Andy Furniss wrote:
I am running proftpd on (192.168.1.101) with the port set to 65437 and
with passive ports set to 50000-51000. Proftpd allows you to specify a
range of ports to use on passive transfers. I need to be able to limit
my outbound ftp traffic to 40 Kbytes per second.
Could you post the bits of the proftpd config that do this - I have (but rarely use) proftpd and could test.
PassivePorts 50000 51000 # Port 21 is the standard FTP port. Port 65437
The only way I can see to do this is to limit by marking packets with iptables. I am marking traffic on 65436, which is the active ftp data port (65437-1), and 50000-60000. Outbound shaping is working fine... however... inbound ftp traffic is also being shaped to 40K. I have no idea why.
Is this when there is ftp traffic both ways or just inbound?
Both ways.
No, I am not sure. I have used the command 'watch -n1 tc -s class ls dev eth0' to see the packets flying, but I don't really know how to make sure they are being marked correctly. I must assume that ALL packets on ports 65436 and 50000-51000 are being marked because they are being shaped. Just not sure why incoming packets are being marked and shaped. Outbound shaping is working just fine.
Seems to me the below rules should mark outbound packets and shape only
outbound packets. I don't understand why inbound packets are getting shaped.
Here is the script:
#!/bin/bash
# Shaping passive and active outbound ftp traffic on an internal computer
# without affecting inbound and lan speed.

# Create a dedicated mangle chain and send everything leaving eth0 through it.
iptables -t mangle -N MYSHAPER-OUT
iptables -t mangle -I OUTPUT -o eth0 -j MYSHAPER-OUT

# Mark the outbound active ftp data packets (source port 65436 = control port 65437 - 1).
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65436 -j MARK --set-mark 20

# Mark the outbound passive ftp data packets on ports 50000-51000.
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 20

# Anything still unmarked gets the default mark.
iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26
1) Are you sure these rules are correctly marking and that the marks
exist at the time the tc filter sees the packet? My hunch is NOT. ASIDE: We _really_ need a way for filters to report hit counts!
You can see counters for iptables rules with iptables -t mangle -L -v -n
Andy.
Thanks for helping.
_______________________________________________ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
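Andy's suggestion to read the per-rule counters from 'iptables -t mangle -L -v -n' is the quickest way to answer "are the marks actually being applied, and by which rule". The script below is an added example (it is not from the thread and not from the proftpd or LARTC projects): it parses two snapshots of that listing, one taken before and one after a test transfer, and reports which rule in the MYSHAPER-OUT chain absorbed the packets and which fwmark value each packet count ended up with. The chain layout follows the posted script (marks 20 and 26); the two listings are constructed sample output, not captured from the poster's machine, and include the K/M/G-suffixed byte counters that iptables -v prints unless -x is given.

```python
import re

# Constructed sample of `iptables -t mangle -L MYSHAPER-OUT -v -n` before a test
# transfer. The passive-port rule has never matched; the catch-all rule has.
SAMPLE_BEFORE = """\
Chain MYSHAPER-OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1542 2301K MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:65436 MARK set 0x14
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:50000:51000 MARK set 0x14
 8820  633K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0 MARK set 0x1a
"""

# Constructed sample of the same chain after one passive-mode transfer.
SAMPLE_AFTER = """\
Chain MYSHAPER-OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1542 2301K MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:65436 MARK set 0x14
 3100 4488K MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:50000:51000 MARK set 0x14
 9012  645K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0 MARK set 0x1a
"""

# iptables -v abbreviates large counters in units of 1000 (K, M, G); -x disables that.
_SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
_COUNTER = re.compile(r"(\d+)([KMG]?)")


def _to_int(token):
    """Convert a counter token such as '2301K' to an integer."""
    m = _COUNTER.fullmatch(token)
    if not m:
        raise ValueError(f"unexpected counter token: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_counters(text):
    """Return one dict per rule line: packet/byte counters, target and match text."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the chain banner and the column header; rule lines start with a counter.
        if len(fields) < 9 or not _COUNTER.fullmatch(fields[0]):
            continue
        rules.append({
            "pkts": _to_int(fields[0]),
            "bytes": _to_int(fields[1]),
            "target": fields[2],
            # Columns 0-8 are fixed; everything after is the match and target detail.
            "match": " ".join(fields[9:]),
        })
    return rules


def marks_hit(rules):
    """Map each fwmark value set by a MARK rule to the packets that received it."""
    hits = {}
    for r in rules:
        m = re.search(r"MARK set 0x([0-9a-fA-F]+)", r["match"])
        if m:
            mark = int(m.group(1), 16)
            hits[mark] = hits.get(mark, 0) + r["pkts"]
    return hits


def unhit_rules(rules):
    """Match text of rules whose packet counter is still zero."""
    return [r["match"] for r in rules if r["pkts"] == 0]


def counter_delta(before_text, after_text):
    """Per-rule packet increase between two listings taken around a test transfer."""
    before = parse_counters(before_text)
    after = parse_counters(after_text)
    if len(before) != len(after):
        raise ValueError("rule set changed between snapshots; compare like with like")
    return [(a["match"], a["pkts"] - b["pkts"]) for a, b in zip(after, before)]


if __name__ == "__main__":
    print("unmatched rules before transfer:", unhit_rules(parse_counters(SAMPLE_BEFORE)))
    for match, dpkts in counter_delta(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(f"{dpkts:6d} new packets  {match}")
    print("packets per mark after transfer:", marks_hit(parse_counters(SAMPLE_AFTER)))
```

Take the first snapshot, run a single transfer in the direction you are testing, take the second, and feed both in: a rule whose delta stays at zero while the transfer runs is not matching, and a large delta on the catch-all "mark match 0x0" rule means the packets reached the tc filter with mark 26 rather than 20. Since the chain only sees the OUTPUT hook, a delta on the passive-port rule during an inbound transfer is the server's own outbound segments on those ports (the ACKs), which is worth checking against the tc class counters from 'tc -s class ls dev eth0'.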