AW: AW: Activate ingress policies on suse enterprise server 9

Linux Advanced Routing and Traffic Control

Good Morning,

Thanks for your hint, now I can see the dropped packets!
But it is only working for port 8080, why not for port 8099??

(If you need some indices please let me know)

Thanks
Gernot

> GRAMES Gernot
> __________________________________
>       SIEMENS AG Austria
>       PSE SMC AI 21   
>       *       Tel.: +43 (0) 5 1707 24356
>       *       FAX: +43 (0) 5 1707 54600
>       *       E-Mail: mailto:Gernot.Grames@xxxxxxxxxxx
>       Siemensstrasse 88 - 92
>       A-1210 VIENNA
> __________________________________
>

-----Original Message-----
From: Andy Furniss [mailto:andy.furniss@xxxxxxxxxxxxx]
Sent: Monday, 18 April 2005 16:05
To: Grames Gernot
Cc: 'lartc@xxxxxxxxxxxxxxx'
Subject: Re: AW: [LARTC] Activate ingress policies on suse enterprise server 9

Grames Gernot wrote:
> Hi,
>
> Thanks for the fast response,
>
> .)Okay, I tried your suggestion for my port 8099 and nothing happened:
> The tcp ip information goes from a firewall to my port 8099 and this port is
> then routed to the original 8080, I do that because I don't want to disturb
> my port 8080.
> But it seems the ingress filter doesn't work on it!!
>
> iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             iacapp3.local       tcp dpt:8099
> to:192.168.0.10:8080
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> .)I then tried for the port 8080 and something happened but no drop of the
> packets:
> #tcpdump port 8080
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 15:07:21.522898 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S
> 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>
> 15:07:24.440701 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S
> 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>
> 15:07:30.456696 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S
> 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>
>
> 3 packets captured
> 3 packets received by filter
> 0 packets dropped by kernel

tcpdump will see packets before the policer - so they could still be
dropped. Just to confuse matters though, depending on kernel options the
ingress policer may see packets before or after prerouting.

Use tc -s qdisc ls dev eth0 to see drops.

Andy.

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
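
Added example, not part of the original messages: since tcpdump captures packets before the ingress policer acts, the place to confirm drops is the "dropped" counter of the ingress qdisc in the tc -s qdisc ls output. The sketch below reads that counter and reports how much it grew between two snapshots; the function names and the sample tc output are constructed for illustration.

```shell
#!/bin/sh
# Read `tc -s qdisc ls dev <if>` output on stdin and print the "dropped"
# counter of the ingress qdisc. Prints nothing if no ingress qdisc is listed.
ingress_drops() {
    awk '
        /^qdisc / { in_ingress = ($2 == "ingress") }   # track which qdisc we are in
        in_ingress && /dropped/ {
            for (i = 1; i <= NF; i++)
                if ($i == "(dropped") {
                    n = $(i + 1); sub(/,$/, "", n); print n; exit
                }
        }
    '
}

# Print how many packets the ingress qdisc dropped between two snapshots.
# Returns 1 if either snapshot has no ingress qdisc (policer not attached).
drop_delta() {
    before=$(printf '%s\n' "$1" | ingress_drops)
    after=$(printf '%s\n' "$2" | ingress_drops)
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo "no ingress qdisc in snapshot" >&2
        return 1
    fi
    echo $((after - before))
}

# Constructed sample snapshots (not taken from the thread), a few seconds apart.
SNAP1='qdisc pfifo_fast 0: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 91234 bytes 812 pkt (dropped 0, overlimits 0 requeues 0)
qdisc ingress ffff: ----------------
 Sent 4200 bytes 70 pkt (dropped 2, overlimits 0 requeues 0)'
SNAP2='qdisc pfifo_fast 0: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 93410 bytes 830 pkt (dropped 0, overlimits 0 requeues 0)
qdisc ingress ffff: ----------------
 Sent 4380 bytes 73 pkt (dropped 5, overlimits 0 requeues 0)'

echo "ingress drops between snapshots: $(drop_delta "$SNAP1" "$SNAP2")"

# Live use (needs root and an ingress qdisc on the device):
#   tc -s qdisc ls dev eth0 | ingress_drops
```

A delta of zero while tcpdump still shows the packets means the policer's filter did not match them, which is the case to check for the redirected port.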
