RE: [LARTC] Packets marked but no shaping is done
In the last mail I only put the results of listing chains and classes. This is how the chains are made:

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog

# Flush all rules and delete all custom chains
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X

# Set up policies
/sbin/iptables -P INPUT DROP    # Changed from ACCEPT to DROP for selective access, with the exception of HTTP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT

# This chain will log, then DROPs "Xmas" and Null packets which might
# indicate a port-scan attempt
/sbin/iptables -N PSCAN
/sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "TCP Scan? "
/sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "UDP Scan? "
/sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "ICMP Scan? "
/sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? "
/sbin/iptables -A PSCAN -j DROP

# Disallow packets frequently used by port-scanners, XMas and Null
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j PSCAN
/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j PSCAN
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j PSCAN
/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j PSCAN

# Limit Packets- helps reduce dos/syn attacks
# (this rule has no -j target, so it only counts matching SYNs; it neither accepts nor drops them)
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec

# CUSTOM chains, can be used by the users themselves
/sbin/iptables -N CUSTOMINPUT
/sbin/iptables -A INPUT -j CUSTOMINPUT
/sbin/iptables -N CUSTOMFORWARD
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -t nat -N CUSTOMPREROUTING
/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING

# Accept everything connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# localhost and ethernet. ($GREEN_DEV is the LAN interface, eth0 in the listings)
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.1 -m mac --mac-source 00-02-44-67-30-30 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.2 -m mac --mac-source 00-02-44-67-30-5E -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.3 -m mac --mac-source 00-02-44-59-71-40 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.4 -m mac --mac-source 00-D0-09-D5-6B-12 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.5 -m mac --mac-source 00-50-FC-9D-7A-5B -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.6 -m mac --mac-source 00-80-5F-8F-C2-48 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.7 -m mac --mac-source 00-06-4F-05-FB-16 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.1 -m mac --mac-source 00-02-44-67-30-30 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.2 -m mac --mac-source 00-02-44-67-30-5E -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.3 -m mac --mac-source 00-02-44-59-71-40 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.4 -m mac --mac-source 00-D0-09-D5-6B-12 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.5 -m mac --mac-source 00-50-FC-9D-7A-5B -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.6 -m mac --mac-source 00-80-5F-8F-C2-48 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.7 -m mac --mac-source 00-06-4F-05-FB-16 -j ACCEPT

/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -d 192.168.1.5 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 193.108.54.37 -d 192.168.1.5 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -d 192.168.1.5 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 193.108.54.37 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 128.242.207.197 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 80.86.96.1 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -j DROP

# Per-host marks (the listing is cut off after the rule for 192.168.1.5)
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.1 -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.2 -j MARK --set-mark 2
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.3 -j MARK --set-mark 3
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.4 -j MARK --set-mark 4
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.5 -j
In reply to: "[LARTC] Packets marked but no shaping is done" from 10/20/2003
--===--
Stef> On Monday 20 October 2003 17:40, Dragos Cinteza wrote:
>> Here it is now in plain text, just pls help me understand, cuz it seems
>> very illogical what happens. Sorry for sending this 3 times. I hope it
>> is ok now.
Stef> Euh. I don't see a tc filter statement. And where is the iptables line that
Stef> matches the packets ??? Also, post your tc commands and your iptables rules.
Stef> Stef
[LARTC] Packets marked but no shaping is done
Here it is now in plain text, just pls help me understand, cuz it seems very illogical what happens. Sorry for sending this 3 times. I hope it is ok now.

Hello lartc users,

I mark packets (by MAC and IP), works on my LAN except for 1 single host. This host is able to fuck-up the entire network because not a single bit of his traffic is shaped. This way when he is downloading there is no more internet in the entire LAN. Here is what I get:

~ # iptables -L -n -v
Chain INPUT (policy DROP 129 packets, 18244 bytes)
 pkts bytes target     prot opt in     out     source               destination
 121K   89M ipac~o     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
 2106  103K            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x02 limit: avg 10/sec burst 5
 121K   89M CUSTOMINPUT all --  *      *       0.0.0.0/0            0.0.0.0/0
 117K   88M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  215  7951 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   21  1260 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  671 40197 ACCEPT     all  --  eth0   *       192.168.1.1          0.0.0.0/0           MAC 00:02:44:67:30:30
   54  4471 ACCEPT     all  --  eth0   *       192.168.1.2          0.0.0.0/0           MAC 00:02:44:67:30:5E
 1417 87806 ACCEPT     all  --  eth0   *       192.168.1.3          0.0.0.0/0           MAC 00:02:44:59:71:40
  734 56195 ACCEPT     all  --  eth0   *       192.168.1.4          0.0.0.0/0           MAC 00:D0:09:D5:6B:12
  394 28308 ACCEPT     all  --  eth0   *       192.168.1.5          0.0.0.0/0           MAC 00:50:FC:9D:7A:5B
    0     0 ACCEPT     all  --  eth0   *       192.168.1.6          0.0.0.0/0           MAC 00:80:5F:8F:C2:48
  109 11947 ACCEPT     all  --  eth0   *       192.168.1.7          0.0.0.0/0           MAC 00:06:4F:05:FB:16
    0     0 ACCEPT     all  --  ipsec+ *       0.0.0.0/0            0.0.0.0/0
  129 18244 RED        all  --  *      *       0.0.0.0/0            0.0.0.0/0
  129 18244 XTACCESS   all  --  *      *       0.0.0.0/0            0.0.0.0/0
  113 16529 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `INPUT '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 198K   62M ipac~fi    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 198K   62M ipac~fo    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
 198K   62M CUSTOMFORWARD all -- *    *       0.0.0.0/0            0.0.0.0/0
 190K   61M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   *       192.168.1.1          0.0.0.0/0           MAC 00:02:44:67:30:30
    1    48 ACCEPT     all  --  eth0   *       192.168.1.2          0.0.0.0/0           MAC 00:02:44:67:30:5E
  429 54514 ACCEPT     all  --  eth0   *       192.168.1.3          0.0.0.0/0           MAC 00:02:44:59:71:40
 6831  832K ACCEPT     all  --  eth0   *       192.168.1.4          0.0.0.0/0           MAC 00:D0:09:D5:6B:12
  478 28669 ACCEPT     all  --  eth0   *       192.168.1.5          0.0.0.0/0           MAC 00:50:FC:9D:7A:5B
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            192.168.1.5         tcp dpt:19995
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            192.168.1.5         tcp dpt:19995
    0     0 ACCEPT     all  --  eth0   *       192.168.1.6          0.0.0.0/0           MAC 00:80:5F:8F:C2:48
   72  5774 ACCEPT     all  --  eth0   *       192.168.1.7          0.0.0.0/0           MAC 00:06:4F:05:FB:16
    0     0 ACCEPT     all  --  ipsec+ *       0.0.0.0/0            0.0.0.0/0
    0     0 PORTFWACCESS all --  *     *       0.0.0.0/0            0.0.0.0/0
    0     0 DMZHOLES   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `OUTPUT '

Chain OUTPUT (policy ACCEPT 141K packets, 85M bytes)
 pkts bytes target     prot opt in     out     source               destination
 141K   85M ipac~i     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain CUSTOMFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

The bad host is 192.168.1.1. As you can see his packets are marked, but then the shaping is not done at all.
~ # tc -d -s class show dev eth1
class htb 10:10 root rate 125Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 7
 Sent 45405999 bytes 110084 pkts (dropped 0, overlimits 0)
 rate 90bps 1pps
 lended: 35284 borrowed: 0 giants: 0
 tokens: 2086912 ctokens: 79872

class htb 10:1 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 14563554 ctokens: 90112

class htb 10:2 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 14563554 ctokens: 90112

class htb 10:3 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
 Sent 446562 bytes 6804 pkts (dropped 0, overlimits 0)
 rate 5bps
 lended: 6804 borrowed: 0 giants: 0
 tokens: 14344532 ctokens: 58573

class htb 10:4 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
 Sent 44734592 bytes 102026 pkts (dropped 0, overlimits 0)
 rate 37bps
 lended: 66742 borrowed: 35284 giants: 0
 tokens: 14518044 ctokens: 83560

class htb 10:5 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
 Sent 216317 bytes 1153 pkts (dropped 0, ove
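Stef's point in the reply is that the mangle rules set a mark but nothing on eth1 ties fwmark N to class 10:N, so HTB never sees a reason to put those packets in a per-host leaf. The script below is an added example, not the poster's or the list's code: it builds an HTB tree like the one in the tc listing (root class 10:10 at 125Kbit, one 18Kbit leaf per host) together with the missing "tc filter ... fw" lines, and includes a check that reports which marks have no fw filter in "tc filter show" output. It assumes eth1 is the uplink, marks 1..7 as in the mangle rules, and a leaf class 10:100 (my choice, not on the page) as the HTB default.

```shell
#!/bin/sh
# Added example, not the poster's script: the HTB tree from the tc listing
# plus the "tc filter ... fw" lines mapping fwmark N to class 10:N, which the
# poster's rules never create, so marked packets never reach their class.
# Assumes: eth1 uplink, marks 1..NHOSTS as in mangle PREROUTING, and a leaf
# class 10:100 (chosen here) as HTB default for unmarked traffic.
DEV=${DEV:-eth1}
CEIL=${CEIL:-125Kbit}
RATE=${RATE:-18Kbit}
NHOSTS=${NHOSTS:-7}
TC=${TC:-tc}

# DRY_RUN=1 (default) prints the commands instead of executing them.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# fwmark N -> class 10:N. "handle N fw" matches the value set by
# "-j MARK --set-mark N"; without this filter HTB ignores the mark.
fw_filter_cmd() {
    printf '%s filter add dev %s parent 10: protocol ip prio 1 handle %s fw flowid 10:%s\n' \
        "$TC" "$DEV" "$1" "$1"
}

build_tree() {
    run "$TC" qdisc del dev "$DEV" root 2>/dev/null || true
    # The default must be a leaf: HTB sends traffic whose default class is
    # an inner class straight to its direct (unshaped) queue.
    run "$TC" qdisc add dev "$DEV" root handle 10: htb default 100
    run "$TC" class add dev "$DEV" parent 10: classid 10:10 htb rate "$CEIL" ceil "$CEIL"
    run "$TC" class add dev "$DEV" parent 10:10 classid 10:100 htb rate "$RATE" ceil "$CEIL" prio 2
    n=1
    while [ "$n" -le "$NHOSTS" ]; do
        run "$TC" class add dev "$DEV" parent 10:10 classid "10:$n" htb rate "$RATE" ceil "$CEIL" prio 2
        run $(fw_filter_cmd "$n")
        n=$((n + 1))
    done
}

# Check: given the text of "tc filter show dev $DEV", print the marks in
# 1..NHOSTS that have no fw filter (tc prints the handle in hex, e.g. 0xa).
missing_fw_filters() {
    n=1; missing=""
    while [ "$n" -le "$NHOSTS" ]; do
        hex=$(printf '0x%x' "$n")
        printf '%s\n' "$1" | grep -Eq "fw.*handle $hex( |$)" || missing="$missing $n"
        n=$((n + 1))
    done
    printf '%s\n' "${missing# }"
}

# Run with DRY_RUN=0 as root to apply; the default only prints the commands.
build_tree
```

Note that the poster's marks match on the source address, so they tag each host's uploads leaving via eth1; traffic downloaded to a host leaves on eth0 and would need its own marks (on -d) and a tree on that interface.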