From mboxrd@z Thu Jan 1 00:00:00 1970
From: Andy Furniss
Date: Mon, 18 Apr 2005 14:05:14 +0000
Subject: Re: AW: [LARTC] Activate ingress policies on suse enterprise server 9
Message-Id: <4263BE9A.4060405@dsl.pipex.com>
List-Id:
References:
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Grames Gernot wrote:
> Hi,
>
> Thanks for the fast response,
>
> .)Okay I tried your suggestion for my port 8099 and nothing happened:
> The tcp ip information goes from a firewall to my port 8099 and this port is
> then routed to the original 8080, I do that because I don't want to disturb
> my port 8080.
> But it seems the ingress filter doesn't work on it!!
>
> iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> DNAT tcp -- anywhere iacapp3.local tcp dpt:8099
> to:192.168.0.10:8080
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> .)I tried then for the port 8080 and something happened but no drop of the
> packages:
> #tcpdump port 8080
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 15:07:21.522898 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S
> 3628241160:3628241160(0) win 64240
> 15:07:24.440701 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S
> 3628241160:3628241160(0) win 64240
> 15:07:30.456696 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S
> 3628241160:3628241160(0) win 64240
>
> 3 packets captured
> 3 packets received by filter
> 0 packets dropped by kernel

tcpdump will see packets before policer - so they could still be dropped.

Just to confuse matters though, depending on kernel options the ingress
policer may see packets before or after prerouting.

Use tc -s qdisc ls dev eth0 to see drops.

Andy.
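Added example, not part of the original thread: a small shell helper that pulls the ingress qdisc's drop counter out of `tc -s qdisc ls` output, which is the check suggested in the reply above. The sample output is constructed, its layout varies between iproute2 versions, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `tc -s qdisc ls dev eth0` output (not captured from
# the poster's machine); field layout differs slightly by iproute2 version.
sample_tc_output() {
cat <<'EOF'
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 52311 bytes 412 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc ingress ffff: parent ffff:fff1 ----------------
 Sent 180 bytes 3 pkt (dropped 3, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
EOF
}

# qdisc_dropped KIND: read `tc -s qdisc ls` output on stdin and print the
# "dropped" counter of the first qdisc of that kind (hypothetical helper).
# Exit status is 1 when no qdisc of that kind is attached, which separates
# "policer never dropped anything" from "no ingress qdisc on this device".
qdisc_dropped() {
    awk -v kind="$1" '
        # Every stanza starts with a "qdisc <kind> <handle>" line.
        $1 == "qdisc" { in_kind = ($2 == kind) }
        # The statistics line of the current stanza carries "(dropped N, ...".
        in_kind && /\(dropped [0-9]+/ {
            sub(/.*\(dropped /, "")   # strip everything up to the counter
            sub(/[^0-9].*/, "")       # strip everything after the counter
            print
            found = 1
            exit
        }
        END { exit !found }
    '
}

# On a live host (needs the ingress qdisc from the thread to be attached):
#   tc -s qdisc ls dev eth0 | qdisc_dropped ingress
# Note: tcpdump's "packets dropped by kernel" line counts capture-buffer
# losses, not policer drops, so it cannot be used for this check.
```

Running the helper before and after a test connection and comparing the two numbers shows whether the policer dropped the packets that tcpdump displayed.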