[LARTC] why dont packets go where i want?

[LARTC] why dont packets go where i want?

[Kertész Viktor]

Dear All!

I reach the point that I must ask you what I have to do. I am beginner at
traffic shaping and I'm very confused with it. :)
Here's my script that doesn't do what I want to do with it:
tc qdisc del dev eth1 root
tc qdisc add dev eth1 root handle 1 htb default 2 r2q 10

tc class add dev eth1 parent 1: classid 1:1 htb rate 300kbit
tc class add dev eth1 parent 1: classid 1:100 htb rate 300kbit
tc class add dev eth1 parent 1:100 classid 1:101 htb rate 10kbit ceil 30kbit
tc class add dev eth1 parent 1:100 classid 1:102 htb rate 10kbit ceil 20kbit
tc class add dev eth1 parent 1:100 classid 1:103 htb rate 10kbit ceil 15kbit

tc class add dev eth1 parent 1: classid 1:2 htb rate 700kbit burst 15k

tc qdisc add dev eth1 parent 1:101 handle 101: sfq perturb 10
tc qdisc add dev eth1 parent 1:102 handle 102: sfq perturb 10
tc qdisc add dev eth1 parent 1:103 handle 103: sfq perturb 10

tc filter add dev eth1 parent 1: protocol ip u32 match ip dst 192.168.1.0/24
flowid 1:1

tc filter add dev eth1 parent 1:1 protocol ip u32 match ip dst 192.168.1.2
flowid 1:100

tc filter add dev eth1 parent 1:100 protocol ip u32 match ip tos 0x10 0xff
flowid 1:101
tc filter add dev eth1 parent 1:100 protocol ip u32 match ip protocol 1 0xff
flowid 1:101
tc filter add dev eth1 parent 1:100 protocol ip u32 match ip sport 21 0xffff
flowid 1:103

Packets do not go to 1:103 when I download from ftp site. The last 3 filter
doesn't work at all. All packets go to 1:1. I think this class-system
doesn't work the way I think. Do you have any idea where did I make the
mistake? (of course I want to add much more classes later but it's just the
test phase) Thank you in advance!

Kertész Viktor

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] why dont packets go where i want?

[Francois Dessart]

Hello,

The problem is with your FTP filter:
FTP data are transferred on a dynamic, autonegociated port.
With your filter,  only FTP control-traffic from _your_  FTP server
would go to 1:103.


Francois.

----- Original Message -----
From: "Kertész Viktor" <kviktor@i-trade.hu>
To: "lartc lista" <LARTC@mailman.ds9a.nl>
Sent: Thursday, October 17, 2002 10:09 AM
Subject: [LARTC] why dont packets go where i want?


> Dear All!
>
> I reach the point that I must ask you what I have to do. I am beginner
at
> traffic shaping and I'm very confused with it. :)
> Here's my script that doesn't do what I want to do with it:
> tc qdisc del dev eth1 root
> tc qdisc add dev eth1 root handle 1 htb default 2 r2q 10
>
> tc class add dev eth1 parent 1: classid 1:1 htb rate 300kbit
> tc class add dev eth1 parent 1: classid 1:100 htb rate 300kbit
> tc class add dev eth1 parent 1:100 classid 1:101 htb rate 10kbit ceil
30kbit
> tc class add dev eth1 parent 1:100 classid 1:102 htb rate 10kbit ceil
20kbit
> tc class add dev eth1 parent 1:100 classid 1:103 htb rate 10kbit ceil
15kbit
>
> tc class add dev eth1 parent 1: classid 1:2 htb rate 700kbit burst 15k
>
> tc qdisc add dev eth1 parent 1:101 handle 101: sfq perturb 10
> tc qdisc add dev eth1 parent 1:102 handle 102: sfq perturb 10
> tc qdisc add dev eth1 parent 1:103 handle 103: sfq perturb 10
>
> tc filter add dev eth1 parent 1: protocol ip u32 match ip dst
192.168.1.0/24
> flowid 1:1
>
> tc filter add dev eth1 parent 1:1 protocol ip u32 match ip dst
192.168.1.2
> flowid 1:100
>
> tc filter add dev eth1 parent 1:100 protocol ip u32 match ip tos 0x10
0xff
> flowid 1:101
> tc filter add dev eth1 parent 1:100 protocol ip u32 match ip protocol
1 0xff
> flowid 1:101
> tc filter add dev eth1 parent 1:100 protocol ip u32 match ip sport 21
0xffff
> flowid 1:103
>
> Packets do not go to 1:103 when I download from ftp site. The last 3
filter
> doesn't work at all. All packets go to 1:1. I think this class-system
> doesn't work the way I think. Do you have any idea where did I make
the
> mistake? (of course I want to add much more classes later but it's
just the
> test phase) Thank you in advance!
>
> Kertész Viktor
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] why dont packets go where i want?

[Francois Dessart]

Small mistake, here is the correct answer:

The problem is with your FTP filter:
FTP data are transferred on a dynamic, autonegociated port.
With your filter,  only FTP _control-traffic_ from FTP server would go
to 1:103.

Francois.


> Hello,
>
> The problem is with your FTP filter:
> FTP data are transferred on a dynamic, autonegociated port.
> With your filter,  only FTP control-traffic from _your_  FTP server
> would go to 1:103.
>
>
> Francois.
>
> ----- Original Message -----
> From: "Kertész Viktor" <kviktor@i-trade.hu>
> To: "lartc lista" <LARTC@mailman.ds9a.nl>
> Sent: Thursday, October 17, 2002 10:09 AM
> Subject: [LARTC] why dont packets go where i want?
>
>
> > Dear All!
> >
> > I reach the point that I must ask you what I have to do. I am
beginner
> at
> > traffic shaping and I'm very confused with it. :)
> > Here's my script that doesn't do what I want to do with it:
> > tc qdisc del dev eth1 root
> > tc qdisc add dev eth1 root handle 1 htb default 2 r2q 10
> >
> > tc class add dev eth1 parent 1: classid 1:1 htb rate 300kbit
> > tc class add dev eth1 parent 1: classid 1:100 htb rate 300kbit
> > tc class add dev eth1 parent 1:100 classid 1:101 htb rate 10kbit
ceil
> 30kbit
> > tc class add dev eth1 parent 1:100 classid 1:102 htb rate 10kbit
ceil
> 20kbit
> > tc class add dev eth1 parent 1:100 classid 1:103 htb rate 10kbit
ceil
> 15kbit
> >
> > tc class add dev eth1 parent 1: classid 1:2 htb rate 700kbit burst
15k
> >
> > tc qdisc add dev eth1 parent 1:101 handle 101: sfq perturb 10
> > tc qdisc add dev eth1 parent 1:102 handle 102: sfq perturb 10
> > tc qdisc add dev eth1 parent 1:103 handle 103: sfq perturb 10
> >
> > tc filter add dev eth1 parent 1: protocol ip u32 match ip dst
> 192.168.1.0/24
> > flowid 1:1
> >
> > tc filter add dev eth1 parent 1:1 protocol ip u32 match ip dst
> 192.168.1.2
> > flowid 1:100
> >
> > tc filter add dev eth1 parent 1:100 protocol ip u32 match ip tos
0x10
> 0xff
> > flowid 1:101
> > tc filter add dev eth1 parent 1:100 protocol ip u32 match ip
protocol
> 1 0xff
> > flowid 1:101
> > tc filter add dev eth1 parent 1:100 protocol ip u32 match ip sport
21
> 0xffff
> > flowid 1:103
> >
> > Packets do not go to 1:103 when I download from ftp site. The last 3
> filter
> > doesn't work at all. All packets go to 1:1. I think this
class-system
> > doesn't work the way I think. Do you have any idea where did I make
> the
> > mistake? (of course I want to add much more classes later but it's
> just the
> > test phase) Thank you in advance!
> >
> > Kertész Viktor
> >
> > _______________________________________________
> > LARTC mailing list / LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO:
http://lartc.org/
>

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] why dont packets go where i want?

[Kertész Viktor]

Hello,

Even if i use passive transfer? Notice that ping request/ping reply also
don't work. How do you mean that it only works from MY ftp server? How could
i shape ftp traffic from every ftp host? Thanks!

Viktor



> Hello,
>
> The problem is with your FTP filter:
> FTP data are transferred on a dynamic, autonegociated port.
> With your filter,  only FTP control-traffic from _your_  FTP server
> would go to 1:103.
>
>

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] why dont packets go where i want?

[Walter Haidinger]

On Thu, 17 Oct 2002, [iso-8859-2] Kertész Viktor wrote:

> Here's my script that doesn't do what I want to do with it:
> tc qdisc del dev eth1 root
> tc qdisc add dev eth1 root handle 1 htb default 2 r2q 10
>
> tc class add dev eth1 parent 1: classid 1:1 htb rate 300kbit
> tc class add dev eth1 parent 1: classid 1:100 htb rate 300kbit
> tc class add dev eth1 parent 1:100 classid 1:101 htb rate 10kbit ceil 30kbit
> tc class add dev eth1 parent 1:100 classid 1:102 htb rate 10kbit ceil 20kbit
> tc class add dev eth1 parent 1:100 classid 1:103 htb rate 10kbit ceil 15kbit
[--cut--]

Since your script looks almost identical to mine, I wonder:
Does your HTB setup limit traffic to the specified rates?

> tc filter add dev eth1 parent 1:100 protocol ip u32 match ip sport 21 0xffff
> flowid 1:103

You want dport instead. However, isn't HTB only for _outbound_ traffic
shaping? AFAIK you need to use ingress for inbound.

walter

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] why dont packets go where i want?

[Kertész Viktor]

My simple network sheme:
                     eth0                    eth1
internet--------gw(traffic shaping)-------client
I'd like to make this script work on a gateway with more than 100
clients.(ISP's gw)

>
> Since your script looks almost identical to mine, I wonder:
> Does your HTB setup limit traffic to the specified rates?
This setup set the 300kbit limit (1:1). I think the problem is with my
filtering rules.
Classes below 1:100 didn't get any packet.

>
> > tc filter add dev eth1 parent 1:100 protocol ip u32 match ip sport 21
0xffff
> > flowid 1:103
>
> You want dport instead. However, isn't HTB only for _outbound_ traffic
> shaping? AFAIK you need to use ingress for inbound.
Packets are going out en eth1, aren't they? Why dport? Packets are coming
from port 21(ftp port) with passive mode. Tell me if i am wrong.

Viktor

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] why dont packets go where i want?

[Francois Dessart]

> Packets are going out en eth1, aren't they? Why dport? Packets are
coming
> from port 21(ftp port) with passive mode. Tell me if i am wrong.

ftp-data        20/tcp
ftp-data        20/udp
ftp             21/tcp
ftp             21/udp

FTP data (passive) use port 20.



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] why dont packets go where i want?

[Walter Haidinger]

On Thu, 17 Oct 2002, Kertész Viktor wrote:

> My simple network sheme:
>                      eth0                    eth1
> internet--------gw(traffic shaping)-------client
> I'd like to make this script work on a gateway with more than 100
> clients.(ISP's gw)

Same here.

> This setup set the 300kbit limit (1:1). I think the problem is with my
> filtering rules.
> Classes below 1:100 didn't get any packet.

I'd like to know if packets are dropped with if the 300kbit limit is
eceeded. If bandwidth isn't limited, there is no need for filters anyway.
Could you mail me the output of 'tc -s class ls dev eth1' ? Thanks.

> Packets are going out en eth1, aren't they? Why dport? Packets are coming
> from port 21(ftp port) with passive mode. Tell me if i am wrong.

For passive mode uploads, packets are coming from a private port (>1024)
and going to port 21.

You cannot shape traffic for downloads with HTB, you'll need ingress
instead. I'm not 100% (but quite!) sure there (just into traffic shaping a
few days), so would somebody please correct me if I'm wrong here.

Walter

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] why dont packets go where i want?

[Kertész Viktor]

> I'd like to know if packets are dropped with if the 300kbit limit is
> eceeded. If bandwidth isn't limited, there is no need for filters anyway.
> Could you mail me the output of 'tc -s class ls dev eth1' ? Thanks.

Here you are: (i made ssh,ping,ftp traffic)
class htb 1:101 parent 1:100 leaf 101: prio 0 rate 10Kbit ceil 30Kbit burst
1611b cburst 1637b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 1031680 ctokens: 349439

class htb 1:1 root prio 0 rate 300Kbit ceil 300Kbit burst 1983b cburst 1983b
 Sent 472615 bytes 401 pkts (dropped 0, overlimits 0)
 rate 5005bps 4pps
 lended: 401 borrowed: 0 giants: 0
 tokens: 40788 ctokens: 40788

class htb 1:100 root rate 300Kbit ceil 300Kbit burst 1983b cburst 1983b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 42324 ctokens: 42324

class htb 1:103 parent 1:100 leaf 103: prio 0 rate 10Kbit ceil 15Kbit burst
1611b cburst 1618b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 1031680 ctokens: 690773

class htb 1:2 root prio 0 rate 700Kbit ceil 700Kbit burst 15Kb cburst 2495b
 Sent 164 bytes 2 pkts (dropped 0, overlimits 0)
 lended: 2 borrowed: 0 giants: 0
 tokens: 139703 ctokens: 22090

class htb 1:102 parent 1:100 leaf 102: prio 0 rate 10Kbit ceil 20Kbit burst
1611b cburst 1624b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 1031680 ctokens: 519999

>
> For passive mode uploads, packets are coming from a private port (>1024)
> and going to port 21.
I see. Checked it out with tcpdump.

>
> You cannot shape traffic for downloads with HTB, you'll need ingress
> instead. I'm not 100% (but quite!) sure there (just into traffic shaping a
> few days), so would somebody please correct me if I'm wrong here.
You make me very disappointed. Wondershaper told me that it is possible. I
just wanted to add a level in the class-tree. I think I have to think about
it once more. :)

Viktor

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] why dont packets go where i want?

[Stef Coene]

On Thursday 17 October 2002 11:01, Kertész Viktor wrote:
> Hello,
>
> Even if i use passive transfer? Notice that ping request/ping reply also
> don't work. How do you mean that it only works from MY ftp server? How
> could i shape ftp traffic from every ftp host? Thanks!
There is a helper for iptables that can match _all_ ftp traffic (so data + 
control) packets.  If you mark the packets with iptabes, you can use the fw 
filter to put the packets in the class you want.

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] why dont packets go where i want?

[Walter Haidinger]

On Thu, 17 Oct 2002, Kertész Viktor wrote:

> Here you are: (i made ssh,ping,ftp traffic)
> class htb 1:101 parent 1:100 leaf 101: prio 0 rate 10Kbit ceil 30Kbit burst
> 1611b cburst 1637b
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>  lended: 0 borrowed: 0 giants: 0
>  tokens: 1031680 ctokens: 349439
>
> class htb 1:1 root prio 0 rate 300Kbit ceil 300Kbit burst 1983b cburst 1983b
>  Sent 472615 bytes 401 pkts (dropped 0, overlimits 0)
>  rate 5005bps 4pps
>  lended: 401 borrowed: 0 giants: 0
>  tokens: 40788 ctokens: 40788
[--cut--]

You have neither dropped or overlimit packets too. Was traffic really
limited to the specified rate?

> >
> > For passive mode uploads, packets are coming from a private port
> > (>1024) and going to port 21.
> I see. Checked it out with tcpdump.

Small typo though: replace "private" with "public".


> > You cannot shape traffic for downloads with HTB, you'll need ingress
> > instead. I'm not 100% (but quite!) sure there (just into traffic shaping a
> > few days), so would somebody please correct me if I'm wrong here.

> You make me very disappointed. Wondershaper told me that it is possible. I
> just wanted to add a level in the class-tree. I think I have to think about
> it once more. :)

I also had a look at wondershaper.  Wondershaper uses an ingress qdisc for
inbound traffic. Where does it tell you that you can shape _incoming_
traffic with htb?

Walter

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] why dont packets go where i want?

[Kertész Viktor]

> You have neither dropped or overlimit packets too. Was traffic really
> limited to the specified rate?
On a 100Mbit network I downloaded at 36kbyte/s. I think it's correct.

> > You make me very disappointed. Wondershaper told me that it is possible.
I
> > just wanted to add a level in the class-tree. I think I have to think
about
> > it once more. :)
>
> I also had a look at wondershaper.  Wondershaper uses an ingress qdisc for
> inbound traffic. Where does it tell you that you can shape _incoming_
> traffic with htb?
I think we are out of sync about what outgoing traffic means. :) (and i am
sure i am wrong) When traffic goes through the gw, outgoing traffic means to
the gw that packets leave it's eth1 nic, isn't it? From wondershaper i just
took examples. Of course wondershaper shapes outgoing traffic with htb. Once
more, i download on the client machine, not on the gw. Thanks for replies!
:)

Viktor

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] why dont packets go where i want?

[Walter Haidinger]

On Thu, 17 Oct 2002, Kertész Viktor wrote:

> I think we are out of sync about what outgoing traffic means. :) (and i am
> sure i am wrong) When traffic goes through the gw, outgoing traffic means to
> the gw that packets leave it's eth1 nic, isn't it? From wondershaper i just
> took examples. Of course wondershaper shapes outgoing traffic with htb. Once
> more, i download on the client machine, not on the gw. Thanks for replies!

...leave it's eth1 nic...

Well, it just hit me as this might explain why my setup does not work.
I'm shaping eth1 and uploading from a machine on the lan, not on the
gateway, just like you.
However, outgoing traffic might be incoming traffic for the internal
interface. I'm really confused now about in and out or directions in
general. I'll post a seperate mail regarding this.

Wondershaper is pretty straightforward. Just a single ppp0 interface.
I guess it cannot be mapped to a setup with multiple interfaces that
easily. My misconception...

Thanks for your "input"!

Regards, Walter

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] why dont packets go where i want?

[Michael T. Babcock]

Kertész Viktor wrote:

>I think we are out of sync about what outgoing traffic means. :) (and i am
>sure i am wrong) When traffic goes through the gw, outgoing traffic means to
>the gw that packets leave it's eth1 nic, isn't it? From wondershaper i just
>took examples. Of course wondershaper shapes outgoing traffic with htb. Once
>more, i download on the client machine, not on the gw. Thanks for replies!
>:)
>  
>
Outgoing traffic to _any_ machine is the traffic that is /leaving/ _any_ 
of its network interfaces.

-- 
Michael T. Babcock
C.T.O., FibreSpeed Ltd.
http://www.fibrespeed.net/~mbabcock


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] why dont packets go where i want?

[James Sneeringer]

On Thu, Oct 17, 2002 at 11:44:13AM +0200, Francois Dessart wrote:
> ftp-data        20/tcp
> ftp-data        20/udp
> ftp             21/tcp
> ftp             21/udp
> FTP data (passive) use port 20.

This is incorrect.

Both standard and passive FTP use tcp/21 as a control channel (logins,
commands, etc.).

Standard FTP uses tcp/20 as the server's source port for data transfers.
Prior to a transfer, the client listens on an arbitrary port and instructs
the server to connect to it for the transfer.

Passive FTP does not use tcp/20 at all.  Instead of the server connecting
to the client, the client connects to the server for data transfers.  The
server chooses an arbitrary port for the client to connect to.  The intent
of passive FTP was to work around firewalls that don't permit inbound
connections.

-James

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] why dont packets go where i want?

[Walter Haidinger]

On Thu, 17 Oct 2002, Walter Haidinger wrote:

> You cannot shape traffic for downloads with HTB, you'll need ingress
> instead. I'm not 100% (but quite!) sure there (just into traffic shaping a
> few days), so would somebody please correct me if I'm wrong here.

Well, luckily I was wrong here!
Just shape the traffic of the internal interface, i.e. the one _sending_
the (downloaded) data to your client machine. For you this is eth1.

Walter


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] why dont packets go where i want?

[Francois Dessart]

Thanks for this explanation.

> Passive FTP does not use tcp/20 at all.  Instead of the server
connecting
> to the client, the client connects to the server for data transfers.
The
> server chooses an arbitrary port for the client to connect to.  The
intent
> of passive FTP was to work around firewalls that don't permit inbound
> connections.

So with passive FTP, both ports (source and dest) are dynamic. Correct?

How to match this data tranfer with iptables?

Thanks.

Francois.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] why dont packets go where i want?

[Stef Coene]

On Friday 18 October 2002 08:21, Francois Dessart wrote:
> Thanks for this explanation.
>
> > Passive FTP does not use tcp/20 at all.  Instead of the server
>
> connecting
>
> > to the client, the client connects to the server for data transfers.
>
> The
>
> > server chooses an arbitrary port for the client to connect to.  The
>
> intent
>
> > of passive FTP was to work around firewalls that don't permit inbound
> > connections.
>
> So with passive FTP, both ports (source and dest) are dynamic. Correct?
>
> How to match this data tranfer with iptables?
There is a -m helper option so you can load additional modules.  There is a 
module that matches ftp packets (both data and control), but I don't know the 
syntax.  A google search on "iptables -m helper ftp" will help

http://www.netfilter.org/documentation/pomlist/pom-oldnat.html#helper :
If you want to match all packets belonging to ftp-sessions:
(both ftp-command and ftp-data connections)

iptables -A INPUT -m helper --helper ftp -j ACCEPT

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] why dont packets go where i want?

[James Sneeringer]

On Fri, Oct 18, 2002 at 08:41:42AM +0200, Stef Coene wrote:
> There is a -m helper option so you can load additional modules.  There is a 
> module that matches ftp packets (both data and control), but I don't know the 
> syntax.  A google search on "iptables -m helper ftp" will help
> http://www.netfilter.org/documentation/pomlist/pom-oldnat.html#helper :

Looks like it's been submitted for kernel inclusion with newnat:

http://www.netfilter.org/documentation/pomlist/pom-submitted.html#helper

For now, though, you'll still need to use patch-o-matic to be able to
use this module.

> If you want to match all packets belonging to ftp-sessions:
> (both ftp-command and ftp-data connections)
> 
> iptables -A INPUT -m helper --helper ftp -j ACCEPT

You'll also need the ip_conntrack_ftp module to be loaded.

-James

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/