
List:       lartc
Subject:    Re: [LARTC] Layer 7 application blocking via tc/iptables?
From:       Oskar Andreasson <blueflux () koffein ! net>
Date:       2003-08-30 21:05:05

Just thought I would throw in one warning about the string match, which I
haven't seen raised so far in this thread.

Netfilter only works on a per packet basis, not on a stream basis. If you
want to do any work on an application layer level, and remain certain that
this policy will always be in effect... don't use the string match in
netfilter:).

One simple way of getting around that match is to simply set the MTU
sufficiently small to not allow the whole string to be matched inside a
single packet, and the rule/policy has been negated. And there are more
ways, of course.

Anyways, just thought I should point this out if it is important to you
that the policy is not broken.

On Fri, 29 Aug 2003, Martin A. Brown wrote:

>
> Hi there Derek,
>
> There are two approaches to dropping traffic once you have identified it.
> I'll assume you have identified with an fwmark the traffic you wish to
> drop.
>
>  : After I got the byte patterns and such, how might I go about blocking
>  : that? I can't very well set the rate to 0k or anything like that, so
>  : I've been scratching my head on how to actually _block_ something with
>  : iproute2.
>
> You can route it to a blackhole or you can create a policer with a drop
> action.
>
> Here are some examples, assuming an fwmark of 7:
>
> # echo "7 blackhole" >> /etc/iproute2/rt_tables
> # ip route add blackhole default table blackhole
> # ip rule add fwmark 7 table blackhole
>
> This creates a routing table number 7 called "blackhole", which contains
> exactly one route, a default route to a blackhole.  Now, simply add a rule
> to your RPDB to select this routing table for packets with fwmark 7, and
> you are dropping all of these packets.
>
> If you'd prefer to use a policer, you can use something like this
> (untested):
>
> # tc filter add dev ppp0 parent 1:1 protocol ip \
> >  handle 6 fw flowid 1:8 \
> >  police rate 1bps burst 1 action drop/drop
>
> With that said, why don't you just use a -j DROP netfilter target?
> Wouldn't that be easier if you are already using netfilter?
>
> Best of luck,
>
> -Martin
>
> --
> Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
>

----
Oskar Andreasson
http://www.frozentux.net
http://iptables-tutorial.frozentux.net
http://ipsysctl-tutorial.frozentux.net
mailto:blueflux@koffein.net
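The per-packet limitation Oskar describes is easy to see in a small model. The following Python is an added illustration, not code from the thread or from netfilter: it splits a constructed HTTP request into segments of a chosen size (what a small path MTU does to one write), runs a matcher that inspects each packet in isolation, and compares it with a matcher that reassembles the in-order stream and keeps only a bounded tail so the pattern can be found across packet boundaries. The payload, pattern and segment sizes are all constructed sample values.

```python
"""Per-packet vs. stream pattern matching (constructed example)."""
from typing import Dict, Iterable, List

# Constructed sample traffic and signature (not from the thread).
PAYLOAD = b"GET /dl/track01.mp3 HTTP/1.0\r\nHost: example.test\r\n\r\n"
PATTERN = b".mp3"


def segment(payload: bytes, mss: int) -> List[bytes]:
    """Split an application payload into TCP-segment-sized pieces,
    as a small path MTU would split a single send()."""
    if mss <= 0:
        raise ValueError("mss must be positive")
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def per_packet_match(segments: Iterable[bytes], pattern: bytes) -> bool:
    """Model of a packet-only matcher: each packet is inspected alone,
    so a pattern straddling two packets is never seen."""
    return any(pattern in seg for seg in segments)


class StreamMatcher:
    """Reassembles in-order segments of one flow and matches across
    packet boundaries. Only the last len(pattern)-1 bytes are retained
    between packets, so memory stays bounded for long flows."""

    def __init__(self, pattern: bytes) -> None:
        if not pattern:
            raise ValueError("pattern must not be empty")
        self.pattern = pattern
        self.tail = b""
        self.matched = False

    def feed(self, seg: bytes) -> bool:
        """Feed one in-order segment; return True once matched."""
        if self.matched:
            return True
        window = self.tail + seg
        if self.pattern in window:
            self.matched = True
            return True
        keep = len(self.pattern) - 1
        self.tail = window[-keep:] if keep else b""
        return False


def stream_match(segments: Iterable[bytes], pattern: bytes) -> bool:
    """Run the reassembling matcher over a sequence of segments."""
    matcher = StreamMatcher(pattern)
    return any(matcher.feed(seg) for seg in segments)


def compare(payload: bytes, pattern: bytes, mss: int) -> Dict[str, object]:
    """Segment the payload and report both matchers' verdicts."""
    segs = segment(payload, mss)
    return {
        "segments": len(segs),
        "per_packet": per_packet_match(segs, pattern),
        "stream": stream_match(segs, pattern),
    }


if __name__ == "__main__":
    # With a normal segment size the whole request sits in one packet and
    # both matchers agree; once the pattern is split the per-packet
    # matcher is blind while the stream matcher still fires.
    for mss in (1460, 8, 4):
        print(mss, compare(PAYLOAD, PATTERN, mss))
```

The stream matcher assumes in-order delivery of one flow; a real implementation sits on top of connection tracking and TCP reassembly, which is exactly the machinery a bare per-packet string match lacks.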