Re: Preventing uploads on a specific port to internet.

From: Kasper Dupont (kasperd@daimi.au.dk)
Date: 06/18/02


From: Kasper Dupont <kasperd@daimi.au.dk>
Date: Tue, 18 Jun 2002 16:26:26 +0200

Michael Burnem wrote:
>
> "Kasper Dupont" <kasperd@daimi.au.dk> wrote in message
> news:3D0E3043.D5DE9C52@daimi.au.dk...
> > Michael Burnem wrote:
> > >
> > > I need a simple iptables rule to prevent uploads through port 2000, but
> > > downloads still have to be possible.
> > > I figure I should just make a --sport -j drop rule in PREROUTING
> > > But that didn't work out too well..
> >
> > You must be more specific. Are you configuring server or client?
> > Are you talking about port 2000 on server or client? What
> > protocol are you using?
>
> The protocol is tcp.

Of course it is tcp, but there are a large number of file
transferring protocols using tcp. Which one are you using?

> I've configured my router to route all --dport 2000 packages to 192.168.0.1
> on my network, so I can get an active connection.
> But now I want to limit uploads on that port, but not downloads.

If the ports are exactly the same there is little you can
do on the tcp level. You should do it on a higher level
and set up the server knowing the protocol to do what you
want. Of course you could break the tcp connection after
some number of bytes on the upstream, but you would need
to know how large a download request could be, and it is
still not an advisable solution.

>
> I've limited upload on ppp0 (to limit modem queues, since I've got ADSL).
> Do you know how to use tc handle on the ppp0 interface (so I could limit
> uploads on port 2000)? On the eth0 interface it's easy, but that only goes
> for downloads.
> (Sorry, I've really not gotten the logic of iproute2)

There do exist some QoS mechanisms that can match
packets with rules similar to iptables and put them in
different queues for transmission. But I don't know the
details.

Do you want to prevent uploads or just to keep the rate
of packets low? In the latter case you would probably
want to just keep the transmission window in one
direction small.

-- 
Kasper Dupont -- der bruger for meget tid på usenet.
For sending spam use mailto:razor-report@daimi.au.dk
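The QoS mechanism Kasper alludes to above (matching packets with iptables-style rules and putting them into different transmit queues) is what the original poster was trying to reach with tc on ppp0. The script below is an added illustration, not part of the thread and not anyone's production configuration: it marks forwarded TCP packets leaving the WAN interface with source port 2000 (what the server at 192.168.0.1 sends upstream) and pins them into a small HTB class, so the upload on that port is rate-limited rather than blocked, which is the approach Kasper's last paragraph points at. Interface name, link rate and per-port cap are assumed placeholders; the defaults (ppp0, 256 kbit upstream, 64 kbit for port 2000) are constructed values. By default it only prints the commands so the policy can be reviewed before it touches a router.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a Linux router with
# HTB support in tc and a mangle table in iptables (kernel 2.4.18+/2.6).
# All rates and names are illustrative placeholders.
WAN_IF="${WAN_IF:-ppp0}"           # assumed upstream interface
LINK_KBIT="${LINK_KBIT:-256}"      # assumed usable upstream rate, set a bit below the real ADSL rate
SERVICE_PORT="${SERVICE_PORT:-2000}"
PORT_KBIT="${PORT_KBIT:-64}"       # hard cap for data the port-2000 server sends upstream
MARK=1                             # fwmark used to hand packets to class 1:10

# Emit the tc/iptables command list instead of running it, so the policy can be
# reviewed and tested on a machine without root or the tools installed.
shape_upload_commands() {
    bulk=$((LINK_KBIT - PORT_KBIT))
    cat <<EOF
tc qdisc del dev $WAN_IF root 2>/dev/null || true
tc qdisc add dev $WAN_IF root handle 1: htb default 20
tc class add dev $WAN_IF parent 1: classid 1:1 htb rate ${LINK_KBIT}kbit ceil ${LINK_KBIT}kbit
tc class add dev $WAN_IF parent 1:1 classid 1:10 htb rate ${PORT_KBIT}kbit ceil ${PORT_KBIT}kbit prio 2
tc class add dev $WAN_IF parent 1:1 classid 1:20 htb rate ${bulk}kbit ceil ${LINK_KBIT}kbit prio 1
tc filter add dev $WAN_IF parent 1: protocol ip prio 1 handle $MARK fw flowid 1:10
iptables -t mangle -A FORWARD -o $WAN_IF -p tcp --sport $SERVICE_PORT -j MARK --set-mark $MARK
EOF
}

# Execute the emitted commands one by one (requires root on the router).
apply_shaping() {
    shape_upload_commands | while IFS= read -r cmd; do
        sh -c "$cmd"
    done
}

# DRY_RUN=1 (the default) prints the policy; DRY_RUN=0 applies it.
if [ "${DRY_RUN:-1}" = "1" ]; then
    shape_upload_commands
else
    apply_shaping
fi
```

Class 1:10 has ceil equal to its rate, so it cannot borrow bandwidth from the parent: that is what turns the mark into an upload cap for port 2000 while everything else (class 1:20) keeps the rest of the link. The mark is set in the mangle FORWARD chain because the server sits behind the router; if the service ran on the router itself, the equivalent rule would go in mangle OUTPUT. Checking `tc -s class show dev ppp0` after applying it shows whether bytes are actually landing in 1:10, which is the quickest way to confirm the match is right.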

