<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1528" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Verdana size=2>Jody,</FONT></DIV>
<DIV><FONT face=Verdana size=2></FONT> </DIV>
<DIV><FONT face=Verdana size=2>My question is not about P2P filters. This is
working fine at my gateway box. My question concerns my authentication
gateway, where I use PPPoE to authenticate my LAN clients at a Radius server
in my DMZ.</FONT></DIV>
<DIV><FONT face=Verdana size=2></FONT> </DIV>
<DIV><FONT face=Verdana size=2>This PPPoE server, when I have a new connection,
makes some rules using IPTABLES and CBQ/HTB to control my clients' internet speed.
The script I use when a client connects is this:</FONT></DIV>
<DIV><FONT face=Verdana size=2></FONT> </DIV>
<DIV><FONT face=Verdana size=2><STRONG>=== /etc/ppp/ip-up
===</STRONG></FONT></DIV>
<DIV><FONT face="Courier New" size=2>#!/bin/bash<BR>IPT="/usr/local/sbin/iptables"</FONT></DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV><FONT face="Courier New"
size=2>interface=$1<BR>remoteIP=$5<BR>download=`grep Download
/var/run/radattr.$interface | awk '{ print $2; }'`<BR>upload=`grep Upload
/var/run/radattr.$interface | awk '{ print $2; }'`<BR>cliente=`grep Cliente
/var/run/radattr.$interface | awk '{ print $2; }'`<BR>contamark=`echo $interface
| cut -c 4-99`<BR>mark=`expr $contamark + 500`</FONT></DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV><FONT face="Courier New" size=2>echo "$download" >
/tmp/$interface.download<BR>echo "$upload" > /tmp/$interface.upload<BR>echo
"$cliente" > /tmp/$interface.cliente</FONT></DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV><BR><FONT face="Courier New" size=2>#if [ $cliente == "cliente"
]<BR>#then<BR>#$IPT -I FORWARD -d $remoteIP -p tcp --dport 1:1024 -j
DROP<BR>#$IPT -I FORWARD -d $remoteIP -p tcp --dport 6000:9000 -j
DROP<BR>#fi</FONT></DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV><BR><FONT size=2><FONT face="Courier New">/sbin/tc qdisc add dev $interface
root handle 1 cbq bandwidth 10Mbit avpkt 1000 cell 8<BR>/sbin/tc class add dev
$interface parent 1: classid 1:$mark cbq bandwidth 10Mbit rate "$download"Kbit
weight `expr $download / 10`Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000
bounded<BR>/sbin/tc qdisc add dev $interface parent 1:$mark handle $mark sfq
perturb 10<BR>/sbin/tc filter add dev $interface parent 1:0 protocol ip prio 200
handle $mark fw classid 1:$mark<BR><FONT color=#ff0000>$IPT -t mangle -A
POSTROUTING -d $remoteIP -j MARK --set-mark $mark</FONT></FONT></FONT></DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV><BR><FONT size=2><FONT face="Courier New">/sbin/tc qdisc add dev eth0 root
handle 1 cbq bandwidth 10Mbit avpkt 1000 cell 8<BR>/sbin/tc class add dev eth0
parent 1: classid 1:$mark cbq bandwidth 10Mbit rate "$upload"Kbit weight `expr
$upload / 10`Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000
bounded<BR>/sbin/tc qdisc add dev eth0 parent 1:$mark handle $mark sfq
perturb 10<BR>/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 200
handle $mark fw classid 1:$mark<BR><FONT color=#ff0000>$IPT -t mangle -A FORWARD
-s $remoteIP -j MARK --set-mark $mark</FONT></FONT></FONT></DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV><BR><FONT face=Verdana><FONT size=2><FONT face="Courier New">echo "PPP
started at $(date):<BR>interface = $interface<BR>Remote IP =
$remoteIP<BR>download = $download<BR>upload = $upload<BR>mark = $mark<BR>"
>/tmp/$interface</FONT><BR><STRONG>=== END ===</STRONG></FONT></FONT></DIV>
<DIV><FONT face=Verdana size=2></FONT> </DIV>
<DIV><FONT face=Verdana size=2>My doubt is: what you said is that only one
packet with a mark will be matched without those other commands, so are the lines I
have put in red correct? Today it is working fine, but I have never made a
test longer than 20 or 30 minutes...</FONT></DIV>
<DIV><FONT face=Verdana size=2></FONT> </DIV>
<DIV><FONT face=Verdana size=2>Att,</FONT></DIV>
<DIV><FONT face=Verdana size=2></FONT> </DIV>
<DIV><FONT face=Verdana size=2>Nataniel Klug</FONT></DIV>
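<DIV><FONT face=Verdana size=2>The per-client shaping that the ip-up script above performs, as an added example that is not part of the original thread: it derives the fw mark from the ppp interface name, validates the Download/Upload values read from a constructed radattr file, and emits the tc and mangle commands as text (dry run) instead of executing them; the function names mark_for_iface, radattr_value, shape_cmds and client_cmds are assumed. It also creates the root cbq qdisc on eth0 only when it does not already exist, which the posted script does not check.</FONT></DIV>

```shell
#!/bin/bash
# Added example, not the ip-up script from the thread. Builds the per-client
# tc/iptables commands from the RADIUS attributes and prints them (dry run).
# Function names are assumed for illustration.

# fw mark = ppp interface index + 500, as in the original script.
# Returns 1 for anything that is not pppN, so a bad name never reaches tc.
mark_for_iface() {
    local idx="${1#ppp}"
    case "$idx" in
        ''|*[!0-9]*) return 1 ;;
    esac
    echo $((idx + 500))
}

# Read one attribute (Download, Upload, ...) from a radattr file and require
# a positive integer, so an odd RADIUS reply cannot yield a broken rate.
radattr_value() {
    local file="$1" attr="$2" val
    val=$(awk -v a="$attr" '$1 == a { print $2; exit }' "$file")
    case "$val" in
        ''|*[!0-9]*|0) return 1 ;;
    esac
    echo "$val"
}

# Commands for one direction: device, mark, rate in Kbit, then the mangle
# rule that marks this client's packets. The root cbq qdisc is only added
# when missing; the original script re-adds it on eth0 for every client.
shape_cmds() {
    local dev="$1" mark="$2" rate="$3"
    shift 3
    echo "tc qdisc show dev $dev | grep -q 'cbq 1:' || tc qdisc add dev $dev root handle 1: cbq bandwidth 10Mbit avpkt 1000 cell 8"
    echo "tc class add dev $dev parent 1: classid 1:$mark cbq bandwidth 10Mbit rate ${rate}Kbit weight $((rate / 10))Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded"
    echo "tc qdisc add dev $dev parent 1:$mark handle $mark: sfq perturb 10"
    echo "tc filter add dev $dev parent 1:0 protocol ip prio 200 handle $mark fw classid 1:$mark"
    echo "iptables -t mangle -A $*"
}

# Full list for one client: download shaped on the ppp interface (marked by
# destination in POSTROUTING), upload on eth0 (marked by source in FORWARD),
# matching the two red lines of the ip-up script.
client_cmds() {
    local iface="$1" remote="$2" radattr="$3" mark down up
    mark=$(mark_for_iface "$iface") || return 1
    down=$(radattr_value "$radattr" Download) || return 1
    up=$(radattr_value "$radattr" Upload) || return 1
    shape_cmds "$iface" "$mark" "$down" "POSTROUTING -d $remote -j MARK --set-mark $mark"
    shape_cmds eth0 "$mark" "$up" "FORWARD -s $remote -j MARK --set-mark $mark"
}
```

Run as `client_cmds ppp3 10.0.0.7 /var/run/radattr.ppp3` to see the exact commands a connection would produce before trusting them on a live gateway.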
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial"><FONT face=Verdana>----- Original Message -----
</FONT></DIV>
<DIV style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><FONT
face=Verdana><B>From:</B> </FONT><A title=jody.shumaker@gmail.com
href="mailto:jody.shumaker@gmail.com"><FONT face=Verdana>Jody
Shumaker</FONT></A><FONT face=Verdana> </FONT></DIV>
<DIV style="FONT: 10pt arial"><FONT face=Verdana><B>To:</B> </FONT><A
title=nata@cnett.com.br href="mailto:nata@cnett.com.br"><FONT
face=Verdana>Nataniel Klug</FONT></A><FONT face=Verdana> </FONT></DIV>
<DIV style="FONT: 10pt arial"><FONT face=Verdana><B>Cc:</B> </FONT><A
title=lartc@mailman.ds9a.nl href="mailto:lartc@mailman.ds9a.nl"><FONT
face=Verdana>lartc@mailman.ds9a.nl</FONT></A><FONT face=Verdana> </FONT></DIV>
<DIV style="FONT: 10pt arial"><FONT face=Verdana><B>Sent:</B> Wednesday,
January 11, 2006 3:11 AM</FONT></DIV>
<DIV style="FONT: 10pt arial"><FONT face=Verdana><B>Subject:</B> Re: [LARTC]
control p2p upload bandwidth rate</FONT></DIV>
<DIV><FONT face=Verdana><BR><FONT size=2></FONT></FONT></DIV><FONT
face=Verdana><FONT size=2><SPAN class=e id=q_108b7103c3a7d4ea_4>#accepts the
packet if it has a mark besides the default 0 and prevents the saved mark from
being changed <BR>iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0
-j ACCEPT<BR><BR>That section after the restore-mark rule will cause any saved
marks to skip the rest of the chain. This results in only the first
packets of a tcp connection having to hit their individual --set-mark
rule. If you do have concerns about cpu usage or some such, I'd
suggest trying out the ipp2p match module instead of the more generic
l7match module. It's more specific to p2p and tends to be much faster
than doing regular expressions. <BR></SPAN><BR></FONT></FONT>
<DIV><SPAN class=gmail_quote><FONT face=Verdana size=2>On 1/10/06, <B
class=gmail_sendername>Nataniel Klug</B> &lt;</FONT><A
href="mailto:nata@cnett.com.br"><FONT face=Verdana
size=2>nata@cnett.com.br</FONT></A><FONT face=Verdana size=2>&gt;
wrote:</FONT></SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV><FONT face=Verdana size=2>I have a script that makes connections for
every user with his auth. So, in this script, I have two mark tags. Can I
use this tip you give to ro0ot? My doubt is if I use this every time some
user log it will be all executed again, it will not make me
trouble?</FONT></DIV></BLOCKQUOTE>
<DIV><BR><FONT face=Verdana size=2>I'm not sure exactly what you mean by this.
If my above explanation doesn't apply, could you possibly explain or give an
example?<BR></FONT></DIV><BR><FONT face=Verdana size=2>-
Jody<BR></FONT></DIV><BR></BLOCKQUOTE></BODY></HTML>