LARTC - Apr 2005 - AW: AW: AW: Activate ingress policies on suse enterprise serv er 9

Hi,

My problem is following now:

I would like to set the filters for port 8099.
I have tried it, but nothing happened.

When I try the same filter for the port 8080 it is working very well.

.) working filter (here I can see the dropped packages):
tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8080
0xffff police rate 1kbit burst 1 drop flowid :1
.) not working filter (here I can`t see the dropped packages):
tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099
0xffff police rate 1kbit burst 1 drop flowid :1

Maybe it is a problem of the port forwarding, because I have set the
forwarding of the incoming traffic on 8099 to port 8080. 

iptables -L -t nat 
Chain PREROUTING (policy ACCEPT) 
target     prot opt source               destination 
DNAT       tcp  --  anywhere             iacapp3.local       tcp dpt:8099
to:192.168.0.10:8080 

Chain POSTROUTING (policy ACCEPT) 
target     prot opt source               destination 

Chain OUTPUT (policy ACCEPT) 
target     prot opt source               destination 

So my goal is to restrict incoming access only to port 8099 an not 8080
(where the filters work)!

Gernot

-----Ursprüngliche Nachricht-----
Von: Andy Furniss [mailto:andy.furniss@dsl.pipex.com] 
Gesendet: Dienstag, 19. April 2005 23:50
An: Grames Gernot
Cc: ''lartc@mailman.ds9a.nl''
Betreff: Re: AW: AW: [LARTC] Activate ingress policies on suse enterprise
serv er 9

Grames Gernot wrote:
>  
> Good Morning,
> 
> Thanks for your hint, now I can see the dropped packages!
> But it is only working for port 8080 why not for port 8099??
> 
> (If you need some indices please let me know)
I don''t know why it should work for 8080 and not 8099 - I
don''t think I
quite understand your setup amd aims.

Andy.


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Keep in mind that TC only controls traffic that is outbound from a system.  If
you are wanting to TC traffic coming in to your system you will need to look at
something like IMQ.  IMQ as I understand it is like a virtual device that
traffic comes in to and is then resend out of back in to your system as it
normally would be with out IMQ in the mix.  The reason that you would want to do
this is so that you can assign TC rules to the IMQ to control what does come in
on the standard interfaces on your system.

With that in mind your TC rule matching for 8099 coming in will never match b/c
you are redirecting it to 8080 before it would be leaving the system where the
TC rule is looking for it.  At least that''s the way that I understand
what you have written. :s



Grant. . . .

Grames Gernot wrote:
>  
> Hi,
> 
> My problem is following now:
> 
> I would like to set the filters for port 8099.
> I have tried it, but nothing happened.
> 
> When I try the same filter for the port 8080 it is working very well.
> 
> .) working filter (here I can see the dropped packages):
> tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8080 
> 0xffff police rate 1kbit burst 1 drop flowid :1
> .) not working filter (here I can`t see the dropped packages):
> tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099 
> 0xffff police rate 1kbit burst 1 drop flowid :1
> 
> Maybe it is a problem of the port forwarding, because I have set the 
> forwarding of the incoming traffic on 8099 to port 8080.
> 
> iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             iacapp3.local       tcp 
> dpt:8099 to:192.168.0.10:8080
> 
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> So my goal is to restrict incoming access only to port 8099 an not 8080 
> (where the filters work)!
> 
> Gernot

Grames Gernot wrote:
>  
> Hi,
> 
> My problem is following now:
> 
> I would like to set the filters for port 8099.
> I have tried it, but nothing happened.
> 
> When I try the same filter for the port 8080 it is working very well.
> 
> .) working filter (here I can see the dropped packages):
> tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8080
> 0xffff police rate 1kbit burst 1 drop flowid :1
> .) not working filter (here I can`t see the dropped packages):
> tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099
> 0xffff police rate 1kbit burst 1 drop flowid :1
> 
> Maybe it is a problem of the port forwarding, because I have set the
> forwarding of the incoming traffic on 8099 to port 8080. 
> 
> iptables -L -t nat 
> Chain PREROUTING (policy ACCEPT) 
> target     prot opt source               destination 
> DNAT       tcp  --  anywhere             iacapp3.local       tcp dpt:8099
> to:192.168.0.10:8080 
It looks like you are using the old policer that is after PREROUTING then -
I guess you don''t see any drops on 8099 because you already DNATed it
to
8080.
> 
> So my goal is to restrict incoming access only to port 8099 an not 8080
> (where the filters work)!
If you drop 8099 then your DNAT rule won''t ever match - or are you 
thinking of multiple interfaces?

To get policer before PREROUTING you need to recompile with different 
kernel options - You should be able to do the same with just IPTABLES 
rules specifying interface etc.

Andy.

Taylor, Grant wrote:
> Keep in mind that TC only controls traffic that is outbound from a 
> system.
Not totally true - you can''t have HTB etc shapers without IMQ/Dummy but
you can police traffic (and policers can be quite complicated) on ingress.

Andy.