Firewall functions: IPTABLES
For example, you can define the value of a certain mark so that the data stream flows into a specific
QoS class. See below:
set iptables -t mangle -A POSTROUTING -m layer7 --l7proto rtp -j MARK --set-mark 1234
With the above command you mark the RTP traffic with the value 1234; after that you can apply the QoS
commands to prioritize those packets:
set qos-ext policy test-l7filter
set qos-ext policy test-l7filter qdisc htb
set qos-ext policy test-l7filter interface eth1
set qos-ext policy test-l7filter bandwidth 2000
set qos-ext class FTP-RTP
set qos-ext class FTP-RTP policy test-l7filter
set qos-ext class FTP-RTP bandwidth 1000
set qos-ext class FTP-RTP filter priority 1
set qos-ext class FTP-RTP filter match mark 1234
set qos-ext class FTP-RTP filter set dscp 46
set qos-ext class BESTEFFORT
set qos-ext class BESTEFFORT policy test-l7filter
set qos-ext class BESTEFFORT default
set qos-ext class BESTEFFORT bandwidth percent 100
set qos-ext class BESTEFFORT filter priority 2
set qos-ext on
Another example of an action: block e-mail traffic
set iptables -A FORWARD -m layer7 --l7proto pop3 -j DROP
set iptables -A FORWARD -m layer7 --l7proto imap -j DROP
or log SSL traffic
set iptables -A FORWARD -m layer7 --l7proto ssl -j LOG
CONNECTION TRACKING
Introduction
Connection tracking keeps in-memory tables of incoming and outgoing packets so that packets can be
controlled not only according to their own characteristics but also according to their relationship
with previous packets, i.e. according to the state of the connection (connection tracking).
The iptables option that enables this functionality is the extension -m state, with the
option --state, which takes a comma-separated list of connection states.
There are 4 different types of state:
NEW: for a packet which creates a new connection (i.e. a TCP packet with the SYN flag,
or UDP or ICMP packets not originating from connections already validated)
ESTABLISHED: for a packet which is part of a connection already established, i.e. one that has
already received reply packets.
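A toy model of the tracking table described above, added here as an example and not part of the product documentation: a flow is keyed by protocol and address/port tuple, the first packet (a TCP SYN, or any UDP/ICMP packet) creates an entry in the NEW state, and the flow becomes ESTABLISHED once a reply is seen. The INVALID label for TCP packets that match no entry, and the sample addresses, are assumptions of this example; RELATED (helper-tracked flows) is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Flow key: (proto, src, sport, dst, dport); replies use the reversed tuple.
FlowKey = Tuple[str, str, int, str, int]

@dataclass
class Packet:
    proto: str         # "tcp", "udp" or "icmp"
    src: str
    sport: int         # for icmp: the echo identifier
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag; ignored for udp/icmp

class ConnTracker:
    """In-memory flow table: original-direction key -> has a reply been seen?"""
    def __init__(self) -> None:
        self.table: Dict[FlowKey, bool] = {}

    def classify(self, p: Packet) -> str:
        k: FlowKey = (p.proto, p.src, p.sport, p.dst, p.dport)
        rk: FlowKey = (p.proto, p.dst, p.dport, p.src, p.sport)
        if k in self.table:
            # Same direction as the opening packet: ESTABLISHED only once a reply was seen.
            return "ESTABLISHED" if self.table[k] else "NEW"
        if rk in self.table:
            # A reply validates the flow; reply packets themselves are ESTABLISHED.
            self.table[rk] = True
            return "ESTABLISHED"
        # No entry yet: only a TCP SYN, or any UDP/ICMP packet, may open a flow.
        if p.proto == "tcp" and not p.syn:
            return "INVALID"  # assumed label for packets matching no connection
        self.table[k] = False
        return "NEW"

def demo() -> List[str]:
    """Constructed sample traffic: a TCP handshake, a stray ACK and a DNS exchange."""
    ct = ConnTracker()
    pkts = [
        Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 443, syn=True),  # client SYN
        Packet("tcp", "192.0.2.10", 443, "10.0.0.5", 40000),  # server SYN-ACK
        Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 443),  # client ACK
        Packet("tcp", "198.51.100.7", 5555, "10.0.0.5", 22),  # ACK with no prior SYN
        Packet("udp", "10.0.0.5", 53000, "192.0.2.53", 53),  # DNS query
        Packet("udp", "192.0.2.53", 53, "10.0.0.5", 53000),  # DNS reply
    ]
    return [ct.classify(p) for p in pkts]
```

A rule set of the form `--state ESTABLISHED -j ACCEPT` followed by port-specific `--state NEW` rules relies on exactly this distinction: the stray ACK above never becomes ESTABLISHED, so it cannot ride through on the first rule.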