Hi All, I''m new one the list and thought it somewhat appropriate to divulge a little info about myself Name: Cilliè Country : South-Africa I work for a ISP and we have been playing with tc/iptables/iproute snort and a whole load of other stuff on and off for the past view months. I have a small problem with tc that I struggle to find a solution for and was wondering if someone would be so kind as to help with it. I have successfully set up some queuing chains, classfull and some tbf''s and sfq''s but felt limited with the extent of tc''s packet classifier. So i thought that the FWMARK thing would be a great solution to the problem, but unfortunately I can not get this to work. Marking of the packets appears to be successfull but tc''s classifier [ rule something like "fw handle 6" ] fails to pick up the marked packets ( if its all right if i explain this so crudely ) I have tried several different kernels, with the patches applied, and yet it still seems to fail in this. First was a patched RH 7.3 kernel ( 2.5.18-3 ) A redhat 9 kernel and a gentoo linux kernel that had already been patched with [filter on fwmark] and all the other relevant stuff. All the relevant options are compiled in. As i''m writing this a stock 2.4.20 kernel is also being compiled. Could anyone please try and clarify for me why this does not work ( or what I am 10 to 1 doing wrong ?) I would really appreciate this Best Regards, Ciiliè -- evil is the r00t of all windows boxes _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Cillie, I might be missing something here, but I do use this filter setup for limiting outbound http and ftp traffic. Regards edmund -----Original Message----- From: ph4ke [mailto:deff@sadomain.co.za] Sent: Monday, November 03, 2003 8:27 PM To: eturner@monash.edu.my Cc: lartc@mailman.ds9a.nl Subject: Re: [LARTC] New member Hi Edmund Thanks for responding so soon. That works fine for shaping traffic that likes to talk on fixed ports, like smtp of pop3, but really do much when you want to start limiting things like outbound http or ftp traffic. regards, cilliè On Monday 03 November 2003 09:04, you wrote:> Cillie, > I too have experience similar problems. I have since resorted to mark > the IP addresses for the respective tc classifiers as such : > > Tc filter add dev eth0 parent 1:0 protocol ip prio 7 u32 match ip src > (IP address) classid 1:10 > > This seem to work for me. By the way, im using a patched RH92.4.20-18.> Iptables 1.2.8-9. > > Regards > edmund_______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Hi Edmund Thanks for responding so soon. That works fine for shaping traffic that likes to talk on fixed ports, like smtp of pop3, but really do much when you want to start limiting things like outbound http or ftp traffic. regards, cilliè On Monday 03 November 2003 09:04, you wrote:> Cillie, > I too have experience similar problems. I have since resorted to mark > the IP addresses for the respective tc classifiers as such : > > Tc filter add dev eth0 parent 1:0 protocol ip prio 7 u32 match ip src > (IP address) classid 1:10 > > This seem to work for me. By the way, im using a patched RH9 2.4.20-18. > Iptables 1.2.8-9. > > Regards > edmund_______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Hi Edmund
OK, sorry ''bout that.
Say for example that I have a webserver and I only want that thing to push
512kbit out. The only way that I see that I would be able to limit this kind
of outbound traffic with the tc classifier is if I knew which ip''s will
be
visiting web-pages. If this was the situation I would be able to have a long
list of rules that all look something like
.. u32 match ip src xxx.xxx.xxx.xx flowid 1:1
or something
Unfortunately there is about a few million possible ipv4 addresses that can
access the box if they really felt like it.
This could problem could possibly be solved by having a rule like this :
.. u32 match ip sport 80 match ip src (webserver) flowid whatever
But the real problem lies in limiting ftp, since ftp (at least the way i
thought it works. could be wrong. probably am)
just does the whole auth section on sport 20/21 and
the data transfer actually take place on a random 1024+ source port
and a random 1024+ destination port.
This would be perfectly solved with iptables marking because one
should be able to do something like
--append PREROUTING -m state --state ESTABLISHED, RELATED --jump MARK
--set mark 1 { please excuse the line wrapping }
thanks a lot for your time
cilliè
On Monday 03 November 2003 10:35, you wrote:> Cillie,
> I might be missing something here, but I do use this filter setup for
> limiting outbound http and ftp traffic.
>
>
> Regards
> edmund
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Cillie, take this setup for example:
Web server IP = 192.168.1.2
1MB access to the internet.
Etho -LAN
Eth2 - External --1MB access to the internet.
tc qdisc add dev eth2 root handle 3: htb default 10
tc class add dev eth2 parent 3: classid 3:1 htb rate 1mbit
tc class add dev eth2 parent 3:1 classid 3:12 htb rate 400kbit ceil
400kbit prio 4
tc filter add dev eth2 parent 3:0 protocol ip prio 4 u32 match ip src
192.168.1.2 classid 3:12
I manage to limit all outbound traffic from 192.168.1.2 by putting a
filter for the src address of the web server on the external NIC. This
seems to work for me.
Regards
edmund
-----Original Message-----
From: ph4ke [mailto:deff@sadomain.co.za]
Sent: Monday, November 03, 2003 9:14 PM
To: eturner@monash.edu.my
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] New member
Hi Edmund
OK, sorry ''bout that.
Say for example that I have a webserver and I only want that thing to
push
512kbit out. The only way that I see that I would be able to limit this
kind
of outbound traffic with the tc classifier is if I knew which ip''s will
be
visiting web-pages. If this was the situation I would be able to have a
long
list of rules that all look something like
.. u32 match ip src xxx.xxx.xxx.xx flowid 1:1
or something
Unfortunately there is about a few million possible ipv4 addresses that
can
access the box if they really felt like it.
This could problem could possibly be solved by having a rule like this :
.. u32 match ip sport 80 match ip src (webserver) flowid
whatever
But the real problem lies in limiting ftp, since ftp (at least the way i
thought it works. could be wrong. probably am)
just does the whole auth section on sport 20/21 and
the data transfer actually take place on a random 1024+ source port
and a random 1024+ destination port.
This would be perfectly solved with iptables marking because one
should be able to do something like
--append PREROUTING -m state --state ESTABLISHED, RELATED --jump MARK
--set mark 1 { please excuse the line wrapping }
thanks a lot for your time
cilliè
On Monday 03 November 2003 10:35, you wrote:> Cillie,
> I might be missing something here, but I do use this filter setup for
> limiting outbound http and ftp traffic.
>
>
> Regards
> edmund
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/