Re: [LARTC] Re: Shaping only FTP traffic

Linux Advanced Routing and Traffic Control

On Sep/25/2001, Shanker Balan wrote:

> Hello:
> 
> Ivan Lopez wrote,
> > you just filter by ftp-data port (20) and by passive ports range (most
> > ftp daemons give you the chance to define a determinate range of
> > ports to use in passive mode)
> 
> But I have no control over the FTP clients users behind my Linux router
> will use. Moreover, I have full NAT for my internal network.
>  
> > I discourage you from shaping ftp control traffic (21), because of the
> > annoying delay you introduce in the interactiveness of the ftp session
> 
> Ok. Will take out port 21 then.
> 
> > this is how I do it using iptables marking and fw tc filter
> > 
> > # for matching ftp-data
> > iptables -A OUTPUT -o $IF_EXT -p tcp --sport 20 -j MARK --set-mark 1
> > # for matching the passive ports range that I configured in my ftp daemon
> > iptables -A OUTPUT -o $IF_EXT -p tcp --sport 5000:5100 -j MARK --set-mark 1
> 
> For this to work, all FTP clients should be configured to use only ports
> between 5000 and 5100 right?

It's not the clients, but the server configuration.
When using passive mode, it is the server that selects which port is going to be used for the data transfer, so you can configure the range of ports to be used, and my example setup is for this case: shaping the available download bandwidth to external clients from your server.

But if what you want is to limit the available download bandwidth to your internal clients from external ftp servers, you must shape the outgoing packets on the internal interface (coming from the Internet to your clients):

For active mode (ftp-data transfers by port 20) it can be done with

iptables -t mangle -A POSTROUTING -o $IF_INT -p tcp --sport 20 -j MARK --set-mark 1

But, because of the above-mentioned behavior of passive mode, you cannot predict which ports will be used by your clients... and I don't know any *good* way of accurately matching these ftp passive connections (does anyone else here know how? :?)

ivan

PS: note my mistake in the previous reply in the iptables lines: they lack the -t mangle option, sorry O:)
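The setup Ivan describes for the second case (shaping FTP data arriving from the Internet for NAT'd internal clients) needs two halves that the thread only shows one of: the mangle-table MARK rule, and the HTB qdisc plus `fw` filter on the internal interface that actually enforces the limit. The script below is an added example written for this page, not code from the thread or from the LARTC documentation. Interface name `eth1`, the 10mbit link rate and the 512kbit FTP ceiling are assumptions; by default it only prints the commands (`DRY_RUN=1`) so it can be reviewed before being applied as root with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example (not from the LARTC thread): shape active-mode FTP data
# flowing from the Internet towards NAT'd internal clients.
# Step 1: mark ftp-data packets in the mangle table as they leave on the
#         internal interface (POSTROUTING, after NAT has rewritten them).
# Step 2: hang an HTB qdisc on that interface and map the mark onto a
#         capped class with an "fw" filter.
# All interface names and rates below are assumptions for illustration.

IF_INT=${IF_INT:-eth1}            # interface facing the internal clients (assumed)
LINK_RATE=${LINK_RATE:-10mbit}    # capacity of the internal link (assumed)
OTHER_RATE=${OTHER_RATE:-9mbit}   # guaranteed rate for non-FTP traffic (assumed)
FTP_RATE=${FTP_RATE:-512kbit}     # rate and ceiling for ftp-data downloads (assumed)
FTP_MARK=1                        # firewall mark shared by iptables and tc
DRY_RUN=${DRY_RUN:-1}             # 1 = print the commands, 0 = execute them

# Print the command in dry-run mode, otherwise run it. Keeping every
# iptables/tc invocation behind this wrapper lets the rule set be inspected
# (and tested) on a machine where applying it would be unwelcome.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1. The rule must live in the mangle table (the thread's PS notes the
# option was missing) and MARK needs --set-mark; a bare "-j MARK 1" is
# rejected by iptables. --sport 20 catches active-mode data connections,
# which the FTP server opens from its own port 20. Passive-mode transfers
# use server-chosen ports and are NOT matched by this rule.
mark_rules() {
    run iptables -t mangle -A POSTROUTING -o "$IF_INT" -p tcp --sport 20 \
        -j MARK --set-mark "$FTP_MARK"
}

# Step 2. HTB root with two leaf classes under one parent: 1:10 is the default
# for everything unmarked, 1:20 is the capped class for marked ftp-data.
# The children's rates should not add up to more than the parent's.
tc_rules() {
    run tc qdisc add dev "$IF_INT" root handle 1: htb default 10
    run tc class add dev "$IF_INT" parent 1: classid 1:1 htb rate "$LINK_RATE"
    run tc class add dev "$IF_INT" parent 1:1 classid 1:10 htb \
        rate "$OTHER_RATE" ceil "$LINK_RATE"
    run tc class add dev "$IF_INT" parent 1:1 classid 1:20 htb \
        rate "$FTP_RATE" ceil "$FTP_RATE"
    # The fw classifier selects on the firewall mark set by mark_rules.
    run tc filter add dev "$IF_INT" parent 1: protocol ip prio 1 \
        handle "$FTP_MARK" fw flowid 1:20
}

# Remove the qdisc (and with it all classes and filters) to start over.
tc_reset() {
    run tc qdisc del dev "$IF_INT" root
}

main() {
    mark_rules
    tc_rules
}

main
```

Run it once with the defaults to see the exact commands, then `DRY_RUN=0 sh ftp-shape.sh` as root to apply them; `DRY_RUN=0 sh -c '. ./ftp-shape.sh; tc_reset'` tears the qdisc down again. As Ivan says, this only catches active-mode transfers. Later netfilter releases expose the FTP connection-tracking helper to iptables (`-m helper --helper ftp`), which can match the data connections of passive sessions too; that is outside what the thread covers and is not used above.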


