From mboxrd@z Thu Jan 1 00:00:00 1970
From: Andy Furniss
Date: Thu, 21 Apr 2005 20:46:00 +0000
Subject: Re: AW: AW: AW: [LARTC] Activate ingress policies on suse enterprise
Message-Id: <42681108.9000203@dsl.pipex.com>
List-Id:
References:
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Grames Gernot wrote:
>
> Hi,
>
> My problem is the following now:
>
> I would like to set the filters for port 8099.
> I have tried it, but nothing happened.
>
> When I try the same filter for port 8080 it is working very well.
>
> .) working filter (here I can see the dropped packages):
> tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8080
> 0xffff police rate 1kbit burst 1 drop flowid :1
> .) not working filter (here I can't see the dropped packages):
> tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099
> 0xffff police rate 1kbit burst 1 drop flowid :1
>
> Maybe it is a problem of the port forwarding, because I have set the
> forwarding of the incoming traffic on 8099 to port 8080.
>
> iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             iacapp3.local        tcp dpt:8099
> to:192.168.0.10:8080

It looks like you are using the old policer that is after PREROUTING then -
I guess you don't see any drops on 8099 because you already DNATed it to
8080.

>
> So my goal is to restrict incoming access only to port 8099 and not 8080
> (where the filters work)!

If you drop 8099 then your DNAT rule won't ever match - or are you thinking
of multiple interfaces?

To get the policer before PREROUTING you need to recompile with different
kernel options - you should be able to do the same with just IPTABLES rules
specifying interface etc.

Andy.

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
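The two approaches discussed in this thread side by side, as an added example that is not part of the original post or of the LARTC project: a script that emits the tc ingress policer from Gernot's mail, an iptables rate limit per interface and port of the kind Andy suggests, and a small check of a `iptables -t nat -S PREROUTING` listing for a DNAT on the policed port (which is what makes the tc filter on 8099 see nothing when the policer runs after PREROUTING). The interface, ports, rates and the sample nat listing are constructed; placing the iptables rules in the mangle table's PREROUTING chain (which runs before nat PREROUTING, so it sees the original destination port) and using the packet-based `limit` match instead of a bit rate are this example's own choices, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints every command it would run;
# set APPLY=1 to execute them (requires root and a real interface).

run() {
    # Echo the command, and only execute it when APPLY=1.
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then
        eval "$*"
    fi
}

# tc ingress policer as posted in the thread. With the policer attached after
# PREROUTING, a DNAT from $port to another port means this filter never sees
# $port, so no drops are counted, which is the symptom Gernot reports.
tc_ingress_police() {
    iface=$1; port=$2; rate=$3; burst=$4
    run "tc qdisc add dev $iface handle ffff: ingress"
    run "tc filter add dev $iface parent ffff: protocol ip u32 match ip dport $port 0xffff police rate $rate burst $burst drop flowid :1"
}

# iptables alternative per interface and port (Andy's suggestion). The mangle
# PREROUTING chain runs before nat PREROUTING, so --dport still matches the
# pre-DNAT port. The limit match counts packets per second, not bits.
iptables_ingress_limit() {
    iface=$1; port=$2; pps=$3; burst=$4
    run "iptables -t mangle -A PREROUTING -i $iface -p tcp --dport $port -m limit --limit $pps --limit-burst $burst -j ACCEPT"
    run "iptables -t mangle -A PREROUTING -i $iface -p tcp --dport $port -j DROP"
}

# Look for a DNAT rule on $1 in a "iptables -t nat -S PREROUTING" listing
# passed as $2. Prints the matching rule and returns 0 if found, else 1.
dnat_for_port() {
    port=$1; rules=$2
    printf '%s\n' "$rules" | grep -E -- "--dport $port( |$).*-j DNAT"
}

# Demo with constructed values; run with DEMO=1 to see the generated commands.
if [ "${DEMO:-0}" = "1" ]; then
    # Constructed nat listing, mirroring the DNAT shown in the thread.
    nat_rules='-A PREROUTING -i eth0 -p tcp -m tcp --dport 8099 -j DNAT --to-destination 192.168.0.10:8080'
    if dnat_for_port 8099 "$nat_rules"; then
        echo "# port 8099 is DNATed: an ingress policer after PREROUTING will not see it"
    fi
    tc_ingress_police eth0 8099 1kbit 1
    iptables_ingress_limit eth0 8099 10/s 5
fi
```

`DEMO=1 sh script.sh` prints the commands without touching the system; `APPLY=1` runs them. Keep the tc policer for the case where the kernel is built with the policer before PREROUTING; otherwise the mangle-table rules are the practical way to limit by the port the client actually connects to.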