Discussion:
traffic not getting into class
richard lucassen
2007-12-17 11:09:52 UTC
Permalink
Hello list,

I have these sorts of filters, putting traffic into the appropiate
classid (1:15 is the default class):

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
match ip protocol 0x6 0xff \
match ip sport 22 0xffff \
classid 1:11 # ssh

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
match ip protocol 0x6 0xff \
match ip dport 22 0xffff \
classid 1:11 # ssh

{and a few more 1:11 filters]

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
match ip protocol 0x11 0xff \
match ip sport 123 0xffff \
classid 1:11 # return packets NTP

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
match ip protocol 0x06 0xff \
match u8 0x05 0x0f at 0 \
match u8 0x10 0xff at 33 \
match u16 0x000 0xffc0 at 2 \
classid 1:11 # ACK's

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 2 protocol ip u32 \
match ip protocol 0x6 0xff \
match ip dport 80 0xffff \
classid 1:12 # Webserver

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 3 protocol ip u32 \
match ip protocol 0x6 0xff \
match ip sport 443 0xffff \
classid 1:13 # webmail server

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 4 protocol ip u32 \
match ip protocol 0x6 0xff \
match ip dport 21 0xffff \
classid 1:14 # ftp-server

This works fine, but traffic for 1:14 (ftp) never gets into 1:14.

Is there a certain rule order in which filters must be written? As far
as I can see I haven't made any mistakes in these filters...

Anyone a hint?

R.
--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht |
| Public key and email address: |
| http://www.lucassen.org/mail-pubkey.html |
+------------------------------------------------------------------+
Shane McKinley
2007-12-18 14:38:12 UTC
Permalink
Wouldn't it depend on if you are using passive FTP or not?

http://www.slacksite.com/other/ftp.html


Shane McKinley
Habersham EMC

-----Original Message-----
From: richard lucassen [mailto:***@lucassen.org]
Sent: Monday, December 17, 2007 6:10 AM
To: ***@mailman.ds9a.nl
Subject: [LARTC] traffic not getting into class

Hello list,

I have these sorts of filters, putting traffic into the appropiate
classid (1:15 is the default class):

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
match ip protocol 0x6 0xff \
match ip sport 22 0xffff \
classid 1:11 # ssh

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
match ip protocol 0x6 0xff \
match ip dport 22 0xffff \
classid 1:11 # ssh

{and a few more 1:11 filters]

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
match ip protocol 0x11 0xff \
match ip sport 123 0xffff \
classid 1:11 # return packets NTP

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
match ip protocol 0x06 0xff \
match u8 0x05 0x0f at 0 \
match u8 0x10 0xff at 33 \
match u16 0x000 0xffc0 at 2 \
classid 1:11 # ACK's

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 2 protocol ip u32 \
match ip protocol 0x6 0xff \
match ip dport 80 0xffff \
classid 1:12 # Webserver

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 3 protocol ip u32 \
match ip protocol 0x6 0xff \
match ip sport 443 0xffff \
classid 1:13 # webmail server

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 4 protocol ip u32 \
match ip protocol 0x6 0xff \
match ip dport 21 0xffff \
classid 1:14 # ftp-server

This works fine, but traffic for 1:14 (ftp) never gets into 1:14.

Is there a certain rule order in which filters must be written? As far
as I can see I haven't made any mistakes in these filters...

Anyone a hint?

R.

--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak aloud
and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht |
| Public key and email address: |
| http://www.lucassen.org/mail-pubkey.html |
+------------------------------------------------------------------+
Andrei Kovacs
2007-12-20 13:00:03 UTC
Permalink
Post by richard lucassen
${TC} filter add dev ${DEV_IFB} parent 1:0 prio 4 protocol ip u32 \
match ip protocol 0x6 0xff \
match ip dport 21 0xffff \
classid 1:14 # ftp-server
This works fine, but traffic for 1:14 (ftp) never gets into 1:14.
Is there a certain rule order in which filters must be written? As far
as I can see I haven't made any mistakes in these filters...
Anyone a hint?
Port 21 is used only by the control connection of FTP. Active mode FTP
uses port 20 to do the actual downloading and Passive mode uses random
ports. I think you need to mark packets in iptables using
ip_conntrack_ftp helper to identify ftp packets.
Gustin Johnson
2007-12-23 22:51:48 UTC
Permalink
<snip>
Post by richard lucassen
${TC} filter add dev ${DEV_IFB} parent 1:0 prio 4 protocol ip u32 \
match ip protocol 0x6 0xff \ match ip dport 21 0xffff \ classid 1:14
# ftp-server
This works fine, but traffic for 1:14 (ftp) never gets into 1:14.
Is there a certain rule order in which filters must be written? As
far as I can see I haven't made any mistakes in these filters...
FTP is more complicated to filter than ssh. There is a control
connection and a data connection.
Post by richard lucassen
Anyone a hint?
The following sites give some info on the ftp protocal, though there is
a ton of more info if you use google.

http://www.slacksite.com/other/ftp.html
http://www.troubleshootingnetworks.com/ftpinfo.html

As an aside, ftp services really should be replaced with one of the
better alternatives.

Loading...