* =?unknown-8bit?q?r=C3=A3spuns?= la: "[LARTC] Pakets marked but no shapeing is done" din 10/20/2003
@ 2003-10-21 19:49 Dragos Cinteza
0 siblings, 0 replies; only message in thread
From: Dragos Cinteza @ 2003-10-21 19:49 UTC (permalink / raw)
To: lartc
--==----==----==----==----==----==----==----==----==----==--
Stef> On Monday 20 October 2003 17:40, Dragos Cinteza wrote:
>> Here it is now in plain text, just pls help me understand, cuz seems
>> verry ilogic what happends. Sorry for sending this 3 times. I hope it
>> is ok now.
Stef> Euh. I don't see a tc filter statement. And where is the iptables line that
Stef> matches the packets ??? Also, post your tc commands and your iptables rules.
Stef> Stef
========================================
In the last mail I only put the results of listing chains and classes.
This it is how the chains are made:
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog
# Flush all rules and delete all custom chains
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X
# Set up policies
/sbin/iptables -P INPUT DROP
#Modificata din ACCEPT in DROP pt access selectiv cu exceptia HTTP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
# This chain will log, then DROPs "Xmas" and Null packets which might
# indicate a port-scan attempt
/sbin/iptables -N PSCAN
/sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "TCP Scan? "
/sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "UDP Scan? "
/sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "ICMP Scan? "
/sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? "
/sbin/iptables -A PSCAN -j DROP
# Disallow packets frequently used by port-scanners, XMas and Null
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j PSCAN
/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j PSCAN
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j PSCAN
/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j PSCAN
# Limit Packets- helps reduce dos/syn attacks
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec
# CUSTOM chains, can be used by the users themselves
/sbin/iptables -N CUSTOMINPUT
/sbin/iptables -A INPUT -j CUSTOMINPUT
/sbin/iptables -N CUSTOMFORWARD
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -t nat -N CUSTOMPREROUTING
/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
# Accept everyting connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.1 -m mac --mac-source 00-02-44-67-30-30 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.2 -m mac --mac-source 00-02-44-67-30-5E -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.3 -m mac --mac-source 00-02-44-59-71-40 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.4 -m mac --mac-source 00-D0-09-D5-6B-12 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.5 -m mac --mac-source 00-50-FC-9D-7A-5B -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.6 -m mac --mac-source 00-80-5F-8F-C2-48 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.7 -m mac --mac-source 00-06-4F-05-FB-16 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.1 -m mac --mac-source 00-02-44-67-30-30 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.2 -m mac --mac-source 00-02-44-67-30-5E -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.3 -m mac --mac-source 00-02-44-59-71-40 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.4 -m mac --mac-source 00-D0-09-D5-6B-12 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.5 -m mac --mac-source 00-50-FC-9D-7A-5B -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.6 -m mac --mac-source 00-80-5F-8F-C2-48 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.7 -m mac --mac-source 00-06-4F-05-FB-16 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -d 192.168.1.5 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 193.108.54.37 -d 192.168.1.5 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -d 192.168.1.5 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 193.108.54.37 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 128.242.207.197 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 80.86.96.1 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -j DROP
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.1 -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.2 -j MARK --set-mark 2
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.3 -j MARK --set-mark 3
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.4 -j MARK --set-mark 4
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.5 -j MARK --set-mark 5
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.6 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.7 -j MARK --set-mark 7
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-02-44-67-30-30 -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-02-44-67-30-5E -j MARK --set-mark 2
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-02-44-59-71-40 -j MARK --set-mark 3
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-D0-09-D5-6B-12 -j MARK --set-mark 4
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-50-FC-9D-7A-5B -j MARK --set-mark 5
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-80-5F-8F-C2-48 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-06-4F-05-FB-16 -j MARK --set-mark 7
/sbin/iptables -A INPUT -i ipsec+ -j ACCEPT
/sbin/iptables -A FORWARD -i ipsec+ -j ACCEPT
# Custom prerouting chains (for transparent proxy and port forwarding)
/sbin/iptables -t nat -N SQUID
/sbin/iptables -t nat -A PREROUTING -j SQUID
/sbin/iptables -t nat -N PORTFW
/sbin/iptables -t nat -A PREROUTING -j PORTFW
# last rule in input and forward chain is for logging.
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "
# Accept everyting connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT
$GREEN_DEV is the LAN interface
and here are the tc commands:
# clean existing down- and uplink qdiscs, hide errors
tc qdisc del dev eth1 root 2> /dev/null > /dev/null
tc qdisc del dev eth1 ingress 2> /dev/null > /dev/null
tc qdisc del dev eth0 root 2> /dev/null > /dev/null
tc qdisc del dev eth0 ingress 2> /dev/null > /dev/null
tc qdisc add dev eth1 root handle 10: htb r2q 1
tc class add dev eth1 parent 10: classid 10:10 htb rate 125kbit ceil 125kbit quantum 2250 burst 60k
tc class add dev eth1 parent 10:10 classid 10:1 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.1 flowid 10:1
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.1 flowid 10:1
tc class add dev eth1 parent 10:10 classid 10:2 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.2 flowid 10:2
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.2 flowid 10:2
tc class add dev eth1 parent 10:10 classid 10:3 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 3 fw classid 10:3
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.3 flowid 10:3
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.3 flowid 10:3
tc class add dev eth1 parent 10:10 classid 10:4 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 4 fw classid 10:4
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.4 flowid 10:4
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.4 flowid 10:4
tc class add dev eth1 parent 10:10 classid 10:5 htb rate 20kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 5 fw classid 10:5
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.5 flowid 10:5
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.5 flowid 10:5
tc class add dev eth1 parent 10:10 classid 10:6 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 6 fw classid 10:6
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.6 flowid 10:6
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.6 flowid 10:6
tc class add dev eth1 parent 10:10 classid 10:7 htb rate 18kbit ceil 125kbit quantum 1500 prio 3 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 7 fw classid 10:7
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.7 flowid 10:7
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.7 flowid 10:7
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2003-10-21 19:49 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-10-21 19:49 =?unknown-8bit?q?r=C3=A3spuns?= la: "[LARTC] Pakets marked but no shapeing is done" din 10/20/2003 Dragos Cinteza
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.