* [LARTC] Packets marked but no shaping is done
From: Dragos Cinteza @ 2003-10-19  9:31 UTC
  To: lartc

Hello lartc users,

I mark packets (by MAC and IP); it works on my LAN except for one single host.
This host is able to fuck up the entire network because not a single bit of
his traffic is shaped. This way, when he is downloading, there is no more
internet in the entire LAN.

Here is what I get:

~ # iptables -L -n -v
Chain INPUT (policy DROP 129 packets, 18244 bytes)
 pkts bytes target     prot opt in     out     source               destination
 121K   89M ipac~o     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x3F
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x00
 2106  103K            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x16/0x02 limit: avg 10/sec burst 5
 121K   89M CUSTOMINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 117K   88M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
  215  7951 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   21  1260 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  671 40197 ACCEPT     all  --  eth0   *       192.168.1.1          0.0.0.0/0          MAC 00:02:44:67:30:30
   54  4471 ACCEPT     all  --  eth0   *       192.168.1.2          0.0.0.0/0          MAC 00:02:44:67:30:5E
 1417 87806 ACCEPT     all  --  eth0   *       192.168.1.3          0.0.0.0/0          MAC 00:02:44:59:71:40
  734 56195 ACCEPT     all  --  eth0   *       192.168.1.4          0.0.0.0/0          MAC 00:D0:09:D5:6B:12
  394 28308 ACCEPT     all  --  eth0   *       192.168.1.5          0.0.0.0/0          MAC 00:50:FC:9D:7A:5B
    0     0 ACCEPT     all  --  eth0   *       192.168.1.6          0.0.0.0/0          MAC 00:80:5F:8F:C2:48
  109 11947 ACCEPT     all  --  eth0   *       192.168.1.7          0.0.0.0/0          MAC 00:06:4F:05:FB:16
    0     0 ACCEPT     all  --  ipsec+ *       0.0.0.0/0            0.0.0.0/0
  129 18244 RED        all  --  *      *       0.0.0.0/0            0.0.0.0/0
  129 18244 XTACCESS   all  --  *      *       0.0.0.0/0            0.0.0.0/0
  113 16529 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `INPUT '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 198K   62M ipac~fi    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 198K   62M ipac~fo    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x3F
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x00
 198K   62M CUSTOMFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 190K   61M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   *       192.168.1.1          0.0.0.0/0          MAC 00:02:44:67:30:30
    1    48 ACCEPT     all  --  eth0   *       192.168.1.2          0.0.0.0/0          MAC 00:02:44:67:30:5E
  429 54514 ACCEPT     all  --  eth0   *       192.168.1.3          0.0.0.0/0          MAC 00:02:44:59:71:40
 6831  832K ACCEPT     all  --  eth0   *       192.168.1.4          0.0.0.0/0          MAC 00:D0:09:D5:6B:12
  478 28669 ACCEPT     all  --  eth0   *       192.168.1.5          0.0.0.0/0          MAC 00:50:FC:9D:7A:5B
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            192.168.1.5        tcp dpt:19995
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            192.168.1.5        tcp dpt:19995
    0     0 ACCEPT     all  --  eth0   *       192.168.1.6          0.0.0.0/0          MAC 00:80:5F:8F:C2:48
   72  5774 ACCEPT     all  --  eth0   *       192.168.1.7          0.0.0.0/0          MAC 00:06:4F:05:FB:16
    0     0 ACCEPT     all  --  ipsec+ *       0.0.0.0/0            0.0.0.0/0
    0     0 PORTFWACCESS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DMZHOLES   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `OUTPUT '

Chain OUTPUT (policy ACCEPT 141K packets, 85M bytes)
 pkts bytes target     prot opt in     out     source               destination
 141K   85M ipac~i     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain CUSTOMFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

The bad host is 192.168.1.1. As you can see, his packets are marked, but then the shaping is not done at all.

~ # tc -d -s class show dev eth1
class htb 10:10 root rate 125Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 7
 Sent 45405999 bytes 110084 pkts (dropped 0, overlimits 0)
 rate 90bps 1pps
 lended: 35284 borrowed: 0 giants: 0
 tokens: 2086912 ctokens: 79872

class htb 10:1 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 14563554 ctokens: 90112

class htb 10:2 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 14563554 ctokens: 90112

class htb 10:3 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
 Sent 446562 bytes 6804 pkts (dropped 0, overlimits 0)
 rate 5bps
 lended: 6804 borrowed: 0 giants: 0
 tokens: 14344532 ctokens: 58573

class htb 10:4 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
 Sent 44734592 bytes 102026 pkts (dropped 0, overlimits 0)
 rate 37bps
 lended: 66742 borrowed: 35284 giants: 0
 tokens: 14518044 ctokens: 83560

class htb 10:5 parent 10:10 prio 2 quantum 1500 rate 20Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
 Sent 216317 bytes 1153 pkts (dropped 0, overlimits 0)
 rate 60bps
 lended: 1153 borrowed: 0 giants: 0
 tokens: 12304384 ctokens: 79872

class htb 10:6 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 14563554 ctokens: 90112

class htb 10:7 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
 Sent 8528 bytes 101 pkts (dropped 0, overlimits 0)
 lended: 101 borrowed: 0 giants: 0
 tokens: 14546488 ctokens: 87655

And this is the version I use:
kernel HTB init, kernel part version 3.10

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* [LARTC] Packets marked but no shaping is done
From: Dragos Cinteza @ 2003-10-19 17:22 UTC
  To: lartc

Sorry for the non-MIME-encoded 8-bit ISO-8859-1 characters in the From header.
I resend this as an answer to the problem Harald Welte told me about.
I hope it's OK and goes to the mailing list now.

Hello lartc users,

I mark packets (by MAC and IP); it works on my LAN except for one single host.
This host is able to fuck up the entire network because not a single bit of
his traffic is shaped. This way, when he is downloading, there is no more
internet in the entire LAN.

Here is what I get:

~ # iptables -L -n -v
Chain INPUT (policy DROP 129 packets, 18244 bytes)
pkts bytes target prot opt in out source destination
121K 89M ipac~o all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
2106 103K tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 10/sec burst 5
121K 89M CUSTOMINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
117K 88M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
215 7951 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
21 1260 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
671 40197 ACCEPT all -- eth0 * 192.168.1.1 0.0.0.0/0 MAC 00:02:44:67:30:30
54 4471 ACCEPT all -- eth0 * 192.168.1.2 0.0.0.0/0 MAC 00:02:44:67:30:5E
1417 87806 ACCEPT all -- eth0 * 192.168.1.3 0.0.0.0/0 MAC 00:02:44:59:71:40
734 56195 ACCEPT all -- eth0 * 192.168.1.4 0.0.0.0/0 MAC 00:D0:09:D5:6B:12
394 28308 ACCEPT all -- eth0 * 192.168.1.5 0.0.0.0/0 MAC 00:50:FC:9D:7A:5B
0 0 ACCEPT all -- eth0 * 192.168.1.6 0.0.0.0/0 MAC 00:80:5F:8F:C2:48
109 11947 ACCEPT all -- eth0 * 192.168.1.7 0.0.0.0/0 MAC 00:06:4F:05:FB:16
0 0 ACCEPT all -- ipsec+ * 0.0.0.0/0 0.0.0.0/0
129 18244 RED all -- * * 0.0.0.0/0 0.0.0.0/0
129 18244 XTACCESS all -- * * 0.0.0.0/0 0.0.0.0/0
113 16529 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `INPUT '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
198K 62M ipac~fi all -- * * 0.0.0.0/0 0.0.0.0/0
198K 62M ipac~fo all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
198K 62M CUSTOMFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
190K 61M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 * 192.168.1.1 0.0.0.0/0 MAC 00:02:44:67:30:30
1 48 ACCEPT all -- eth0 * 192.168.1.2 0.0.0.0/0 MAC 00:02:44:67:30:5E
429 54514 ACCEPT all -- eth0 * 192.168.1.3 0.0.0.0/0 MAC 00:02:44:59:71:40
6831 832K ACCEPT all -- eth0 * 192.168.1.4 0.0.0.0/0 MAC 00:D0:09:D5:6B:12
478 28669 ACCEPT all -- eth0 * 192.168.1.5 0.0.0.0/0 MAC 00:50:FC:9D:7A:5B
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.5 tcp dpt:19995
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.5 tcp dpt:19995
0 0 ACCEPT all -- eth0 * 192.168.1.6 0.0.0.0/0 MAC 00:80:5F:8F:C2:48
72 5774 ACCEPT all -- eth0 * 192.168.1.7 0.0.0.0/0 MAC 00:06:4F:05:FB:16
0 0 ACCEPT all -- ipsec+ * 0.0.0.0/0 0.0.0.0/0
0 0 PORTFWACCESS all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DMZHOLES all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `OUTPUT '

Chain OUTPUT (policy ACCEPT 141K packets, 85M bytes)
pkts bytes target prot opt in out source destination
141K 85M ipac~i all -- * * 0.0.0.0/0 0.0.0.0/0

Chain CUSTOMFORWARD (1 references)
pkts bytes target prot opt in out source destination

The bad host is 192.168.1.1. As you can see, his packets are marked, but then the shaping is not done at all.

~ # tc -d -s class show dev eth1
class htb 10:10 root rate 125Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 7
Sent 45405999 bytes 110084 pkts (dropped 0, overlimits 0)
rate 90bps 1pps
lended: 35284 borrowed: 0 giants: 0
tokens: 2086912 ctokens: 79872

class htb 10:1 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 14563554 ctokens: 90112

class htb 10:2 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 14563554 ctokens: 90112

class htb 10:3 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 446562 bytes 6804 pkts (dropped 0, overlimits 0)
rate 5bps
lended: 6804 borrowed: 0 giants: 0
tokens: 14344532 ctokens: 58573

class htb 10:4 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 44734592 bytes 102026 pkts (dropped 0, overlimits 0)
rate 37bps
lended: 66742 borrowed: 35284 giants: 0
tokens: 14518044 ctokens: 83560

class htb 10:5 parent 10:10 prio 2 quantum 1500 rate 20Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 216317 bytes 1153 pkts (dropped 0, overlimits 0)
rate 60bps
lended: 1153 borrowed: 0 giants: 0
tokens: 12304384 ctokens: 79872

class htb 10:6 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 14563554 ctokens: 90112

class htb 10:7 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 8528 bytes 101 pkts (dropped 0, overlimits 0)
lended: 101 borrowed: 0 giants: 0
tokens: 14546488 ctokens: 87655

And this is the version I use:
kernel HTB init, kernel part version 3.10


* [LARTC] Packets marked but no shaping is done
From: Dragos Cinteza @ 2003-10-20 15:40 UTC
  To: lartc

Here it is now in plain text; just please help me understand, because what
happens seems very illogical. Sorry for sending this 3 times. I hope it
is OK now.

Hello lartc users,

I mark packets (by MAC and IP); it works on my LAN except for one single host.
This host is able to fuck up the entire network because not a single bit of
his traffic is shaped. This way, when he is downloading, there is no more
internet in the entire LAN.


Here is what I get:

~ # iptables -L -n -v 
Chain INPUT (policy DROP 129 packets, 18244 bytes) 
pkts bytes target prot opt in out source destination 
121K 89M ipac~o all -- * * 0.0.0.0/0 0.0.0.0/0 
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F 
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 
2106 103K tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 10/sec burst 5 
121K 89M CUSTOMINPUT all -- * * 0.0.0.0/0 0.0.0.0/0 
117K 88M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 
215 7951 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 
21 1260 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 
671 40197 ACCEPT all -- eth0 * 192.168.1.1 0.0.0.0/0 MAC 00:02:44:67:30:30 
54 4471 ACCEPT all -- eth0 * 192.168.1.2 0.0.0.0/0 MAC 00:02:44:67:30:5E 
1417 87806 ACCEPT all -- eth0 * 192.168.1.3 0.0.0.0/0 MAC 00:02:44:59:71:40 
734 56195 ACCEPT all -- eth0 * 192.168.1.4 0.0.0.0/0 MAC 00:D0:09:D5:6B:12 
394 28308 ACCEPT all -- eth0 * 192.168.1.5 0.0.0.0/0 MAC 00:50:FC:9D:7A:5B 
0 0 ACCEPT all -- eth0 * 192.168.1.6 0.0.0.0/0 MAC 00:80:5F:8F:C2:48 
109 11947 ACCEPT all -- eth0 * 192.168.1.7 0.0.0.0/0 MAC 00:06:4F:05:FB:16 
0 0 ACCEPT all -- ipsec+ * 0.0.0.0/0 0.0.0.0/0 
129 18244 RED all -- * * 0.0.0.0/0 0.0.0.0/0 
129 18244 XTACCESS all -- * * 0.0.0.0/0 0.0.0.0/0 
113 16529 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `INPUT ' 

Chain FORWARD (policy DROP 0 packets, 0 bytes) 
pkts bytes target prot opt in out source destination 
198K 62M ipac~fi all -- * * 0.0.0.0/0 0.0.0.0/0 
198K 62M ipac~fo all -- * * 0.0.0.0/0 0.0.0.0/0 
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F 
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 
198K 62M CUSTOMFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0 
190K 61M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 
0 0 ACCEPT all -- eth0 * 192.168.1.1 0.0.0.0/0 MAC 00:02:44:67:30:30 
1 48 ACCEPT all -- eth0 * 192.168.1.2 0.0.0.0/0 MAC 00:02:44:67:30:5E 
429 54514 ACCEPT all -- eth0 * 192.168.1.3 0.0.0.0/0 MAC 00:02:44:59:71:40 
6831 832K ACCEPT all -- eth0 * 192.168.1.4 0.0.0.0/0 MAC 00:D0:09:D5:6B:12 
478 28669 ACCEPT all -- eth0 * 192.168.1.5 0.0.0.0/0 MAC 00:50:FC:9D:7A:5B 
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.5 tcp dpt:19995 
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.5 tcp dpt:19995 
0 0 ACCEPT all -- eth0 * 192.168.1.6 0.0.0.0/0 MAC 00:80:5F:8F:C2:48 
72 5774 ACCEPT all -- eth0 * 192.168.1.7 0.0.0.0/0 MAC 00:06:4F:05:FB:16 
0 0 ACCEPT all -- ipsec+ * 0.0.0.0/0 0.0.0.0/0 
0 0 PORTFWACCESS all -- * * 0.0.0.0/0 0.0.0.0/0 
0 0 DMZHOLES all -- * eth0 0.0.0.0/0 0.0.0.0/0 
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `OUTPUT ' 

Chain OUTPUT (policy ACCEPT 141K packets, 85M bytes) 
pkts bytes target prot opt in out source destination 
141K 85M ipac~i all -- * * 0.0.0.0/0 0.0.0.0/0 

Chain CUSTOMFORWARD (1 references) 
pkts bytes target prot opt in out source destination 

The bad host is 192.168.1.1. As you can see, his packets are marked, but then the shaping is not done at all.

~ # tc -d -s class show dev eth1 
class htb 10:10 root rate 125Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 7 
Sent 45405999 bytes 110084 pkts (dropped 0, overlimits 0) 
rate 90bps 1pps 
lended: 35284 borrowed: 0 giants: 0 
tokens: 2086912 ctokens: 79872 

class htb 10:1 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0 
Sent 0 bytes 0 pkts (dropped 0, overlimits 0) 
lended: 0 borrowed: 0 giants: 0 
tokens: 14563554 ctokens: 90112 

class htb 10:2 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0 
Sent 0 bytes 0 pkts (dropped 0, overlimits 0) 
lended: 0 borrowed: 0 giants: 0 
tokens: 14563554 ctokens: 90112 

class htb 10:3 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0 
Sent 446562 bytes 6804 pkts (dropped 0, overlimits 0) 
rate 5bps 
lended: 6804 borrowed: 0 giants: 0 
tokens: 14344532 ctokens: 58573 

class htb 10:4 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0 
Sent 44734592 bytes 102026 pkts (dropped 0, overlimits 0) 
rate 37bps 
lended: 66742 borrowed: 35284 giants: 0 
tokens: 14518044 ctokens: 83560 

class htb 10:5 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0 
Sent 216317 bytes 1153 pkts (dropped 0, overlimits 0) 
rate 60bps 
lended: 1153 borrowed: 0 giants: 0 
tokens: 12304384 ctokens: 79872 

class htb 10:6 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0 
Sent 0 bytes 0 pkts (dropped 0, overlimits 0) 
lended: 0 borrowed: 0 giants: 0 
tokens: 14563554 ctokens: 90112 

class htb 10:7 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0 
Sent 8528 bytes 101 pkts (dropped 0, overlimits 0) 
lended: 101 borrowed: 0 giants: 0 
tokens: 14546488 ctokens: 87655 

And this is the version I use:
kernel HTB init, kernel part version 3.10

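The class dump above already contains the evidence, it just has to be read: the four leaves with traffic (10:3, 10:4, 10:5, 10:7) add up to exactly the 45405999 bytes the root class 10:10 reports, while 10:1, 10:2 and 10:6 never sent a byte, so whatever path the packets of 192.168.1.1 take, it is not through class 10:1. The script below is an added example, not something from the thread: it parses a "tc -s class show dev X" dump, lists the bytes per leaf class, flags idle leaves and compares the leaf total with the root. The embedded sample is the post's dump cut down to the two lines per class the parser uses; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the thread: parse a "tc -s class show dev X" dump,
# list what each leaf class sent, flag idle leaves, and compare the leaf total
# with the root class. All functions take the dump text as their argument.

# Constructed sample: the post's dump cut down to the two lines per class the
# parser needs (the "class htb" header and the "Sent" line).
SAMPLE_DUMP='class htb 10:10 root rate 125Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 7
 Sent 45405999 bytes 110084 pkts (dropped 0, overlimits 0)
class htb 10:1 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
class htb 10:2 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
class htb 10:3 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit level 0
 Sent 446562 bytes 6804 pkts (dropped 0, overlimits 0)
class htb 10:4 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit level 0
 Sent 44734592 bytes 102026 pkts (dropped 0, overlimits 0)
class htb 10:5 parent 10:10 prio 2 quantum 1500 rate 20Kbit ceil 125Kbit level 0
 Sent 216317 bytes 1153 pkts (dropped 0, overlimits 0)
class htb 10:6 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
class htb 10:7 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit level 0
 Sent 8528 bytes 101 pkts (dropped 0, overlimits 0)'

# "<classid> <bytes sent>" for every leaf, i.e. every class that no other
# class names as its parent, ordered by minor id.
leaf_bytes() {
    printf '%s\n' "$1" | awk '
        /^class htb / { cls = $3; classes[cls] = 1; if ($4 == "parent") parents[$5] = 1 }
        $1 == "Sent" && $3 == "bytes" { bytes[cls] = $2 }
        END { for (c in classes) if (!(c in parents)) print c, bytes[c] + 0 }
    ' | sort -t: -k2,2n
}

# Bytes reported by the root class (the one whose parent is the qdisc itself).
root_bytes() {
    printf '%s\n' "$1" | awk '
        /^class htb / { r = ($4 == "root") }
        r && $1 == "Sent" { print $2; exit }
    '
}

leaf_total() { leaf_bytes "$1" | awk '{ s += $2 } END { print s + 0 }'; }

# Leaves that never sent anything: no filter ever delivered a packet there,
# so the mark for that class is either not set or not matched.
idle_leaves() { leaf_bytes "$1" | awk '$2 == 0 { print $1 }' | paste -s -d ' ' -; }

# One-line summary; returns 1 when any leaf is idle so it can gate a script.
# A matching total does not prove every packet was classified: unclassified
# packets bypass all classes through HTB's direct queue and are only counted
# as direct_packets_stat in "tc -s qdisc show".
report() {
    idle=$(idle_leaves "$1")
    printf 'root %s bytes, leaves %s bytes, idle leaves: %s\n' \
        "$(root_bytes "$1")" "$(leaf_total "$1")" "${idle:-none}"
    [ -z "$idle" ]
}

# Usage on a live box (needs no privileges): report "$(tc -s class show dev eth1)"
```

For the sample this prints "root 45405999 bytes, leaves 45405999 bytes, idle leaves: 10:1 10:2 10:6" and returns 1. A leaf that stays at "Sent 0 bytes" while its host is busy means no filter carries that mark into the class; the leaves adding up to the root, on the other hand, says nothing about packets that were never classified, because when the HTB qdisc has no "default" those go out through its direct queue, never enter any class, and are visible only as direct_packets_stat in "tc -s qdisc show dev eth1", which the post does not include.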

* Re: [LARTC] Packets marked but no shaping is done
From: Stef Coene @ 2003-10-20 18:47 UTC
  To: lartc

On Monday 20 October 2003 17:40, Dragos Cinteza wrote:
> Here it is now in plain text; just please help me understand, because what
> happens seems very illogical. Sorry for sending this 3 times. I hope it
> is OK now.
Euh.  I don't see a tc filter statement.  And where is the iptables line that 
matches the packets ???  Also, post your tc commands and your iptables rules.

Stef

-- 
stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.openprojects.net


* RE: [LARTC] Packets marked but no shaping is done
From: Dragos Cinteza @ 2003-10-27 21:26 UTC
  To: lartc

In the last mail I only put the results of listing chains and classes.
This is how the chains are made:
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog

# Flush all rules and delete all custom chains
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X

# Set up policies
/sbin/iptables -P INPUT DROP
# Changed from ACCEPT to DROP for selective access, with the exception of HTTP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT

# This chain logs, then DROPs, "Xmas" and Null packets which might
# indicate a port-scan attempt
/sbin/iptables -N PSCAN
/sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "TCP Scan? "
/sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "UDP Scan? "
/sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "ICMP Scan? "
/sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? "
/sbin/iptables -A PSCAN -j DROP

# Disallow packets frequently used by port-scanners, XMas and Null
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j PSCAN
/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j PSCAN
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j PSCAN
/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j PSCAN

# Limit Packets- helps reduce dos/syn attacks
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec

# CUSTOM chains, can be used by the users themselves
/sbin/iptables -N CUSTOMINPUT
/sbin/iptables -A INPUT -j CUSTOMINPUT 
/sbin/iptables -N CUSTOMFORWARD
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -t nat -N CUSTOMPREROUTING
/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING

# Accept everything connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j ACCEPT


/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.1 -m mac --mac-source 00-02-44-67-30-30 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.2 -m mac --mac-source 00-02-44-67-30-5E -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.3 -m mac --mac-source 00-02-44-59-71-40 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.4 -m mac --mac-source 00-D0-09-D5-6B-12 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.5 -m mac --mac-source 00-50-FC-9D-7A-5B -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.6 -m mac --mac-source 00-80-5F-8F-C2-48 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.7 -m mac --mac-source 00-06-4F-05-FB-16 -j ACCEPT

/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.1 -m mac --mac-source 00-02-44-67-30-30 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.2 -m mac --mac-source 00-02-44-67-30-5E -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.3 -m mac --mac-source 00-02-44-59-71-40 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.4 -m mac --mac-source 00-D0-09-D5-6B-12 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.5 -m mac --mac-source 00-50-FC-9D-7A-5B -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.6 -m mac --mac-source 00-80-5F-8F-C2-48 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.7 -m mac --mac-source 00-06-4F-05-FB-16 -j ACCEPT

/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -d 192.168.1.5 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 193.108.54.37 -d 192.168.1.5 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -d 192.168.1.5 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 193.108.54.37 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 128.242.207.197 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 80.86.96.1 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -j DROP

/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.1 -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.2 -j MARK --set-mark 2
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.3 -j MARK --set-mark 3
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.4 -j MARK --set-mark 4
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.5 -j MARK --set-mark 5
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.6 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.7 -j MARK --set-mark 7

/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-02-44-67-30-30 -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-02-44-67-30-5E -j MARK --set-mark 2
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-02-44-59-71-40 -j MARK --set-mark 3
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-D0-09-D5-6B-12 -j MARK --set-mark 4
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-50-FC-9D-7A-5B -j MARK --set-mark 5
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-80-5F-8F-C2-48 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-06-4F-05-FB-16 -j MARK --set-mark 7

/sbin/iptables -A INPUT -i ipsec+ -j ACCEPT
/sbin/iptables -A FORWARD -i ipsec+ -j ACCEPT


# Custom prerouting chains (for transparent proxy and port forwarding)
/sbin/iptables -t nat -N SQUID
/sbin/iptables -t nat -A PREROUTING -j SQUID
/sbin/iptables -t nat -N PORTFW
/sbin/iptables -t nat -A PREROUTING -j PORTFW


# last rule in input and forward chain is for logging.
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "


# Accept everything connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT


$GREEN_DEV is the LAN interface



and here are the tc commands:

# clean existing down- and uplink qdiscs, hide errors
tc qdisc del dev eth1 root 2> /dev/null > /dev/null
tc qdisc del dev eth1 ingress 2> /dev/null > /dev/null
tc qdisc del dev eth0 root 2> /dev/null > /dev/null
tc qdisc del dev eth0 ingress 2> /dev/null > /dev/null



tc qdisc add dev eth1 root handle 10: htb r2q 1
tc class add dev eth1 parent 10: classid 10:10 htb rate 125kbit ceil 125kbit quantum 2250 burst 60k

tc class add dev eth1 parent 10:10 classid 10:1 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k

tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.1 flowid 10:1
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.1 flowid 10:1

tc class add dev eth1 parent 10:10 classid 10:2 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k

tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.2 flowid 10:2
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.2 flowid 10:2


tc class add dev eth1 parent 10:10 classid 10:3 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k

tc filter add dev eth1 parent 10: protocol ip handle 3 fw classid 10:3
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.3 flowid 10:3
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.3 flowid 10:3

tc class add dev eth1 parent 10:10 classid 10:4 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k

tc filter add dev eth1 parent 10: protocol ip handle 4 fw classid 10:4
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.4 flowid 10:4
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.4 flowid 10:4

tc class add dev eth1 parent 10:10 classid 10:5 htb rate 20kbit ceil 125kbit quantum 1500 prio 2 burst 60k

tc filter add dev eth1 parent 10: protocol ip handle 5 fw classid 10:5
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.5 flowid 10:5
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.5 flowid 10:5

tc class add dev eth1 parent 10:10 classid 10:6 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k

tc filter add dev eth1 parent 10: protocol ip handle 6 fw classid 10:6
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.6 flowid 10:6
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.6 flowid 10:6

tc class add dev eth1 parent 10:10 classid 10:7 htb rate 18kbit ceil 125kbit quantum 1500 prio 3 burst 60k

tc filter add dev eth1 parent 10: protocol ip handle 7 fw classid 10:7
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.7 flowid 10:7
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.7 flowid 10:7   

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* RE: [LARTC] Pakets marked but no shapeing is done
  2003-10-19  9:31 [LARTC] Pakets marked but no shapeing is done =?unknown-8bit?q?Drago=C2=BA_Cintez=C3=A3?=
                   ` (3 preceding siblings ...)
  2003-10-27 21:26 ` Dragos Cinteza
@ 2003-10-28  7:41 ` Catalin BOIE
  2003-10-28 18:18 ` Stef Coene
  2003-11-01 12:35 ` =?unknown-8bit?q?Drago=C2=BA_Cintez=C3=A3?=
  6 siblings, 0 replies; 8+ messages in thread
From: Catalin BOIE @ 2003-10-28  7:41 UTC (permalink / raw)
  To: lartc

What ip isn't shaped right?

---
Catalin(ux) BOIE
catab@deuroconsult.ro

* Re: [LARTC] Pakets marked but no shapeing is done
  2003-10-19  9:31 [LARTC] Pakets marked but no shapeing is done =?unknown-8bit?q?Drago=C2=BA_Cintez=C3=A3?=
                   ` (4 preceding siblings ...)
  2003-10-28  7:41 ` Catalin BOIE
@ 2003-10-28 18:18 ` Stef Coene
  2003-11-01 12:35 ` =?unknown-8bit?q?Drago=C2=BA_Cintez=C3=A3?=
  6 siblings, 0 replies; 8+ messages in thread
From: Stef Coene @ 2003-10-28 18:18 UTC (permalink / raw)
  To: lartc

On Monday 27 October 2003 22:26, Dragos Cinteza wrote:
> In the last mail I only put the results of listing chains and classes.
You never told us what's your LAN interface: eth0 or eth1?  And you have 
double filters: for the src and dst.  And that's not needed.  You cannot 
have packets with src and dst the same address on a nic.

Stef

-- 
stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.openprojects.net


* RE: [LARTC] Pakets marked but no shapeing is done
  2003-10-19  9:31 [LARTC] Pakets marked but no shapeing is done =?unknown-8bit?q?Drago=C2=BA_Cintez=C3=A3?=
                   ` (5 preceding siblings ...)
  2003-10-28 18:18 ` Stef Coene
@ 2003-11-01 12:35 ` =?unknown-8bit?q?Drago=C2=BA_Cintez=C3=A3?=
  6 siblings, 0 replies; 8+ messages in thread
From: =?unknown-8bit?q?Drago=C2=BA_Cintez=C3=A3?= @ 2003-11-01 12:35 UTC (permalink / raw)
  To: lartc

--==----==----==----==----==----==----==----==----==----==--

Stef> On Monday 27 October 2003 22:26, Dragos Cinteza wrote:
>> In the last mail I only put the results of listing chains and classes.
Stef> You never told us what's your LAN interface : eth0 or eth1? 
eth0 is my LAN interface (GREEN): IP = 192.168.1.10
and 
eth1 is my internet interface (RED) 
My script blocks access to all stations except the ones that have the right combinations of MAC and IP (7 hosts).
Then there are, in customforward, a few rules that block access to certain sites.
I tried to do marking based on IP, then based on MAC, but host 192.168.1.1 still isn't marked. 

Stef> And you have double filters : for the src and dst. And that's not needed. You can not have packets with src and dst the same address on a nic.
I know, I think I should only put source. I'm not sure, but I think packets still have the LAN (192.168.1.x) source address when they are filtered by tc, and only after that is the source replaced with the Linux box's external IP address for NATing. Anyway, the filtering is not done with the source only, as it isn't with source and destination or only destination.

Stef> Stef

========================================  

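The marking-plus-shaping layout that Stef's point leads to, as an added example that is not the original poster's script: it classifies on the WAN interface by fw mark alone (on that interface's egress queue SNAT has already replaced the LAN source address, so the u32 src/dst matches in the posted script cannot hit there, while the mark survives NAT), and it gives the HTB root a default class so traffic that reaches the queue unmarked is shaped instead of bypassing the limiter. Interface names, marks, addresses, rates and the DRY_RUN switch are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's script. One HTB tree on the WAN
# interface, fed by fw marks set in the mangle table on the way in. Every
# unmatched packet lands in a default class, so a host that slips past the
# marking rules is still rate-limited rather than taking the whole link.
# Interface names, marks, addresses and rates below are constructed.
# DRY_RUN=1 prints the commands instead of executing them (tc/iptables need root).

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_shaper WAN LAN LINK_RATE DEFAULT_MINOR "mark:ip:rate ..."
# The mark doubles as the HTB class minor number (10:<mark>).
build_shaper() {
    wan=$1 lan=$2 link=$3 dflt=$4 hosts=$5
    run tc qdisc del dev "$wan" root 2>/dev/null || true
    # 'default' is what the posted script lacks: without it, packets that no
    # filter classifies leave the root qdisc unshaped.
    run tc qdisc add dev "$wan" root handle 10: htb default "$dflt" r2q 1
    run tc class add dev "$wan" parent 10: classid 10:10 htb rate "$link" ceil "$link"
    run tc class add dev "$wan" parent 10:10 classid "10:$dflt" htb rate 8kbit ceil "$link" prio 7
    for h in $hosts; do
        mark=${h%%:*}; rest=${h#*:}; addr=${rest%%:*}; rate=${rest#*:}
        # Mark in FORWARD (before SNAT), where the LAN source address is still visible.
        run iptables -t mangle -A FORWARD -i "$lan" -s "$addr" -j MARK --set-mark "$mark"
        run tc class add dev "$wan" parent 10:10 classid "10:$mark" htb rate "$rate" ceil "$link" prio 2
        # On $wan egress the source is already the external address, so a
        # 'u32 match ip src 192.168.1.x' can never match; the fw mark does.
        run tc filter add dev "$wan" parent 10: protocol ip prio 1 handle "$mark" fw classid "10:$mark"
    done
}

# Count the fw filters in a generated command list that steer a given mark
# into its own class; exactly one per host is what we want (the posted script
# had two for mark 1 and none for mark 2).
fw_filters_for_mark() {
    printf '%s\n' "$1" | grep -c "handle $2 fw classid 10:$2"
}

# Usage: DRY_RUN=1 build_shaper eth1 eth0 125kbit 99 "1:192.168.1.1:18kbit 2:192.168.1.2:18kbit"
```

After loading the rules for real, `tc -s class show dev eth1` prints per-class byte counters; bytes accumulating in the default class rather than in a host's class mean that host's packets are reaching the queue without the mark.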

end of thread, other threads:[~2003-11-01 12:35 UTC | newest]

Thread overview: 8+ messages
2003-10-19  9:31 [LARTC] Pakets marked but no shapeing is done =?unknown-8bit?q?Drago=C2=BA_Cintez=C3=A3?=
2003-10-19 17:22 ` Dragoa Cinteza
2003-10-20 15:40 ` Dragos Cinteza
2003-10-20 18:47 ` Stef Coene
2003-10-27 21:26 ` Dragos Cinteza
2003-10-28  7:41 ` Catalin BOIE
2003-10-28 18:18 ` Stef Coene
2003-11-01 12:35 ` =?unknown-8bit?q?Drago=C2=BA_Cintez=C3=A3?=
