From: Andy Furniss <andy.furniss@dsl.pipex.com>
To: lartc@vger.kernel.org
Subject: Re: AW: AW: AW: [LARTC] Activate ingress policies on suse enterprise
Date: Thu, 21 Apr 2005 20:46:00 +0000
Message-ID: <42681108.9000203@dsl.pipex.com>
In-Reply-To: <E650DED25A93D71184B80002B3CC411D84F54A@vies1a1a.sie.siemens.at>

Grames Gernot wrote:
>  
> Hi,
> 
> My problem is the following now:
> 
> I would like to set the filters for port 8099.
> I have tried it, but nothing happened.
> 
> When I try the same filter for the port 8080 it is working very well.
> 
> .) working filter (here I can see the dropped packages):
> tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8080 0xffff police rate 1kbit burst 1 drop flowid :1
> .) not working filter (here I can't see the dropped packages):
> tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099 0xffff police rate 1kbit burst 1 drop flowid :1
> 
> Maybe it is a problem of the port forwarding, because I have set the
> forwarding of the incoming traffic on 8099 to port 8080. 
> 
> iptables -L -t nat 
> Chain PREROUTING (policy ACCEPT) 
> target     prot opt source               destination 
> DNAT       tcp  --  anywhere             iacapp3.local       tcp dpt:8099 to:192.168.0.10:8080

It looks like you are using the old policer that is after PREROUTING then -
I guess you don't see any drops on 8099 because you already DNATed it to 
8080.

> 
> So my goal is to restrict incoming access only to port 8099 and not 8080
> (where the filters work)!

If you drop 8099 then your DNAT rule won't ever match - or are you 
thinking of multiple interfaces?

To get policer before PREROUTING you need to recompile with different 
kernel options - You should be able to do the same with just IPTABLES 
rules specifying interface etc.

Andy.
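
One way to do the iptables-only policing suggested in the reply above, as an added example that is not part of the original message. It assumes the limit is placed in mangle/PREROUTING, which is traversed before the nat/PREROUTING DNAT rule; the function names, rate and burst are hypothetical, and `-m limit` counts packets rather than bits, so it does not reproduce the 1kbit figure exactly.

```shell
#!/bin/sh
# Added example, not from the thread. mangle/PREROUTING is traversed before
# nat/PREROUTING, so these rules still see the original destination port
# (8099) rather than the DNATed one (8080).

# police_rules IFACE PORT RATE BURST
# Prints iptables arguments, one rule per line, without applying anything.
# RATE and BURST are packet-based (-m limit), unlike tc's bit-rate policer.
police_rules() {
    iface=$1 port=$2 rate=$3 burst=$4
    match="-t mangle -A PREROUTING -i $iface -p tcp --dport $port"
    # Packets within the limit are accepted and continue on to the DNAT rule.
    echo "$match -m limit --limit $rate --limit-burst $burst -j ACCEPT"
    # Everything over the limit on that port is dropped before DNAT.
    echo "$match -j DROP"
}

# apply_rules IFACE PORT RATE BURST
# Feeds each generated rule to iptables (needs root); stops at first failure.
apply_rules() {
    police_rules "$@" | while read -r rule; do
        # Word splitting of $rule is intentional: one argument per word.
        iptables $rule || exit 1
    done
}

# Constructed values: eth0 and 8099 come from the thread, the rate and burst
# are assumptions chosen for illustration.
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules eth0 8099 10/second 20
else
    police_rules eth0 8099 10/second 20
fi
```

Run without `APPLY=1` it only prints the two rules for review; traffic sent directly to port 8080 is not touched by either rule.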