Re: [bwm-tools-tech] bwm tools traffic shaping issue
From: Kobe L. <ko...@mo...> - 2005-05-25 10:43:14
Hi,

This all looks perfect. Except you're wrongly marking FTP traffic. FTP data traffic is NOT going over port 21, but over port 20 (if using active mode) or over some other port range the server decides (usually something in the high port ranges, 50,000+). Try to limit HTTP traffic (port 80) and download a huge file from somewhere; you'll see it work.

Greetz
Kobe

vishal singh wrote:
> Hi Nigel
>
> In brief, let me first describe what I am trying to do:
>
> I have configured one Linux Box, 192.168.1.69, as a router and
> installed bwm tools. This has the default gateway of 192.168.1.114.
>
> Also, I have configured another Linux Box, 192.168.1.163, and made the
> previous box its default gateway. So anything that is not on the local
> net goes to 192.168.1.69.
>
> This is my bwm firewall file:
>
> <firewall>
>   <global>
>     <modules>
>       <load name="ip_queue"/>
>       <load name="ip_conntrack_ftp"/>
>       <load name="ip_nat_ftp"/>
>     </modules>
>
>     #Classes
>
>     <class name="http_public_traffic_inout">
>       <address name="http_inout" proto="tcp" dst-port="80"/>
>     </class>
>
>     <class name="https_public_traffic_inout">
>       <address name="https_inout" proto="tcp" dst-port="443"/>
>     </class>
>
>     <class name="ftp_public_traffic_inout">
>       <address name="ftp_inout" proto="tcp" dst-port="21"/>
>     </class>
>
>     <class name="DNS_traffic_inout">
>       <address name="DNS_inout" proto="udp" dst-port="53"/>
>     </class>
>
>     <class name="icmp_traffic_inout">
>       <address name="icmp_inout" proto="icmp"/>
>     </class>
>
>     <class name="http_private_traffic_inout">
>       <address name="http_inout" dst="192.168.0.0/16" proto="tcp" dst-port="80"/>
>     </class>
>
>     <class name="ftp_private_traffic_inout">
>       <address name="ftp_inout" dst="192.168.0.0/16" proto="tcp" dst-port="21"/>
>     </class>
>
>     <class name="telnet_private_traffic_inout">
>       <address name="telnet_inout" dst="192.168.0.0/16" proto="tcp" dst-port="23"/>
>     </class>
>
>     <class name="ssh_private_traffic_inout">
>       <address name="ssh_inout" dst="192.168.0.0/16" proto="tcp" dst-port="22"/>
>     </class>
>
>     <class name="smtp_private_traffic_inout">
>       <address name="http_inout" src="192.168.1.112" proto="tcp" dst-port="25"/>
>     </class>
>
>     <class name="pop3_private_traffic_inout">
>       <address name="pop3_inout" src="192.168.1.112" dst="63.80.142.98" proto="tcp" dst-port="110"/>
>     </class>
>
>     <class name="icmp_private_traffic_inout">
>       <address name="icmp_inout" dst="192.168.0.0/16" proto="icmp"/>
>     </class>
>
>     <class name="http_private_traffic_outin">
>       <address name="http_outin" dst="192.168.0.0/16" proto="tcp" dst-port="80"/>
>     </class>
>
>     <class name="ftp_private_traffic_outin">
>       <address name="ftp_outin" dst="192.168.0.0/16" proto="tcp" dst-port="21"/>
>     </class>
>
>     <class name="telnet_private_traffic_outin">
>       <address name="telnet_outin" dst="192.168.0.0/16" proto="tcp" dst-port="23"/>
>     </class>
>
>     <class name="ssh_private_traffic_outin">
>       <address name="ssh_outin" dst="192.168.0.0/16" proto="tcp" dst-port="22"/>
>     </class>
>
>     <class name="icmp_private_traffic_outin">
>       <address name="icmp_outin" proto="icmp"/>
>     </class>
>
>     <class name="snmp_private_traffic">
>       <address name="snmpprivate" proto="tcp" dst-port="161"/>
>     </class>
>   </global>
>
>   <acl>
>     <table name="filter">
>       <chain name="INPUT">
>         <rule target="bwmd">
>         </rule>
>       </chain>
>       <chain name="OUTPUT">
>         <rule target="bwmd">
>         </rule>
>       </chain>
>       <chain name="FORWARD">
>         <rule target="bwmd">
>         </rule>
>       </chain>
>     </table>
>   </acl>
>
>   <traffic>
>     <flow name="total_in" max-rate="64000" report-timeout="60">
>       <flow name="http_https_public" max-rate="16000" burst-rate="120000" nfmark="100">
>         http_public_traffic_inout
>         https_public_traffic_inout
>         http_private_traffic_inout
>       </flow>
>       <flow name="ftp_public" max-rate="16000" burst-rate="64000" nfmark="101">
>         ftp_public_traffic_inout
>       </flow>
>       <flow name="dns_icmp_public" max-rate="4000" burst-rate="4500" nfmark="102">
>         DNS_traffic_inout
>         icmp_private_traffic_outin
>       </flow>
>       <flow name="ftp_private" max-rate="128000" burst-rate="128000" nfmark="103">
>         ftp_private_traffic_inout
>       </flow>
>     </flow>
>   </traffic>
> </firewall>
>
> This is the o/p of iptables -L -n -v
>
> [root@bplinux60 bwm_tools]# iptables -L -n -v
> Chain INPUT (policy ACCEPT 64100 packets, 8753K bytes)
>  pkts bytes target prot opt in out source destination
>  8701 1178K bwmd all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT 41 packets, 1772 bytes)
>  pkts bytes target prot opt in out source destination
>    47 2163 bwmd all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 37501 packets, 5413K bytes)
>  pkts bytes target prot opt in out source destination
>   270 28205 bwmd all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain bwmd (3 references)
>  pkts bytes target prot opt in out source destination
>    14 807 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
>  5136 703K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
>
> And this is the o/p of iptables -L -n -v -t mangle
>
> [root@bplinux60 bwm_tools]# iptables -L -n -v -t mangle
> Chain PREROUTING (policy ACCEPT 327K packets, 45M bytes)
>  pkts bytes target prot opt in out source destination
>
> Chain INPUT (policy ACCEPT 10826 packets, 1463K bytes)
>  pkts bytes target prot opt in out source destination
>
> Chain FORWARD (policy ACCEPT 47 packets, 2163 bytes)
>  pkts bytes target prot opt in out source destination
>     0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 MARK set 0x64
>     0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 MARK set 0x64
>     0 0 MARK tcp -- * * 0.0.0.0/0 192.168.0.0/16 tcp dpt:80 MARK set 0x64
>    10 471 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 MARK set 0x65
>     0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 MARK set 0x66
>     4 336 MARK icmp -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x66
>    10 471 MARK tcp -- * * 0.0.0.0/0 192.168.0.0/16 tcp dpt:21 MARK set 0x67
>
> Chain OUTPUT (policy ACCEPT 2500 packets, 341K bytes)
>  pkts bytes target prot opt in out source destination
>
> Chain POSTROUTING (policy ACCEPT 66605 packets, 9144K bytes)
>  pkts bytes target prot opt in out source destination
>
> My problem is: when I fire bwmd and thereafter run bwm_monitor, the
> monitor does display some counters, but I see no traffic limiting.
> For example, if I limit ftp traffic to 8kb, it makes no effect. And
> strangely, ftp counters aren't updated.
>
> Please help!!!
>
> Vishal Singh
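Why a dst-port 21 class only ever sees the FTP control channel, as an added example that is not bwm-tools code and not from either poster: it decodes the data endpoint FTP announces on the control channel (the same thing ip_conntrack_ftp tracks in-kernel) and classifies a few constructed flows; the server address 203.0.113.10 and all port numbers are made up.

```python
import re

FTP_CONTROL_PORT = 21      # what the poster's ftp_* classes match on (dst-port="21")
FTP_ACTIVE_DATA_PORT = 20  # server's source port when it opens an active-mode data connection
# Server reply announcing the passive-mode data endpoint: "227 ... (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Client command announcing its active-mode data endpoint: "PORT h1,h2,h3,h4,p1,p2"
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.IGNORECASE)

def data_endpoint(control_line):
    """Decode the (ip, port) a PORT command or 227 reply announces; the port is p1*256 + p2."""
    m = PASV_RE.match(control_line) or PORT_RE.match(control_line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)

def learn_data_endpoints(control_lines):
    """Collect every data endpoint announced on the control channel."""
    return {ep for ep in map(data_endpoint, control_lines) if ep is not None}

def port21_rule(flow):
    """The poster's rule: proto tcp, dst-port 21. Only the control connection can match."""
    return flow[3] == FTP_CONTROL_PORT

def ftp_aware(flow, data_endpoints):
    """Classify as 'control', 'data' (active: server src port 20; passive: announced endpoint) or None."""
    _src_ip, src_port, dst_ip, dst_port = flow
    if dst_port == FTP_CONTROL_PORT:
        return "control"
    if src_port == FTP_ACTIVE_DATA_PORT or (dst_ip, dst_port) in data_endpoints:
        return "data"
    return None

# Constructed control-channel excerpt and flows as (src_ip, src_port, dst_ip, dst_port).
# 192.168.1.163 is the client host from the thread; 203.0.113.10 and all ports are made up.
CONTROL_LINES = [
    "PORT 192,168,1,163,156,169",                        # client offers 192.168.1.163:40105 (active)
    "227 Entering Passive Mode (203,0,113,10,196,212)",  # server offers 203.0.113.10:50388 (passive)
]
FLOWS = [
    ("192.168.1.163", 40111, "203.0.113.10", 21),        # control channel
    ("203.0.113.10", 20, "192.168.1.163", 40105),        # active-mode data channel
    ("192.168.1.163", 40112, "203.0.113.10", 50388),     # passive-mode data channel
]

def compare(flows=FLOWS, control_lines=CONTROL_LINES):
    """Return {flow: (matched by the port-21 rule, FTP-aware class)} for each flow."""
    endpoints = learn_data_endpoints(control_lines)
    return {f: (port21_rule(f), ftp_aware(f, endpoints)) for f in flows}
```

Only the control flow matches the port-21 rule; both data flows, which carry the bulk of the bytes, are classified only by the FTP-aware check.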