[LARTC] CBQ + Layer7 x Emule

Saulo Silva sauloaugustosilva at gmail.com
Sat Jun 9 18:29:38 CEST 2007


Hi Marcos,


Now it works with l7 and these iptables lines. In the first email we had only 4
lines and now we have 5. It's working nicely.

Thanks for the help.

Saulo Silva

2007/6/9, Marco Aurelio <marco.casaroli at gmail.com>:
>
> from ipp2p news page
> ""quote""
>
> I suggest the following tcp and udp for connection tracking (see docu
> section)
>
> # iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
> # iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
> # iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1
> # iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark
> # iptables -t mangle -A PREROUTING -p udp -m ipp2p --ipp2p -j MARK --set-mark 1
>
>
> Detect TCP FIRST, SAVE MARK, and detect udp after you saved the mark!!
> You will now have every p2p packet marked, but a dramatic reduction of UDP
> mismatches.
>
> ""quote""
>
> On 6/8/07, Salatiel Filho <salatiel.filho at gmail.com> wrote:
> >
> >
> > On 6/8/07, Saulo Silva <sauloaugustosilva at gmail.com> wrote:
> > > Hi Marcos,
> > >
> > > I tried your rules, but without success. Thanks for that help.
> > > And how about ipp2p? Could this application do that? Help me to
> > > shape edonkey traffic???
> > >
> > > Best Regards,
> > >
> > > Saulo Silva
> > >
> > >
> > > 2007/6/8, Marco Aurelio <marco.casaroli at gmail.com>:
> > >
> > > > l7's edonkey filter does not match all edonkey traffic, it does not
> > > > match data packets (that you want to shape). It matches however the
> > > > signaling packets that can be related to data connections.
> > > >
> > > > I never tried L7 but I think these may help you
> > > >
> > > > iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
> > > > iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
> > > > iptables -t mangle -A PREROUTING -m layer7 --l7proto edonkey -j MARK --set-mark 2
> > > > iptables -t mangle -A PREROUTING -p tcp -m mark --mark 2 -j CONNMARK --save-mark
> > > >
> > > >
> > > > On 6/8/07, Saulo Silva < sauloaugustosilva at gmail.com> wrote:
> > > > > Hi All ,
> > > > >
> > > > > My first message, and I have a little problem with my FC6 box trying to
> > > > > block emule traffic using layer7.
> > > > >
> > > > > Here is my network:
> > > > >
> > > > > Internet --------- ADSL Router ------------------- FC6 Box -------------------- Emule Box
> > > > >
> > > > > external ADSL : Dynamic
> > > > > Internal ADSL  : 192.168.254.1
> > > > >
> > > > > external FC6  : 192.168.254.3
> > > > > internal FC6 : 192.168.253.1
> > > > >
> > > > > Emule Box : 192.168.253.3
> > > > >
> > > > > I guess that everything is ok with layer7. Here are my mangle rules.
> > > > >
> > > > > # iptables -t mangle -A PREROUTING -m layer7 --l7proto edonkey -j MARK --set-mark 2
> > > > > # iptables -t mangle -A PREROUTING -m mark --mark 2 -j LOG --log-prefix "PREROUTING MARK : "
> > > > >
> > > > >
> > > > > iptables -t mangle -A FORWARD -m layer7 --l7proto edonkey -j MARK --set-mark 2
> > > > > iptables -t mangle -A FORWARD -m mark --mark 2 -j LOG --log-prefix "FORWARD MARK : "
> > > > >
> > > > > The output from the log is:
> > > > >
> > > > > Jun  8 14:18:46 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=203.91.83.127 DST=192.168.253.3 LEN=180 TOS=0x00 PREC=0x00 TTL=105 ID=18725 PROTO=TCP SPT=51674 DPT=4662 WINDOW=16944 RES=0x00 ACK PSH URGP=0
> > > > >
> > > > > Jun  8 14:18:48 fs-linux kernel: PREROUTING MARK : IN=eth0 OUT= MAC=00:06:4f:47:ad:e0:00:0f:3d:cc:29:e0:08:00 SRC=200.209.170.138 DST=192.168.254.3 LEN=139 TOS=0x00 PREC=0x00 TTL=115 ID=18002 DF PROTO=TCP SPT=1476 DPT=4662 WINDOW=65535 RES=0x00 ACK PSH URGP=0
> > > > > Jun  8 14:18:48 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=200.209.170.138 DST=192.168.253.3 LEN=139 TOS=0x00 PREC=0x00 TTL=114 ID=18002 DF PROTO=TCP SPT=1476 DPT=4662 WINDOW=65535 RES=0x00 ACK PSH URGP=0
> > > > >
> > > > > Jun  8 14:18:51 fs-linux kernel: PREROUTING MARK : IN=eth0 OUT= MAC=00:06:4f:47:ad:e0:00:0f:3d:cc:29:e0:08:00 SRC=200.244.104.10 DST=192.168.254.3 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=7042 PROTO=TCP SPT=50675 DPT=4662 WINDOW=64952 RES=0x00 ACK FIN URGP=0
> > > > >
> > > > > Jun  8 14:18:51 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=200.244.104.10 DST=192.168.253.3 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=7042 PROTO=TCP SPT=50675 DPT=4662 WINDOW=64952 RES=0x00 ACK FIN URGP=0
> > > > >
> > > > > So it looks like the mark is working.
> > > > >
> > > > > So now I use the cbq.init script with this configuration:
> > > > >
> > > > > cat /etc/sysconfig/cbq/cbq-0002.emule_in
> > > > >
> > > > > DEVICE=eth0,100Mbit,10Mbit
> > > > > RATE=3Kbit
> > > > > WEIGHT=1Kbit
> > > > > PRIO=5
> > > > > BOUNDED=yes
> > > > > ISOLATED=yes
> > > > > MARK=2
> > > > >
> > > > > cat /etc/sysconfig/cbq/cbq-0002.emule_out
> > > > > DEVICE=eth1,100Mbit,10Mbit
> > > > > RATE=3Kbit
> > > > > WEIGHT=1Kbit
> > > > > PRIO=5
> > > > > BOUNDED=yes
> > > > > ISOLATED=yes
> > > > > MARK=2
> > > > >
> > > > > which generates these tc commands:
> > > > >
> > > > > /sbin/tc qdisc add dev eth0 root handle 1 cbq bandwidth 100Mbit avpkt 3000 cell 8
> > > > > /sbin/tc class change dev eth0 root cbq weight 10Mbit allot 1514
> > > > >
> > > > > /sbin/tc qdisc del dev eth1 root
> > > > > /sbin/tc qdisc add dev eth1 root handle 1 cbq bandwidth 100Mbit avpkt 3000 cell 8
> > > > > /sbin/tc class change dev eth1 root cbq weight 10Mbit allot 1514
> > > > >
> > > > > /sbin/tc class add dev eth0 parent 1: classid 1:2 cbq bandwidth 100Mbit rate 3Kbit weight 1Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 3000 bounded isolated
> > > > > /sbin/tc qdisc add dev eth0 parent 1:2 handle 2 tbf rate 3Kbit buffer 10Kb/8 limit 15Kb mtu 1500
> > > > > /sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 2 fw classid 1:2
> > > > >
> > > > > /sbin/tc class add dev eth1 parent 1: classid 1:2 cbq bandwidth 100Mbit rate 3Kbit weight 1Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 3000 bounded isolated
> > > > > /sbin/tc qdisc add dev eth1 parent 1:2 handle 2 tbf rate 3Kbit buffer 10Kb/8 limit 15Kb mtu 1500
> > > > > /sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 2 fw classid 1:2
> > > > >
> > > > > Can anyone explain to me what is wrong? Why can't I shape this traffic?
> > > > >
> > > > > Any help will be appreciated.
> > > > >
> > > > > Best Regards ,
> > > > >
> > > > > Saulo Silva
> > > > >
> > > > > _______________________________________________
> > > > > LARTC mailing list
> > > > > LARTC at mailman.ds9a.nl
> > > > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > Marco Casaroli
> > > > SapucaiNet Telecom
> > > > +55 35 34712377 ext 5
> > > >
> > >
> > >
> > >
> > >
> > I block all P2P traffic with ipp2p, it works great.
> > iptables -t mangle -A FORWARD -i eth0 -m ipp2p --ipp2p -j DROP
> >
> >
> > --
> > []'s
> > Salatiel
> >
> > "The greatest pleasure of the intelligent man is to play the idiot
> >    in front of an idiot who plays the intelligent man".
>
>
> --
> Marco Casaroli
> SapucaiNet Telecom
> +55 35 34712377 ext 5
>
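The point of Marco's four-rule chain is that the layer7 edonkey pattern only ever fires on signaling packets, so the data packets that actually carry the bytes you want to shape never get a mark of their own; CONNMARK lets the mark earned by one packet be restored onto every later packet of the same connection, in both directions, which is what the `tc filter ... handle 2 fw` lines on eth0 and eth1 key on. The following is an added example, not code from this thread or from l7-filter, ipp2p or cbq.init: it replays the PREROUTING rule order in pure Python over a constructed TCP connection (addresses taken from the log above) and compares it with the single layer7-only rule from the first message. The `l7_edonkey` matcher is an assumed stand-in (a fixed byte prefix), not l7-filter's real pattern, and the packet sequence is constructed for the example.

```python
"""Model of the CONNMARK restore/save idiom from the thread (added example)."""
from dataclasses import dataclass

EDONKEY_MARK = 2  # the --set-mark value that cbq.init's MARK=2 / 'handle 2 fw' selects


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes
    mark: int = 0  # skb mark; zero when the packet enters PREROUTING


class Conntrack:
    """Per-connection mark storage, the way netfilter conntrack keeps it.

    The connection key is direction-independent, so reply packets see the
    same stored mark as packets in the original direction."""

    def __init__(self):
        self._marks = {}

    @staticmethod
    def _key(pkt):
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, tuple(ends))

    def restore(self, pkt):  # -j CONNMARK --restore-mark
        pkt.mark = self._marks.get(self._key(pkt), 0)

    def save(self, pkt):  # -j CONNMARK --save-mark
        self._marks[self._key(pkt)] = pkt.mark


def l7_edonkey(payload):
    """Stand-in for '-m layer7 --l7proto edonkey' (assumption for this example:
    a 0xe3 0x01 header). As in the thread, only signaling packets match;
    the large data blocks do not."""
    return len(payload) >= 2 and payload[0] == 0xE3 and payload[1] == 0x01


def prerouting_l7_only(pkt, ct):
    """Saulo's first rule set: a packet is marked only if it matches by itself."""
    if l7_edonkey(pkt.payload):
        pkt.mark = EDONKEY_MARK
    return pkt.mark


def prerouting_with_connmark(pkt, ct):
    """Marco's four rules, evaluated in order."""
    if pkt.proto == "tcp":
        ct.restore(pkt)  # 1: -p tcp -j CONNMARK --restore-mark
        if pkt.mark != 0:
            return pkt.mark  # 2: -p tcp -m mark ! --mark 0 -j ACCEPT
    if l7_edonkey(pkt.payload):
        pkt.mark = EDONKEY_MARK  # 3: -m layer7 --l7proto edonkey -j MARK --set-mark 2
    if pkt.proto == "tcp" and pkt.mark == EDONKEY_MARK:
        ct.save(pkt)  # 4: -p tcp -m mark --mark 2 -j CONNMARK --save-mark
    return pkt.mark


def run_chain(chain, packets):
    """Push a packet sequence through a chain with a fresh conntrack table and
    return the mark each packet leaves PREROUTING with."""
    ct = Conntrack()
    return [chain(Packet(*p), ct) for p in packets]


PEER, EMULE = "200.209.170.138", "192.168.253.3"  # addresses seen in the log
# Constructed sequence: one inbound connection to the eMule box's port 4662.
SAMPLE = [
    (PEER, 1476, EMULE, 4662, "tcp", b""),                  # SYN, no payload
    (PEER, 1476, EMULE, 4662, "tcp", b"\xe3\x01\x10\x00"),  # signaling: the only l7 hit
    (PEER, 1476, EMULE, 4662, "tcp", b"\x00" * 1400),       # data block, no l7 hit
    (EMULE, 4662, PEER, 1476, "tcp", b"\x00" * 1400),       # reply-direction data block
    (PEER, 1476, EMULE, 4662, "tcp", b"\x00" * 1400),
]

if __name__ == "__main__":
    print("l7 only      :", run_chain(prerouting_l7_only, SAMPLE))
    print("with CONNMARK:", run_chain(prerouting_with_connmark, SAMPLE))
```

With the layer7-only rule only the second packet carries mark 2, which is exactly what the log above shows (a handful of small PSH/FIN packets and none of the bulk transfer); with the CONNMARK chain every packet after the signaling hit, including the reply direction that leaves on the other interface, carries mark 2 and lands in class 1:2. Note that the mark is still applied per packet in PREROUTING, so the FORWARD MARK rules from the first message are redundant once the CONNMARK rules are in place.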