Grames Gernot
2005-Apr-18 13:13 UTC
AW: Activate ingress policies on suse enterprise server 9
Hi,

Thanks for the fast response,

.) Okay, I tried your suggestion for my port 8099 and nothing happened:
The TCP/IP information goes from a firewall to my port 8099 and this port is then routed to the original 8080; I do that because I don't want to disturb my port 8080.
But it seems the ingress filter doesn't work on it!!

iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             iacapp3.local       tcp dpt:8099 to:192.168.0.10:8080

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

.) I tried then for the port 8080 and something happened but no drop of the packets:
#tcpdump port 8080
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:07:21.522898 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>
15:07:24.440701 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>
15:07:30.456696 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>

3 packets captured
3 packets received by filter
0 packets dropped by kernel

Thanks,
Gernot

GRAMES Gernot
__________________________________
SIEMENS AG Austria
PSE SMC AI 21
* Tel.: +43 (0) 5 1707 24356
* FAX: +43 (0) 5 1707 54600
* E-Mail: mailto:Gernot.Grames@Siemens.com
Siemensstrasse 88 - 92
A-1210 VIENNA
__________________________________

-----Original Message-----
From: Andy Furniss [mailto:andy.furniss@dsl.pipex.com]
Sent: Monday, 18 April 2005 15:01
To: Grames Gernot
Cc: 'lartc@mailman.ds9a.nl'
Subject: Re: [LARTC] Activate ingress policies on suse enterprise server 9

Grames Gernot wrote:
> Hi,
>
> what is needed to activate ingress policies for enterprise server 9!
> tc qdisc add dev eth0 ingress
> tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099
> 0xffff police rate 1kbit burst 1kbit mtu 1 drop flowid :1

I get a memory allocation error if I try to add that. Playing around it seems policer doesn't like small burst and mtu together. Burst is a value and will act like MTU so the rule below should work and do what you want - drop everything with dport 8099.

tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099 0xffff police rate 1kbit burst 1 drop flowid :1

Andy.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Andy Furniss
2005-Apr-18 14:05 UTC
Re: AW: Activate ingress policies on suse enterprise server 9
Grames Gernot wrote:
> Hi,
>
> Thanks for the fast response,
>
> .) Okay, I tried your suggestion for my port 8099 and nothing happened:
> The TCP/IP information goes from a firewall to my port 8099 and this port is
> then routed to the original 8080; I do that because I don't want to disturb
> my port 8080.
> But it seems the ingress filter doesn't work on it!!
>
> iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             iacapp3.local       tcp dpt:8099
> to:192.168.0.10:8080
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> .) I tried then for the port 8080 and something happened but no drop of the
> packets:
> #tcpdump port 8080
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 15:07:21.522898 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S
> 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>
> 15:07:24.440701 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S
> 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>
> 15:07:30.456696 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S
> 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>
>
> 3 packets captured
> 3 packets received by filter
> 0 packets dropped by kernel

tcpdump will see packets before policer - so they could still be dropped.

Just to confuse matters though, depending on kernel options the ingress policer may see packets before or after prerouting.

use tc -s qdisc ls dev eth0 to see drops.

Andy.
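An added example, not code from either message in the thread: a POSIX shell script that emits the ingress policer commands Andy gives and reads the drop counter of the ingress qdisc from "tc -s qdisc ls dev eth0" output (a constructed sample here, since no such output appears in the thread), which is the place to confirm policed packets rather than tcpdump. The DNAT rule and ports are taken from Gernot's iptables listing.

```shell
#!/bin/sh
# Added example (not from either message): emit the policer filter Andy
# suggested and read the ingress qdisc drop counter, which is where policed
# packets show up; tcpdump captures before the policer, so it cannot confirm drops.

# Print the commands that install an ingress qdisc on $1 and a u32 filter that
# polices everything with dport $2 to a drop ("burst 1" without "mtu 1", which
# is the variant that avoided the memory allocation error in the thread).
ingress_drop_cmds() {
    dev="$1"; port="$2"
    printf 'tc qdisc add dev %s ingress\n' "$dev"
    printf 'tc filter add dev %s parent ffff: protocol ip u32 match ip dport %s 0xffff police rate 1kbit burst 1 drop flowid :1\n' "$dev" "$port"
}

# Extract the "dropped N" counter of the ingress qdisc (handle ffff:) from
# 'tc -s qdisc ls dev <dev>' output passed as $1; prints 0 if there is none.
ingress_drops() {
    printf '%s\n' "$1" | awk '
        /^qdisc ingress ffff:/ { inq = 1; next }
        /^qdisc /              { inq = 0 }
        inq && match($0, /dropped [0-9]+/) {
            split(substr($0, RSTART, RLENGTH), f, " "); print f[2]; found = 1; exit
        }
        END { if (!found) print 0 }'
}

# Turn the counter into the next diagnostic step. With the DNAT 8099 -> 8080
# in PREROUTING, a policer that runs before PREROUTING sees dport 8099 and
# one that runs after sees 8080, so a zero counter usually means the filter
# matched the wrong port for where the hook sits.
explain_counter() {
    if [ "$1" -gt 0 ] 2>/dev/null; then
        echo "policer dropped $1 packet(s); tcpdump still lists them because it captures first"
    else
        echo "no drops counted: match the dport the policer actually sees (8099 pre-DNAT, 8080 post-DNAT)"
    fi
}

# Constructed sample of 'tc -s qdisc ls dev eth0' output, not a real capture:
# a root pfifo_fast qdisc plus the ingress qdisc with three policed packets.
SAMPLE_TC_OUTPUT='qdisc pfifo_fast 0: root bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 51234 bytes 410 pkt (dropped 0, overlimits 0 requeues 0)
qdisc ingress ffff: ----------------
 Sent 180 bytes 3 pkt (dropped 3, overlimits 3 requeues 0)'

ingress_drop_cmds eth0 8099
explain_counter "$(ingress_drops "$SAMPLE_TC_OUTPUT")"
```

On a live box, replace SAMPLE_TC_OUTPUT with "$(tc -s qdisc ls dev eth0)" after sending a few connections to the policed port.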