[LARTC] Re: Shaping only FTP traffic

[LARTC] Re: Shaping only FTP traffic

[Shanker Balan]

Hello:

Ivan Lopez wrote,
> you just filter by ftp-data port (20) and by passive ports range (most
> ftp daemons gives you the chance to define a determinate range of
> ports to use in passive mode)

But i have no control over the FTP clients users behind my Linux router
will use. Moreover, i have full NAT for my internal network.
 
> i discourage you from shaping ftp control traffic (21), because of the
> annoying delay you introduce in the interactiveness of the ftp session

Ok. Will take out port 21 then.

> this is how i do it using iptables marking and fw tc filter
> 
> #for matching ftp-data iptables -A OUTPUT -o $IF_EXT -p tcp --sport 20
> -j MARK 1 #for matching passive ports range that i configured in my
> ftp daemon iptables -A OUTPUT -o $IF_EXT -p tcp --sport 5000:5100 -j
> MARK 1

For this to work, all FTP clients should be configured to use only ports
between 5000 and 5100 right?

-- 
Emperor Palpatine:
	Everything that has transpired has done so according
	to my design.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/

Re: [LARTC] Re: Shaping only FTP traffic

[Ivan Lopez]

On Sep/25/2001, Shanker Balan wrote:

> Hello:
> 
> Ivan Lopez wrote,
> > you just filter by ftp-data port (20) and by passive ports range (most
> > ftp daemons gives you the chance to define a determinate range of
> > ports to use in passive mode)
> 
> But i have no control over the FTP clients users behind my Linux router
> will use. Moreover, i have full NAT for my internal network.
>  
> > i discourage you from shaping ftp control traffic (21), because of the
> > annoying delay you introduce in the interactiveness of the ftp session
> 
> Ok. Will take out port 21 then.
> 
> > this is how i do it using iptables marking and fw tc filter
> > 
> > #for matching ftp-data iptables -A OUTPUT -o $IF_EXT -p tcp --sport 20
> > -j MARK 1 #for matching passive ports range that i configured in my
> > ftp daemon iptables -A OUTPUT -o $IF_EXT -p tcp --sport 5000:5100 -j
> > MARK 1
> 
> For this to work, all FTP clients should be configured to use only ports
> between 5000 and 5100 right?

it's not the clients, but the server configuration
when using passive mode, is the server who selects which port is going to be used for the data transfer, so you can configure the range of ports to be used, and my example setup is for this case: shaping the available download bandwith to external clients from your server

but if what you want is to limit the available download bandwith to your internal clients from external ftp servers, you must shape the outgoing packets in the internal interface (coming from internet to your clients):

for active mode (ftp-data transfers by port 20) it can be done with

iptables -A POSTROUTING -t mangle -o $IF_INT -p tcp --sport 20 -j MARK 1

but, because of the above commented behavior of the passive mode, you cannot predict which ports will be used by your clients... and i don't know any *good* thing for matching accurately this ftp passive connections (anyone else here knows how :?)

ivan

PD: note my mistake in the previous reply in the iptables lines, they lack the -t mangle option, sorry O:)

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/

[LARTC] Re: Shaping only FTP traffic

[Shanker Balan]

Hello:

Ivan Lopez wrote,
> but, because of the above commented behavior of the passive mode, you
> cannot predict which ports will be used by your clients... and i don't
> know any *good* thing for matching accurately this ftp passive
> connections (anyone else here knows how :?)

And that is exactly my problem -  You never know what ports will be
opened for ftp data transfer and hence cannot "catch" them.

Since the FTP data port is unpredictable, what i have temporarily done is
to use a dedicated class of 1.5Mbit solely for HTTP traffic and the
remainder of .5Mbit is used for "other" traffic on a 2Mbit link. This is
not a perfect solution but it makes sure that http traffic is not
affected.

Looks like there is no straight forward solution for shaping FTP traffic
using Linux. How do routers and other traffic management appliances
handle FTP traffic shaping anyway?

Is it possible to use the Iptable's "established,related" functions to
mark FTP data traffic and then use the "fw" classifier on it?

-- 
Emperor Palpatine:
	Everything that has transpired has done so according
	to my design.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/

RE: [LARTC] Re: Shaping only FTP traffic

[Daniel Bergqvist]

Hi,

Is it possible to use the "Connection tracking / FTP protocol support"
module to track FTP connections?

Regards,
Daniel

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl]On
Behalf Of Shanker Balan
Sent: Tuesday, September 25, 2001 12:37 PM
To: LARTC
Subject: [LARTC] Re: Shaping only FTP traffic

> Is it possible to use the Iptable's "established,related" functions to
> mark FTP data traffic and then use the "fw" classifier on it?




_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/

Re: [LARTC] Re: Shaping only FTP traffic

[Ivan Lopez]

On Sep/25/2001, Shanker Balan wrote:

> Is it possible to use the Iptable's "established,related" functions to
> mark FTP data traffic and then use the "fw" classifier on it?

yes, using ip_conntrack_ftp, it will be something like this (take a look at http://www.cs.princeton.edu/~jns/security/iptables/iptables_conntrack.html)

iptables -A OUTPUT -t mangle -o $IF_LAN -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j MARK --set-mark 1

passive ftp-data traffic will be marked with this rule, but this is very generic and may catch other traffic totally unrelated to an ftp communication... (ie. a dcc send using ip_conntrack_irc)

ivan

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/

[LARTC] Re: Shaping only FTP traffic

[Shanker Balan]

Hello:

Ivan Lopez wrote,
> iptables -A OUTPUT -t mangle -o $IF_LAN -p tcp --sport 1024: --dport
> 1024: -m state --state ESTABLISHED,RELATED -j MARK --set-mark 1
> 
> passive ftp-data traffic will be marked with this rule, but this is
> very generic and may catch other traffic totally unrelated to an ftp
> communication... (ie. a dcc send using ip_conntrack_irc)

Which is one of the things i want to avoid - marking *all* tracked
connections. Now if only one could narrow the marking down purely to
FTP traffic.

I guess i should make this a feature request to the Netfilter team! ;)

-- 
Emperor Palpatine:
	Everything that has transpired has done so according
	to my design.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/