From: Dragos Cinteza <Dragos_Cinteza@web.de>
To: lartc@vger.kernel.org
Subject: RE: [LARTC] Pakets marked but no shapeing is done
Date: Mon, 27 Oct 2003 21:26:19 +0000 [thread overview]
Message-ID: <marc-lartc-106743162107344@msgid-missing> (raw)
In-Reply-To: <marc-lartc-106655646120686@msgid-missing>
In the last mail I only put the results of listing chains and classes.
This it is how the chains are made:
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog
# Flush all rules and delete all custom chains
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X
# Set up policies
/sbin/iptables -P INPUT DROP
#Modificata din ACCEPT in DROP pt access selectiv cu exceptia HTTP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
# This chain will log, then DROPs "Xmas" and Null packets which might
# indicate a port-scan attempt
/sbin/iptables -N PSCAN
/sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "TCP Scan? "
/sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "UDP Scan? "
/sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "ICMP Scan? "
/sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? "
/sbin/iptables -A PSCAN -j DROP
# Disallow packets frequently used by port-scanners, XMas and Null
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j PSCAN
/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j PSCAN
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j PSCAN
/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j PSCAN
# Limit Packets- helps reduce dos/syn attacks
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec
# CUSTOM chains, can be used by the users themselves
/sbin/iptables -N CUSTOMINPUT
/sbin/iptables -A INPUT -j CUSTOMINPUT
/sbin/iptables -N CUSTOMFORWARD
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -t nat -N CUSTOMPREROUTING
/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
# Accept everyting connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.1 -m mac --mac-source 00-02-44-67-30-30 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.2 -m mac --mac-source 00-02-44-67-30-5E -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.3 -m mac --mac-source 00-02-44-59-71-40 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.4 -m mac --mac-source 00-D0-09-D5-6B-12 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.5 -m mac --mac-source 00-50-FC-9D-7A-5B -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.6 -m mac --mac-source 00-80-5F-8F-C2-48 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.7 -m mac --mac-source 00-06-4F-05-FB-16 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.1 -m mac --mac-source 00-02-44-67-30-30 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.2 -m mac --mac-source 00-02-44-67-30-5E -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.3 -m mac --mac-source 00-02-44-59-71-40 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.4 -m mac --mac-source 00-D0-09-D5-6B-12 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.5 -m mac --mac-source 00-50-FC-9D-7A-5B -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.6 -m mac --mac-source 00-80-5F-8F-C2-48 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.7 -m mac --mac-source 00-06-4F-05-FB-16 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -d 192.168.1.5 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 193.108.54.37 -d 192.168.1.5 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -d 192.168.1.5 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 193.108.54.37 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 128.242.207.197 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 80.86.96.1 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -j DROP
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.1 -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.2 -j MARK --set-mark 2
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.3 -j MARK --set-mark 3
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.4 -j MARK --set-mark 4
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.5 -j MARK --set-mark 5
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.6 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.7 -j MARK --set-mark 7
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-02-44-67-30-30 -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-02-44-67-30-5E -j MARK --set-mark 2
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-02-44-59-71-40 -j MARK --set-mark 3
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-D0-09-D5-6B-12 -j MARK --set-mark 4
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-50-FC-9D-7A-5B -j MARK --set-mark 5
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-80-5F-8F-C2-48 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-06-4F-05-FB-16 -j MARK --set-mark 7
/sbin/iptables -A INPUT -i ipsec+ -j ACCEPT
/sbin/iptables -A FORWARD -i ipsec+ -j ACCEPT
# Custom prerouting chains (for transparent proxy and port forwarding)
/sbin/iptables -t nat -N SQUID
/sbin/iptables -t nat -A PREROUTING -j SQUID
/sbin/iptables -t nat -N PORTFW
/sbin/iptables -t nat -A PREROUTING -j PORTFW
# last rule in input and forward chain is for logging.
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "
# Accept everyting connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT
$GREEN_DEV is the LAN interface
and here are the tc commands:
# clean existing down- and uplink qdiscs, hide errors
tc qdisc del dev eth1 root 2> /dev/null > /dev/null
tc qdisc del dev eth1 ingress 2> /dev/null > /dev/null
tc qdisc del dev eth0 root 2> /dev/null > /dev/null
tc qdisc del dev eth0 ingress 2> /dev/null > /dev/null
tc qdisc add dev eth1 root handle 10: htb r2q 1
tc class add dev eth1 parent 10: classid 10:10 htb rate 125kbit ceil 125kbit quantum 2250 burst 60k
tc class add dev eth1 parent 10:10 classid 10:1 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.1 flowid 10:1
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.1 flowid 10:1
tc class add dev eth1 parent 10:10 classid 10:2 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.2 flowid 10:2
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.2 flowid 10:2
tc class add dev eth1 parent 10:10 classid 10:3 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 3 fw classid 10:3
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.3 flowid 10:3
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.3 flowid 10:3
tc class add dev eth1 parent 10:10 classid 10:4 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 4 fw classid 10:4
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.4 flowid 10:4
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.4 flowid 10:4
tc class add dev eth1 parent 10:10 classid 10:5 htb rate 20kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 5 fw classid 10:5
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.5 flowid 10:5
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.5 flowid 10:5
tc class add dev eth1 parent 10:10 classid 10:6 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 6 fw classid 10:6
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.6 flowid 10:6
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.6 flowid 10:6
tc class add dev eth1 parent 10:10 classid 10:7 htb rate 18kbit ceil 125kbit quantum 1500 prio 3 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 7 fw classid 10:7
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.7 flowid 10:7
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.7 flowid 10:7
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
next prev parent reply other threads:[~2003-10-27 21:26 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-10-19 9:31 [LARTC] Pakets marked but no shapeing is done =?unknown-8bit?q?Drago=C2=BA_Cintez=C3=A3?=
2003-10-19 17:22 ` Dragoa Cinteza
2003-10-20 15:40 ` Dragos Cinteza
2003-10-20 18:47 ` Stef Coene
2003-10-27 21:26 ` Dragos Cinteza [this message]
2003-10-28 7:41 ` Catalin BOIE
2003-10-28 18:18 ` Stef Coene
2003-11-01 12:35 ` =?unknown-8bit?q?Drago=C2=BA_Cintez=C3=A3?=
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=marc-lartc-106743162107344@msgid-missing \
--to=dragos_cinteza@web.de \
--cc=lartc@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox