
[K12OSN] DNS records was: Instant Messanger



On Fri, 2003-10-03 at 00:27, Terrell Prude', Jr. wrote:
> If AOL didn't change its IP addresses all the time, I would agree. 
> Unfortunately for us, they have and do rather often, I'm guessing to
> get around folks who block by IP adrs.  
> 
> The other way, I suppose, to do it is to have an internal DNS server
> (assumes you have split DNS) and make it authoritative for the aol.com
> domain.  Then you can do what you want to that domain--black hole
> parts of it, whatever.  Of course, then that means that if
> <anythingelse>.aol.com ever changes *its* IP address, then you've got
> to manage all that, too. 
> 
> It was simply easier for me to do it with our existing route policies,
> since we already needed to block Code Red and Nimda. 


Yeah, just mangle AOL's DNS.  Who knows how to do this?

Fixing this with tc is not that simple, as I don't know what to match.


> 
> BTW, what's tc? 


tc is the Linux Traffic Control method.  The `tc` executable inserts
queuing disciplines into the kernel "insmod-style".

tcng is "tc next-generation"

tcc is the "compiler" for tcng.

Example:

[steve linuxathome steve]$ cat network.tc

dev eth0 {
    egress {

        // classification
        class (<$mesh_unpriv>)
            if ip_dst == 10.10.10.0/30;

        class (<$ltsp>)
            if ip_dst == 192.168.0.0/24;

        class (<$other>)
            if 1;

        // queuing
        prio {
            $mesh_unpriv = class (1) {
                fifo (limit 20kbit);
            }

            $ltsp = class (2) {
                fifo (limit 100Mbit);
            }

            $other = class (3) {
                fifo (limit 20kbit);
            }
        }
    }
}


----------------------------------------------------------

Now we "compile" the script with tcc.  An executable shell script will
be generated.

[steve linuxathome steve]$ tcc network.tc | tee network.sh

# ================================ Device eth0 ================================

tc qdisc add dev eth0 handle 1:0 root dsmark indices 4 default_index 0
tc qdisc add dev eth0 handle 2:0 parent 1:0 prio
tc qdisc add dev eth0 handle 3:0 parent 2:1 bfifo limit 2560
tc qdisc add dev eth0 handle 4:0 parent 2:2 bfifo limit 13107200
tc qdisc add dev eth0 handle 5:0 parent 2:3 bfifo limit 2560
tc filter add dev eth0 parent 2:0 protocol all prio 1 tcindex mask 0x3 shift 0
tc filter add dev eth0 parent 2:0 protocol all prio 1 handle 3 tcindex classid 2:3
tc filter add dev eth0 parent 2:0 protocol all prio 1 handle 2 tcindex classid 2:2
tc filter add dev eth0 parent 2:0 protocol all prio 1 handle 1 tcindex classid 2:1
tc filter add dev eth0 parent 1:0 protocol all prio 1 u32 match u32 0xa0a0a00 0xffffffff at 16 classid 1:1
tc filter add dev eth0 parent 1:0 protocol all prio 1 u32 match u32 0xc0a80000 0xffffffff at 16 classid 1:2
tc filter add dev eth0 parent 1:0 protocol all prio 1 u32 match u32 0x0 0x0 at 0 classid 1:3
[steve linuxathome steve]$


Now run this script as root.

[steve linuxathome steve]$ chmod 700 network.sh && sudo ./network.sh

Note the "u32 match" command selecting a binary pattern in the packet.

If you play with this and take your network down, simply delete the root
qdisc, thusly:

# tc qdisc del dev eth0 root



/steve
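As an added example, not code from steve's post or from the tcng project, the bash script below reproduces in user space the two translations tcc performs in the generated network.sh above: a "ip_dst == a.b.c.d/len" classifier becomes a "u32 match" on a 32-bit word of the IP header, and a "fifo (limit 20kbit)" becomes a bfifo limit in bytes. It assumes IPv4 without options, so the source address sits at byte offset 12 and the destination at offset 16 of the IP header, and it assumes tcng's kbit and Mbit are 1024-based, which is consistent with the 20kbit → 2560 and 100Mbit → 13107200 figures in the generated script. The match mask is derived from the prefix length (a /30 gives 0xfffffffc, a /24 gives 0xffffff00). The resulting tc commands are only printed, never executed, so they can be reviewed before running them as root; the device name, class ids and the three prefixes are taken from the post, everything else is illustrative.

```bash
#!/bin/bash
# Added example: derive tc u32 selectors and bfifo byte limits from the
# tcng-style inputs used in the post, printing the tc commands instead of
# running them. Not part of the original post or of tcng.
#
# Assumptions: IPv4 header without options (src at byte 12, dst at byte 16);
# tcng's kbit/Mbit are 1024-based (matches 20kbit -> 2560 bytes in the post).

IP_SRC_OFFSET=12
IP_DST_OFFSET=16

# cidr_to_u32 CIDR OFFSET -> "match u32 0xVALUE 0xMASK at OFFSET"
# The mask comes from the prefix length, so 10.10.10.0/30 -> 0xfffffffc.
cidr_to_u32() {
    local cidr=$1 offset=$2 ip len value mask
    ip=${cidr%/*}
    len=${cidr#*/}
    [ "$ip" = "$len" ] && len=32                  # bare address means /32
    if [ "$len" -lt 0 ] || [ "$len" -gt 32 ]; then
        echo "bad prefix length in '$cidr'" >&2
        return 1
    fi
    local IFS=.
    set -- $ip                                    # split into four octets
    [ $# -eq 4 ] || { echo "bad IPv4 address in '$cidr'" >&2; return 1; }
    # 10# forces decimal so an octet written as 08 is not read as octal
    value=$(( (10#$1 << 24) | (10#$2 << 16) | (10#$3 << 8) | 10#$4 ))
    mask=$(( len == 0 ? 0 : (0xffffffff << (32 - len)) & 0xffffffff ))
    printf 'match u32 0x%08x 0x%08x at %d\n' "$value" "$mask" "$offset"
}

# fifo_limit_bytes RATE -> queue limit in bytes, the way tcc turns
# "fifo (limit 20kbit)" into "bfifo limit 2560" (1024-based units assumed).
fifo_limit_bytes() {
    local rate=$1 n unit
    n=${rate%%[!0-9]*}                            # leading digits
    unit=${rate#"$n"}                             # whatever follows them
    [ -n "$n" ] || { echo "no number in '$rate'" >&2; return 1; }
    case $unit in
        kbit) echo $(( n * 1024 / 8 )) ;;
        Mbit) echo $(( n * 1024 * 1024 / 8 )) ;;
        *)    echo "unsupported unit '$unit' in '$rate'" >&2; return 1 ;;
    esac
}

# filter_cmd DEV PARENT CIDR OFFSET CLASSID -> one "tc filter add" line.
# "protocol ip" is used so non-IP frames (ARP etc.) are never compared
# against IP-header offsets; the post's tcc output uses "protocol all".
filter_cmd() {
    local dev=$1 parent=$2 cidr=$3 offset=$4 classid=$5 sel
    sel=$(cidr_to_u32 "$cidr" "$offset") || return 1
    echo "tc filter add dev $dev parent $parent protocol ip prio 1 u32 $sel classid $classid"
}

# shaping_plan DEV -> the three classifier lines for the post's network.tc,
# printed for review. The catch-all gets a lower priority (higher number)
# so its evaluation after the specific matches does not depend on insertion order.
shaping_plan() {
    local dev=$1
    filter_cmd "$dev" 1:0 10.10.10.0/30  "$IP_DST_OFFSET" 1:1 || return 1
    filter_cmd "$dev" 1:0 192.168.0.0/24 "$IP_DST_OFFSET" 1:2 || return 1
    # zero mask matches every packet, the equivalent of "if 1"
    echo "tc filter add dev $dev parent 1:0 protocol ip prio 2 u32 match u32 0x00000000 0x00000000 at 0 classid 1:3"
}

# Print the plan for eth0 (the post's device); nothing is installed.
shaping_plan eth0
echo "# bfifo limits: 20kbit -> $(fifo_limit_bytes 20kbit) bytes, 100Mbit -> $(fifo_limit_bytes 100Mbit) bytes"
```

After loading a generated script for real, `tc filter show dev eth0` and `tc -s qdisc show dev eth0` print what the kernel actually installed, which is the place to confirm that the value, mask and offset of each u32 selector are the ones intended before trusting the shaping; the `tc qdisc del dev eth0 root` from the post undoes everything at once.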




