Grames Gernot
2005-Apr-22 06:25 UTC
AW: AW: AW: AW: Activate ingress policies on suse enterprise server 9
Hi,

So far, if I have understood correctly: I route the incoming tcpip message of port 8099 directly to 8080 and then the ingress filter on port 8099 has nothing to do!?

Yes, I think on different interfaces on one machine (different ports for different requests, with different restrictions).

What exactly has to be done to set the policer before PREROUTING? Which kernel options, or also extra modules!?

Or how can it be done on iptables level??

Thanks for helping me out in such problematic things.

Gernot

-----Original Message-----
From: Andy Furniss [mailto:andy.furniss@dsl.pipex.com]
Sent: Thursday, 21 April 2005 22:46
To: Grames Gernot
Cc: 'lartc@mailman.ds9a.nl'
Subject: Re: AW: AW: AW: [LARTC] Activate ingress policies on suse enterprise server 9

Grames Gernot wrote:
>
> Hi,
>
> My problem is following now:
>
> I would like to set the filters for port 8099.
> I have tried it, but nothing happened.
>
> When I try the same filter for the port 8080 it is working very well.
>
> .) working filter (here I can see the dropped packages):
> tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8080
> 0xffff police rate 1kbit burst 1 drop flowid :1
> .) not working filter (here I can't see the dropped packages):
> tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099
> 0xffff police rate 1kbit burst 1 drop flowid :1
>
> Maybe it is a problem of the port forwarding, because I have set the
> forwarding of the incoming traffic on 8099 to port 8080.
>
> iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> DNAT tcp -- anywhere iacapp3.local tcp dpt:8099 to:192.168.0.10:8080

It looks like you are using the old policer that is after PREROUTING then - I guess you don't see any drops on 8099 because you already DNATed it to 8080.

> So my goal is to restrict incoming access only to port 8099 and not 8080
> (where the filters work)!

If you drop 8099 then your DNAT rule won't ever match - or are you thinking of multiple interfaces?

To get policer before PREROUTING you need to recompile with different kernel options - You should be able to do the same with just IPTABLES rules specifying interface etc.

Andy.

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Andy Furniss
2005-Apr-22 23:34 UTC
Re: AW: AW: AW: AW: Activate ingress policies on suse enterprise server 9
Grames Gernot wrote:
> Hi,
>
> So far, if I have understood correctly: I route the incoming tcpip message of
> port 8099 directly to 8080 and then the ingress filter on port 8099 has
> nothing to do!?
>
> Yes, I think on different interfaces on one machine (different ports for
> different requests, with different restrictions).
>
> What exactly has to be done to set the policer before PREROUTING?
> Which kernel options, or also extra modules!?

On recent kernels if you select packet action in QoS and/or fair queuing of config the policer will be before PREROUTING.

> Or how can it be done on iptables level??

You could have your DNAT rule only for packets from the interface you want eg .... -i eth1 DNAT ...... would only do packets inbound from eth1.

Andy.
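Added example, not from the thread: a dry-run shell script that puts the interface-unrestricted DNAT rule discussed above beside the interface-restricted form Andy suggests, and attaches the ingress policer to that interface matching the post-DNAT port 8080 (on a kernel whose policer runs after PREROUTING, that is the port it sees, which is why the 8099 filter never matched). The interface name eth1 and the RUN switch are assumptions; the DNAT target is the one from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: eth1 is the interface
# that should accept port 8099; 192.168.0.10:8080 is the DNAT target from
# the thread; the kernel's ingress policer runs after PREROUTING (the
# "old policer" case), so it sees the rewritten port 8080, not 8099.
IFACE=eth1
BACKEND=192.168.0.10

# Apply commands only when RUN=1; otherwise print them (dry run).
run() {
    if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# The rule from the thread: port 8099 is forwarded from every interface,
# and it has already become 8080 by the time the ingress policer looks,
# so a tc filter matching dport 8099 never sees anything.
dnat_unrestricted() {
    run iptables -t nat -A PREROUTING -p tcp --dport 8099 \
        -j DNAT --to-destination "$BACKEND:8080"
}

# Andy's variant: only packets arriving on $IFACE are forwarded, so 8099
# stays closed on the other interfaces without any policer at all.
dnat_per_interface() {
    run iptables -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 8099 \
        -j DNAT --to-destination "$BACKEND:8080"
}

# Policer for the forwarded traffic on $IFACE: because DNAT has already
# happened, match the post-DNAT port 8080 (the filter that worked in the
# thread), not 8099. tc ingress is per device, so this only limits $IFACE.
police_ingress() {
    run tc qdisc add dev "$IFACE" handle ffff: ingress
    run tc filter add dev "$IFACE" parent ffff: protocol ip u32 \
        match ip dport 8080 0xffff police rate 1kbit burst 1 drop flowid :1
}

# Default invocation: print what would be applied.
dnat_per_interface
police_ingress
```

Run it as `RUN=1 sh script.sh` as root to apply the rules instead of printing them.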