Wojciech Ziniewicz wrote:
06-08-01, Grzegorz Cichowski byko@lazurowa.net wrote:
and how do you filter ftp? when it connects in passive mode it goes over a different port
l7 catches that. you just push all ftp traffic (via l7) into a chain that bypasses htb. works flawlessly.
I have it like this, but this is only part of the code... :) and it doesn't work for me, any help?
$IPT -t mangle -N LIMITS
$IPT -t mangle -I FORWARD -i $WAN -j LIMITS
$IPT -t mangle -I FORWARD -o $WAN -j LIMITS
$IPT -t mangle -I FORWARD -i $LAN -j LIMITS
$IPT -t mangle -I FORWARD -o $LAN -j LIMITS
$ECHO " Kolejkowanie wlaczone "
# Set the TOS bits in the IP header
....
# IMQ - queueing
$IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark
# FTP traffic
$IPT -t mangle -A PREROUTING -m layer7 --l7proto ftp -j MARK --set-mark 0x32
# --todev takes the IMQ device number (imq0 = 0), as in the POSTROUTING rules below
$IPT -t mangle -A PREROUTING -m connmark --mark 0x32 -j IMQ --todev 0
$IPT -t mangle -A PREROUTING -m mark --mark 0x32 -j CONNMARK --save-mark
# $IPT -t mangle -A POSTROUTING -m mark --mark 0x32 -j RETURN
$IPT -t mangle -A FORWARD -m layer7 --l7proto ftp -j MARK --set-mark 0x32
$IPT -A POSTROUTING -t mangle -o $LAN -j IMQ --todev 1
$IPT -A POSTROUTING -t mangle -o $WAN -j IMQ --todev 0
# Router traffic
$IPT -t mangle -A POSTROUTING -s $SERVIP -j MARK --set-mark 0x20
$IPT -t mangle -A POSTROUTING -s $SERVIP -j RETURN
# ------------ Creating the queues - download ---------------
### Creating the queue root
$TC qdisc add dev imq0 root handle 1:0 htb default 3 r2q 2
$TC class add dev imq0 parent 1:0 classid 1:1 htb rate 99000kbit ceil 99000kbit quantum 1500
$TC class add dev imq0 parent 1:1 classid 1:2 htb rate 1024kbit ceil 1024kbit
$TC class add dev imq0 parent 1:1 classid 1:3 htb rate 97720kbit ceil 97720kbit prio 9 quantum 1500
$TC qdisc add dev imq0 parent 1:3 esfq perturb 16 hash dst
# Priorities for ICMP, TOS 0x10 and ports 22 and 53
$TC class add dev imq0 parent 1:2 classid 1:20 htb rate 128kbit ceil 512kbit quantum $QUANTUM1 burst $BURST1 cburst $CBURST1 prio 0
$TC qdisc add dev imq0 parent 1:20 esfq perturb 16 hash dst
$TC filter add dev imq0 parent 1:0 protocol ip prio 2 u32 match ip sport 22 0xffff flowid 1:20
$TC filter add dev imq0 parent 1:0 protocol ip prio 2 u32 match ip sport 53 0xffff flowid 1:20
$TC filter add dev imq0 parent 1:0 protocol ip prio 1 u32 match ip tos 0x10 0xff flowid 1:20
$TC filter add dev imq0 parent 1:0 protocol ip prio 1 u32 match ip protocol 1 0xff flowid 1:20
# Router traffic
$TC class add dev imq0 parent 1:2 classid 1:40 htb rate 128kbit ceil 512kbit quantum $QUANTUM1 burst $BURST1 cburst $CBURST1 prio 1
$TC qdisc add dev imq0 parent 1:40 esfq perturb 16 hash dst
$TC filter add dev imq0 parent 1:0 protocol ip prio 1 u32 match ip dst $SERVIP flowid 1:40
# FTP traffic
$TC class add dev imq0 parent 1:2 classid 1:60 htb rate 128kbit ceil 512kbit quantum $QUANTUM1 burst $BURST1 cburst $CBURST1 prio 2
$TC qdisc add dev imq0 parent 1:60 esfq perturb 16 hash dst
$TC filter add dev imq0 parent 1:0 protocol ip prio 3 handle 0x32 fw flowid 1:60
# server -> LAN
#$TC filter add dev imq0 parent 1:0 protocol ip prio 4 handle 1 fw flowid 1:3
# outgoing traffic
$TC qdisc add dev imq1 root handle 2:0 htb default 11 r2q 1
$TC class add dev imq1 parent 2:0 classid 2:1 htb rate 2048kbit ceil 2048kbit
# priorities for ACK, ICMP, TOS 0x10, ports 22 and 53
$TC class add dev imq1 parent 2:1 classid 2:10 htb rate 128kbit ceil 512kbit quantum $QUANTUM1 burst $BURST1 cburst $CBURST1 prio 0
$TC qdisc add dev imq1 parent 2:10 esfq perturb 16
# small TCP ACK packets (IP header length 5, total length < 64, ACK flag set)
$TC filter add dev imq1 parent 2:0 protocol ip prio 1 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 1 match u8 0x10 0xff at 33 flowid 2:10
$TC filter add dev imq1 parent 2:0 protocol ip prio 1 u32 match ip dport 22 0xffff flowid 2:10
$TC filter add dev imq1 parent 2:0 protocol ip prio 1 u32 match ip dport 53 0xffff flowid 2:10
$TC filter add dev imq1 parent 2:0 protocol ip prio 1 u32 match ip tos 0x10 0xff flowid 2:10
$TC filter add dev imq1 parent 2:0 protocol ip prio 1 u32 match ip protocol 1 0xff flowid 2:10
# server -> Internet
$TC class add dev imq1 parent 2:1 classid 2:11 htb rate 256kbit ceil 1024kbit quantum $QUANTUM1 burst $BURST1 cburst $CBURST1 prio 1
$TC qdisc add dev imq1 parent 2:11 esfq perturb 16
$TC filter add dev imq1 parent 2:0 protocol ip prio 3 handle 0x20 fw flowid 2:11
# $TC filter add dev imq1 parent 2:0 protocol ip prio 9 u32 match ip dst 0/0 flowid 2:11
# FTP traffic
$TC class add dev imq1 parent 2:1 classid 2:50 htb rate 128kbit ceil 512kbit quantum $QUANTUM1 burst $BURST1 cburst $CBURST1 prio 2
$TC qdisc add dev imq1 parent 2:50 esfq perturb 16 hash src
$TC filter add dev imq1 parent 2:0 protocol ip prio 2 handle 0x32 fw flowid 2:50
# some user
$IPT -t mangle -A LIMITS -s 172.10.11.10 -j MARK --set-mark 108
$IPT -t mangle -A LIMITS -d 172.10.11.10 -j MARK --set-mark 108
#$IPT -t mangle -A POSTROUTING -s 172.10.11.10 -d 0/0 -j MARK --set-mark 108
#$IPT -t mangle -A POSTROUTING -s 172.10.11.10 -d 0/0 -j RETURN
$TC class add dev imq0 parent 1:2 classid 1:108 htb rate 128.0000kbit ceil 1024.0000kbit $BURST prio 2 quantum 1500
$TC qdisc add dev imq0 parent 1:108 esfq perturb 10 hash dst
$TC filter add dev imq0 parent 1:0 protocol ip prio 5 handle 108 fw flowid 1:108
$TC class add dev imq1 parent 2:1 classid 2:108 htb rate 128.0000kbit ceil 1024.0000kbit $BURST prio 2 quantum 1500
$TC qdisc add dev imq1 parent 2:108 esfq perturb 10 hash src
$TC filter add dev imq1 parent 2:0 protocol ip prio 5 handle 108 fw flowid 2:108
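An added example (not code from this mail or its author) of the approach Wojciech describes above: a dedicated mangle chain marks FTP with layer7 and CONNMARK and RETURNs before the IMQ target, so marked FTP packets never reach HTB on imq0/imq1. The chain name FTPBYPASS, the default interface names, and matching the data connections through the conntrack ftp helper are assumptions; mark 0x32 and the $IPT/$WAN/$LAN names follow the mail.

```shell
#!/bin/sh
# Added example: FTP bypasses HTB by leaving the mangle chain before the IMQ hook.
# DRY_RUN=1 (default) prints the iptables commands; DRY_RUN=0 installs them.
WAN="${WAN:-eth0}"        # assumed interface names
LAN="${LAN:-eth1}"
FTPMARK=0x32              # same mark as in the mail
if [ "${DRY_RUN:-1}" = 1 ]; then IPT="echo iptables"; else IPT="iptables"; fi

# $1 optionally overrides the iptables command (used by the self-check below)
ftp_bypass_rules() {
    ipt="${1:-$IPT}"
    $ipt -t mangle -N FTPBYPASS
    # 1. restore the mark saved on earlier packets of the same connection
    $ipt -t mangle -A FTPBYPASS -j CONNMARK --restore-mark
    # 2. connection already known as FTP: leave the chain, skipping IMQ/HTB
    $ipt -t mangle -A FTPBYPASS -m mark --mark $FTPMARK -j RETURN
    # 3. classify the control connection by payload (layer7 needs a few
    #    packets, so the very first ones of a session still pass through HTB)
    $ipt -t mangle -A FTPBYPASS -m layer7 --l7proto ftp -j MARK --set-mark $FTPMARK
    #    passive/active data connections: matched via the conntrack ftp helper
    #    (assumes nf_conntrack_ftp / ip_conntrack_ftp is loaded)
    $ipt -t mangle -A FTPBYPASS -m helper --helper ftp -j MARK --set-mark $FTPMARK
    # 4. persist the mark on the conntrack entry, then leave before IMQ
    $ipt -t mangle -A FTPBYPASS -m mark --mark $FTPMARK -j CONNMARK --save-mark
    $ipt -t mangle -A FTPBYPASS -m mark --mark $FTPMARK -j RETURN
    # 5. everything else goes to the IMQ devices shaped by HTB (imq0 / imq1)
    $ipt -t mangle -A FTPBYPASS -o $WAN -j IMQ --todev 0
    $ipt -t mangle -A FTPBYPASS -o $LAN -j IMQ --todev 1
    # hook the chain in front of any existing POSTROUTING rules
    $ipt -t mangle -I POSTROUTING -o $WAN -j FTPBYPASS
    $ipt -t mangle -I POSTROUTING -o $LAN -j FTPBYPASS
}

# Self-check on the dry-run output: the first FTP RETURN must come before the
# first IMQ target, otherwise FTP would still be queued. Returns 0 when ok.
ftp_bypass_order_ok() {
    out=$(ftp_bypass_rules "echo iptables")
    ret=$(printf '%s\n' "$out" | grep -n -- "--mark $FTPMARK -j RETURN" | head -n 1 | cut -d: -f1)
    imq=$(printf '%s\n' "$out" | grep -n -- '-j IMQ' | head -n 1 | cut -d: -f1)
    [ -n "$ret" ] && [ -n "$imq" ] && [ "$ret" -lt "$imq" ]
}

ftp_bypass_order_ok && ftp_bypass_rules
```

With DRY_RUN=0 the rules are installed only if the ordering check passes, so a misordered chain cannot silently push FTP back into HTB.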