[LARTC] port filtering for UDP packets?

2004-02-03 Thread Q-ha Park
This is what I did to filter outbound UDP packets with the destination
port number 6003 thru HTB queue 1:1.

tc filter add dev eth0 parent 1: protocol ip prio 1 \
u32 match ip dport 6003 0xffff flowid 1:1

However, it only worked for TCP port, not UDP. Does anyone know why this
happens and how to solve it?

Your help would be greatly appreciated.. thanks in advance!

Q-ha Park



___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
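What the filter in this post actually compares can be seen by modelling the u32 classifier's selectors. The Python below is an added example, not code from the list post or from iproute2: it reproduces the two raw selectors that iproute2's u32 front end emits for the keywords `match ip dport PORT 0xffff` (16 bits at byte offset 22 from the start of the IPv4 header) and `match ip protocol PROTO 0xff` (8 bits at offset 9), runs them over constructed IPv4/TCP and IPv4/UDP packets, and spells the selector list out in the explicit `match uN VALUE MASK at OFFSET` tc syntax. The packet bytes, addresses and ports are constructed for the demonstration. It shows that the `ip dport` selector is transport-blind (it matches whatever 16 bits sit at offset 22, so TCP and UDP alike), that adding the `ip protocol 17` selector pins a filter to UDP, and that the fixed offset assumes a 20-byte IP header, so a datagram carrying IP options is silently not matched.

```python
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17


def ipv4_packet(proto, sport, dport, options=b""):
    """Build a minimal IPv4 packet (constructed sample, not a capture) with a
    TCP or UDP header carrying the given ports.  `options` pads the IP header,
    which grows IHL; that is the case a fixed-offset selector misses."""
    if len(options) % 4 or len(options) > 40:
        raise ValueError("IP options must be a multiple of 4 bytes, max 40")
    ihl = 5 + len(options) // 4
    if proto == IPPROTO_TCP:
        # sport, dport, seq, ack, data offset, flags (SYN), window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02,
                         65535, 0, 0)
    elif proto == IPPROTO_UDP:
        # sport, dport, length, csum (a zero checksum is legal for UDP over IPv4)
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:
        raise ValueError("only TCP and UDP are modelled")
    total = ihl * 4 + len(l4)
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64,
                     proto, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 3]))
    return ip + options + l4


def u32_match(packet, value, mask, offset, width):
    """One u32 selector: take `width` bytes at `offset` from the start of the
    IP header, apply `mask`, compare with `value` (what cls_u32 does)."""
    if offset + width > len(packet):
        return False
    field = int.from_bytes(packet[offset:offset + width], "big")
    return (field & mask) == (value & mask)


# The raw selectors iproute2 emits for the symbolic "match ip ..." keywords.
def sel_ip_dport(port):      # match ip dport PORT 0xffff  -> u16 at offset 22
    return (port, 0xffff, 22, 2)


def sel_ip_protocol(proto):  # match ip protocol PROTO 0xff -> u8 at offset 9
    return (proto, 0xff, 9, 1)


def classify(packet, selectors):
    """A u32 filter fires only when every selector matches (they are ANDed)."""
    return all(u32_match(packet, *sel) for sel in selectors)


def tc_filter_line(selectors, dev="eth0", flowid="1:1"):
    """Spell the selector list out in explicit tc u32 syntax (raw offsets)."""
    parts = ["tc filter add dev %s parent 1: protocol ip prio 1 u32" % dev]
    for value, mask, offset, width in selectors:
        parts.append("match u%d 0x%x 0x%x at %d" % (width * 8, value, mask, offset))
    parts.append("flowid %s" % flowid)
    return " ".join(parts)


DPORT_ONLY = [sel_ip_dport(6003)]                               # the posted filter
UDP_DPORT = [sel_ip_protocol(IPPROTO_UDP), sel_ip_dport(6003)]  # pinned to UDP


def demo():
    """Run both filters over three constructed packets; returns name -> matched."""
    tcp = ipv4_packet(IPPROTO_TCP, 40000, 6003)
    udp = ipv4_packet(IPPROTO_UDP, 40000, 6003)
    udp_opts = ipv4_packet(IPPROTO_UDP, 40000, 6003, options=b"\x01" * 4)  # 4 NOPs
    return {
        "tcp dport 6003, dport-only filter": classify(tcp, DPORT_ONLY),
        "udp dport 6003, dport-only filter": classify(udp, DPORT_ONLY),
        "tcp dport 6003, udp-pinned filter": classify(tcp, UDP_DPORT),
        "udp dport 6003, udp-pinned filter": classify(udp, UDP_DPORT),
        "udp dport 6003 + IP options, udp-pinned": classify(udp_opts, UDP_DPORT),
    }


if __name__ == "__main__":
    for case, hit in demo().items():
        print("%-42s %s" % (case, "match" if hit else "no match"))
    print(tc_filter_line(UDP_DPORT))
```

The last case is the one to keep in mind when a u32 filter is doing any kind of policy work: because `ip dport` is compiled to a fixed offset, a shaper or ACL built from it does not see ports in packets that carry IP options. tc's u32 can address fields relative to the next header for that case, at the cost of more setup, and a `match ip protocol` selector costs nothing and makes the intent explicit.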


Re: [LARTC] port filtering for UDP packets?

2004-02-03 Thread raptor
Oops... I don't want a u32 filter, I need a libpcap (tcpdump) expression so that I can
watch in which direction this stuff goes, from/to which address, et cetera...

|This is what I did to filter outbound UDP packets with the destination
|port number 6003 thru HTB queue 1:1.
|
|tc filter add dev eth0 parent 1: protocol ip prio 1 \
|u32 match ip dport 6003 0xffff flowid 1:1
|
|However, it only worked for TCP port, not UDP. Does anyone know why this
|happens and how to solve it?
|
|Your help would be greatly appreciated.. thanks in advance!
|
|Q-ha Park


Re: [LARTC] IMQ update ?

2004-02-03 Thread Andre Correa
Hi Andres, there is a patch for 2.4.24 available at www.linuximq.net ... 
have a try on it and please let us know if you have any trouble using it.

tks

Andre

ThE LinuX_KiD wrote:
Hello

I'm trying the excellent IMQ patch for
iptables and kernel 2.4.21 and it works 
very well...

but is there an IMQ patch for 2.4.24?

I've tested IMQ for kernels > 2.4.21 but
the patch fails!
Best regards
andres


RE: [LARTC] IMQ update ?

2004-02-03 Thread ThE LinuX_KiD
Hi,

I've patched 2.4.24 with IMQ successfully !!
thank you

Andres

- -Original Message-
- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
- on behalf of Andre Correa
- Sent: Tuesday, 03 February 2004 09:56 a.m.
- To: ThE LinuX_KiD
- CC: lartc
- Subject: Re: [LARTC] IMQ update ?
-
- Hi Andres, there is a patch for 2.4.24 available at www.linuximq.net ...
- have a try on it and please let us know if you have any trouble using it.
-
- tks
-
- Andre
-
- ThE LinuX_KiD wrote:
-  Hello
- 
-  I'm trying the excellent IMQ patch for
-  iptables and kernel 2.4.21 and it works
-  very well...
- 
-  but is there an IMQ patch for 2.4.24?
- 
-  I've tested IMQ for kernels > 2.4.21 but
-  the patch fails!
- 
-  Best regards
-  andres
-



RE: [LARTC] RE: LARTC digest, Vol 1 #1564 - 6 msgs

2004-02-03 Thread Aron Brand
Hi Martin,

The scenario I am working on is the second one - there is one internal
network and two ISPs.
How can I do fwmark based on the outgoing interface? Remember that there
is just one physical WAN interface, with two IP addresses. Is it
possible to fwmark somehow based on the routing decision?

Thanks
Aron


-Original Message-
From: Martin A. Brown [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 30, 2004 12:00 AM
To: Aron Brand
Cc: [EMAIL PROTECTED]
Subject: Re: [LARTC] RE: LARTC digest, Vol 1 #1564 - 6 msgs

Aron,

 : If I understand what you are suggesting, there is a problem in your
 : design: It will only work if you use Hide NAT.

...and multiple public IPs.

 : The problem is that the ip_src == IP0 rule is wrong: The ip_src is not
 : changed by the router and it is not equal to the IP of any of the
 : machine interfaces.

OK--maybe the 'ip_src == IP0' rule is not applicable to your situation,
but that doesn't make it wrong.  You describe a different network
configuration than I was envisioning based on Gordan's description.

 : Can you think of a solution that will work in the following reasonable
 : scenario:

I can try!

 : Let's say I have two T1 internet connections connected to one ethernet
 : interface. I do not use Hide-NAT. I want to guarantee at least 512kbps
 : to HTTP traffic on each line (separately) in the 'virtual circuit'
 : method that you mentioned.

Are you pushing different networks across each T1?  If you have
Network-A from ISP-A and Network-B from ISP-B, then you have different
addresses to use in your configuration.

See an untested configuration with some fabricated addresses and
netmasks below.

  #define NETA 216.109.118.64
  #define NETAMASK 28

  #define NETB 63.209.4.192
  #define NETBMASK 27

  dev eth0 {
      egress {
          class ( $neta )  if ip_src:NETAMASK == NETA/NETAMASK ;
          class ( $netb )  if ip_src:NETBMASK == NETB/NETBMASK ;
          htb () {
              $neta = class ( rate 512kbps, ceil 512kbps ) ;
              $netb = class ( rate 512kbps, ceil 512kbps ) ;
          }
      }
  }


I would think this should provide a skeleton configuration for limiting
outbound (transmitted) traffic originating from separate IP networks on
the same host.

 : I see no way do do this unless I can attach a qdisc to a specific
 : virtual interface.

If you are using a single IP network and you have two different
providers (you're using BGP or similar), then you could consider marking
the packets (fwmark) based on outgoing interface, and perform traffic
control based on this mechanism.

These are just some thoughts based on how I interpret your description
of your network.

Good luck,

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]



[LARTC] iproute2 and ethX:X subdevices

2004-02-03 Thread Alan Ford
Hi,

Quick question -- is it possible to create eth0:0 - style pseudo-devices
using the 'ip' tool?

I see they recognise them when using 'ip addr show':
5: eth2: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 1000
inet 192.168.0.1/24 brd 192.168.0.255 scope global eth2:0

But I can't see a way of creating them. Is it possible?

(I know somebody may say why would I want to -- it's just for neatness,
so that people using 'ifconfig' can still see all the addresses in use.)

Thanks,
-- 
Alan Ford * [EMAIL PROTECTED] 


Re: [LARTC] adsl on/off

2004-02-03 Thread andybr
Hi,

Try looking in your modem's user guide to see whether it is capable of
doing it.

[]'s
Anderson

 Good day all
 Now I'm from South-Africa, here we have adsl router/modems.
 You set the router to do the dialup and authentication and then set it as
 your gateway box's gateway. Now sometimes the link gets dropped and is off
 for a while. Is there any way, for linux, my gateway, of letting me know
 that the link was/is down? Note that the box is not dialing so there is
 no adsl-status.

 What I NEED to do is be able to know if the link is down, and if the link
 is down use a modem dialup and when the link gets back up stop the
 modem. Any ideas?
 Thanks





Re: [LARTC] limiting p2p

2004-02-03 Thread andybr
Hi all,

Do you have a firewall enabled? If yes, did you try to
flush the rules to see if it still happening?

[]'s
Anderson


 On Fri, Nov 07, 2003 at 12:27:25PM -0300, ThE PhP_KiD wrote:
  Hi List !
 
  I'm trying the excellent module ipt_p2p from Filipe
  Almeida in a Linux Box with several connections,
  in order to block p2p traffic with the next rule:
 
 [...]

  however, I've noted that after two days running,
  that Linux Box (RH 7.2 updated - Kernel 2.4.22
  - iptables 1.2.8 with String and ConnMark modules,
  Pentium 4, 1.8 Mhz, 256 Megabytes RAM, and 3c509 eth0,
  eth1 and eth2),
  begins to drop other packets and a simple ping
  looks like this:
 
 
  # ping 192.168.210.3 (by example)
 
  PING 192.168.210.3 (192.168.210.3) from 192.168.210.254 : 56(84) bytes of
  data.
  64 bytes from 192.168.210.3: icmp_seq=0 ttl=64 time=499 usec
  ping: sendto: Operation not permitted
  ping: sendto: Operation not permitted
  ping: sendto: Operation not permitted
  64 bytes from 192.168.210.3: icmp_seq=1 ttl=64 time=478 usec
  ping: sendto: Operation not permitted
  ping: sendto: Operation not permitted
  64 bytes from 192.168.210.3: icmp_seq=2 ttl=64 time=489 usec
  ping: sendto: Operation not permitted
  ping: sendto: Operation not permitted
  ping: sendto: Operation not permitted
 

 Hi!

 I have the same problem... Have you solved it?
 I can't see any answer for your email :(

 best
 --
 michal


[LARTC] Ip layer 7

2004-02-03 Thread ThE LinuX_KiD
Hi,

I'm trying to install the layer 7 patch under 2.4.24.

I've patched the kernel with the Kernel 2.4 QoS patch from
http://sf.net/projects/l7-filter

and next iptables 1.2.9 with the patch taken from the same url.

When I make menuconfig, I can set new layer 7 options under
QoS (network options) but no new options under the netfilter section.

Of course, iptables 1.2.9 doesn't compile the layer7 module.

Is a patch missing for this combination?
(iptables 1.2.9 and kernel 2.4.24)

regards
andres



Re: [LARTC] Problems with HTB (ceil being overpassed)

2004-02-03 Thread miller69
 It seems you have hit timer inaccuracy issues:
 http://www.docum.org/stef.coene/qos/faq/cache/40.html

Well, I've tried this on a vanilla 2.4.24 kernel but was not able to load
sched_htb anymore. The system was a P4 1700MHz - which should support it. I'm
also experiencing HTB overlimiting, as I described here on the list a while ago.

Regards,
Mike.



RE: [LARTC] limiting p2p

2004-02-03 Thread miller69
 Now I'm testing ipt_ipp2p netfilter 3rd module
 You can reach it at:
 http://rnvs.informatik.uni-leipzig.de/ipp2p/index_en.html
Thanks for making this public, I just forgot about posting the link to the
list :-)

 But I haven't tested ipt_ipp2p module strongly
 with a large LAN
Well, we ran it on a campus network for about 6 weeks without any issue. Some
results of our delay investigations are coming soon - the first graphs do not
look too bad (0.1-1ms average delay introduced by the bridging firewall). 

Cheers,
Mike.



Re: [LARTC] iproute2 and ethX:X subdevices

2004-02-03 Thread Angus D Madden
Alan Ford, Tue, Feb 03, 2004 at 05:41:06PM +: 
 Hi,
 
 Quick question -- is it possible to create eth0:0 - style pseudo-devices
 using the 'ip' tool?
 

ip addr add 10.0.0.1/24 dev eth0 label eth0:0



g






[LARTC] wondershaper

2004-02-03 Thread Mark Ryan
Hi,
I have wondershaper running on my firewall/router.  It has 2 ethernet cards
(eth0 and eth1).  Eth1 connects to a cablemodem (2mbit down, 384kbit up) and
eth0 connects to a switch.  I run a ftp server on a machine connected to the
switch.

I want to be able to keep my ftp server from affecting my browsing speed.

Problem:
I don't see any difference with wondershaper running.  I have tried all
different speeds and both eth0 and eth1 in wondershaper.

Am I doing something wrong?  I am testing by pinging yahoo.com.

Mark



[LARTC] wondershaper htb

2004-02-03 Thread Mark Ryan
I got wshaper.htb working. However, I have 1 question.

How can I limit just ftp server traffic?

I have ftp server on port 21 with passive ports of 5-6.

I currently have wondershaper with htb working on my router, but I'm afraid
that it is also affecting all of my send traffic, not just the ftp server.

I want to be able to limit the ftp server traffic only.

Thanks,
Mark



Re: [LARTC] wondershaper

2004-02-03 Thread Damion de Soto
Hi Mark,
I have wondershaper running on my firewall/router.  It has 2 ethernet cards
(eth0 and eth1).  Eth1 connects to a cablemodem (2mbit down, 384kbit up) and
eth0 connects to a switch.  I run a ftp server on a machine connected to the
switch.
I want to be able to keep my ftp server from affecting my browsing speed.
Problem:
I don't see any difference with wondershaper running.  I have tried all
different speeds and both eth0 and eth1 in wondershaper.
You will want to run the wondershaper on eth1.
If you run it on eth0 it will be backwards.
You should be able to drop the speeds down to something like
DOWNLINK=1800
UPLINK=300
and see some difference.
Are you using the htb wondershaper or the old cbq one?

Am I doing something wrong?  I am testing by pinging yahoo.com.
That's probably not the best test, you should probably check with real
HTTP requests.
Are you trying to throttle people uploading TO your ftp server (same as your 
downloads) or downloading FROM your ftp server ? (you uploading)

Regards,

--
~~~
Damion de Soto - Software Engineer  email: [EMAIL PROTECTED]
SnapGear - A CyberGuard Company ---ph: +61 7 3435 2809
 | Custom Embedded Solutions  fax: +61 7 3891 3630
 | and Security Appliancesweb: http://www.snapgear.com
~~~
 ---  Free Embedded Linux Distro at   http://www.snapgear.org  ---


Re: [LARTC] iproute2 and ethX:X subdevices

2004-02-03 Thread Martin A. Brown
Alan,

 : Quick question -- is it possible to create eth0:0 - style
 : pseudo-devices using the 'ip' tool?

They aren't really pseudo-devices, but we understand what you mean.  In
the days prior to the iproute2 tools, when a device would have one
interface, which would have one IP address, they were called IP aliases.

 : I see they recognise them when using 'ip addr show':
 :
 : 5: eth2: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 1000
 : inet 192.168.0.1/24 brd 192.168.0.255 scope global eth2:0
 :
 : But I can't see a way of creating them. Is it possible?

The answer is yes, there is a way to create interfaces using the ip
address tool, so that they are recognizable to ifconfig.  You are looking
for the label keyword to the ip address add command [0].

 : (I know somebody may say why would I want to -- it's just for
 : neatness, so that people using 'ifconfig' can still see all the
 : addresses in use.)

I know exactly why an administrator would wish to do this.  Some
administrators, who a) have not joined the 21st century with Linux, or b)
do not commonly use Linux, but rather other UNIX-like operating systems,
may not know about the ip utility, but they certainly know about
ifconfig!  So, if only for the humans, this can be helpful.

-Martin

 [0] http://linux-ip.net/html/tools-ip-address.html#ex-tools-ip-address-del

-- 
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]



RE: [LARTC] RE: LARTC digest, Vol 1 #1564 - 6 msgs

2004-02-03 Thread Martin A. Brown
Aron,

I do not understand your network.  In a prior note, I thought I understood
that you had multiple serial (T1) interfaces.  If you have multiple
interfaces, then your statement about having one physical WAN interface
is misleading.  You may have only one T1 card (physical device), with
several logical interfaces (for example, wan0, wan1 ...), which is not an
uncommon configuration.

Anyway, I don't understand your network, so cannot help.  Please give ip
addr and a small ASCII netmap.

 : The scenario I am working on is the second one - there is one internal
 : network and two ISPs.

Then you have two WAN interfaces?

 : How can I do fwmark based on the outgoing interface?

  iptables -t mangle -A POSTROUTING -o wan0 -j MARK --set-mark $wan0_mark
  iptables -t mangle -A POSTROUTING -o wan1 -j MARK --set-mark $wan1_mark

 : Remember that there is just one physical WAN interface, with two IP
 : addresses. Is it possible to fwmark somehow based on the routing
 : decision?

I'm not sure.  Maybe somebody else can pick up that question.  It's
certainly possible to use -j ROUTE based on the fwmark, though [0].  I
don't really think that will be required in your situation, but I won't
know until I understand your network better.

Best of luck,

-Martin

 [0] http://netfilter.gnumonks.org/documentation/pomlist/pom-extra.html#ROUTE

-- 
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]



[LARTC] IRC channel archives are up

2004-02-03 Thread Michael Renzmann
Hi all.

I finally managed to get some work done with my bot. You may already have 
noticed o42bot in #lartc; it will log channel conversations from now on. 
Archives are accessible via http://bot.otaku42.de .

This service could help, for example, when you want to take a look at what 
happened while you were not in the channel, or if there was a 
conversation that you want to refer to inside the list without quoting 
complete conversation logs. Help is available that explains most 
of the features.

One thing that still needs improvement is navigation inside the 
calendar. I'll try to fix the known issues during the next days. If you 
have any suggestions or notice problems, feel free to contact me, either 
here or off-list.

Bye, Mike
