From: "Martin A. Brown" <mabrown@securepipe.com>
Date: Sat, 30 Aug 2003 00:19:53 +0000
Subject: Re: [LARTC] Layer 7 application blocking via tc/iptables?
To: lartc@vger.kernel.org

Hi there Derek,

There are two approaches to dropping traffic once you have identified it. I'll assume you have identified with an fwmark the traffic you wish to drop.

: After I got the byte patterns and such, how might I go about blocking
: that? I can't very well set the rate to 0k or anything like that, so
: I've been scratching my head on how to actually _block_ something with
: iproute2.

You can route it to a blackhole or you can create a policer with a drop action. Here are some examples, assuming an fwmark of 7:

  # echo "7 blackhole" >> /etc/iproute2/rt_tables
  # ip route add blackhole default table blackhole
  # ip rule add fwmark 7 table blackhole

This creates a routing table number 7 called "blackhole", which contains exactly one route, a default route to a blackhole. Now, simply add a rule to your RPDB to select this routing table for packets with fwmark 7, and you are dropping all of these packets.

If you'd prefer to use a policer, you can use something like this (untested):

  # tc filter add dev ppp0 parent 1:1 protocol ip \
  >   handle 6 fw flowid 1:8 \
  >   police rate 1bps burst 1 drop

With that said, why don't you just use a -j DROP netfilter target? Wouldn't that be easier if you are already using netfilter?

Best of luck,

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
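The blackhole-table procedure from the reply above, written up as an added example (not Martin's or the LARTC project's code) so that it can be re-run safely: each of the three steps is checked before it is applied, so a second run does not append a duplicate rt_tables line or a duplicate RPDB rule. The RT_TABLES and IP variables are assumptions added here so the functions can be exercised without root.

```sh
#!/bin/sh
# Added example, not from the original post: make the fwmark -> blackhole
# routing table setup idempotent and verify each step instead of assuming it.
# RT_TABLES and IP are overridable (assumption, so the logic can be tested
# on a box where you are not root; the defaults match the post).
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
IP=${IP:-ip}

# Succeed if rt_tables already maps some id to NAME ($1).
# Comment and blank lines are ignored.
rt_table_defined() {
  grep -Ev '^[[:space:]]*(#|$)' "$RT_TABLES" 2>/dev/null |
    awk -v n="$1" '$2 == n { found = 1 } END { exit !found }'
}

# Append "ID NAME" ($1 $2) to rt_tables unless NAME is already registered.
rt_table_register() {
  rt_table_defined "$2" || printf '%s %s\n' "$1" "$2" >> "$RT_TABLES"
}

# Add the blackhole default route to TABLE ($1) only if it is not there yet.
blackhole_route_ensure() {
  "$IP" route show table "$1" 2>/dev/null | grep -q '^blackhole default' ||
    "$IP" route add blackhole default table "$1"
}

# Add the RPDB rule "fwmark MARK lookup TABLE" ($1 $2) only if missing.
# ip prints marks in hex, so the existence check compares the hex form.
fwmark_rule_ensure() {
  hex=$(printf '0x%x' "$1")
  "$IP" rule show 2>/dev/null | grep -q "fwmark $hex lookup $2" ||
    "$IP" rule add fwmark "$1" table "$2"
}

# Whole procedure: MARK TABLE_ID TABLE_NAME, e.g. blackhole_setup 7 7 blackhole
blackhole_setup() {
  rt_table_register "$2" "$3" &&
  blackhole_route_ensure "$3" &&
  fwmark_rule_ensure "$1" "$3"
}
```

After running it for real, `ip rule show` and `ip route show table blackhole` should each list exactly one matching entry no matter how many times the script was invoked.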