Re: AW: [LARTC] Activate ingress policies on suse enterprise server 9
Grames Gernot wrote:

> Hi,
>
> Thanks for the fast response,
>
> .) Okay, I tried your suggestion for my port 8099 and nothing happened:
> The TCP/IP information goes from a firewall to my port 8099, and this port is then routed to the original 8080. I do that because I don't want to disturb my port 8080. But it seems the ingress filter doesn't work on it!!
>
> iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             iacapp3.local        tcp dpt:8099 to:192.168.0.10:8080
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> .) I tried it then for port 8080 and something happened, but no drop of the packets:
>
> #tcpdump port 8080
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 15:07:21.522898 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S 3628241160:3628241160(0) win 64240
> 15:07:24.440701 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S 3628241160:3628241160(0) win 64240
> 15:07:30.456696 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S 3628241160:3628241160(0) win 64240
> 3 packets captured
> 3 packets received by filter
> 0 packets dropped by kernel

tcpdump will see packets before the policer - so they could still be dropped.

Just to confuse matters though, depending on kernel options the ingress policer may see packets before or after prerouting.

Use tc -s qdisc ls dev eth0 to see drops.

Andy.

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
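An added example, not code from the thread, that turns Andy's two answers into a script: it installs the policer with the corrected "burst 1" form (no "mtu", which gave the allocation error) for both the original and the DNAT-translated port, and judges whether the policer works from the ingress qdisc's own dropped counter rather than from tcpdump. The interface, ports, and the two statistics snapshots are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Installs a drop-all ingress policer
# for one destination port and checks the qdisc's dropped counter, because
# tcpdump captures before the policer runs and cannot show policer drops.
# Assumes iproute2 "tc" and POSIX awk; DEV/PORT values and the sample
# statistics below are constructed placeholders.

# Print the command when DRY_RUN=1, otherwise execute it (needs root).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$1"; else sh -c "$1"; fi; }

# Policer commands for one port. "burst 1" with no "mtu" is the form that
# worked in the thread; "burst 1kbit mtu 1" gave a memory allocation error.
# A PREROUTING DNAT (8099 -> 8080 in the thread) may be applied before or
# after the ingress policer sees the packet, depending on kernel options,
# so call this for both the original and the translated port.
install_policer() {
    dev=$1; port=$2
    run "tc qdisc add dev $dev ingress"
    run "tc filter add dev $dev parent ffff: protocol ip u32 match ip dport $port 0xffff police rate 1kbit burst 1 drop flowid :1"
}

# Read "tc -s qdisc ls dev <dev>" output on stdin and print the dropped
# counter of the ingress qdisc (the "Sent ..." line after "qdisc ingress").
ingress_dropped() {
    awk '/^qdisc ingress/ { inq = 1; next }
         inq && /dropped/  { sub(/.*dropped /, ""); sub(/[,) ].*/, ""); print; exit }'
}

# Compare two snapshots: the policer is working only if the counter grew.
policer_active() {
    before=$(printf '%s\n' "$1" | ingress_dropped)
    after=$(printf '%s\n' "$2" | ingress_dropped)
    [ "${after:-0}" -gt "${before:-0}" ]
}

# Constructed snapshots in the format the thread's "tc -s qdisc ls" shows.
STATS_BEFORE='qdisc ingress ffff: ----------------
 Sent 83463 bytes 1002 pkts (dropped 0, overlimits 0)
qdisc pfifo_fast 0: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 316975056 bytes 1093222 pkts (dropped 0, overlimits 0)'
STATS_AFTER='qdisc ingress ffff: ----------------
 Sent 83607 bytes 1005 pkts (dropped 3, overlimits 3)
qdisc pfifo_fast 0: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 316975056 bytes 1093222 pkts (dropped 0, overlimits 0)'

# Guarded so the script runs without root; set DRY_RUN=1 to print the commands.
if [ "${DRY_RUN:-0}" = 1 ]; then
    install_policer eth0 8099; install_policer eth0 8080
fi
policer_active "$STATS_BEFORE" "$STATS_AFTER" && echo "ingress policer is dropping"
```

On a live box, take the two snapshots with "tc -s qdisc ls dev eth0" before and after sending traffic to the policed port.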
AW: [LARTC] Activate ingress policies on suse enterprise server 9
Hi,

Thanks for the fast response,

.) Okay, I tried your suggestion for my port 8099 and nothing happened:
The TCP/IP information goes from a firewall to my port 8099, and this port is then routed to the original 8080. I do that because I don't want to disturb my port 8080. But it seems the ingress filter doesn't work on it!!

iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             iacapp3.local        tcp dpt:8099 to:192.168.0.10:8080

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

.) I tried it then for port 8080 and something happened, but no drop of the packets:

#tcpdump port 8080
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:07:21.522898 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S 3628241160:3628241160(0) win 64240
15:07:24.440701 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S 3628241160:3628241160(0) win 64240
15:07:30.456696 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S 3628241160:3628241160(0) win 64240
3 packets captured
3 packets received by filter
0 packets dropped by kernel

Thanks,
Gernot

> GRAMES Gernot
> __
> SIEMENS AG Austria
> PSE SMC AI 21
> * Tel.: +43 (0) 5 1707 24356
> * FAX: +43 (0) 5 1707 54600
> * E-Mail: mailto:[EMAIL PROTECTED]
> Siemensstrasse 88 - 92
> A-1210 VIENNA
> __

-----Original Message-----
From: Andy Furniss [mailto:[EMAIL PROTECTED]]
Sent: Monday, 18 April 2005 15:01
To: Grames Gernot
Cc: 'lartc@mailman.ds9a.nl'
Subject: Re: [LARTC] Activate ingress policies on suse enterprise server 9

Grames Gernot wrote:
> Hi,
>
> what is needed to activate ingress policies for enterprise server 9!
> tc qdisc add dev eth0 ingress
> tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099 0xffff police rate 1kbit burst 1kbit mtu 1 drop flowid :1

I get a memory allocation error if I try to add that.

Playing around it seems policer doesn't like small burst and mtu together.

Burst is a value and will act like MTU so the rule below should work and do what you want - drop everything with dport 8099.

tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099 0xffff police rate 1kbit burst 1 drop flowid :1

Andy.
Re: [LARTC] Activate ingress policies on suse enterprise server 9
Grames Gernot wrote:
> Hi,
>
> what is needed to activate ingress policies for enterprise server 9!
> tc qdisc add dev eth0 ingress
> tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099 0xffff police rate 1kbit burst 1kbit mtu 1 drop flowid :1

I get a memory allocation error if I try to add that.

Playing around it seems policer doesn't like small burst and mtu together.

Burst is a value and will act like MTU so the rule below should work and do what you want - drop everything with dport 8099.

tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099 0xffff police rate 1kbit burst 1 drop flowid :1

Andy.
[LARTC] Activate ingress policies on suse enterprise server 9
Hi,

what is needed to activate ingress policies for enterprise server 9!

My current loaded modules: in the attachments

my kernel:
Linux linux 2.6.5-7.97-smp #1 SMP Fri Jul 2 14:21:59 UTC 2004 i686 i686 i386 GNU/Linux

So you can see the module sch_ingress is loaded and also the package iproute2 is installed.

I have also set a filter for ingress policies, but I don't think it is working, because I have never dropped packets:

tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099 0xffff police rate 1kbit burst 1kbit mtu 1 drop flowid :1

# tc -s qdisc ls dev eth0
qdisc ingress ffff:
 Sent 83463 bytes 1002 pkts (dropped 0, overlimits 0)
qdisc pfifo_fast 0: [Unknown qdisc, optlen=20]
 Sent 316975056 bytes 1093222 pkts (dropped 0, overlimits 0)

An example tcpdump:

# tcpdump -v port 8099
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:19:25.340470 IP (tos 0x0, ttl 63, id 31421, offset 0, flags [DF], length: 48) 158.226.150.44.4870 > iacapp3.local.8099: S [tcp sum ok] 2049470510:2049470510(0) win 64240
13:19:25.341584 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], length: 48) iacapp3.local.8099 > 158.226.150.44.4870: S [tcp sum ok] 1753072926:1753072926(0) ack 2049470511 win 5840
13:19:25.341042 IP (tos 0x0, ttl 63, id 31422, offset 0, flags [DF], length: 40) 158.226.150.44.4870 > iacapp3.local.8099: . [tcp sum ok] ack 1 win 64240
13:19:25.342163 IP (tos 0x0, ttl 63, id 31423, offset 0, flags [DF], length: 704) 158.226.150.44.4870 > iacapp3.local.8099: P 1:665(664) ack 1 win 64240
13:19:25.342188 IP (tos 0x0, ttl 64, id 52551, offset 0, flags [DF], length: 40) iacapp3.local.8099 > 158.226.150.44.4870: . [tcp sum ok] ack 665 win 6640
13:19:25.357938 IP (tos 0x0, ttl 64, id 52552, offset 0, flags [DF], length: 297) iacapp3.local.8099 > 158.226.150.44.4870: P 1:258(257) ack 665 win 6640
13:19:25.490836 IP (tos 0x0, ttl 63, id 31429, offset 0, flags [DF], length: 399) 158.226.150.44.4870 > iacapp3.local.8099: P 665:1024(359) ack 258 win 63983
13:19:25.491986 IP (tos 0x0, ttl 64, id 52553, offset 0, flags [DF], length: 1288) iacapp3.local.8099 > 158.226.150.44.4870: P 258:1506(1248) ack 1024 win 7968
13:19:25.691613 IP (tos 0x0, ttl 63, id 31436, offset 0, flags [DF], length: 40) 158.226.150.44.4870 > iacapp3.local.8099: . [tcp sum ok] ack 1506 win 64240
9 packets captured
9 packets received by filter
0 packets dropped by kernel

What is missing!? Or is my filter wrong!

Thanks,
Gernot

Attachments: lsmod (binary data), packages (binary data)