Reply to: "Pakets marked but no shapeing is done" from 10/20/2003

Linux Advanced Routing and Traffic Control


Stef> On Monday 20 October 2003 17:40, Dragos Cinteza wrote:
>> Here it is now in plain text, just please help me understand, because it
>> seems very illogical what happens. Sorry for sending this 3 times. I hope it
>> is ok now.
Stef> Euh.  I don't see a tc filter statement.  And where is the iptables line that 
Stef> matches the packets ???  Also, post your tc commands and your iptables rules.

Stef> Stef

================================================================================
In the last mail I only put the results of listing chains and classes.
This is how the chains are made:
        echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
        echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

        # Reduce DoS'ing ability by reducing timeouts
        echo   30 > /proc/sys/net/ipv4/tcp_fin_timeout
        echo    0 > /proc/sys/net/ipv4/tcp_window_scaling
        echo    0 > /proc/sys/net/ipv4/tcp_timestamps
        echo    0 > /proc/sys/net/ipv4/tcp_sack
        echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog

        # Flush all rules and delete all custom chains
        /sbin/iptables -F
        /sbin/iptables -t nat -F
        /sbin/iptables -t mangle -F
        /sbin/iptables -X
        /sbin/iptables -t nat -X
        /sbin/iptables -t mangle -X

        # Set up policies
        /sbin/iptables -P INPUT DROP
        # Changed from ACCEPT to DROP for selective access, with the exception of HTTP
        /sbin/iptables -P FORWARD DROP
        /sbin/iptables -P OUTPUT ACCEPT
        /sbin/iptables -t nat -P PREROUTING ACCEPT

        # This chain will log, then DROPs "Xmas" and Null packets which might
        # indicate a port-scan attempt
        /sbin/iptables -N PSCAN
        /sbin/iptables -A PSCAN -p tcp  -m limit --limit 10/minute -j LOG --log-prefix "TCP Scan? "
        /sbin/iptables -A PSCAN -p udp  -m limit --limit 10/minute -j LOG --log-prefix "UDP Scan? "
        /sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "ICMP Scan? "
        /sbin/iptables -A PSCAN -f      -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? "
        /sbin/iptables -A PSCAN -j DROP

        # Disallow packets frequently used by port-scanners, XMas and Null
        /sbin/iptables -A INPUT   -p tcp --tcp-flags ALL ALL  -j PSCAN
        /sbin/iptables -A FORWARD -p tcp --tcp-flags ALL ALL  -j PSCAN
        /sbin/iptables -A INPUT   -p tcp --tcp-flags ALL NONE -j PSCAN
        /sbin/iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j PSCAN

# Limit Packets- helps reduce dos/syn attacks
        /sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec

        # CUSTOM chains, can be used by the users themselves
        /sbin/iptables -N CUSTOMINPUT
        /sbin/iptables -A INPUT -j CUSTOMINPUT 
        /sbin/iptables -N CUSTOMFORWARD
        /sbin/iptables -A FORWARD -j CUSTOMFORWARD
        /sbin/iptables -t nat -N CUSTOMPREROUTING
        /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING

        # Accept everything connected
        /sbin/iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
        /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

        # localhost and ethernet.
        /sbin/iptables -A INPUT   -i lo         -j ACCEPT
        /sbin/iptables -A INPUT   -p icmp       -j ACCEPT


/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.1 -m mac --mac-source 00-02-44-67-30-30 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.2 -m mac --mac-source 00-02-44-67-30-5E -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.3 -m mac --mac-source 00-02-44-59-71-40 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.4 -m mac --mac-source 00-D0-09-D5-6B-12 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.5 -m mac --mac-source 00-50-FC-9D-7A-5B -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.6 -m mac --mac-source 00-80-5F-8F-C2-48 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.7 -m mac --mac-source 00-06-4F-05-FB-16 -j ACCEPT

/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.1 -m mac --mac-source 00-02-44-67-30-30 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.2 -m mac --mac-source 00-02-44-67-30-5E -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.3 -m mac --mac-source 00-02-44-59-71-40 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.4 -m mac --mac-source 00-D0-09-D5-6B-12 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.5 -m mac --mac-source 00-50-FC-9D-7A-5B -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.6 -m mac --mac-source 00-80-5F-8F-C2-48 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.7 -m mac --mac-source 00-06-4F-05-FB-16 -j ACCEPT

/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -d 192.168.1.5 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 193.108.54.37 -d 192.168.1.5 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -d 192.168.1.5 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 193.108.54.37 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 128.242.207.197 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 80.86.96.1 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -j DROP

/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.1 -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.2 -j MARK --set-mark 2
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.3 -j MARK --set-mark 3
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.4 -j MARK --set-mark 4
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.5 -j MARK --set-mark 5
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.6 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.7 -j MARK --set-mark 7

/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-02-44-67-30-30 -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-02-44-67-30-5E -j MARK --set-mark 2
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-02-44-59-71-40 -j MARK --set-mark 3
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-D0-09-D5-6B-12 -j MARK --set-mark 4
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-50-FC-9D-7A-5B -j MARK --set-mark 5
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-80-5F-8F-C2-48 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-06-4F-05-FB-16 -j MARK --set-mark 7

/sbin/iptables -A INPUT   -i ipsec+ -j ACCEPT
/sbin/iptables -A FORWARD -i ipsec+ -j ACCEPT


# Custom prerouting chains (for transparent proxy and port forwarding)
        /sbin/iptables -t nat -N SQUID
        /sbin/iptables -t nat -A PREROUTING -j SQUID
        /sbin/iptables -t nat -N PORTFW
        /sbin/iptables -t nat -A PREROUTING -j PORTFW


        # last rule in input and forward chain is for logging.
        /sbin/iptables -A INPUT   -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
        /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "


        # Accept everything connected
        /sbin/iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT

        # localhost and ethernet.
        /sbin/iptables -A INPUT -i lo -j ACCEPT
        /sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT


$GREEN_DEV is the LAN interface.



and here are the tc commands:

# clean existing down- and uplink qdiscs, hide errors
tc qdisc del dev eth1 root    2> /dev/null > /dev/null
tc qdisc del dev eth1 ingress 2> /dev/null > /dev/null
tc qdisc del dev eth0 root    2> /dev/null > /dev/null
tc qdisc del dev eth0 ingress 2> /dev/null > /dev/null



tc qdisc add dev eth1 root handle 10: htb r2q 1
tc class add dev eth1 parent 10: classid 10:10 htb rate 125kbit ceil 125kbit quantum 2250 burst 60k

tc class add dev eth1 parent 10:10 classid 10:1 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k

tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1
 tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.1 flowid 10:1
 tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.1 flowid 10:1

tc class add dev eth1 parent 10:10 classid 10:2 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k

tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1
 tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.2 flowid 10:2
 tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.2 flowid 10:2


tc class add dev eth1 parent 10:10 classid 10:3 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k

tc filter add dev eth1 parent 10: protocol ip handle 3 fw classid 10:3
 tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.3 flowid 10:3
 tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.3 flowid 10:3

tc class add dev eth1 parent 10:10 classid 10:4 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k

tc filter add dev eth1 parent 10: protocol ip handle 4 fw classid 10:4
 tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.4 flowid 10:4
 tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.4 flowid 10:4

tc class add dev eth1 parent 10:10 classid 10:5 htb rate 20kbit ceil 125kbit quantum 1500 prio 2 burst 60k

tc filter add dev eth1 parent 10: protocol ip handle 5 fw classid 10:5
 tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.5 flowid 10:5
 tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.5 flowid 10:5

tc class add dev eth1 parent 10:10 classid 10:6 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k

tc filter add dev eth1 parent 10: protocol ip handle 6 fw classid 10:6
 tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.6 flowid 10:6
 tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.6 flowid 10:6

tc class add dev eth1 parent 10:10 classid 10:7 htb rate 18kbit ceil 125kbit quantum 1500 prio 3  burst 60k

tc filter add dev eth1 parent 10: protocol ip handle 7 fw classid 10:7
 tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.7 flowid 10:7
 tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.7 flowid 10:7


_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
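Before HTB can steer anything, every mark set in the mangle table needs a matching fw filter under the right class; the following added example (not code from the post or from the LARTC project) parses the two rule sets and reports marks with no fw filter, handles added twice, and handles whose class breaks the mark N to class 10:N convention the script uses. The sample input is a constructed excerpt of the post's own mark rules and fw filter lines.

```python
import re
from collections import Counter

# Constructed sample input: an excerpt of the mangle MARK rules and tc 'fw'
# filters exactly as they appear in the post ($GREEN_DEV left unexpanded).
IPTABLES_MANGLE = """
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.1 -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.2 -j MARK --set-mark 2
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.3 -j MARK --set-mark 3
"""
TC_FILTERS = """
tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1
tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1
tc filter add dev eth1 parent 10: protocol ip handle 3 fw classid 10:3
"""

MARK_RE = re.compile(r"-j MARK --set-mark (\d+)")
FW_RE = re.compile(r"handle (\d+) fw classid (\d+):(\d+)")


def parse_marks(script):
    """Return the set of fwmark values the mangle rules assign."""
    return {int(m) for m in MARK_RE.findall(script)}


def parse_fw_filters(script):
    """Return (handle, classid) pairs for every 'fw' classifier filter."""
    return [(int(h), f"{major}:{minor}") for h, major, minor in FW_RE.findall(script)]


def check_marks(marks, filters):
    """Cross-check marks against fw filters; assumes the post's convention that
    mark N is meant to land in class 10:N."""
    handles = Counter(h for h, _ in filters)
    return {
        # marked by iptables but no fw filter claims the mark: HTB never sees it
        "unmapped_marks": sorted(marks - set(handles)),
        # same handle added twice: the second filter is at best redundant
        "duplicate_handles": sorted(h for h, n in handles.items() if n > 1),
        # handle N steering to a class other than 10:N breaks the per-host mapping
        "mismatched": sorted((h, c) for h, c in filters if int(c.split(":")[1]) != h),
    }


if __name__ == "__main__":
    report = check_marks(parse_marks(IPTABLES_MANGLE), parse_fw_filters(TC_FILTERS))
    for problem, items in report.items():
        print(f"{problem}: {items or 'none'}")
```

On the sample above the check reports mark 2 as unmapped and handle 1 as duplicated, which is exactly what the two identical "handle 1 fw classid 10:1" lines in the post produce.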
