[bwm-tools-tech] No Traffic Control !
From: <ral...@ra...> - 2005-04-29 17:28:50
ralph buchmann

Hi Nigel,

OK, now I have written the simplest firewall I can. I allow all traffic in INPUT, OUTPUT and FORWARD. When I use the -j ACCEPT target, no problem. But with the -j bwmd target everything runs over FORWARD and nothing over the INPUT path, and when you look at the bwmd rule you see no traffic. Please tell me, what is wrong with my machine?? Is there a problem with the installation of bwm_tools?

Here are my firewall.xml and the output:

<firewall>
  <global>
    <modules>
      <load name="ip_queue"/>
      <load name="ip_conntrack_ftp"/>
      <load name="ip_conntrack_irc"/>
      <load name="ip_nat_ftp"/>
      <load name="ip_nat_irc"/>
    </modules>

    # For Filter
    <class name="lo">
      <address src-iface="lo"/>
    </class>
    <class name="eth0">
      <address src-iface="eth0"/>
    </class>
    <class name="eth1">
      <address src-iface="eth1"/>
    </class>
    <class name="eth0_out">
      <address dst-iface="eth0"/>
    </class>
    <class name="eth1_out">
      <address dst-iface="eth1"/>
    </class>
    <class name="loo">
      <address dst-iface="lo"/>
    </class>

    # For Nat
    <class name="proxy_redirect">
      <address cmd-line="-i eth1 -p tcp -m tcp --dport 80"/>
    </class>
    <class name="internal_traffic">
      <address dst-iface="eth0"/>
    </class>

    # For Traffic
    <class name="out_other">
      <address name="out_other_tcp" src-iface="eth1" proto="tcp"/>
      <address name="out_other_udp" src-iface="eth1" proto="udp"/>
    </class>
    <class name="out_RaBuLap">
      <address name="out_RaBuLap_tcp" src-iface="eth1" proto="tcp" src="192.168.125.5" dst="! 192.168.125.0/24"/>
      <address name="out_RaBuLap_udp" src-iface="eth1" proto="udp" src="192.168.125.5" dst="! 192.168.125.0/24"/>
    </class>
    <class name="out_karsten">
      <address name="out_karsten_tcp" src-iface="eth1" proto="tcp" src="192.168.125.102" dst="! 192.168.125.0/24"/>
      <address name="out_karsten_udp" src-iface="eth1" proto="udp" src="192.168.125.102" dst="! 192.168.125.0/24"/>
    </class>
    <class name="out_test">
      <address name="out_test_tcp" src-iface="eth1" proto="tcp" src="192.168.125.110" dst="! 192.168.125.0/24"/>
      <address name="out_test_udp" src-iface="eth1" proto="udp" src="192.168.125.110" dst="! 192.168.125.0/24"/>
    </class>
    <class name="in_other">
      <address name="in_other_tcp" src-iface="eth1" proto="tcp"/>
      <address name="in_other_udp" src-iface="eth1" proto="udp"/>
    </class>
    <class name="in_RaBuLap">
      <address name="in_RaBuLap_tcp" src-iface="eth1" proto="tcp" src="192.168.125.5" dst="! 192.168.125.0/24"/>
      <address name="in_RaBuLap_udp" src-iface="eth1" proto="udp" src="192.168.125.5" dst="! 192.168.125.0/24"/>
    </class>
    <class name="in_karsten">
      <address name="in_karsten_tcp" src-iface="eth1" proto="tcp" src="192.168.125.102" dst="! 192.168.125.0/24"/>
      <address name="in_karsten_udp" src-iface="eth1" proto="udp" src="192.168.125.102" dst="! 192.168.125.0/24"/>
    </class>
    <class name="in_test">
      <address name="in_test_tcp" src-iface="eth1" proto="tcp" src="192.168.125.110" dst="! 192.168.125.0/24"/>
      <address name="in_test_udp" src-iface="eth1" proto="udp" src="192.168.125.110" dst="! 192.168.125.0/24"/>
    </class>
  </global>

  # ACL
  <acl>
    <table name="filter">
      # Custom Rules
      <chain name="PREROUTING">
      </chain>
      <chain name="POSTROUTING">
      </chain>
      <chain name="INPUT" default="DROP">
        <rule target="bwmd"> eth1 </rule>
        <rule target="bwmd"> eth0 </rule>
        <rule target="bwmd"> lo </rule>
      </chain>
      <chain name="FORWARD" default="ACCEPT">
      </chain>
      <chain name="OUTPUT" default="DROP">
        <rule target="bwmd"> eth0_out eth1_out loo </rule>
      </chain>
    </table>

    # NAT
    <table name="nat">
      <chain name="PREROUTING">
        <rule target="REDIRECT --to-ports 3128"> proxy_redirect </rule>
      </chain>
      <chain name="POSTROUTING">
        <rule target="MASQUERADE"> internal_traffic </rule>
      </chain>
    </table>
  </acl>

  # Traffic flows
  <traffic>
    # Rate can be specified in either IN, OUT or TOTAL (rate-total)
    # If rate-total == 0, no rate limits
    <flow name="out_dsl" stats-len="5" queue-size="524288" queue-len="4000" max-rate="358225" burst-rate="384000" report-timeout="60">
      <flow name="out_other" max-rate="14400" burst-rate="16000" queue-size="8192" stats-len="5" report-timeout="60">
        <queue prio="90" nfmark="1300"> out_other; </queue>
      </flow>
      <flow name="out_RaBuLap" max-rate="230400" burst-rate="256000" queue-size="16384" stats-len="5" report-timeout="60">
        <queue prio="10" nfmark="1251"> out_RaBuLap; </queue>
      </flow>
      <flow name="out_karsten" max-rate="115200" burst-rate="128000" queue-size="16384" stats-len="5" report-timeout="60">
        <queue prio="30" nfmark="1252"> out_karsten; </queue>
      </flow>
      <flow name="out_test" max-rate="57600" burst-rate="64000" queue-size="16384" stats-len="5" report-timeout="60">
        <queue prio="50" nfmark="1253"> out_test; </queue>
      </flow>
    </flow>
    <flow name="in_dsl" stats-len="5" queue-size="262144" queue-len="3000" max-rate="58982" burst-rate="65536" report-timeout="60">
      <flow name="in_other" max-rate="922" burst-rate="1024" queue-size="8192" stats-len="5" report-timeout="60">
        <queue prio="90" nfmark="2300"> out_other; </queue>
      </flow>
      <flow name="in_RaBuLap" max-rate="29491" burst-rate="32768" queue-size="16384" stats-len="5" report-timeout="60">
        <queue prio="10" nfmark="2251"> out_RaBuLap; </queue>
      </flow>
      <flow name="in_karsten" max-rate="14746" burst-rate="16384" queue-size="16384" stats-len="5" report-timeout="60">
        <queue prio="30" nfmark="2252"> out_karsten; </queue>
      </flow>
      <flow name="in_test" max-rate="7373" burst-rate="8192" queue-size="16384" stats-len="5" report-timeout="60">
        <queue prio="50" nfmark="2253"> out_test; </queue>
      </flow>
    </flow>
  </traffic>
</firewall>

And here you can see: NO traffic over the bwmd rule! Why? I don't understand it.

iptables -L -v -n

Chain INPUT (policy DROP 105 packets, 17875 bytes)
 pkts bytes target     prot opt in     out     source               destination
   74 15074 bwmd       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
   31  2801 bwmd       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 bwmd       all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 8285 packets, 4178K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 76 packets, 3144 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 bwmd       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
   72  2904 bwmd       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 bwmd       all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain bwmd (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 QUEUE      all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK match !0x0

Chain forward_ext (0 references)
 pkts bytes target     prot opt in     out     source               destination

##################

iptables -L -t mangle -v -n

Chain PREROUTING (policy ACCEPT 34635 packets, 17M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 98 packets, 17050 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 7361 packets, 3704K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3508 1758K MARK       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            MARK set 0x514
  128  7898 MARK       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            MARK set 0x514
    0     0 MARK       tcp  --  eth1   *       192.168.125.5        !192.168.125.0/24    MARK set 0x4e3
    0     0 MARK       udp  --  eth1   *       192.168.125.5        !192.168.125.0/24    MARK set 0x4e3
    0     0 MARK       tcp  --  eth1   *       192.168.125.102      !192.168.125.0/24    MARK set 0x4e4
    0     0 MARK       udp  --  eth1   *       192.168.125.102      !192.168.125.0/24    MARK set 0x4e4
    0     0 MARK       tcp  --  eth1   *       192.168.125.110      !192.168.125.0/24    MARK set 0x4e5
    0     0 MARK       udp  --  eth1   *       192.168.125.110      !192.168.125.0/24    MARK set 0x4e5
 3508 1758K MARK       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            MARK set 0x8fc
  128  7898 MARK       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            MARK set 0x8fc
    0     0 MARK       tcp  --  eth1   *       192.168.125.5        !192.168.125.0/24    MARK set 0x8cb
    0     0 MARK       udp  --  eth1   *       192.168.125.5        !192.168.125.0/24    MARK set 0x8cb
    0     0 MARK       tcp  --  eth1   *       192.168.125.102      !192.168.125.0/24    MARK set 0x8cc
    0     0 MARK       udp  --  eth1   *       192.168.125.102      !192.168.125.0/24    MARK set 0x8cc
    0     0 MARK       tcp  --  eth1   *       192.168.125.110      !192.168.125.0/24    MARK set 0x8cd
    0     0 MARK       udp  --  eth1   *       192.168.125.110      !192.168.125.0/24    MARK set 0x8cd

Chain OUTPUT (policy ACCEPT 73 packets, 3024 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 34504 packets, 17M bytes)
 pkts bytes target     prot opt in     out     source               destination

I'm waiting for a little hint. Thanks.

Best Regards
Ralph

To: nk...@lb...
Cc: bwm...@li...
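A small diagnostic, added here as an example (it is not part of Ralph's post and not bwm_tools code), that reads the two iptables listings above and lines up where marks are set against where the bwmd chain is entered. The two sample strings are a trimmed copy of the counters posted above, embedded so the script runs offline; the mapping of each built-in filter chain to the mangle chains a packet crosses before it (mangle PREROUTING before filter INPUT and FORWARD, mangle FORWARD before filter FORWARD, mangle OUTPUT before filter OUTPUT) is standard netfilter traversal order. The function names are my own.

```shell
#!/bin/sh
# Added diagnostic (not from bwm_tools): compare, per built-in filter chain, the
# number of rules that jump to "bwmd" with the number of MARK rules in the mangle
# chains a packet traverses before reaching that filter chain.

# Constructed sample: trimmed copy of the "iptables -L -v -n" output posted above.
FILTER_OUT='Chain INPUT (policy DROP 105 packets, 17875 bytes)
 pkts bytes target prot opt in out source destination
   74 15074 bwmd   all  --  eth1 *  0.0.0.0/0 0.0.0.0/0
   31  2801 bwmd   all  --  eth0 *  0.0.0.0/0 0.0.0.0/0
    0     0 bwmd   all  --  lo   *  0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 8285 packets, 4178K bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 76 packets, 3144 bytes)
 pkts bytes target prot opt in out source destination
    4   240 bwmd   all  --  *  eth0 0.0.0.0/0 0.0.0.0/0
   72  2904 bwmd   all  --  *  eth1 0.0.0.0/0 0.0.0.0/0
    0     0 bwmd   all  --  *  lo   0.0.0.0/0 0.0.0.0/0
Chain bwmd (6 references)
 pkts bytes target prot opt in out source destination
    0     0 QUEUE  all  --  *  *    0.0.0.0/0 0.0.0.0/0 MARK match !0x0'

# Constructed sample: trimmed copy of the "iptables -L -t mangle -v -n" output above.
MANGLE_OUT='Chain PREROUTING (policy ACCEPT 34635 packets, 17M bytes)
 pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 98 packets, 17050 bytes)
 pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 7361 packets, 3704K bytes)
 pkts bytes target prot opt in out source destination
 3508 1758K MARK   tcp  --  eth1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x514
  128  7898 MARK   udp  --  eth1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x514
    0     0 MARK   tcp  --  eth1 * 192.168.125.5 !192.168.125.0/24 MARK set 0x4e3
Chain OUTPUT (policy ACCEPT 73 packets, 3024 bytes)
 pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 34504 packets, 17M bytes)
 pkts bytes target prot opt in out source destination'

# summarize TABLE LISTING -> one line per chain: "TABLE CHAIN bwmd_jumps mark_sets"
summarize() {
    printf '%s\n' "$2" | awk -v t="$1" '
        /^Chain / { if (chain != "") print t, chain, jumps, marks
                    chain = $2; jumps = 0; marks = 0; next }
        $1 == "pkts" { next }                 # column header line
        NF >= 3 && $3 == "bwmd" { jumps++ }   # rule whose target is the bwmd chain
        NF >= 3 && $3 == "MARK" { marks++ }   # rule that sets a firewall mark
        END { if (chain != "") print t, chain, jumps, marks }'
}

# queue_hits FILTER_LISTING -> packet counter of the QUEUE rule inside chain bwmd
queue_hits() {
    printf '%s\n' "$1" | awk '
        /^Chain / { inbwmd = ($2 == "bwmd"); next }
        inbwmd && $3 == "QUEUE" { print $1; exit }'
}

# upstream FILTER_CHAIN -> mangle chains a packet crosses before that filter chain
upstream() {
    case $1 in
        INPUT)   echo "PREROUTING INPUT" ;;
        FORWARD) echo "PREROUTING FORWARD" ;;
        OUTPUT)  echo "OUTPUT" ;;
        *)       echo "" ;;
    esac
}

# diagnose FILTER_LISTING MANGLE_LISTING -> "CHAIN jumps=N marks=M" per built-in chain
diagnose() {
    filter_summary=$(summarize filter "$1")
    mangle_summary=$(summarize mangle "$2")
    for chain in INPUT FORWARD OUTPUT; do
        jumps=$(printf '%s\n' "$filter_summary" | awk -v c="$chain" '$2 == c { print $3 }')
        marks=0
        for up in $(upstream "$chain"); do
            n=$(printf '%s\n' "$mangle_summary" | awk -v c="$up" '$2 == c { print $4 }')
            marks=$((marks + ${n:-0}))
        done
        printf '%s jumps=%s marks=%s\n' "$chain" "${jumps:-0}" "$marks"
    done
}

diagnose "$FILTER_OUT" "$MANGLE_OUT"
printf 'bwmd QUEUE packets: %s\n' "$(queue_hits "$FILTER_OUT")"
```

Run against the posted counters this prints INPUT jumps=3 marks=0, FORWARD jumps=0 marks=3 (16 with the full listing) and OUTPUT jumps=3 marks=0. The only rules that set a mark live in mangle FORWARD, but the bwmd chain is reached only from filter INPUT and OUTPUT, and the mangle chains in front of those (PREROUTING, INPUT, OUTPUT) are empty. The QUEUE rule in bwmd matches only MARK !0x0, so no packet entering bwmd can satisfy it and its counter stays at 0, while the marked forwarded traffic leaves through the FORWARD policy ACCEPT without ever touching bwmd. That mismatch between where marks are set and where bwmd is entered is the first thing to look at before suspecting the installation.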