Re: outbound shaping

Linux Advanced Routing and Traffic Control

Andy Furniss wrote:
> 
> >>> I am running proftpd on (192.168.1.101) with the port set to 65437 and
> >>> with passive ports set to 50000-51000.  Proftpd allows you to specify a
> >>> range of ports to use on passive transfers.  I need to be able to limit
> >>> my outbound ftp traffic to 40 Kbytes per second.
> 
> Could you post the bits of the proftpd config that do this - I have (but
> rarely use) proftpd and could test.
> 
> >>> The only way I can see to do this is limit by marking packets with
> >>> iptables.  I am marking traffic on 65436 which is the active ftp data
> >>> port (65437-1) and 50000-60000.  Outbound shaping is working
> >>> fine....however....inbound ftp traffic is also being shaped to 40K.  I
> >>> have no idea why.
> 
> Is this when there is ftp traffic both ways or just inbound?
> 
> >>>
> >>> Seems to me the below rules should mark outbound packets and shape only
> >>> outbound packets.  I dont understand why inbound packets are getting
> >>> shaped.
> >>>
> >>> Here is the script:
> >>> #!/bin/bash
> >>> # shaping passive and active outbound ftp traffic on an internal computer
> >>> # without affecting inbound and lan speed
> >>>
> >>> # mark the outbound passive ftp packets on ports 50000-51000
> >>> iptables -t mangle -N MYSHAPER-OUT
> >>> iptables -t mangle -I OUTPUT -o eth0 -j MYSHAPER-OUT
> >>>
> >>> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65436 -j MARK --set-mark 20
> >>> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 20
> >>> iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26
> >>>
> >>
> >>
> >> 1) Are you sure these rules are correctly marking and that the marks
> >> exist at the time the tc filter sees the packet?  My hunch is NOT.
> >> ASIDE: We _really_ need a way for filters to report hit counts!
> >>
> >>
> >>
> > No, I am not sure.  I have used the command 'watch -n1 tc -s class ls
> > dev eth0' to see the packets flying but i dont really know how to make
> > sure they are being marked correctly.  I must assume that ALL packets on
> > ports 65436 and 50000-510000 are being marked because they are being
> > shaped.  Just not sure why incoming packets are being marked and
> > shaped.  Outbound shaping is working just fine.
> 
> You can see counters for iptables rules with iptables -t mangle -L -v -n
> 
> Andy.

I have been thinking about this without getting much of anywhere, but
here's what I think.

Let me start by paraphrasing your setup:
You have a cable modem that is connecting to a NATting box that runs
only IPCOP.  This IPCOP box forwards everything to the LAN.  On the LAN
side of IPCOP all the packets you wish to shape have an IP ending
1.101.  The computer with IP 1.100 can be ignored for shaping purposes.

If you MARK in iptables on IPCOP, I think the mark is internal only so
that 101 will never see the mark.  You may not even be able to MARK on
the IPCOP box (I know nothing of IPCOP).  If you are able to on the
IPCOP machine, consider setting the TOS field in the mangle table for
externally initiated FTP such that either all bits are on or all are off
(or some other unique value); then on 101 examine TOS and MARK
appropriately on the 101 machine or, preferably, just u32 match the TOS
there.  

If mangling TOS on IPCOP is possible and fruitful, be sure to do your
homework regarding mangle and PREROUTING (or whatever chain does what
you need).

The IPCOP computer will "know" by the interface and --dport / --sport
which FTP sessions were initiated from the internet versus those
initiated on your LAN, but I can't see how 101 ever could.  IPCOP might
also run one or more of netfilter's conntracks for FTP if that were
needed.

If I come up with anything after sleeping on this, I'll let you know. 
But for now the above is all I can conceive.

gyxpy
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
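Andy's suggestion of reading the mangle counters is the quickest way to answer the "are the marks really being set" question in the thread. The following is an added example, not code from anyone in this thread: it parses a constructed sample of `iptables -t mangle -L MYSHAPER-OUT -v -n` output (the counters are made up), reports which MARK rules have never matched, and totals the packets carrying each mark value that a `tc filter ... fw` would key on.

```python
import re

# Constructed sample of `iptables -t mangle -L MYSHAPER-OUT -v -n` output; the
# counters are invented, not taken from the poster's box.  Without -x, iptables
# prints byte counters with K/M/G suffixes, so the parser has to accept them.
SAMPLE_LISTING = """\
Chain MYSHAPER-OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 4821 6012K MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:65436 MARK set 0x14
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:50000:51000 MARK set 0x14
 9310 1209K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0 MARK set 0x1a
"""

SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

# pkts, bytes(+suffix), target, prot, then opt/in/out/source/destination, then the match text
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)([KMG]?)\s+(\S+)\s+(\S+)"
    r"\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$"
)


def parse_mangle_listing(text):
    """Return one dict per rule line: packets, bytes, target, proto, match text, mark value."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:  # chain header, column header and blank lines do not start with a counter
            continue
        pkts, byt, suf, target, proto, rest = m.groups()
        mark = re.search(r"MARK set (0x[0-9a-fA-F]+)", rest)
        rules.append({
            "pkts": int(pkts),
            "bytes": int(byt) * SUFFIX[suf],
            "target": target,
            "proto": proto,
            "match": rest.strip(),
            "mark": int(mark.group(1), 16) if mark else None,
        })
    return rules


def unhit_mark_rules(rules):
    """Match text of MARK rules whose packet counter is still zero: no packet ever got that mark."""
    return [r["match"] for r in rules if r["target"] == "MARK" and r["pkts"] == 0]


def packets_per_mark(rules):
    """Total packets that received each mark value (what a tc 'fw' filter keys on)."""
    totals = {}
    for r in rules:
        if r["mark"] is not None:
            totals[r["mark"]] = totals.get(r["mark"], 0) + r["pkts"]
    return totals
```

A MARK rule that stays at zero while a transfer is running means the classifier never sees that mark, which narrows the problem to the iptables match rather than the tc class.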
