iptables, shaping of passive ftp traffic

 
 
Mikael Svenson

 
      08-20-2003, 05:29 PM
I'm running a linux box as a transparent firewall with the bridging
module. I want to shape and prioritize traffic coming from the outside
and in, and from inside the network and out to the internet.

The following line catches ftp transfers both ways. (I'm using
'watch -n 1 -d iptables -t mangle -nvL' to watch what filters are matched.)
And I'm using tc to handle the mark 10 afterwards.

#FTP Port mode
iptables -A PREROUTING -t mangle -p tcp --sport 20 \
-m state --state ESTABLISHED -j MARK --set-mark 10


My problem is with passive ftp transfers. Since both the source and
destination port are random ports over 1024, I cannot relate them
directly to ftp. And I don't want to mark all other traffic which might
use arbitrary data ports.

So my question is if there is a way to detect that a packet is related
to an ftp data transfer?

Regards,
Mikael Svenson
 
 
 
 
 
Innocenti Maresin

 
      08-20-2003, 05:43 PM
Mikael Svenson wrote:

> I'm running a linux box as a transparent firewall with the bridging
> module. I want to shape and prioritize traffic coming from the outside
> and in, and from inside the network and out to the internet.


You want to give FTP the lowest priority, don't you?


> So my question is if there is a way to detect
> that a packet is related to an ftp data transfer?


You can sniff all FTP control connections
and extract FTP data port numbers from there.
But it seems to me that a simpler way is
to assign a lowest priority to all connections
having both ports above 1024 :-)



--
Linux console internationalization http://www.comtv.ru/~av95/linux/console/
 
 
Lazar Ianakiev

 
      08-20-2003, 07:43 PM
Mikael Svenson wrote:

> So my question is if there is a way to detect that a packet is related
> to an ftp data transfer?


Use Netfilter's connection tracking module. Use --ctstate instead of
--state. Experiment with --ctproto.

--
I am currently looking for contract work: http://ianakiev.com/contract
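Lazar's connection-tracking suggestion (and the control-channel parsing Innocenti describes, which is what the kernel's FTP helper does on the firewall's behalf) turned into a rule set, as an added example that is not code from the thread. It assumes a kernel with the FTP conntrack helper (ip_conntrack_ftp in the 2.4 era, nf_conntrack_ftp on current kernels) and an iptables with the 'conntrack' and 'helper' matches; the mark 10 and the mangle PREROUTING chain are the ones the original rule already uses, and setting IPTABLES=echo lets you review the rules before applying them.

```sh
#!/bin/sh
# Added example, not code from the thread. Marks FTP data connections
# (port mode and passive) with fwmark 10 for tc, using the conntrack FTP
# helper instead of port numbers. Assumes a kernel with ip_conntrack_ftp
# (nf_conntrack_ftp on current kernels) and iptables with the 'conntrack'
# and 'helper' matches. Run with IPTABLES=echo to review the rules first.
set -eu

: "${IPTABLES:=iptables}"
: "${MODPROBE:=modprobe}"
FTP_MARK=10   # the mark the thread's tc classes already act on

# The helper parses the control channel (port 21 by default), learns the
# data endpoint from each PORT/PASV exchange and registers an expectation.
# When that data connection appears, conntrack links it to the control
# connection, so it can be matched by helper rather than by port number.
load_ftp_helper() {
    $MODPROBE ip_conntrack_ftp 2>/dev/null || $MODPROBE nf_conntrack_ftp
}

# Every packet of an FTP data connection: its first packet is RELATED,
# the rest ESTABLISHED; '-m helper --helper ftp' restricts the match to
# connections whose parent was handled by the ftp helper, so other
# high-port traffic is left alone.
ftp_data_mark_rule() {
    $IPTABLES -t mangle -A PREROUTING -p tcp \
        -m conntrack --ctstate RELATED,ESTABLISHED \
        -m helper --helper ftp \
        -j MARK --set-mark "$FTP_MARK"
}

# The control channel itself, in both directions across the bridge
# (--ports matches either source or destination port).
ftp_control_mark_rule() {
    $IPTABLES -t mangle -A PREROUTING -p tcp -m multiport --ports 21 \
        -j MARK --set-mark "$FTP_MARK"
}

# Per-rule counters, the same view as 'iptables -t mangle -nvL' above.
show_mangle_counters() {
    $IPTABLES -t mangle -nvL PREROUTING
}

# Only apply when explicitly asked: ./ftp-shape.sh apply
if [ "${1:-}" = "apply" ]; then
    load_ftp_helper
    ftp_data_mark_rule
    ftp_control_mark_rule
fi
```

Watching the counters while a passive transfer runs is the quickest check that the data connection is being marked; if it is not, confirm the helper module is loaded and that the control connection really uses port 21 (other ports need the module's ports= parameter).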

 
 
Mikael Svenson

 
      08-22-2003, 09:43 AM
In a way this is what I want to do, but I'm also bandwidth shaping
different kinds of traffic, and would like to isolate ftp for itself.
But the suggestion is not a bad one. Just lowering the priorities would
help as well.


-m

Innocenti Maresin wrote:
>
> Mikael Svenson wrote:
>
> > I'm running a linux box as a transparent firewall with the bridging
> > module. I want to shape and prioritize traffic coming from the outside
> > and in, and from inside the network and out to the internet.

>
> You want to give FTP the lowest priority, don't you?
>
> > So my question is if there is a way to detect
> > that a packet is related to an ftp data transfer?

>
> You can sniff all FTP control connections
> and extract FTP data port numbers from there.
> But it seems to me that a simpler way is
> to assign a lowest priority to all connections
> having both ports above 1024 :-)
>
> --
> Linux console internationalization http://www.comtv.ru/~av95/linux/console/

 
 
Mikael Svenson

 
      08-22-2003, 09:44 AM
Thanks. I'll give it a go.

-m

Lazar Ianakiev wrote:
>
> Mikael Svenson wrote:
>
> > So my question is if there is a way to detect that a packet is related
> > to an ftp data transfer?

>
> Use Netfilter's connection tracking module. Use --ctstate instead of
> --state. Experiment with --ctproto.
>
> --
> I am currently looking for contract work: http://ianakiev.com/contract

 