Grames Gernot
2005-Apr-20 06:06 UTC
AW: AW: AW: Activate ingress policies on suse enterprise server 9
Hi,

My problem is following now:

I would like to set the filters for port 8099. I have tried it, but nothing happened.

When I try the same filter for the port 8080 it is working very well.

.) working filter (here I can see the dropped packages):
tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8080 0xffff police rate 1kbit burst 1 drop flowid :1

.) not working filter (here I can't see the dropped packages):
tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099 0xffff police rate 1kbit burst 1 drop flowid :1

Maybe it is a problem of the port forwarding, because I have set the forwarding of the incoming traffic on 8099 to port 8080.

iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             iacapp3.local        tcp dpt:8099 to:192.168.0.10:8080

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

So my goal is to restrict incoming access only to port 8099 and not 8080 (where the filters work)!

Gernot

-----Original Message-----
From: Andy Furniss [mailto:andy.furniss@dsl.pipex.com]
Sent: Tuesday, 19 April 2005 23:50
To: Grames Gernot
Cc: 'lartc@mailman.ds9a.nl'
Subject: Re: AW: AW: [LARTC] Activate ingress policies on suse enterprise server 9

Grames Gernot wrote:
> Good Morning,
>
> Thanks for your hint, now I can see the dropped packages!
> But it is only working for port 8080 why not for port 8099??
>
> (If you need some indices please let me know)

I don't know why it should work for 8080 and not 8099 - I don't think I quite understand your setup and aims.

Andy.

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Taylor, Grant
2005-Apr-20 16:53 UTC
Re: [SPAM] AW: AW: AW: Activate ingress policies on suse enterprise server 9
Keep in mind that TC only controls traffic that is outbound from a system. If you are wanting to TC traffic coming in to your system you will need to look at something like IMQ. IMQ as I understand it is like a virtual device that traffic comes in to and is then resent out of back in to your system as it normally would be without IMQ in the mix. The reason that you would want to do this is so that you can assign TC rules to the IMQ to control what does come in on the standard interfaces on your system.

With that in mind your TC rule matching for 8099 coming in will never match b/c you are redirecting it to 8080 before it would be leaving the system where the TC rule is looking for it.

At least that's the way that I understand what you have written. :s

Grant. . . .

Grames Gernot wrote:
> Hi,
>
> My problem is following now:
>
> I would like to set the filters for port 8099.
> I have tried it, but nothing happened.
>
> When I try the same filter for the port 8080 it is working very well.
>
> .) working filter (here I can see the dropped packages):
> tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8080
> 0xffff police rate 1kbit burst 1 drop flowid :1
> .) not working filter (here I can't see the dropped packages):
> tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099
> 0xffff police rate 1kbit burst 1 drop flowid :1
>
> Maybe it is a problem of the port forwarding, because I have set the
> forwarding of the incoming traffic on 8099 to port 8080.
>
> iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             iacapp3.local        tcp
> dpt:8099 to:192.168.0.10:8080
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> So my goal is to restrict incoming access only to port 8099 and not 8080
> (where the filters work)!
>
> Gernot
Andy Furniss
2005-Apr-21 20:46 UTC
Re: AW: AW: AW: Activate ingress policies on suse enterprise server 9
Grames Gernot wrote:
> Hi,
>
> My problem is following now:
>
> I would like to set the filters for port 8099.
> I have tried it, but nothing happened.
>
> When I try the same filter for the port 8080 it is working very well.
>
> .) working filter (here I can see the dropped packages):
> tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8080
> 0xffff police rate 1kbit burst 1 drop flowid :1
> .) not working filter (here I can't see the dropped packages):
> tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099
> 0xffff police rate 1kbit burst 1 drop flowid :1
>
> Maybe it is a problem of the port forwarding, because I have set the
> forwarding of the incoming traffic on 8099 to port 8080.
>
> iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             iacapp3.local        tcp dpt:8099
> to:192.168.0.10:8080

It looks like you are using the old policer that is after PREROUTING then - I guess you don't see any drops on 8099 because you already DNATed it to 8080.

> So my goal is to restrict incoming access only to port 8099 and not 8080
> (where the filters work)!

If you drop 8099 then your DNAT rule won't ever match - or are you thinking of multiple interfaces?

To get policer before PREROUTING you need to recompile with different kernel options - You should be able to do the same with just IPTABLES rules specifying interface etc.

Andy.
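The hook ordering Andy describes, modelled in Python as an added example (this is not code from the thread or from tc/iptables): on the old policer the u32 filter runs after nat/PREROUTING, so a packet that arrived for dport 8099 already carries dport 8080 when the filter inspects it, and a filter on 8099 never fires; with the policer hooked before PREROUTING the roles swap. The DNAT rule mirrors the PREROUTING entry above, the policer is a token bucket with the thread's "rate 1kbit burst 1 drop" parameters, the mask handling follows u32's "match ip dport VALUE MASK", and the sample packets are constructed here. The "before PREROUTING" branch stands in for the recompiled-kernel hook Andy mentions and is an assumption of the model, not a description of a specific kernel option.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dport: int
    length: int = 60  # bytes on the wire


# Constructed DNAT rule mirroring the PREROUTING entry shown in the thread.
DNAT_RULES = [
    {"proto": "tcp", "match_port": 8099, "to_ip": "192.168.0.10", "to_port": 8080},
]


def prerouting_dnat(pkt, rules=DNAT_RULES):
    """nat/PREROUTING: the first matching DNAT rule rewrites destination ip:port."""
    for rule in rules:
        if pkt.proto == rule["proto"] and pkt.dport == rule["match_port"]:
            return replace(pkt, dst_ip=rule["to_ip"], dport=rule["to_port"])
    return pkt


def u32_dport_match(pkt, value, mask=0xFFFF):
    """tc u32 'match ip dport VALUE MASK': compare the 16-bit dport under MASK."""
    return (pkt.dport & mask) == (value & mask)


class Policer:
    """Token bucket for 'police rate R burst B drop'.  Time is passed in
    explicitly so the model is deterministic."""

    def __init__(self, rate_bits_per_s, burst_bytes):
        self.rate = rate_bits_per_s / 8.0  # refill rate in bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0
        self.passed = 0
        self.dropped = 0

    def offer(self, pkt, now):
        """True if the packet conforms (passes), False if it is policed (dropped)."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if pkt.length <= self.tokens:
            self.tokens -= pkt.length
            self.passed += 1
            return True
        self.dropped += 1
        return False


def run_ingress(packets, filter_port, policer_before_prerouting):
    """Push packets through the ingress path in one of the two hook orders and
    return how many the policer dropped.  rate 1kbit burst 1 is the thread's filter."""
    policer = Policer(rate_bits_per_s=1000, burst_bytes=1)
    for now, pkt in enumerate(packets):  # one packet per second (constructed timing)
        if policer_before_prerouting:
            # Assumed recompiled-kernel order: policer sees the packet as received.
            if u32_dport_match(pkt, filter_port) and not policer.offer(pkt, now):
                continue  # dropped, never reaches nat/PREROUTING
            pkt = prerouting_dnat(pkt)
        else:
            # Old policer order: DNAT has already rewritten 8099 -> 8080.
            pkt = prerouting_dnat(pkt)
            if u32_dport_match(pkt, filter_port) and not policer.offer(pkt, now):
                continue  # dropped after DNAT
    return policer.dropped


# Constructed traffic: five TCP packets for the forwarded port, one for 443.
SAMPLE = [Packet("tcp", "iacapp3.local", 8099) for _ in range(5)] + [
    Packet("tcp", "iacapp3.local", 443),
]


if __name__ == "__main__":
    for before in (False, True):
        for port in (8080, 8099):
            where = "before" if before else "after"
            print(f"policer {where} PREROUTING, filter dport {port}: "
                  f"dropped {run_ingress(SAMPLE, port, before)}")
```

With the old ordering the run reports 5 drops for a filter on 8080 and 0 for 8099, which is exactly the symptom in the thread; with the policer hooked before PREROUTING the numbers swap. The burst of 1 byte is smaller than any packet, so the token bucket never admits anything and the filter behaves as a plain drop, which is why the counters make the ordering visible.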
Andy Furniss
2005-Apr-21 20:52 UTC
Re: [SPAM] AW: AW: AW: Activate ingress policies on suse enterprise server 9
Taylor, Grant wrote:
> Keep in mind that TC only controls traffic that is outbound from a
> system.

Not totally true - you can't have HTB etc shapers without IMQ/Dummy but you can police traffic (and policers can be quite complicated) on ingress.

Andy.