* [LARTC] Finally got FWMARK to work
@ 2003-11-06 8:29 ph4ke
From: ph4ke @ 2003-11-06 8:29 UTC (permalink / raw)
To: lartc
Hi List,
Only signed up recently and posted the problem that we had with FWMARK.
Got it solved, so if anyone has the same problem, maybe this could help :
The problem with the (Red Hat) 2.4.20 kernel was that when doing ethernet
bridging, packets seemed to bypass the iptables rules, so no marking occurred.
Apparently there is a patch available to allow firewalling on the bridge, but I didn't bother to
use it. The funny thing is that the kernel that comes with RH 7.3 actually does let bridged packets
be filtered by iptables.
We finally opted for the 2.6.0-test1 kernel and everything is working fine now. Iptables
is marking the bridged packets, and tc is queuing them as the filters dictate.
Just thought I'd share that.
Limiting outgoing FTP involved a little iptables sorcery.
See, the problem is that we want to limit outgoing FTP to a particular IP range, but the
FTP server actually sits on a web server as well.
So I tried these rules to mark the packets, and it looks like it's working fine. If there is a better way
to accomplish this, please let me know, because I'm sure this isn't the best way:
target prot opt source destination
MARK tcp -- 100.200.100.10 xxx.xxx.xxx.xxx state RELATED,ESTABLISHED MARK set 0x1 ## ftp marking rule
MARK tcp -- anywhere anywhere tcp spt:http MARK set 0xa
MARK udp -- anywhere anywhere udp spt:http MARK set 0xa
0x1 goes to the htb class where we limit the traffic.
0xa just goes to an htb class with an sfq qdisc attached to it.
Everything else also goes to the sfq by default.
So this works fine. FTP downloads from the limited range are limited nicely, and uploads of "new" files
from that range are fast, just like they should be.
The only thing is that when you upload from the range and overwrite files on the FTP server, it gets limited
just as if you were doing a download. This is extremely odd to me, and if anyone has any
ideas of why this might happen, please give me a shout.
Regards,
Cilliè
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
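As an added example, not the poster's own rules or script, here is a POSIX sh script that builds the two-tier scheme the message describes: FTP traffic between the server and the throttled range gets fwmark 0x1, web traffic on the same host is re-marked 0xa so it stays out of the capped class, and an HTB tree on the bridge port facing the throttled range sends 0x1 to a rate-limited class and everything else to an sfq class. Every name and address is an assumption for illustration: eth0 as the client-facing bridge port, 192.0.2.10 as the combined FTP/web server, 198.51.100.0/24 as the throttled range, and the rates. With the default DRY_RUN=1 the script only prints the commands it would run; set DRY_RUN=0 and run as root to apply them.

```shell
#!/bin/sh
# Added example, not the poster's own rules: mark FTP traffic between the
# server and the throttled range with fwmark 0x1, keep web traffic in 0xa,
# and shape on the bridge port that faces the throttled range with HTB.
# All names, addresses and rates below are assumptions for illustration.
DRY_RUN="${DRY_RUN:-1}"                          # 1 = print commands, 0 = execute as root
DEV="${DEV:-eth0}"                               # assumed: bridge port facing the throttled range
SERVER="${SERVER:-192.0.2.10}"                   # assumed: host running both ftpd and httpd
LIMITED_NET="${LIMITED_NET:-198.51.100.0/24}"    # assumed: range whose FTP downloads are capped
LINK_RATE="${LINK_RATE:-10mbit}"                 # assumed link speed
FTP_RATE="${FTP_RATE:-256kbit}"                  # assumed cap for marked FTP traffic

# Print a command line, or execute it when DRY_RUN=0.
run() {
    if [ "$DRY_RUN" = "0" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Mangle-table rules. With the FTP conntrack helper loaded, the data channel
# (active or passive, any port) is tracked as RELATED to the control
# connection: its first packet is RELATED, later ones ESTABLISHED, so a
# RELATED,ESTABLISHED match between the server and the range catches every
# tracked connection between them, data channels included. MARK does not
# terminate the chain and the last matching MARK wins, so the web rules must
# come after the FTP rule to pull port-80 traffic back out of the capped class.
mangle_rules() {
    run modprobe ip_conntrack_ftp            # nf_conntrack_ftp on current kernels
    run iptables -t mangle -N FTPMARK
    run iptables -t mangle -A PREROUTING -j FTPMARK
    # every tracked TCP connection between server and range, both directions
    run iptables -t mangle -A FTPMARK -p tcp -s "$SERVER" -d "$LIMITED_NET" \
        -m state --state RELATED,ESTABLISHED -j MARK --set-mark 0x1
    run iptables -t mangle -A FTPMARK -p tcp -s "$LIMITED_NET" -d "$SERVER" \
        -m state --state RELATED,ESTABLISHED -j MARK --set-mark 0x1
    # web traffic to/from the same host gets the unthrottled mark instead
    run iptables -t mangle -A FTPMARK -p tcp --sport 80 -j MARK --set-mark 0xa
    run iptables -t mangle -A FTPMARK -p tcp --dport 80 -j MARK --set-mark 0xa
}

# HTB tree on the port facing the throttled range. Only egress can be shaped,
# so this caps server -> range traffic (downloads). Range -> server traffic
# leaves through the other bridge port and is not shaped here, which gives
# the "uploads stay fast" behaviour the message describes.
tc_rules() {
    run tc qdisc add dev "$DEV" root handle 1: htb default 20
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "$LINK_RATE"
    run tc class add dev "$DEV" parent 1:1 classid 1:10 htb \
        rate "$FTP_RATE" ceil "$FTP_RATE"                     # capped FTP class
    run tc class add dev "$DEV" parent 1:1 classid 1:20 htb \
        rate "$LINK_RATE" ceil "$LINK_RATE"                   # everything else
    run tc qdisc add dev "$DEV" parent 1:20 handle 20: sfq perturb 10
    # fwmark -> class mapping; 0xa and unmarked packets both end up in 1:20
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 handle 0x1 fw flowid 1:10
    run tc filter add dev "$DEV" parent 1: protocol ip prio 2 handle 0xa fw flowid 1:20
}

mangle_rules
tc_rules
```

Because the 0x1 rule matches every tracked connection between the two endpoints, any other service the server offers to the range would land in the capped class as well; add a re-marking rule for it after the FTP rule, the way the port-80 rules do. On a bridge the PREROUTING hook sees frames arriving on either port, so the marking rules need no per-interface match, but the HTB tree must sit on the port through which the capped traffic leaves.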