From: Ivan Lopez <ivan@askai.net>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Re: Shaping only FTP traffic
Date: Tue, 25 Sep 2001 10:08:23 +0000
Message-ID: <marc-lartc-100141252116757@msgid-missing>
In-Reply-To: <marc-lartc-100140813700807@msgid-missing>
On Sep/25/2001, Shanker Balan wrote:
> Hello:
>
> Ivan Lopez wrote,
> > you just filter by the ftp-data port (20) and by the passive ports range (most
> > ftp daemons give you the chance to define a determinate range of
> > ports to use in passive mode)
>
> But I have no control over the FTP clients users behind my Linux router
> will use. Moreover, I have full NAT for my internal network.
>
> > I discourage you from shaping ftp control traffic (21), because of the
> > annoying delay you introduce in the interactiveness of the ftp session
>
> Ok. Will take out port 21 then.
>
> > this is how I do it using iptables marking and the fw tc filter
> >
> > # for matching ftp-data
> > iptables -A OUTPUT -o $IF_EXT -p tcp --sport 20 -j MARK --set-mark 1
> > # for matching the passive ports range that I configured in my ftp daemon
> > iptables -A OUTPUT -o $IF_EXT -p tcp --sport 5000:5100 -j MARK --set-mark 1
>
> For this to work, all FTP clients should be configured to use only ports
> between 5000 and 5100 right?
It's not the clients, but the server configuration.
When using passive mode, it is the server that selects which port is going to be used for the data transfer, so you can configure the range of ports to be used, and my example setup is for this case: shaping the available download bandwidth to external clients from your server.
But if what you want is to limit the available download bandwidth to your internal clients from external ftp servers, you must shape the outgoing packets on the internal interface (coming from the internet to your clients):
For active mode (ftp-data transfers from port 20) it can be done with
iptables -A POSTROUTING -t mangle -o $IF_INT -p tcp --sport 20 -j MARK --set-mark 1
But, because of the passive mode behavior commented on above, you cannot predict which ports will be used by your clients... and I don't know any *good* thing for matching these ftp passive connections accurately (does anyone else here know how? :?)
ivan
PD: note my mistake in the iptables lines of the previous reply: they lack the -t mangle option, sorry O:)
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/
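The two setups Ivan describes above, worked through as one added example (this is not code from the thread or from the LARTC HOWTO): marking FTP data with iptables in the mangle table and steering it into a rate-limited HTB class with a `tc filter ... fw` rule. The `server` case covers downloads that external clients pull from your own FTP server (source port 20 plus the passive range you configured in the daemon, on the external interface); the `clients` case covers downloads that NAT'ed LAN clients pull from external servers, shaped on egress of the internal interface, where only the active-mode source port 20 is predictable. Interface names, the 5000:5100 range, the rates and the mark value are placeholders, not values from the mail.

```shell
#!/bin/sh
# Added example, not from Ivan's mail: his iptables MARK + "tc filter ... fw"
# approach, for both cases discussed in the thread.
#   server  : shape data leaving your own FTP server on the external interface
#             (port 20 and the passive range configured in the daemon).
#   clients : shape data going to LAN clients on the internal interface; only
#             active-mode data (source port 20) can be matched this way, since
#             the passive ports are chosen by the remote server.
# All values below are placeholders (assumptions), override them via environment.

IF_EXT="${IF_EXT:-eth0}"           # interface toward the internet
IF_INT="${IF_INT:-eth1}"           # interface toward the LAN
PASV_LO="${PASV_LO:-5000}"         # passive range configured in *your* ftp daemon
PASV_HI="${PASV_HI:-5100}"
LINK_RATE="${LINK_RATE:-10mbit}"   # total rate of the shaped link
FTP_RATE="${FTP_RATE:-256kbit}"    # bandwidth left for marked FTP data
OTHER_RATE="${OTHER_RATE:-9mbit}"  # guaranteed rate for everything else
MARK=1                             # fwmark value; must match the fw filter handle
DRY_RUN="${DRY_RUN:-1}"            # 1 = print the commands, 0 = execute them (root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Case 1: mark data leaving your own server. The MARK target lives in the
# mangle table, so -t mangle is required (the option Ivan's PD refers to).
ftp_mark_own_server() {
    run iptables -t mangle -A OUTPUT -o "$IF_EXT" -p tcp --sport 20 \
        -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -o "$IF_EXT" -p tcp \
        --sport "${PASV_LO}:${PASV_HI}" -j MARK --set-mark "$MARK"
}

# Case 2: router with NAT'ed clients. Packets are marked in POSTROUTING so the
# mark is set before the egress qdisc of the internal interface sees them.
ftp_mark_lan_clients() {
    run iptables -t mangle -A POSTROUTING -o "$IF_INT" -p tcp --sport 20 \
        -j MARK --set-mark "$MARK"
}

# HTB tree on the given device: marked packets go to class 1:10 (capped at
# FTP_RATE), everything else falls into the default class 1:20.
ftp_tc_rules() {
    dev="$1"
    run tc qdisc add dev "$dev" root handle 1: htb default 20
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$LINK_RATE"
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb \
        rate "$FTP_RATE" ceil "$FTP_RATE"
    run tc class add dev "$dev" parent 1:1 classid 1:20 htb \
        rate "$OTHER_RATE" ceil "$LINK_RATE"
    # The fw classifier keys on the fwmark set by iptables above.
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 \
        handle "$MARK" fw flowid 1:10
}

# Emit (or apply) the complete rule set for the chosen case.
ftp_shaping() {
    case "$1" in
        server)  ftp_mark_own_server;  ftp_tc_rules "$IF_EXT" ;;
        clients) ftp_mark_lan_clients; ftp_tc_rules "$IF_INT" ;;
        *) echo "usage: ftp_shaping server|clients" >&2; return 1 ;;
    esac
}

ftp_shaping "${1:-clients}"
```

With `DRY_RUN=1` (the default) the script only prints the iptables and tc commands so they can be reviewed; `DRY_RUN=0` applies them and needs root. The `clients` case deliberately produces no rule for passive-mode data, which is exactly the gap Ivan points out: on a NAT router you cannot know which port the remote server will pick.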