From: "netmaster" <webmaster@ciudadglobal.com.ar>
To: lartc@vger.kernel.org
Subject: [LARTC] tc filter isn't work !
Date: Tue, 25 Mar 2003 00:28:23 +0000	[thread overview]
Message-ID: <marc-lartc-104855219721019@msgid-missing> (raw)

Hi!

I've a Linux box to which I want to apply a filter
in order to limit outgoing FTP traffic from my
Linux box to the Internet.

I've a:
	Red Hat 7.2
	Kernel 2.4.20 (with HTB built in!)
	iptables 1.2.7a

Also, I got the "tc" binary package from the HTB home page.

I have a script in order to manage everything.

After doing an FTP session and sending a file to the Internet from
my Linux box, the traffic seems to be caught by iptables, but
not by the tc filter (dropped 0, overlimits 0).

What is wrong ???
Please see below my script and diagnostics.

Thank you !!

Mac

-------------------------------------------------------

#!/bin/bash

# Clear everything

tc qdisc del dev eth0 root 2> /dev/null > /dev/null
tc qdisc del dev eth0 ingress 2> /dev/null > /dev/null
iptables -F OUTPUT -t mangle
iptables -F INPUT -t mangle
iptables -F PREROUTING -t mangle
iptables -F POSTROUTING -t mangle
iptables -F FORWARD -t mangle

# HTB qdisc

tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:1 htb rate 32kbit ceil 32kbit burst 2kbit

# FTP traffic class
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 16kbit ceil 16kbit

# sfq
tc qdisc add dev eth0 parent 1:10 handle 40: sfq perturb 10

# Filter FTP traffic
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 1 fw classid 1:10

# iptables to get FTP traffic

iptables -A OUTPUT -t mangle -p tcp --dport 21 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -p tcp --dport 20 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -p udp --dport 21 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -p udp --dport 20 -j MARK --set-mark 1

iptables -A PREROUTING -t mangle -p tcp --dport 21 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -p tcp --dport 20 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -p udp --dport 21 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -p udp --dport 20 -j MARK --set-mark 1

iptables -A FORWARD -t mangle -p tcp --dport 21 -j MARK --set-mark 1
iptables -A FORWARD -t mangle -p tcp --dport 20 -j MARK --set-mark 1
iptables -A FORWARD -t mangle -p udp --dport 21 -j MARK --set-mark 1
iptables -A FORWARD -t mangle -p udp --dport 20 -j MARK --set-mark 1

iptables -A POSTROUTING -t mangle -p tcp --dport 21 -j MARK --set-mark 1
iptables -A POSTROUTING -t mangle -p tcp --dport 20 -j MARK --set-mark 1
iptables -A POSTROUTING -t mangle -p udp --dport 21 -j MARK --set-mark 1
iptables -A POSTROUTING -t mangle -p udp --dport 20 -j MARK --set-mark 1

-------------------------------------------------------

[root@LinuxBOX macwww]# iptables -L -t mangle -nvx

Chain PREROUTING (policy ACCEPT 190679 packets, 163312488 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1       40 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 MARK set 0x1
       0        0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 MARK set 0x1
       0        0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:21 MARK set 0x1
       0        0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:20 MARK set 0x1

Chain INPUT (policy ACCEPT 161324 packets, 160097182 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 MARK set 0x1
       0        0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 MARK set 0x1
       0        0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:21 MARK set 0x1
       0        0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:20 MARK set 0x1

Chain OUTPUT (policy ACCEPT 130426 packets, 136583975 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      33     1989 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 MARK set 0x1
       0        0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 MARK set 0x1
       0        0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:21 MARK set 0x1
       0        0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:20 MARK set 0x1

Chain POSTROUTING (policy ACCEPT 130426 packets, 136583975 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      33     1989 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 MARK set 0x1
       0        0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 MARK set 0x1
       0        0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:21 MARK set 0x1
       0        0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0

-------------------------------------------------------

[root@LinuxBOX macwww]# tc -s -d qdisc show dev eth0
qdisc sfq 60: quantum 1514b limit 128p flows 128/1024 perturb 10sec  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 50: quantum 1514b limit 128p flows 128/1024 perturb 10sec  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 40: quantum 1514b limit 128p flows 128/1024 perturb 10sec  Sent 2451 bytes 33 pkts (dropped 0, overlimits 0)

qdisc htb 1: r2q 10 default 0 direct_packets_stat 7233 ver 3.7  Sent 9630794 bytes 7266 pkts (dropped 0, overlimits 0)


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
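A way to read the two diagnostic dumps in the post side by side, as an added example that is not part of the original message and is not code from the HTB, iproute2 or iptables projects: it parses the OUTPUT chain of `iptables -L -t mangle -nvx` and the `tc -s -d qdisc show` listing (the sample strings below are constructed from the counters in the post, rejoined onto single lines), checks whether the packets iptables marked are the same packets the leaf qdisc `sfq 40:` sent, lists MARK rules that never matched, and reports how many packets HTB passed with no class at all (`direct_packets_stat`). The regular expressions, function names, the `leaf_handle` argument and the report keys are my own assumptions, not anything from the list or the tools.

```python
"""Cross-check iptables MARK counters against tc qdisc counters (added example)."""
import re

# Constructed sample: the OUTPUT chain of `iptables -L -t mangle -nvx` with the
# counters from the post, each rule on one line.
IPTABLES_MANGLE_OUTPUT = """\
Chain OUTPUT (policy ACCEPT 130426 packets, 136583975 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      33     1989 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 MARK set 0x1
       0        0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 MARK set 0x1
       0        0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:21 MARK set 0x1
       0        0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:20 MARK set 0x1
"""

# Constructed sample: `tc -s -d qdisc show dev eth0` from the post, one qdisc per line.
TC_QDISC_STATS = """\
qdisc sfq 60: quantum 1514b limit 128p flows 128/1024 perturb 10sec  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 50: quantum 1514b limit 128p flows 128/1024 perturb 10sec  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 40: quantum 1514b limit 128p flows 128/1024 perturb 10sec  Sent 2451 bytes 33 pkts (dropped 0, overlimits 0)
qdisc htb 1: r2q 10 default 0 direct_packets_stat 7233 ver 3.7  Sent 9630794 bytes 7266 pkts (dropped 0, overlimits 0)
"""

# A MARK rule line: hit counters, protocol, the dpt: match and the mark value.
MARK_RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+MARK\s+(?P<proto>\w+)\s+.*?"
    r"dpt:(?P<dport>\d+)\s+MARK set 0x(?P<mark>[0-9a-fA-F]+)\s*$",
    re.MULTILINE,
)

# A qdisc line with its "Sent ... (dropped N, overlimits M)" statistics.
QDISC_RE = re.compile(
    r"^\s*qdisc (?P<kind>\w+) (?P<handle>[0-9a-fA-F]+): (?P<opts>.*?)\s+"
    r"Sent (?P<bytes>\d+) bytes (?P<pkts>\d+) pkts "
    r"\(dropped (?P<dropped>\d+), overlimits (?P<overlimits>\d+)\)",
    re.MULTILINE,
)


def parse_mark_rules(text):
    """Return one dict per MARK rule: hit counters, protocol, dport and mark value."""
    return [
        {"pkts": int(m["pkts"]), "bytes": int(m["bytes"]), "proto": m["proto"],
         "dport": int(m["dport"]), "mark": int(m["mark"], 16)}
        for m in MARK_RULE_RE.finditer(text)
    ]


def parse_qdiscs(text):
    """Return {handle: stats} for every qdisc line; HTB's direct_packets_stat is kept too."""
    qdiscs = {}
    for m in QDISC_RE.finditer(text):
        stats = {"kind": m["kind"], "bytes": int(m["bytes"]), "pkts": int(m["pkts"]),
                 "dropped": int(m["dropped"]), "overlimits": int(m["overlimits"])}
        direct = re.search(r"direct_packets_stat (\d+)", m["opts"])
        if direct:
            stats["direct_pkts"] = int(direct.group(1))  # packets HTB sent with no class
        qdiscs[m["handle"]] = stats
    return qdiscs


def diagnose(iptables_text, tc_text, leaf_handle, mark):
    """Did the packets iptables tagged with `mark` reach the leaf qdisc `leaf_handle`?"""
    rules = [r for r in parse_mark_rules(iptables_text) if r["mark"] == mark]
    qdiscs = parse_qdiscs(tc_text)
    leaf = qdiscs[leaf_handle]
    root = next((q for q in qdiscs.values() if q["kind"] == "htb"), {})
    marked_pkts = sum(r["pkts"] for r in rules)
    marked_bytes = sum(r["bytes"] for r in rules)
    report = {
        "marked_pkts": marked_pkts,
        "leaf_pkts": leaf["pkts"],
        # Same packet count on both sides means the fw filter did classify the marked traffic.
        "filter_classifies_marked": marked_pkts > 0 and leaf["pkts"] == marked_pkts,
        # dropped/overlimits only rise when the class's rate or ceil is actually reached.
        "leaf_ever_overlimit": leaf["overlimits"] > 0 or leaf["dropped"] > 0,
        # Rules that never matched anything are candidates for a wrong port or protocol.
        "dead_rules": [(r["proto"], r["dport"]) for r in rules if r["pkts"] == 0],
        # Traffic that hit HTB but matched no class (default 0) and so was never shaped.
        "unclassified_pkts": root.get("direct_pkts"),
    }
    if marked_pkts:
        # Byte gap per packet between the two counters. 14 is consistent with the
        # qdisc counting the Ethernet header, which the IP-layer netfilter hook does not.
        report["per_pkt_overhead"] = (leaf["bytes"] - marked_bytes) / marked_pkts
    return report


if __name__ == "__main__":
    for key, value in diagnose(IPTABLES_MANGLE_OUTPUT, TC_QDISC_STATS, "40", 1).items():
        print(f"{key}: {value}")
```

Run over the counters in the post it reports 33 marked packets and 33 packets sent by `sfq 40:`, so the fw filter does classify what iptables marks; `dropped 0, overlimits 0` only says that 2451 bytes of control-channel traffic never reached the 16kbit ceiling. What the report also shows is that the three `dport 20` and UDP rules never matched and that 7233 packets went through HTB with no class at all, which is where an uploaded file would end up: FTP carries file data on a separate data connection, opened in active mode by the server from its source port 20 to a port the client announced, and in passive mode by the client to an ephemeral port the server announced, so a client's outgoing data packets never have destination port 20 and a `--dport 20` rule on the client cannot mark them. Catching the data connection needs connection tracking with the FTP helper (`ip_conntrack_ftp` on 2.4 kernels) to relate it to the control session rather than a fixed port.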
