[LARTC] tc filter isn't working!

Linux Advanced Routing and Traffic Control

->  Hi!
->  
->  I have a Linux box to which I want to apply a filter
->  in order to limit outgoing FTP traffic from my
->  Linux box to the Internet.
->  
->  I've a:
->  	Red Hat 7.2
->  	Kernel 2.4.20 (with HTB built in!)
->  	iptables 1.2.7a
->  
->  Also, I got the "tc" binary package from the HTB home page.
->  
->  I have a script in order to manage everything.
->  
->  After doing an FTP session and sending a file to the Internet from
->  my Linux box, the traffic seems to be caught by iptables, but
->  not by the tc filter (dropped 0, overlimits 0).
->  
->  What is wrong ???
->  Please see below my script, and diagnostics.
->  
->  Thank you !!
->  
->  Mac
->  
->  -------------------------------------------------------
->  
->  #!/bin/bash
->  
->  # Clear everything
->  
->  tc qdisc del dev eth0 root 2> /dev/null > /dev/null
->  tc qdisc del dev eth0 ingress 2> /dev/null > /dev/null
->  iptables -F OUTPUT -t mangle 
->  iptables -F INPUT -t mangle 
->  iptables -F PREROUTING -t mangle 
->  iptables -F POSTROUTING -t mangle 
->  iptables -F FORWARD -t mangle 
->  
->  # HTB qdisc
->  
->  tc qdisc add dev eth0 root handle 1: htb
->  tc class add dev eth0 parent 1: classid 1:1 htb rate 32kbit ceil 32kbit burst 2kbit
->  
->  # FTP traffic class
->  tc class add dev eth0 parent 1:1 classid 1:10 htb rate 16kbit ceil 16kbit
->  
->  # sfq
->  tc qdisc add dev eth0 parent 1:10 handle 40: sfq perturb 10
->  
->  # Filter FTP traffic
->  tc filter add dev eth0 parent 1: protocol ip prio 1 handle 1 fw classid 1:10
->  
->  # iptables to get FTP traffic
->  
->  iptables -A OUTPUT -t mangle -p tcp --dport 21 -j MARK --set-mark 1
->  iptables -A OUTPUT -t mangle -p tcp --dport 20 -j MARK --set-mark 1
->  iptables -A OUTPUT -t mangle -p udp --dport 21 -j MARK --set-mark 1
->  iptables -A OUTPUT -t mangle -p udp --dport 20 -j MARK --set-mark 1
->  
->  iptables -A PREROUTING -t mangle -p tcp --dport 21 -j MARK --set-mark 1
->  iptables -A PREROUTING -t mangle -p tcp --dport 20 -j MARK --set-mark 1
->  iptables -A PREROUTING -t mangle -p udp --dport 21 -j MARK --set-mark 1
->  iptables -A PREROUTING -t mangle -p udp --dport 20 -j MARK --set-mark 1
->  
->  iptables -A FORWARD -t mangle -p tcp --dport 21 -j MARK --set-mark 1
->  iptables -A FORWARD -t mangle -p tcp --dport 20 -j MARK --set-mark 1
->  iptables -A FORWARD -t mangle -p udp --dport 21 -j MARK --set-mark 1
->  iptables -A FORWARD -t mangle -p udp --dport 20 -j MARK --set-mark 1
->  
->  iptables -A POSTROUTING -t mangle -p tcp --dport 21 -j MARK --set-mark 1
->  iptables -A POSTROUTING -t mangle -p tcp --dport 20 -j MARK --set-mark 1
->  iptables -A POSTROUTING -t mangle -p udp --dport 21 -j MARK --set-mark 1
->  iptables -A POSTROUTING -t mangle -p udp --dport 20 -j MARK --set-mark 1
->  
->  -------------------------------------------------------
->  
->  [root@xxxxxxxx macwww]# iptables -L -t mangle -nvx
->  
->  Chain PREROUTING (policy ACCEPT 190679 packets, 163312488 bytes)
->      pkts      bytes target     prot opt in     out     
->  source               destination
->         1       40 MARK       tcp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          tcp dpt:21 MARK set 0x1
->         0        0 MARK       tcp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          tcp dpt:20 MARK set 0x1
->         0        0 MARK       udp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          udp dpt:21 MARK set 0x1
->         0        0 MARK       udp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          udp dpt:20 MARK set 0x1
->  
->  Chain INPUT (policy ACCEPT 161324 packets, 160097182 bytes)
->      pkts      bytes target     prot opt in     out     
->  source               destination
->  
->  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
->      pkts      bytes target     prot opt in     out     
->  source               destination
->         0        0 MARK       tcp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          tcp dpt:21 MARK set 0x1
->         0        0 MARK       tcp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          tcp dpt:20 MARK set 0x1
->         0        0 MARK       udp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          udp dpt:21 MARK set 0x1
->         0        0 MARK       udp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          udp dpt:20 MARK set 0x1
->  
->  Chain OUTPUT (policy ACCEPT 130426 packets, 136583975 bytes)
->      pkts      bytes target     prot opt in     out     
->  source               destination
->        33     1989 MARK       tcp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          tcp dpt:21 MARK set 0x1
->         0        0 MARK       tcp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          tcp dpt:20 MARK set 0x1
->         0        0 MARK       udp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          udp dpt:21 MARK set 0x1
->         0        0 MARK       udp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          udp dpt:20 MARK set 0x1
->  
->  Chain POSTROUTING (policy ACCEPT 130426 packets, 136583975 bytes)
->      pkts      bytes target     prot opt in     out     
->  source               destination
->        33     1989 MARK       tcp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          tcp dpt:21 MARK set 0x1
->         0        0 MARK       tcp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          tcp dpt:20 MARK set 0x1
->         0        0 MARK       udp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0          udp dpt:21 MARK set 0x1
->         0        0 MARK       udp  --  *      *       
->  0.0.0.0/0            0.0.0.0/0   
->  
->  
->  -------------------------------------------------------
->  
->  [root@xxxxxxxx macwww]# tc -s -d qdisc show dev eth0
->  qdisc sfq 60: quantum 1514b limit 128p flows 128/1024 
->  perturb 10sec  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
->  
->   qdisc sfq 50: quantum 1514b limit 128p flows 128/1024 
->  perturb 10sec  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
->  
->   qdisc sfq 40: quantum 1514b limit 128p flows 128/1024 
->  perturb 10sec  Sent 2451 bytes 33 pkts (dropped 0, overlimits 0)
->  
->   qdisc htb 1: r2q 10 default 0 direct_packets_stat 7233 ver 
->  3.7  Sent 9630794 bytes 7266 pkts (dropped 0, overlimits 0)
->  
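Reading the post's two diagnostic dumps side by side, as an added example that is not part of the original message: the 33 packets hit by the tcp dpt:21 MARK rule in OUTPUT are exactly the 33 packets counted on sfq 40: under class 1:10, so the fw filter is classifying the marked traffic, while direct_packets_stat on htb 1: counts everything that matched no filter and bypassed the classes. The script below parses both outputs (sample text copied from the post and embedded here) and performs that comparison.

```python
import re

# Constructed sample, copied from the post: 'tc -s -d qdisc show dev eth0',
# with each wrapped record joined back onto one line.
TC_OUTPUT = """\
qdisc sfq 60: quantum 1514b limit 128p flows 128/1024 perturb 10sec  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 50: quantum 1514b limit 128p flows 128/1024 perturb 10sec  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 40: quantum 1514b limit 128p flows 128/1024 perturb 10sec  Sent 2451 bytes 33 pkts (dropped 0, overlimits 0)
qdisc htb 1: r2q 10 default 0 direct_packets_stat 7233 ver 3.7  Sent 9630794 bytes 7266 pkts (dropped 0, overlimits 0)
"""
# Constructed sample, copied from the post: the OUTPUT chain of 'iptables -L -t mangle -nvx'.
IPT_OUTPUT = """\
Chain OUTPUT (policy ACCEPT 130426 packets, 136583975 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      33     1989 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 MARK set 0x1
       0        0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 MARK set 0x1
"""

QDISC_RE = re.compile(r"qdisc (\w+) (\w+): .*?Sent (\d+) bytes (\d+) pkts")
DIRECT_RE = re.compile(r"direct_packets_stat (\d+)")
MARK_RE = re.compile(r"^\s*(\d+)\s+\d+\s+MARK\s+(\w+).*?dpt:(\d+).*?MARK set (0x[0-9a-f]+)", re.M)

def parse_qdiscs(text):
    # One record per qdisc: kind, bytes/packets it sent, and for HTB the count of
    # packets that bypassed every class because no filter matched (direct_packets_stat).
    out = {}
    for line in text.splitlines():
        m = QDISC_RE.search(line)
        if m:
            d = DIRECT_RE.search(line)
            out[m.group(2) + ":"] = {"kind": m.group(1), "bytes": int(m.group(3)),
                                     "pkts": int(m.group(4)),
                                     "direct": int(d.group(1)) if d else None}
    return out

def marked_packets(text, mark="0x1"):
    # Packets each MARK rule with the given mark actually hit, keyed by (proto, dport).
    return {(proto, int(port)): int(pkts)
            for pkts, proto, port, m in MARK_RE.findall(text) if m == mark}

def classify_check(tc_text, ipt_text, leaf="40:", root="1:"):
    # The fw filter is doing its job when every locally marked packet shows up in
    # the leaf qdisc under class 1:10; everything unmatched lands in direct_packets_stat.
    q = parse_qdiscs(tc_text)
    marked = sum(marked_packets(ipt_text).values())
    return {"marked": marked, "leaf_pkts": q[leaf]["pkts"], "direct": q[root]["direct"],
            "filter_works": marked == q[leaf]["pkts"] > 0}
```

On a live box, feed the functions the current output of the same two commands instead of the embedded samples.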