From: "Martin A. Brown" <mabrown-lartc@securepipe.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Layer 7 application blocking via tc/iptables?
Date: Sat, 30 Aug 2003 00:19:53 +0000
Message-ID: <marc-lartc-106220452323995@msgid-missing>
In-Reply-To: <marc-lartc-106201614032501@msgid-missing>

Hi there Derek,

There are two approaches to dropping traffic once you have identified it.
I'll assume you have identified with an fwmark the traffic you wish to
drop.

: After I got the byte patterns and such, how might I go about blocking
: that? I can't very well set the rate to 0k or anything like that, so
: I've been scratching my head on how to actually _block_ something with
: iproute2.

You can route it to a blackhole or you can create a policer with a drop
action.

Here are some examples, assuming an fwmark of 7:

# echo "7 blackhole" >> /etc/iproute2/rt_tables
# ip route add blackhole default table blackhole
# ip rule add fwmark 7 table blackhole

This creates a routing table number 7 called "blackhole", which contains
exactly one route, a default route to a blackhole. Now, simply add a rule
to your RPDB to select this routing table for packets with fwmark 7, and
you are dropping all of these packets.

If you'd prefer to use a policer, you can use something like this
(untested):

# tc filter add dev ppp0 parent 1:1 protocol ip \
> handle 7 fw flowid 1:8 \
> police rate 1bps burst 1 action drop/drop

With that said, why don't you just use a -j DROP netfilter target?
Wouldn't that be easier if you are already using netfilter?

Best of luck,

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
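The blackhole-table approach from the message above, written up as an idempotent shell wrapper. This is an added example, not Martin's commands or anything from the LARTC HOWTO; it assumes iproute2 is installed, that RT_TABLES points at the rt_tables file (overridable so it can be exercised against a scratch copy), and that IP_CMD is the command used to apply changes (set IP_CMD=echo to print the commands instead of running them as root).

```shell
#!/bin/sh
# Added example (not from the original mail). Drops fwmarked traffic by
# sending it to a routing table whose only route is a blackhole default.
# Assumptions: RT_TABLES is the rt_tables file, IP_CMD is how `ip` is run.
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
IP_CMD="${IP_CMD:-ip}"

# Register "<id> <name>" in rt_tables only once. The plain
# `echo "7 blackhole" >> rt_tables` from the mail appends a duplicate
# entry every time it is re-run.
register_table() {
    id="$1" name="$2"
    if grep -Eq "^[[:space:]]*${id}[[:space:]]+${name}([[:space:]]|$)" "$RT_TABLES" 2>/dev/null; then
        return 0   # already registered exactly as requested
    fi
    # Refuse to rebind an id or a name that already points elsewhere.
    if grep -Eq "^[[:space:]]*${id}[[:space:]]" "$RT_TABLES" 2>/dev/null || \
       grep -Eq "^[[:space:]]*[0-9]+[[:space:]]+${name}([[:space:]]|$)" "$RT_TABLES" 2>/dev/null; then
        echo "register_table: ${id}/${name} conflicts with an existing entry" >&2
        return 1
    fi
    printf '%s %s\n' "$id" "$name" >> "$RT_TABLES"
}

# Install the blackhole default route in the named table and the RPDB rule
# that sends packets carrying MARK to it. `route replace` is idempotent;
# the rule is added only if `ip rule show` does not list it yet.
drop_fwmark() {
    mark="$1" table_id="$2" table_name="$3"
    register_table "$table_id" "$table_name" || return 1
    $IP_CMD route replace blackhole default table "$table_name"
    hexmark="0x$(printf '%x' "$mark")"
    if ! $IP_CMD rule show 2>/dev/null | grep -q "fwmark ${hexmark} .*lookup ${table_name}"; then
        $IP_CMD rule add fwmark "$mark" table "$table_name"
    fi
}
```

Run `IP_CMD=echo RT_TABLES=/tmp/rt_tables.test sh -c '. ./drop.sh; drop_fwmark 7 7 blackhole'` to see the exact `ip` commands it would issue without touching the live RPDB.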