/Other traffic */
> >>tc class add dev eth0 parent 1:1 classid 1:4 cbq bandwidth 100Mbit rate 369Kbit weight 40Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
> >>/* Here I want to replace the below rule with a simple rule based only on
> >>port, i.e. by using some default port other than 80, 21 as sport, which
> >>according to your last mail is not possible, hence pls check whether the
> >>below rule will do for remaining traffic */
> >>tc filter add dev eth0 parent 1:1 protocol ip prio 3 u32 match ip src 0/0 match ip dst 0/0 classid 1:4
> >>
> >>Pls let me know whether the above rules are framed correctly or can be
> >>done in a better way.
> >>
> >>
> >I can't do it better than you did :)
> >
> >
> Stef,
> Traffic Control is not taking place after applying the above rules. Here
> follows the test setup:-
> 1. The linux m/c's eth0 (100Mbits, WAN) is connected to 128 Kbits ADSL
> and eth1 to the LAN.
> 2. I tried doing traffic control for incoming (at eth1) and outgoing (at
> eth0) traffic using CBQ (above rules).
> 3. In LAN, I connected 3 m/c's (all linux).
> 4. The ISP rate taken is 97% of 128Kbits.
> 5. Bandwidth Monitoring is done by using IPTraf on each LAN m/c.
>
> I have a few observations and queries, as follows:--
> 1. Here the ISP rate is fluctuating in the range of 21Kbits to 131 Kbits
> for 128Kbits ADSL.
> 2. I have not added any filter for the parent class. Is it required...?
> What happens if I add...?
> 3. Is the "iptraf" tool OK for monitoring the distribution of bandwidth on
> each LAN m/c?
> 4. Shall I take the outgoing and incoming ISP rates in 30:70 ratio,
> i.e. 30% of 128Kbits for the outgoing Qdisc (eth0) and 70% for the incoming
> Qdisc (eth1), as the 128 Kbits rate is asynchronous (ADSL)?
>
> Can you pls guide me where I am going wrong..?
>
> Regards
> -Raghu
>
> >Stef
> >
> >
> >
>
>
>
>
>
>
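Added example, not code from the thread or from docum.org: a consistency checker for a CBQ class tree of the kind posted above. It parses `tc class add` and `tc filter add` lines (the rules quoted above, embedded here as a constructed sample), then checks what a reviewer would otherwise check by eye: every parent exists, the children of a class do not ask for more rate than the class itself has, every filter points at a defined class, and each weight stays close to rate/10, the rule of thumb commonly given for CBQ (the quoted weights follow it). The 25% weight tolerance is an assumption.

```python
import re
import shlex

# Constructed sample: the class and filter lines from the rules quoted above.
SAMPLE_RULES = """\
tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate 497Kbit weight 49Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000 bounded
tc class add dev eth0 parent 1:1 classid 1:2 cbq bandwidth 100Mbit rate 64Kbit weight 6Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
tc filter add dev eth0 parent 1:1 protocol ip prio 3 u32 match ip src 192.168.1.2 match ip sport 80 0xffff classid 1:2
tc class add dev eth0 parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate 64Kbit weight 6Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
tc filter add dev eth0 parent 1:1 protocol ip prio 3 u32 match ip src 192.168.1.2 match ip sport 21 0xffff classid 1:3
tc class add dev eth0 parent 1:1 classid 1:4 cbq bandwidth 100Mbit rate 369Kbit weight 40Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
tc filter add dev eth0 parent 1:1 protocol ip prio 3 u32 match ip src 0/0 match ip dst 0/0 classid 1:4
"""

UNITS = {"bit": 1, "kbit": 1000, "mbit": 1000000}


def rate_bits(text):
    """'497Kbit' -> 497000 bit/s (tc's K and M prefixes are decimal)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KkMm]?bit)", text)
    if not m:
        raise ValueError(f"unparseable rate {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2).lower()])


def value_after(argv, key):
    """Token following the first occurrence of key, or None if absent."""
    for i, tok in enumerate(argv[:-1]):
        if tok == key:
            return argv[i + 1]
    return None


def parse_rules(text):
    """Split tc lines into a class table and a filter list."""
    classes, filters = {}, []
    for line in text.splitlines():
        argv = shlex.split(line)
        if argv[:3] == ["tc", "class", "add"]:
            weight = value_after(argv, "weight")
            classes[value_after(argv, "classid")] = {
                "parent": value_after(argv, "parent"),
                "rate": rate_bits(value_after(argv, "rate")),
                "weight": rate_bits(weight) if weight else None,
                "bounded": "bounded" in argv,
            }
        elif argv[:3] == ["tc", "filter", "add"]:
            # tc accepts both 'flowid' and 'classid' for the target class
            target = value_after(argv, "flowid") or value_after(argv, "classid")
            filters.append({"parent": value_after(argv, "parent"), "target": target})
    return classes, filters


def is_qdisc_handle(handle):
    """'1:' or '1:0' names the qdisc itself rather than a class."""
    return handle.endswith(":") or handle.endswith(":0")


def check_tree(classes, filters, weight_tolerance=0.25):
    """Return a list of problems; an empty list means the tree is consistent."""
    problems = []
    for cid, c in classes.items():
        if not is_qdisc_handle(c["parent"]) and c["parent"] not in classes:
            problems.append(f"class {cid}: parent {c['parent']} is never defined")
        # rule of thumb: weight should be about rate/10 (tolerance is an assumption)
        if c["weight"] is not None:
            ideal = c["rate"] / 10
            if abs(c["weight"] - ideal) > weight_tolerance * ideal:
                problems.append(f"class {cid}: weight {c['weight']} is far from rate/10 ({ideal:.0f})")
    for cid, c in classes.items():
        demanded = sum(k["rate"] for k in classes.values() if k["parent"] == cid)
        if demanded > c["rate"]:
            problems.append(f"class {cid}: children ask for {demanded} bit/s, class only has {c['rate']}")
    for f in filters:
        if f["target"] not in classes:
            problems.append(f"filter on {f['parent']}: target {f['target']} is not a defined class")
    return problems


if __name__ == "__main__":
    cls, flt = parse_rules(SAMPLE_RULES)
    for p in check_tree(cls, flt) or ["tree is consistent"]:
        print(p)
```

Run it on a rules file before loading it; bumping the default class above what the parent leaves over (for instance 400Kbit instead of 369Kbit) is reported as children asking for more than the class has.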
> --__--__--
>
> Message: 3
> Date: Wed, 22 Oct 2003 11:39:51 +0200
> From: Warwick Chapman <warwick@thusa.co.za>
> To: lartc@mailman.ds9a.nl
> Cc: anthon@ws.co.za
> Subject: [LARTC] Per host Traffic Shaping bridge, using DSCP
>
> Howdy
>
> We would like to set up a Linux Bridge to replace a FreeBSD/ipfw box
> doing shaping. Currently, we can only shape per IP/protocol on the
> FreeBSD box, and not by type of traffic (local/international).
>
> Our upstream provider, Internet Solutions (www.is.co.za) differentiates
> between Local and International Bandwidth as follows:
> "Local traffic DSCP bit is set to 20. International is set to 18."
>
> What steps would be involved in, say, setting up shaping to a host to
> give it 32kb International and 64 local. Would it be possible to
> allow bursting when bandwidth is available?
>
> I have read the LARTC Guide at lartc.org, which has an example of how to
> shape a particular host, but not how to incorporate matching the DSCP bit.
>
> I'm assuming iptables is used to match the DSCP bit, something like the
> following:
> # iptables -t mangle -A INPUT -m dscp --dscp 16 -j ????
>
> Once it is matched, though, how does one force it into a queue? Or am I
> thinking of this in the wrong way?
>
> Regards
>
> Warwick Chapman
> Marketing and Operations
> Thusa Business Support cc
>
> Cellular: +27 83 7797 094
> Telephone: +27 31 563 1180
> Facsimile: +27 31 563 1182
> Website: http://www.thusa.co.za
>
> -- There are 10 types of people in this world. Those
> who understand binary, and those who don't.
>
>
>
> --__--__--
>
> Message: 4
> Date: Wed, 22 Oct 2003 16:49:39 +0530 (IST)
> From: Vadiraj C S <vadiraj@deeproot.co.in>
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] nexthop reachability
>
> Hello all,
>
> I was just wondering if I could do this..
>
>
>   Local           public              Gateway1
>   Subnet          IP
>
>   local net       |------192.168.1.1--|          Internet
>   192.168.1.0-----|                   |-------202.202.1.1
>                   |------202.202.1.6--|
>
> here goes my routing table
>
> at any subnet host, say 192.168.1.2, I want something like this
>
> 1] route to 202.202.1.0/24 via 192.168.1.1
>
> 2] default gateway via 202.202.1.1
>
> but at the second routing configuration I get a host unreachable error from both
> the route and the ip route command..
> Though there is a route to the 202 network via 192.168.1.1 it says unreachable,
> but I can ping the 202 network..
>
> what should I do to achieve this?
>
> Why I need to do this is for dead gateway detection: I do not want to check
> whether the nexthop is reachable or not, I need to know if the ISP is reachable..
>
> I would be grateful for any support!!
>
>
> regards
> Vadiraj C S
>
>
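Added example, not code from the thread: dead-gateway detection done from the host's point of view instead of through the routing table. Linux only accepts a gateway that is itself reachable through a directly connected route, so a default route "via" a host on the far side of another router is refused; the script below sidesteps that by opening a plain TCP connection to a probe host behind each gateway (an ISP server that answers on a known port; the targets are assumptions) and prints, never executes, the route change for the first uplink whose probe answers. The loopback listener and the second gateway address are constructed so the script runs offline.

```python
import socket
import threading


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake with host:port completes inside timeout.

    No raw sockets and no root needed; a refused or timed-out connect both
    count as unreachable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_default(uplinks, probe=tcp_reachable):
    """First uplink whose probe target answers, or None if none does.

    uplinks: list of dicts with 'gw' (next hop on the LAN) and 'probe'
    (host, port) of something on the far side of that gateway, for example
    the ISP's mail or DNS server (assumed targets, pick your own).
    """
    for uplink in uplinks:
        if probe(*uplink["probe"]):
            return uplink
    return None


def route_command(uplink):
    """The command a cron job would run after a switch; printed, not executed."""
    return f"ip route replace default via {uplink['gw']}"


# --- constructed stand-ins so the probe can be exercised offline -------------

def loopback_listener():
    """A loopback socket that accepts and closes connections, playing the ISP host."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def unused_port():
    """A loopback port nobody listens on (bound, read back, released)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv = loopback_listener()
    uplinks = [
        # 192.168.1.254 is a constructed second gateway; its probe target is dead
        {"gw": "192.168.1.254", "probe": ("127.0.0.1", unused_port())},
        # 192.168.1.1 is the gateway from the diagram; its probe target answers
        {"gw": "192.168.1.1", "probe": ("127.0.0.1", srv.getsockname()[1])},
    ]
    chosen = choose_default(uplinks)
    print(route_command(chosen) if chosen else "no uplink answers; leaving routes alone")
    srv.close()
```

In production the probe targets would be real hosts beyond each ISP's router and the script would run from cron; if none answers it deliberately leaves the routing table alone rather than flapping.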
> --__--__--
>
> Message: 5
> Date: Wed, 22 Oct 2003 15:13:29 -0300 (ART)
> Subject: Re: [LARTC] 'Help with routing'
> From: <nixo@nixo.com.ar>
> To: <rkurjata@ire.pw.edu.pl>
> Cc: <nixo@nixo.com.ar>, <lartc@mailman.ds9a.nl>
>
> Thank you very much for the solution, but I still have a problem and I
> need help :) . Problem number one has been solved. When I trace from
> any computer of my LAN, it goes out from the right ISP. But after a short
> time, it is as if the route was cached and it goes back to the same problem.
> (I'm getting paranoid :-P )
>
> Problem number two still happens when someone from outside traces an IP
> from my LAN. The hop before the last one is always answered by the
> interface that corresponds to the other ISP.
>
> Do you have an idea what the failure can be... or, can I call this a
> failure in my config?
>
> THANKS VERY MUCH
> Nicolas Fillon
> Argentina
>
>
>
>
>
> --__--__--
>
> Message: 6
> From: "Mike Taekema" <mike@netmaster.com>
> To: <lartc@mailman.ds9a.nl>
> Date: Wed, 22 Oct 2003 12:03:56 -0700
> Subject: [LARTC] Split access problems.
>
> Good day,
>
> I seem to be having trouble getting my split access scripts to run properly. Here
> is my split_access script:
>
> IF1=eth0
> IF2=eth1
> IP1=10.123.124.52
> IP2=10.123.124.240
> P1=10.123.124.1
> P2=10.123.124.251
> P1_NET=10.123.124.0/25
> P2_NET=10.123.124.128/25
> IFE0=eth0
> IFE1=eth1
>
>
> ip route flush all
>
> ip route add $P1_NET dev $IF1 src $IP1 table $IFE0
> ip route add default via $P1 table $IFE0
> ip route add $P2_NET dev $IF2 src $IP2 table $IFE1
> ip route add default via $P2 table $IFE1
>
> ip route add $P1_NET dev $IF1 src $IP1
> ip route add $P2_NET dev $IF2 src $IP2
>
> ip route add default via $P1
>
> ip rule add from $IP1 table $IFE0
> ip rule add from $IP2 table $IFE1
>
> exit 0
>
> Now here is my rt_tables file:
>
> #
> # reserved values
> #
> 255 local
> 254 main
> 253 default
> 0 unspec
> 2 eth0
> 4 eth1
> #
> # local
> #
> 1 inr.ruhep
>
> Now when I run the script I get these errors: (run script using sh -x
> split_access)
>
> + IF1=eth0
> + IF2=eth1
> + IP1=10.123.124.52
> + IP2=10.123.124.240
> + P1=10.123.124.1
> + P2=10.123.124.251
> + P1_NET=10.123.124.0/25
> + P2_NET=10.123.124.128/25
> + IFE0=eth0
> + IFE1=eth1
> + ip route flush all
> + ip route add 10.123.124.0/25 dev eth0 src 10.123.124.52 table eth0
> + ip route add default via 10.123.124.1 table eth0
> + ip route add 10.123.124.128/25 dev eth1 src 10.123.124.240 table eth1
> + ip route add default via 10.123.124.251 table eth1
> RTNETLINK answers: File exists
> + ip route add 10.123.124.0/25 dev eth0 src 10.123.124.52
> RTNETLINK answers: File exists
> + ip route add 10.123.124.128/25 dev eth1 src 10.123.124.240
> RTNETLINK answers: File exists
> + ip route add default via 10.123.124.1
> RTNETLINK answers: File exists
> + ip rule add from 10.123.124.52 table eth0
> RTNETLINK answers: Invalid argument
> + ip rule add from 10.123.124.240 table eth1
> RTNETLINK answers: Invalid argument
> + exit 0
>
>
> Why am I getting "File exists" and "Invalid argument" again?
>
>
> Thanks in advance
>
>
> -Mike T.
>
>
>
>
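Added example, not code from the thread or from the LARTC HOWTO, covering the split-access setups in messages 1, 5 and 6 above: a small planner that validates a two-uplink configuration before any `ip` command is run, then emits an idempotent command list. It embeds Mike's script variables and rt_tables file as constructed sample data, checks that each address and gateway sits inside its provider's prefix and that each table name resolves to a non-reserved number, and emits `ip route replace` instead of `ip route add` (RTNETLINK answers "File exists" when an identical route is already present, which `replace` never does), deletes a source rule before re-adding it (`ip rule add` happily creates duplicates on every run), and ends with `ip route flush cache`, which the HOWTO's split-access recipe requires so that decisions cached under the old configuration do not linger. An optional `lan` prefix per uplink produces a source rule for hosts behind that uplink, the case in messages 1 and 5; that key is an addition here.

```python
import ipaddress

# Constructed copies of the script variables and rt_tables file from the post.
RT_TABLES = """\
#
# reserved values
#
255 local
254 main
253 default
0 unspec
2 eth0
4 eth1
#
# local
#
1 inr.ruhep
"""

UPLINKS = [
    {"dev": "eth0", "ip": "10.123.124.52", "gw": "10.123.124.1",
     "net": "10.123.124.0/25", "table": "eth0"},
    {"dev": "eth1", "ip": "10.123.124.240", "gw": "10.123.124.251",
     "net": "10.123.124.128/25", "table": "eth1"},
]

RESERVED_TABLES = {0, 253, 254, 255}


def parse_rt_tables(text):
    """name -> number; '#' comments and blank lines are ignored."""
    tables = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            number, name = line.split(None, 1)
            tables[name.strip()] = int(number)
    return tables


def check_uplinks(uplinks, tables):
    """Problems an admin would otherwise discover one RTNETLINK error at a time."""
    problems = []
    for u in uplinks:
        net = ipaddress.ip_network(u["net"], strict=True)
        for key in ("ip", "gw"):
            if ipaddress.ip_address(u[key]) not in net:
                problems.append(f"{u['dev']}: {key} {u[key]} is not inside {u['net']}")
        if u["table"] not in tables:
            problems.append(f"{u['dev']}: table '{u['table']}' is not in rt_tables")
        elif tables[u["table"]] in RESERVED_TABLES:
            problems.append(f"{u['dev']}: table '{u['table']}' collides with a reserved table")
        if "lan" in u:  # optional LAN prefix behind this uplink (assumed key)
            ipaddress.ip_network(u["lan"], strict=True)
    return problems


def plan_commands(uplinks, default_index=0):
    """Idempotent command list: 'replace' cannot answer 'File exists'."""
    cmds = []
    for u in uplinks:
        t = u["table"]
        cmds.append(f"ip route replace {u['net']} dev {u['dev']} src {u['ip']} table {t}")
        cmds.append(f"ip route replace default via {u['gw']} table {t}")
        cmds.append(f"ip route replace {u['net']} dev {u['dev']} src {u['ip']}")
    cmds.append(f"ip route replace default via {uplinks[default_index]['gw']}")
    for u in uplinks:
        # 'ip rule add' creates a duplicate on every run, so delete the old one first
        sources = [u["ip"]] + ([u["lan"]] if "lan" in u else [])
        for src in sources:
            cmds.append(f"ip rule del from {src} table {u['table']} 2>/dev/null")
            cmds.append(f"ip rule add from {src} table {u['table']}")
    # the 2.4/2.6 route cache keeps old decisions alive until it is flushed
    cmds.append("ip route flush cache")
    return cmds


if __name__ == "__main__":
    tables = parse_rt_tables(RT_TABLES)
    for p in check_uplinks(UPLINKS, tables) or ["addressing and tables look consistent"]:
        print("#", p)
    print("\n".join(plan_commands(UPLINKS)))
```

The printed commands are meant to be reviewed and pasted into a shell as root; the planner itself never touches the routing tables.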
> --__--__--
>
> Message: 7
> From: Stef Coene <stef.coene@docum.org>
> To: Warwick Chapman <warwick@thusa.co.za>, lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] Per host Traffic Shaping bridge, using DSCP
> Date: Wed, 22 Oct 2003 22:06:04 +0200
> Cc: anthon@ws.co.za
>
> On Wednesday 22 October 2003 11:39, Warwick Chapman wrote:
> > Howdy
> >
> > We would like to set up a Linux Bridge to replace a FreeBSD/ipfw box
> > doing shaping. Currently, we can only shape per IP/protocol on the
> > FreeBSD box, and not by type of traffic (local/international).
> >
> > Our upstream provider, Internet Solutions (www.is.co.za) differentiates
> > between Local and International Bandwidth as follows:
> > "Local traffic DSCP bit is set to 20. International is set to 18."
> >
> > What steps would be involved in, say, setting up shaping to a host to
> > give it 32kb International and 64 local. Would it be possible to
> > allow bursting when bandwidth is available?
> >
> > I have read the LARTC Guide at lartc.org, which has an example of how to
> > shape a particular host, but not how to incorporate matching the DSCP bit.
> >
> > I'm assuming iptables is used to match the DSCP bit, something like the
> > following:
> > # iptables -t mangle -A INPUT -m dscp --dscp 16 -j ????
> >
> > Once it is matched, though, how does one force it into a queue? Or am I
> > thinking of this in the wrong way?
> If the packets are marked with iptables, you can use the fw filter to put the
> packets in a class.
> iptables -t mangle -A INPUT -m dscp --dscp 16 -j MARK --set-mark 2
>
> Stef
>
> --
> stef.coene@docum.org
> "Using Linux as bandwidth manager"
> http://www.docum.org/
> #lartc @ irc.openprojects.net
>
>
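Added example, not code from the thread, serving Warwick's question and Stef's answer above: the arithmetic that links the DSCP values the upstream quotes (20 = local, 18 = international) to the IPv4 TOS byte, a decoder that classifies a constructed IPv4 header by that byte, and the two ways to steer the result into a class: the iptables mark plus `fw` classifier route Stef describes, and a `u32` filter that matches the TOS byte directly without iptables. An HTB class with `ceil` above `rate` is included as the usual way to allow the bursting the question asks about. The use of PREROUTING rather than INPUT, the class ids and the kbit figures are assumptions.

```python
import struct

# DSCP values as quoted from the upstream provider in the thread.
DSCP_CLASSES = {20: "local", 18: "international"}


def dscp_to_tos(dscp):
    """DSCP is the top six bits of the IPv4 TOS byte; the low two are ECN."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    return dscp << 2


def tos_to_dscp(tos):
    return (tos & 0xFC) >> 2


def build_ipv4_header(dscp, ecn=0):
    """Constructed 20-byte IPv4 header; only version/IHL and TOS matter here."""
    tos = dscp_to_tos(dscp) | (ecn & 0x3)
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0, bytes(4), bytes(4))


def parse_ipv4_tos(packet):
    """The TOS byte is the second octet of the header."""
    version_ihl, tos = struct.unpack("!BB", packet[:2])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return tos


def classify(packet):
    """What the bridge would call this packet: local, international or neither."""
    return DSCP_CLASSES.get(tos_to_dscp(parse_ipv4_tos(packet)), "unclassified")


def u32_filter(dev, dscp, flowid, prio=1):
    """Match the TOS byte directly in tc; mask 0xfc ignores the ECN bits."""
    return (f"tc filter add dev {dev} parent 1: protocol ip prio {prio} "
            f"u32 match ip tos 0x{dscp_to_tos(dscp):02x} 0xfc flowid {flowid}")


def fw_filter_pair(dev, dscp, mark, flowid, prio=1):
    """Stef's route: set a mark in iptables, then pick the class with the fw classifier.

    PREROUTING is used because a shaping bridge forwards rather than receives
    the traffic (assumption; the line quoted in the thread used INPUT).
    """
    return [
        f"iptables -t mangle -A PREROUTING -m dscp --dscp {dscp} -j MARK --set-mark {mark}",
        f"tc filter add dev {dev} parent 1: protocol ip prio {prio} handle {mark} fw flowid {flowid}",
    ]


def htb_class(dev, classid, rate_kbit, ceil_kbit):
    """HTB class: 'rate' is guaranteed, 'ceil' is how far it may borrow when
    idle bandwidth exists, which is the bursting the question asked about."""
    return (f"tc class add dev {dev} parent 1:1 classid {classid} "
            f"htb rate {rate_kbit}kbit ceil {ceil_kbit}kbit")


if __name__ == "__main__":
    for pkt in (build_ipv4_header(20), build_ipv4_header(18, ecn=1), build_ipv4_header(0)):
        print(f"tos=0x{parse_ipv4_tos(pkt):02x} -> {classify(pkt)}")
    # one host: 64 kbit local and 32 kbit international, each may borrow up to 96
    print(htb_class("eth0", "1:10", 64, 96))
    print(u32_filter("eth0", 20, "1:10"))
    print(htb_class("eth0", "1:20", 32, 96))
    print("\n".join(fw_filter_pair("eth0", 18, 2, "1:20")))
```

Note that `iptables -m dscp --dscp 20` takes the 6-bit DSCP value, while the `u32` match sees the whole TOS byte, so DSCP 20 is `0x50` there; mixing the two notations is a common source of filters that never match.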
> --__--__--
>
> Message: 8
> From: "ThE PhP_KiD" <gregoriandres@yahoo.com.ar>
> To: <lartc@mailman.ds9a.nl>
> Date: Wed, 22 Oct 2003 17:45:22 -0300
> Subject: [LARTC] esfq
>
> hi,
>
> I want to try esfq in order to make a load balance
> in my linux router, (both lan side and internet side)
>
> I want all hosts of my lan to have the same bandwidth
> available.
>
> Since the linux router is connected to an ISP which provides
> a variable bandwidth, I think that I can't use HTB.
>
> Also, in this situation, how can I prioritize some
> LAN hosts over others ?
>
> Thank you very much in advance.
>
> Andres.
>
>
>
>
> --__--__--
>
> Message: 9
> Reply-To: <marko@buuri.name>
> From: "Marko Buuri" <marko@buuri.name>
> To: <lartc@mailman.ds9a.nl>
> Subject: RE: [LARTC] Missing parameter descriptions
> Date: Mon, 20 Oct 2003 10:53:34 +0300
>
> >Damion de Soto wrote:
> >Marko Buuri wrote:
> >> I've been looking for descriptions of qdisc parameter "estimator" and u32
> >> parameter "police" (defined by POLICE_SPEC), but in vain. I hope someone on
> >> this list can explain these.
> >Have you seen :
> >http://lartc.org/howto/lartc.adv-filter.policing.html
> >with examples for 'police'
> >http://lartc.org/howto/lartc.cookbook.synflood-protect.html
> >and
> >http://lartc.org/howto/lartc.cookbook.ultimate-tc.html
>
> Thank you for replying!
>
> I find that POLICE_SPEC (term from tc command syntax, not found in the
> HOWTO) isn't very well or perhaps clearly documented. I figure what the first
> page you sent is trying to say is that the syntax is more or less:
>
> POLICE_SPEC = police [buffer [buffer] | maxburst [maxburst]] [mtu [mtu]
> | minburst [minburst]] [mpu [mpu]] [rate [rate]] (continue | drop | pass
> | reclassify)
>
> However, the examples you sent are using parameter "burst", not listed
> above. A novice like myself can find learning Linux traffic control a bit
> confusing with these kinds of discrepancies between the HOWTO, the command
> syntax and the man pages.
>
> >I'm not sure where examples are of 'estimator' usage.
>
> If someone else here knows, please do tell.
>
>
> Marko
>
>
> --__--__--
>
> Message: 10
> From: "Walter D. Wyndroski" <wdwrn@friendlycity.net>
> To: <lartc@mailman.ds9a.nl>
> Date: Wed, 22 Oct 2003 23:45:01 -0400
> Subject: [LARTC] iptables question
>
> First off, I know this is the LARTC list, but I've been living on this list
> for over a year now. :) Now with that said, I'm probably going to get
> flamed for my question. :)
>
> I've read that iptables is a first match wins system. My recent experience
> is showing that it is a last match wins. I understand that if a packet is
> matched in prerouting chain, it may be matched again in a subsequent chain
> unless the jump target was drop.
>
> NOTE: I am not using iptables as a true firewall, much as most people on
> this list do not. I'm primarily using iptables to mark packets and drop them
> for securing my network and to deny all traffic to my router except for a
> few exclusive ports.
>
>
> The following is an excerpt from my router script on how I'm handling
> certain traffic to my router and this works: (This example is a last match
> wins)
>
> #Deny All Traffic to Interface except SSH and ICMP
> $IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p icmp -j ACCEPT #CMTS Link
> $IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p ! tcp -j DROP #CMTS Link
> $IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p tcp --dport ! 22 -j DROP #CMTS Link
>
> ##Allow SNMP Calls Via MRTG To This Interface Only
> $IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 161 -j ACCEPT
> $IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 162 -j ACCEPT
>
> This is how I was doing it and it worked: (This example is a first match
> wins) (note: I was routing the fwmark 1 to blackhole)
>
> ##Allow SNMP Calls Via MRTG To This Interface Only
> $IPTABLES -A PREROUTING -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 161 -j ACCEPT
> $IPTABLES -A PREROUTING -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 162 -j ACCEPT
>
> #Deny All Traffic to Interface except SSH and ICMP
> $IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p icmp -j ACCEPT #CMTS Link
> $IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p ! tcp -j MARK --set-mark 1 #CMTS Link
> $IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p tcp --dport ! 22 -j MARK --set-mark 1 #CMTS Link
>
> I just need someone to tell me when iptables is using first match wins
> versus last match wins. I think I am missing something but I am not sure. I
> stay so busy with other tasks that I cannot devote the time that I need and
> would like to this. Anyway, many thanks in advance.
>
> Walt Wyndroski
>
>
>
>
>
>
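Added example, not iptables code and not part of the thread: a small model of how a single chain is walked, which is what the first-match versus last-match question above comes down to. A chain is read top to bottom and the first rule whose matches all hold fires. ACCEPT and DROP are terminating targets, so the walk stops there; MARK is not, so it sets the mark and the walk continues, which is why a later rule can still act on an already marked packet. The two rule sets are transcribed from Walt's script (the `eth+` wildcard and `!` negations included); the packets fed through them are constructed, and the chain policy is assumed to be ACCEPT, the mangle table's default.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0
    in_if: str = "eth0"
    mark: int = 0


@dataclass
class Rule:
    """One iptables rule; None means 'no such match'. A leading '!' negates."""
    target: str
    in_if: Optional[str] = None    # 'eth+' is the wildcard form used in the script
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[str] = None
    mark: Optional[int] = None     # value for MARK --set-mark

    def matches(self, p: Packet) -> bool:
        def field_ok(want, have):
            if want is None:
                return True
            if want.startswith("!"):
                return str(have) != want[1:]
            return str(have) == want

        if self.in_if is not None:
            if self.in_if.endswith("+"):
                if not p.in_if.startswith(self.in_if[:-1]):
                    return False
            elif p.in_if != self.in_if:
                return False
        return (field_ok(self.src, p.src) and field_ok(self.dst, p.dst)
                and field_ok(self.proto, p.proto) and field_ok(self.dport, p.dport))


TERMINATING = {"ACCEPT", "DROP"}   # verdicts: the chain walk stops at these


def walk(chain: List[Rule], packet: Packet, policy: str = "ACCEPT") -> Tuple[str, List[int]]:
    """Walk a chain top to bottom; return the verdict and the 1-based numbers of
    the rules that fired. MARK fires and the walk goes on, so a later rule can
    still act on an already marked packet; ACCEPT and DROP end the walk."""
    fired = []
    for number, rule in enumerate(chain, 1):
        if not rule.matches(packet):
            continue
        fired.append(number)
        if rule.target in TERMINATING:
            return rule.target, fired
        if rule.target == "MARK":
            packet.mark = rule.mark
    return policy, fired


# Transcribed from the FORWARD rules in the post, in the order given there.
FORWARD = [
    Rule("ACCEPT", in_if="eth+", dst="172.20.0.5", proto="icmp"),
    Rule("DROP",   in_if="eth+", dst="172.20.0.5", proto="!tcp"),
    Rule("DROP",   in_if="eth+", dst="172.20.0.5", proto="tcp", dport="!22"),
    Rule("ACCEPT", in_if="eth3", src="66.28.168.226", dst="172.20.0.5", proto="udp", dport="161"),
    Rule("ACCEPT", in_if="eth3", src="66.28.168.226", dst="172.20.0.5", proto="udp", dport="162"),
]

# Transcribed from the PREROUTING rules in the post, in the order given there.
PREROUTING = [
    Rule("ACCEPT", in_if="eth3", src="66.28.168.226", dst="172.20.0.5", proto="udp", dport="161"),
    Rule("ACCEPT", in_if="eth3", src="66.28.168.226", dst="172.20.0.5", proto="udp", dport="162"),
    Rule("ACCEPT", in_if="eth+", dst="172.20.0.5", proto="icmp"),
    Rule("MARK",   in_if="eth+", dst="172.20.0.5", proto="!tcp", mark=1),
    Rule("MARK",   in_if="eth+", dst="172.20.0.5", proto="tcp", dport="!22", mark=1),
]


if __name__ == "__main__":
    # constructed packets: an SNMP poll from the MRTG host and a web hit on the router
    samples = {
        "snmp from mrtg": lambda: Packet("66.28.168.226", "172.20.0.5", "udp", 161, "eth3"),
        "tcp/80 from lan": lambda: Packet("10.0.0.9", "172.20.0.5", "tcp", 80, "eth1"),
    }
    for name, make in samples.items():
        for chain_name, chain in (("FORWARD", FORWARD), ("PREROUTING", PREROUTING)):
            pkt = make()
            verdict, fired = walk(chain, pkt)
            print(f"{name:16} {chain_name:11} -> {verdict:6} fired={fired} mark={pkt.mark}")
```

Reading the output side by side shows the ordering effect: the same SNMP packet is decided by rule 2 in the FORWARD set and by rule 1 in the PREROUTING set, while the web hit walks the whole PREROUTING chain, picks up mark 1 at rule 5 and still leaves with the chain policy, because MARK never ends the walk.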
> --__--__--
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc
>
>
> End of LARTC Digest
>
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/