Re: AW: [LARTC] Activate ingress policies on suse enterprise server 9

[Andy Furniss <andy.furniss@dsl.pipex.com>]

Grames Gernot wrote:
> Hi,
> 
> Thanks for the fast response,
> 
> .)Okay I tried your suggestion for my port 8099 and nothing happened:
> The tcp ip information goes from a firewall to my port 8099 and this port is
> than routed to the original 8080, I do that because I don`t want to dirturb
> my port 8080.
> But it seams the ingress filter doesn`t work on it!!
> 
> iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             iacapp3.local       tcp dpt:8099
> to:192.168.0.10:8080
> 
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> .)I tried then for the port 8080 and something happened but no drop of the
> packages:
> #tcpdump port 8080
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 15:07:21.522898 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S
> 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>
> 15:07:24.440701 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S
> 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>
> 15:07:30.456696 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S
> 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>
> 
> 3 packets captured
> 3 packets received by filter
> 0 packets dropped by kernel

tcpdump will see packets before policer - so they could still be 
dropped. Just to confuse matters though, depending on kernel options the 
ingress policer may see packets before or after prerouting.

use tc -s qdisc ls dev eth0 to see drops.

Andy.


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc