----- Original Message -----
From: <lartc-request@xxxxxxxxxxxxxxx>
To: <lartc@xxxxxxxxxxxxxxx>
Sent: Thursday, October 23, 2003 11:05 AM
Subject: LARTC digest, Vol 1 #1420 - 10 msgs

> Send LARTC mailing list submissions to
> lartc@xxxxxxxxxxxxxxx
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://mailman.ds9a.nl/mailman/listinfo/lartc
> or, via email, send a message with subject or body 'help' to
> lartc-request@xxxxxxxxxxxxxxx
>
> You can reach the person managing the list at
> lartc-admin@xxxxxxxxxxxxxxx
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of LARTC digest..."
>
>
> Today's Topics:
>
> 1. Re: "Help with routing" (Robert Kurjata)
> 2. Need Suggestion on CBQ Rules. (Raghuveer K)
> 3. Per host Traffic Shaping bridge, using DSCP (Warwick Chapman)
> 4. nexthop reachability (Vadiraj C S)
> 5. Re: 'Help with routing' (nixo@xxxxxxxxxxx)
> 6. Split access problems. (Mike Taekema)
> 7. Re: Per host Traffic Shaping bridge, using DSCP (Stef Coene)
> 8. esfq (ThE PhP_KiD)
> 9. RE: Missing parameter descriptions (Marko Buuri)
> 10. iptables question (Walter D. Wyndroski)
>
> --__--__--
>
> Message: 1
> Date: Wed, 22 Oct 2003 08:59:05 +0200
> From: Robert Kurjata <rkurjata@xxxxxxxxxxxxx>
> Reply-To: Robert Kurjata <rkurjata@xxxxxxxxxxxxx>
> To: nixo@xxxxxxxxxxx
> Cc: lartc@xxxxxxxxxxxxxxx
> Subject: Re: "Help with routing"
>
> Hi nixo,
>
> I suppose you don't preserve properly the output address; see my posting
> with script from 15th October this year :)
> (append prohibit default:)
>
>
> nnca> the scheme of my LAN is the next:
>
> nnca> eth0 isp1 /32
> nnca> eth1 lan of isp1 (LAN with public IP /24)
> nnca> eth2 isp2 /32
> nnca> eth3 lan of isp2 (LAN with public IP /26)
>
> nnca> ip route add 200.47.x.x/24 dev eth0 src 200.47.4.x table 1
> nnca> ip route add default via 200.47.4.x table 1
>
> nnca> ip route add 200.80.32.x/26 dev eth2 src 200.80.32.x table 2
> nnca> ip route add default via 200.80.32.x table 2
>
> nnca> ip rule add from 200.47.4.x table 1
> nnca> ip rule add from 200.80.32.x table 2
>
> nnca> ip route add default scope global nexthop via 200.47.4.x dev eth0 nexthop via 200.80.32.x dev eth2
>
> nnca> ******
>
> nnca> My problem is this: when I trace from the NETWORK of ISP1, sometimes the
> nnca> tracer goes out from the gateway of ISP2 and vice versa.
>
> nnca> And when someone traces an IP from my LAN of ISP1, it shows me, as the
> nnca> hop before completing, the gateway from ISP2, and vice versa.
>
> nnca> My question is: what is wrong in my config...??? What do I need to put, or is
> nnca> anything wrong with this config???
> nnca> THANKS VERY MUCH AND SORRY FOR MY HIGH SCHOOL ENGLISH.
>
> nnca> _______________________________________________
> nnca> LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
> nnca> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
> --
> Greetings,
> Robert mailto:rkurjata@xxxxxxxxxxxxx
>
> --__--__--
>
> Message: 2
> Date: Wed, 22 Oct 2003 13:12:21 +0530
> From: Raghuveer K <rvk@xxxxxxxxxxx>
> Reply-To: Raghuveer K <rvk@xxxxxxxxxxx>
> Organization: Global Security One Ltd.
> To: Stef Coene <stef.coene@xxxxxxxxx>
> Cc: lartc@xxxxxxxxxxxxxxx,
> "Martin A. Brown" <mabrown-lartc@xxxxxxxxxxxxxx>
> Subject: Need Suggestion on CBQ Rules.
>
> Stef Coene wrote:
>
> >On Tuesday 23 September 2003 07:56, Raghuveer wrote:
> >
> >>Here are the rules I am applying to control outgoing traffic at the WAN (eth0)
> >>interface for public hosted services.
> >>Here actual ISP rate = 512Kbit, rate taken = 97% of 512Kbit, eth0 ip is
> >>192.168.1.2
> >>
> >>tc qdisc add dev eth0 root handle 1: cbq bandwidth 100Mbit avpkt 1000 cell 8
> >>tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate 497Kbit weight 49Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000 bounded
> >>
> >>/* Hosted http server bandwidth = 64Kbit */
> >>tc class add dev eth0 parent 1:1 classid 1:2 cbq bandwidth 100Mbit rate 64Kbit weight 6Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
> >>tc filter add dev eth0 parent 1:1 protocol ip prio 3 u32 match ip src 192.168.1.2 match ip sport 80 0xffff classid 1:2
> >>
> >>/* Hosted ftp server bandwidth = 64Kbit */
> >>tc class add dev eth0 parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate 64Kbit weight 6Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
> >>tc filter add dev eth0 parent 1:1 protocol ip prio 3 u32 match ip src 192.168.1.2 match ip sport 21 0xffff classid 1:3
> >>
> >>/* Default : Rest/Other traffic */
> >>tc class add dev eth0 parent 1:1 classid 1:4 cbq bandwidth 100Mbit rate 369Kbit weight 40Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
> >>/* Here I want to replace the below rule with a simple rule based only on
> >>port, i.e. by using some default port other than 80, 21 as sport, which
> >>according to your last mail is not possible, hence pls check whether the
> >>below rule will do for remaining traffic */
> >>tc filter add dev eth0 parent 1:1 protocol ip prio 3 u32 match ip src 0/0 match ip dst 0/0 classid 1:4
> >>
> >>Pls let me know whether the above rules are framed correctly or can be
> >>done in a better way.
> >>
> >I can't do it better than you did :)
> >
> Stef,
> Traffic Control is not taking place after applying the above rules. Here
> follows the test setup:-
> 1. The linux m/c's eth0 (100Mbits, WAN) is connected to 128 Kbits ADSL
> and eth1 to the LAN.
> 2. I tried doing traffic control for incoming (at eth1) and outgoing (at
> eth0) traffic using CBQ (above rules).
> 3. In LAN, I connected 3 m/c's (all linux).
> 4. The ISP rate taken is 97% of 128Kbits.
> 5. Bandwidth Monitoring is done by using IPTraf on each LAN m/c.
>
> I have a few observations and queries, as follows:--
> 1. Here the ISP rate is fluctuating in the range of 21Kbits to 131 Kbits
> for 128Kbits ADSL.
> 2. I have not added any filter for the parent class. Is it required...?
> What happens if I add...?
> 3. Is the "iptraf" tool OK for monitoring the distribution of bandwidth on
> each LAN m/c?
> 4. Shall I take outgoing and incoming ISP rates in a 30:70 ratio,
> i.e. 30% of 128Kbits for the outgoing Qdisc (eth0) and 70% for the incoming
> Qdisc (eth1), as the 128 Kbits rate is asynchronous (ADSL)?
>
> Can you pls guide me where am I going wrong..?
>
> Regards
> -Raghu
>
> >Stef
>
> --
> ****** This email is confidential and is intended for the original recipient(s)
> only. If you have erroneously received this mail, please delete it immediately
> and notify the sender. Unauthorized copying, disclosure or distribution of the
> material in this mail is prohibited. Views expressed in this mail are those of
> the individual sender and do not bind Gsec1 Limited. or its subsidiary, unless
> the sender has done so expressly with due authority of Gsec1.******
>
> --__--__--
>
> Message: 3
> Date: Wed, 22 Oct 2003 11:39:51 +0200
> From: Warwick Chapman <warwick@xxxxxxxxxxx>
> To: lartc@xxxxxxxxxxxxxxx
> Cc: anthon@xxxxxxxx
> Subject: Per host Traffic Shaping bridge, using DSCP
>
> Howdy
>
> We would like to set up a Linux Bridge to replace a FreeBSD/ipfw box
> doing shaping. Currently, we can only shape per IP/protocol on the
> FreeBSD box, and not by type of traffic (local/international).
>
> Our upstream provider, Internet Solutions (www.is.co.za) differentiates
> between Local and International Bandwidth as follows:
> "Local traffic DSCP bit is set to 20. International is set to 18."
>
> What steps would be involved in, say, setting up shaping to a host to
> give it 32kb International and 64 local. Would it be possible to
> allow bursting when bandwidth is available?
>
> I have read the LARTC Guide at lartc.org, which has an example of how to
> shape a particular host, but not how to incorporate matching the DSCP bit.
>
> I'm assuming iptables is used to match the DSCP bit, something like the
> following:
> # iptables -t mangle -A INPUT -m dscp --dscp 16 -j ????
>
> Once it is matched, though, how does one force it into a queue? Or am I
> thinking of this in the wrong way?
>
> Regards
>
> Warwick Chapman
> Marketing and Operations
> Thusa Business Support cc
>
> Cellular: +27 83 7797 094
> Telephone: +27 31 563 1180
> Facsimile: +27 31 563 1182
> Website: http://www.thusa.co.za
>
> -- There are 10 types of people in this world. Those
> who understand binary, and those who don't.
>
> --__--__--
>
> Message: 4
> Date: Wed, 22 Oct 2003 16:49:39 +0530 (IST)
> From: Vadiraj C S <vadiraj@xxxxxxxxxxxxxx>
> To: lartc@xxxxxxxxxxxxxxx
> Subject: nexthop reachability
>
> Hello all,
>
> I was just wondering if I could do this..
>
>   Local          public               Gateway1
>   Subnet         IP
>
>   local net      |------192.168.1.1--|            Internet
>   192.168.1.0----|                   |-------202.202.1.1
>                  |------202.202.1.6--|
>
> here goes my routing table
>
> at any subnet, say 192.168.1.2, i want something like this
>
> 1] route to 202.202.1.0/24 via 192.168.1.1
>
> 2] default gateway via 202.202.1.1
>
> but at the second routing configuration I get a host unreachable error from both
> the route and the ip route command..
> Though there is a route to the 202 network via 192.168.1.1 it says unreachable,
> but I can ping the 202 network..
>
> what should I do to achieve this?
>
> Why I need to do this is for dead gateway detection: I do not want to check
> whether the nexthop is reachable or not, i need to know if the ISP is reachable..
>
> Any support will be grateful!!
>
> regards
> Vadiraj C S
>
> --__--__--
>
> Message: 5
> Date: Wed, 22 Oct 2003 15:13:29 -0300 (ART)
> Subject: Re: 'Help with routing'
> From: <nixo@xxxxxxxxxxx>
> To: <rkurjata@xxxxxxxxxxxxx>
> Cc: <nixo@xxxxxxxxxxx>, <lartc@xxxxxxxxxxxxxxx>
>
> Thank you very much for the solution, but I still have a problem and I
> need help :) . Problem number one has been solved. When I trace from
> any computer of my LAN, it goes out from the right ISP. But after a short
> time, it is as if the route was cached and it goes back to the same problem.
> (I'm getting paranoid :-P )
>
> Problem number two still happens when someone from outside traces an IP
> from my LAN. The hop before completion is always answered by the
> interface which corresponds to the other ISP.
>
> Do you have an idea what can be the failure... or, can I call this a
> failure in my config?
>
> THANKS VERY MUCH
> Nicolas Fillon
> Argentina
>
> > Hi nixo,
> >
> > I suppose you don't preserve properly the output address; see my posting
> > with script from 15th October this year :)
> > (append prohibit default:)
> >
> > [...]
> >
> > --
> > Greetings,
> > Robert mailto:rkurjata@xxxxxxxxxxxxx
>
> --__--__--
>
> Message: 6
> From: "Mike Taekema" <mike@xxxxxxxxxxxxx>
> To: <lartc@xxxxxxxxxxxxxxx>
> Date: Wed, 22 Oct 2003 12:03:56 -0700
> Subject: Split access problems.
>
> Good day,
>
> I seem to be having trouble getting my split access scripts to run properly.
> Here is my split_access script:
>
> IF1=eth0
> IF2=eth1
> IP1=10.123.124.52
> IP2=10.123.124.240
> P1=10.123.124.1
> P2=10.123.124.251
> P1_NET=10.123.124.0/25
> P2_NET=10.123.124.128/25
> IFE0=eth0
> IFE1=eth1
>
>
> ip route flush all
>
> ip route add $P1_NET dev $IF1 src $IP1 table $IFE0
> ip route add default via $P1 table $IFE0
> ip route add $P2_NET dev $IF2 src $IP2 table $IFE1
> ip route add default via $P2 table $IFE1
>
> ip route add $P1_NET dev $IF1 src $IP1
> ip route add $P2_NET dev $IF2 src $IP2
>
> ip route add default via $P1
>
> ip rule add from $IP1 table $IFE0
> ip rule add from $IP2 table $IFE1
>
> exit 0
>
> Now here is my rt_tables file:
>
> #
> # reserved values
> #
> 255 local
> 254 main
> 253 default
> 0 unspec
> 2 eth0
> 4 eth1
> #
> # local
> #
> 1 inr.ruhep
>
> Now when I run the script I get these errors: (run script using sh -x
> split_access)
>
> + IF1=eth0
> + IF2=eth1
> + IP1=10.123.124.52
> + IP2=10.123.124.240
> + P1=10.123.124.1
> + P2=10.123.124.251
> + P1_NET=10.123.124.0/25
> + P2_NET=10.123.124.128/25
> + IFE0=eth0
> + IFE1=eth1
> + ip route flush all
> + ip route add 10.123.124.0/25 dev eth0 src 10.123.124.52 table eth0
> + ip route add default via 10.123.124.1 table eth0
> + ip route add 10.123.124.128/25 dev eth1 src 10.123.124.240 table eth1
> + ip route add default via 10.123.124.251 table eth1
> RTNETLINK answers: File exists
> + ip route add 10.123.124.0/25 dev eth0 src 10.123.124.52
> RTNETLINK answers: File exists
> + ip route add 10.123.124.128/25 dev eth1 src 10.123.124.240
> RTNETLINK answers: File exists
> + ip route add default via 10.123.124.1
> RTNETLINK answers: File exists
> + ip rule add from 10.123.124.52 table eth0
> RTNETLINK answers: Invalid argument
> + ip rule add from 10.123.124.240 table eth1
> RTNETLINK answers: Invalid argument
> + exit 0
>
>
> Why am I getting "File exists" and "Invalid argument" again?
>
>
> Thanks in advance
>
>
> -Mike T.
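An added model (not from any of the posts) of what `ip rule` and per-table routes do for the two-ISP setups in messages 1, 5 and 6, with constructed addresses standing in for the x'ed-out ones. It shows three things the posts turn on: a `from` address given without a mask is a /32 and steers only the router's own traffic, forwarded LAN traffic then falls through to main's multipath default and can leave by either ISP, and an appended `prohibit default` (Robert's hint) stops that fall-through when an ISP's default route is withdrawn.

```python
import ipaddress as ipa

def net(s: str) -> ipa.IPv4Network:
    """'200.47.4.10' -> a /32 host prefix, '200.47.4.0/24' -> that network,
    which is how iproute2 reads 'from' and route prefixes without a mask."""
    return ipa.ip_network(s, strict=False)

class Router:
    """Minimal model of 'ip rule' plus per-table 'ip route' lookup."""
    def __init__(self):
        self.rules = []     # (priority, 'from' prefix or None, table)
        self.tables = {}    # table -> [(prefix, nexthops)] in insertion order

    def rule(self, prio: int, frm, table: str):
        """'ip rule add [from FRM] table TABLE pref PRIO'."""
        self.rules.append((prio, net(frm) if frm else None, table))
        self.rules.sort(key=lambda r: r[0])

    def route(self, table: str, prefix: str, *nexthops: str):
        """'ip route add/append ... table TABLE'.  Two nexthops model a multipath
        route; the single nexthop 'prohibit' models 'ip route append prohibit default'."""
        self.tables.setdefault(table, []).append((net(prefix), nexthops))

    def delete(self, table: str, prefix: str):
        """'ip route del PREFIX table TABLE': removes the first matching entry."""
        routes = self.tables[table]
        for i, (p, _nh) in enumerate(routes):
            if p == net(prefix):
                del routes[i]
                return

    def lookup(self, src: str, dst: str):
        """Rules in priority order; the first table holding a route for dst decides.
        Returns one nexthop, a tuple for multipath (the kernel picks one per
        destination or flow, so either ISP may carry it), 'prohibit', or None."""
        s, d = ipa.ip_address(src), ipa.ip_address(dst)
        for _prio, frm, table in self.rules:
            if frm is not None and s not in frm:
                continue
            best = None
            for prefix, nhs in self.tables.get(table, []):
                if d in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                    best = (prefix, nhs)
            if best is not None:
                return best[1][0] if len(best[1]) == 1 else best[1]
        return None

# Constructed stand-ins for the x'ed-out addresses: ISP1 side 200.47.4.0/24
# (router 200.47.4.10, gateway 200.47.4.1), ISP2 side 200.80.32.0/26
# (router 200.80.32.10, gateway 200.80.32.1).
def as_posted() -> Router:
    """Message 1's layout: a table per ISP, 'ip rule add from <router address>',
    and a multipath default in main."""
    r = Router()
    r.route("1", "200.47.4.0/24", "dev eth0")
    r.route("1", "0.0.0.0/0", "via 200.47.4.1")
    r.route("2", "200.80.32.0/26", "dev eth2")
    r.route("2", "0.0.0.0/0", "via 200.80.32.1")
    r.rule(100, "200.47.4.10", "1")     # no mask -> /32: the router's own address only
    r.rule(101, "200.80.32.10", "2")
    r.route("main", "0.0.0.0/0", "via 200.47.4.1", "via 200.80.32.1")
    r.rule(32766, None, "main")
    return r

def with_lan_rules_and_prohibit() -> Router:
    """Rules widened to the LAN prefixes, and 'prohibit default' appended to each
    table so a withdrawn ISP default fails closed instead of falling through to
    main's multipath route (Robert's 'append prohibit default' hint)."""
    r = as_posted()
    r.rule(90, "200.47.4.0/24", "1")
    r.rule(91, "200.80.32.0/26", "2")
    r.route("1", "0.0.0.0/0", "prohibit")
    r.route("2", "0.0.0.0/0", "prohibit")
    return r
```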
>
> --__--__--
>
> Message: 7
> From: Stef Coene <stef.coene@xxxxxxxxx>
> To: Warwick Chapman <warwick@xxxxxxxxxxx>, lartc@xxxxxxxxxxxxxxx
> Subject: Re: Per host Traffic Shaping bridge, using DSCP
> Date: Wed, 22 Oct 2003 22:06:04 +0200
> Cc: anthon@xxxxxxxx
>
> On Wednesday 22 October 2003 11:39, Warwick Chapman wrote:
> > Howdy
> >
> > [...]
> >
> > I'm assuming iptables is used to match the DSCP bit, something like the
> > following:
> > # iptables -t mangle -A INPUT -m dscp --dscp 16 -j ????
> >
> > Once it is matched, though, how does one force it into a queue? Or am I
> > thinking of this in the wrong way?
> If the packets are marked with iptables, you can use the fw filter to put the
> packets in a class.
> iptables -t mangle -A INPUT -m dscp --dscp 16 -j MARK --set-mark 2
>
> Stef
>
> --
> stef.coene@xxxxxxxxx
> "Using Linux as bandwidth manager"
> http://www.docum.org/
> #lartc @ irc.openprojects.net
>
> --__--__--
>
> Message: 8
> From: "ThE PhP_KiD" <gregoriandres@xxxxxxxxxxxx>
> To: <lartc@xxxxxxxxxxxxxxx>
> Date: Wed, 22 Oct 2003 17:45:22 -0300
> Subject: esfq
>
> hi,
>
> I want to try esfq in order to make a load balance
> in my linux router (both lan side and internet side).
>
> I want all hosts of my lan to have the same bandwidth
> available.
>
> Since the linux router is connected to an ISP which provides
> a variable bandwidth, I think that I can't use HTB.
>
> Also, in this situation, how can I prioritize some
> LAN hosts over others?
>
> Thank you very much in advance.
>
> Andres.
>
> --__--__--
>
> Message: 9
> Reply-To: <marko@xxxxxxxxxx>
> From: "Marko Buuri" <marko@xxxxxxxxxx>
> To: <lartc@xxxxxxxxxxxxxxx>
> Subject: RE: Missing parameter descriptions
> Date: Mon, 20 Oct 2003 10:53:34 +0300
>
> >Damion de Soto wrote:
> >Marko Buuri wrote:
> >> I've been looking for descriptions of qdisc parameter "estimator" and u32
> >> parameter "police" (defined by POLICE_SPEC), but in vain. I hope someone on
> >> this list can explain these.
> >Have you seen :
> >http://lartc.org/howto/lartc.adv-filter.policing.html
> >with examples for 'police'
> >http://lartc.org/howto/lartc.cookbook.synflood-protect.html
> >and
> >http://lartc.org/howto/lartc.cookbook.ultimate-tc.html
>
> Thank you for replying!
>
> I find that POLICE_SPEC (term from tc command syntax, not found in the
> HOWTO) isn't very well or perhaps clearly documented. I figure what the first
> page you sent is trying to say is that the syntax is more or less:
>
> POLICE_SPEC = police [buffer [buffer] | maxburst [maxburst]] [mtu [mtu]
> | minburst [minburst]] [mpu [mpu]] [rate [rate]] (continue | drop | pass
> | reclassify)
>
> However, the examples you sent are using parameter "burst", not listed
> above. A novice such as myself can find learning Linux traffic control a bit
> confusing with these kinds of discrepancies between the HOWTO, the command
> syntax and the man pages.
>
> >I'm not sure where examples are of 'estimator' usage.
>
> If someone else here knows, please do tell.
>
> Marko
>
> --__--__--
>
> Message: 10
> From: "Walter D. Wyndroski" <wdwrn@xxxxxxxxxxxxxxxx>
> To: <lartc@xxxxxxxxxxxxxxx>
> Date: Wed, 22 Oct 2003 23:45:01 -0400
> Subject: iptables question
>
> First off, I know this is the LARTC list, but I've been living on this list
> for over a year now. :) Now with that said, I'm probably going to get flamed
> for my question. :)
>
> I've read that iptables is a first match wins system. My recent experience
> is showing that it is a last match wins. I understand that if a packet is
> matched in the prerouting chain, it may be matched again in a subsequent chain
> unless the jump target was drop.
>
> NOTE: I am not using iptables as a true firewall, much as most people on this
> list do not. I'm primarily using iptables to mark packets and drop them
> for securing my network and to deny all traffic to my router except for a
> few exclusive ports.
>
> The following is an excerpt from my router script on how I'm handling certain
> traffic to my router and this works: (This example is a last match wins)
>
> #Deny All Traffic to Interface except SSH and ICMP
> $IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p icmp -j ACCEPT            #CMTS Link
> $IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p ! tcp -j DROP             #CMTS Link
> $IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p tcp --dport ! 22 -j DROP  #CMTS Link
>
> ##Allow SNMP Calls Via MRTG To This Interface Only
> $IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 161 -j ACCEPT
> $IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 162 -j ACCEPT
>
> This is how I was doing it and it worked: (This example is a first match wins)
> (note: I was routing the fwmark 1 to blackhole)
>
> ##Allow SNMP Calls Via MRTG To This Interface Only
> $IPTABLES -A PREROUTING -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 161 -j ACCEPT
> $IPTABLES -A PREROUTING -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 162 -j ACCEPT
>
> #Deny All Traffic to Interface except SSH and ICMP
> $IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p icmp -j ACCEPT                       #CMTS Link
> $IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p ! tcp -j MARK --set-mark 1            #CMTS Link
> $IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p tcp --dport ! 22 -j MARK --set-mark 1 #CMTS Link
>
> I just need someone to tell me when iptables is using first match wins versus
> last match wins. I think I am missing something but I am not sure. I stay
> so busy with other tasks that I cannot devote the time that I need and would
> like to this.
> Anyway, many thanks in advance.
>
> Walt Wyndroski
> **********************************************************************************************
> * This message has been scanned by CityNET's email scanner for viruses and dangerous content *
> * and is believed to be clean. CityNET is proud to use MailScanner. For more information     *
> * concerning MailScanner, visit http://www.mailscanner.info                                  *
> **********************************************************************************************
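An added model (not Walt's code, nor anything from the list) of how netfilter walks the two rule sets in message 10, to show where the "first match" and "last match" impressions each come from. It encodes two facts: within a chain, the first matching rule with a terminating target (ACCEPT, DROP) decides, while MARK is non-terminating, so a marked packet keeps walking and later rules still apply to it; and a packet addressed to the router's own IP takes PREROUTING then INPUT and never enters FORWARD. Interface matches are left out, and the sample source 10.0.0.9 is constructed.

```python
from dataclasses import dataclass
from typing import Optional

ROUTER_IP = "172.20.0.5"        # the router address from the post
MRTG_HOST = "66.28.168.226"     # the MRTG/SNMP poller from the post

@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    dst: str
    src: str = "10.0.0.9"       # constructed sample source for "anyone else"
    dport: int = 0
    mark: int = 0               # fwmark; 0 = unmarked

@dataclass
class Rule:
    """One iptables rule: matches are ANDed, a '!' match is a negation."""
    target: str                 # "ACCEPT", "DROP" or "MARK"
    proto: Optional[str] = None
    proto_neg: bool = False     # '-p ! tcp'
    dport: Optional[int] = None
    dport_neg: bool = False     # '--dport ! 22'
    src: Optional[str] = None
    dst: Optional[str] = None
    set_mark: int = 0           # '--set-mark N' for MARK

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and (p.proto == self.proto) == self.proto_neg:
            return False
        if self.dport is not None and (p.dport == self.dport) == self.dport_neg:
            return False
        if self.src is not None and p.src != self.src:
            return False
        return self.dst is None or p.dst == self.dst

def traverse(chain, p: Packet, policy: str = "ACCEPT") -> str:
    """Walk a chain top to bottom: the first matching rule with a terminating
    target ends the walk; MARK sets p.mark and the walk continues."""
    for r in chain:
        if not r.matches(p):
            continue
        if r.target == "MARK":
            p.mark = r.set_mark
            continue
        return r.target
    return policy               # fell off the end: the chain policy applies

# Rule set A from the post (mangle FORWARD), in the order given there.
FORWARD = [
    Rule("ACCEPT", proto="icmp", dst=ROUTER_IP),
    Rule("DROP", proto="tcp", proto_neg=True, dst=ROUTER_IP),
    Rule("DROP", proto="tcp", dport=22, dport_neg=True, dst=ROUTER_IP),
    Rule("ACCEPT", proto="udp", dport=161, src=MRTG_HOST, dst=ROUTER_IP),
    Rule("ACCEPT", proto="udp", dport=162, src=MRTG_HOST, dst=ROUTER_IP),
]
# Rule set B from the post (mangle PREROUTING; fwmark 1 is routed to a blackhole).
PREROUTING = [
    Rule("ACCEPT", proto="udp", dport=161, src=MRTG_HOST, dst=ROUTER_IP),
    Rule("ACCEPT", proto="udp", dport=162, src=MRTG_HOST, dst=ROUTER_IP),
    Rule("ACCEPT", proto="icmp", dst=ROUTER_IP),
    Rule("MARK", proto="tcp", proto_neg=True, dst=ROUTER_IP, set_mark=1),
    Rule("MARK", proto="tcp", dport=22, dport_neg=True, dst=ROUTER_IP, set_mark=1),
]

def forward_setup(p: Packet) -> str:
    """Rule set A.  A packet for the router's own address is delivered locally
    (PREROUTING -> INPUT) and never enters FORWARD, so set A is not consulted."""
    if p.dst == ROUTER_IP:
        return "NOT-TRAVERSED"
    return traverse(FORWARD, p)

def prerouting_setup(p: Packet) -> str:
    """Rule set B.  Every packet enters PREROUTING; an unmarked ACCEPT passes,
    a mark of 1 is then acted on by the post's 'fwmark 1 -> blackhole' route."""
    verdict = traverse(PREROUTING, p)
    if verdict == "ACCEPT" and p.mark == 1:
        return "BLACKHOLE"
    return verdict
```

The second assertion in the test below is the interesting one: had set A been consulted for the SNMP poll, the `-p ! tcp -j DROP` rule would have ended the walk before the later ACCEPT, so the order that looks like "last match wins" only appears to work because those packets never reach FORWARD.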
>
> --__--__--
>
> _______________________________________________
> LARTC mailing list
> LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/mailman/listinfo/lartc
>
> End of LARTC Digest

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/