Hi Marcos,<br><br>Now it works with l7 and these iptables lines. In the first email we got only 4 lines and now we have 5. It's working nicely.<br><br>Thanks for the help.<br><br>Saulo Silva<br><br><div><span class="gmail_quote">
2007/6/9, Marco Aurelio <<a href="mailto:marco.casaroli@gmail.com">marco.casaroli@gmail.com</a>>:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
from the ipp2p news page:<br>""quote""<br><br>I suggest the following tcp and udp for connection tracking (see docu section)<br><br>01# iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark<br>02# iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT<br>03# iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1<br>04# iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark<br>05# iptables -t mangle -A PREROUTING -p udp -m ipp2p --ipp2p -j MARK --set-mark 1<br><br><br>detect TCP FIRST, SAVE MARK, and detect udp after you saved the mark!!<br>You will have now every p2p packet marked, but a dramatic reduction of udp mismatches.<br><br>""quote""<br><br>On 6/8/07, Salatiel Filho <<a href="mailto:salatiel.filho@gmail.com">salatiel.filho@gmail.com</a>> wrote:<br>><br>><br>> On 6/8/07, Saulo Silva <
<a href="mailto:sauloaugustosilva@gmail.com">sauloaugustosilva@gmail.com</a>> wrote:<br>> > Hi Marcos,<br>> ><br>> > I tried your rules, but without success. Thanks for that help.<br>> > And how about ipp2p? Could this application do that? Help me to shape edonkey traffic???<br>> ><br>> > Best Regards,<br>> ><br>> > Saulo Silva<br>> ><br>> ><br>> > 2007/6/8, Marco Aurelio <<a href="mailto:marco.casaroli@gmail.com">marco.casaroli@gmail.com</a>>:<br>> ><br>> > > l7's edonkey filter does not match all edonkey traffic, it does not<br>> > > match data packets (that you want to shape). It matches however the<br>> > > signaling packets that can be related to data connections.<br>> > ><br>> > > I never tried L7 but I think these may help you<br>> > ><br>> > > iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark<br>> > > iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT<br>> > > iptables -t mangle -A PREROUTING -m layer7 --l7proto edonkey -j MARK --set-mark 2<br>> > > iptables -t mangle -A PREROUTING -p tcp -m mark --mark 2 -j CONNMARK --save-mark<br>> > ><br>> > ><br>> > > On 6/8/07, Saulo Silva <<a href="mailto:sauloaugustosilva@gmail.com">sauloaugustosilva@gmail.com</a>> wrote:<br>> > > > Hi All,
<br>> > > ><br>> > > > My first message and I have a little problem with my FC6 box trying to block emule traffic using layer7.<br>> > > ><br>> > > > Here is my network:<br>> > > ><br>> > > > Internet --------- ADSL Router ------------------- FC6 Box -------------------- Emule Box<br>> > > ><br>> > > > external ADSL : Dynamic<br>> > > > Internal ADSL : 192.168.254.1<br>> > > ><br>> > > > external FC6 : 192.168.254.3<br>> > > > internal FC6 : 192.168.253.1<br>> > > ><br>> > > > Emule Box : 192.168.253.3<br>> > > ><br>> > > > I guess that everything is ok with layer7. Here are my mangle rules.<br>> > > ><br>> > > > # iptables -t mangle -A PREROUTING -m layer7 --l7proto edonkey -j MARK --set-mark 2<br>> > > > # iptables -t mangle -A PREROUTING -m mark --mark 2 -j LOG --log-prefix "PREROUTING MARK : "<br>> > > ><br>> > > ><br>> > > > iptables -t mangle -A FORWARD -m layer7 --l7proto edonkey -j MARK --set-mark 2<br>> > > > iptables -t mangle -A FORWARD -m mark --mark 2 -j LOG --log-prefix "FORWARD MARK : "<br>> > > ><br>> > > > The output from the log is:
<br>> > > ><br>> > > > Jun 8 14:18:46 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=203.91.83.127 DST=192.168.253.3 LEN=180 TOS=0x00 PREC=0x00 TTL=105 ID=18725 PROTO=TCP SPT=51674 DPT=4662 WINDOW=16944 RES=0x00 ACK PSH URGP=0<br>> > > ><br>> > > > Jun 8 14:18:48 fs-linux kernel: PREROUTING MARK : IN=eth0 OUT= MAC=00:06:4f:47:ad:e0:00:0f:3d:cc:29:e0:08:00 SRC=200.209.170.138 DST=192.168.254.3 LEN=139 TOS=0x00 PREC=0x00 TTL=115 ID=18002 DF PROTO=TCP SPT=1476 DPT=4662 WINDOW=65535 RES=0x00 ACK PSH URGP=0<br>> > > > Jun 8 14:18:48 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=200.209.170.138 DST=192.168.253.3 LEN=139 TOS=0x00 PREC=0x00 TTL=114 ID=18002 DF PROTO=TCP SPT=1476 DPT=4662 WINDOW=65535 RES=0x00 ACK PSH URGP=0<br>> > > ><br>> > > > Jun 8 14:18:51 fs-linux kernel: PREROUTING MARK : IN=eth0 OUT= MAC=00:06:4f:47:ad:e0:00:0f:3d:cc:29:e0:08:00 SRC=200.244.104.10 DST=192.168.254.3 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=7042 PROTO=TCP SPT=50675 DPT=4662 WINDOW=64952 RES=0x00 ACK FIN URGP=0<br>> > > ><br>> > > > Jun 8 14:18:51 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=200.244.104.10 DST=192.168.253.3 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=7042 PROTO=TCP SPT=50675 DPT=4662 WINDOW=64952 RES=0x00 ACK FIN URGP=0<br>> > > ><br>> > > > So it looks like the mark is working.
<br>> > > ><br>> > > > So now I use the cbq.init script with this configuration:<br>> > > ><br>> > > > cat /etc/sysconfig/cbq/cbq-0002.emule_in<br>> > > ><br>> > > > DEVICE=eth0,100Mbit,10Mbit<br>> > > > RATE=3Kbit<br>> > > > WEIGHT=1Kbit<br>> > > > PRIO=5<br>> > > > BOUNDED=yes<br>> > > > ISOLATED=yes<br>> > > > MARK=2<br>> > > ><br>> > > > cat /etc/sysconfig/cbq/cbq-0002.emule_out<br>> > > > DEVICE=eth1,100Mbit,10Mbit<br>> > > > RATE=3Kbit<br>> > > > WEIGHT=1Kbit<br>> > > > PRIO=5<br>> > > > BOUNDED=yes<br>> > > > ISOLATED=yes<br>> > > > MARK=2<br>> > > ><br>> > > > which generates this tc code.<br>> > > ><br>> > > > /sbin/tc qdisc add dev eth0 root handle 1 cbq bandwidth 100Mbit avpkt 3000 cell 8<br>> > > > /sbin/tc class change dev eth0 root cbq weight 10Mbit allot 1514<br>> > > ><br>> > > > /sbin/tc qdisc del dev eth1 root<br>> > > > /sbin/tc qdisc add dev eth1 root handle 1 cbq bandwidth 100Mbit avpkt 3000 cell 8<br>> > > > /sbin/tc class change dev eth1 root cbq weight 10Mbit allot 1514<br>> > > ><br>> > > > /sbin/tc class add dev eth0 parent 1: classid 1:2 cbq bandwidth 100Mbit rate 3Kbit weight 1Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 3000 bounded isolated<br>> > > > /sbin/tc qdisc add dev eth0 parent 1:2 handle 2 tbf rate 3Kbit buffer 10Kb/8 limit 15Kb mtu 1500<br>> > > > /sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 2 fw classid 1:2<br>> > > ><br>> > > > /sbin/tc class add dev eth1 parent 1: classid 1:2 cbq bandwidth 100Mbit rate 3Kbit weight 1Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 3000 bounded isolated<br>> > > > /sbin/tc qdisc add dev eth1 parent 1:2 handle 2 tbf rate 3Kbit buffer 10Kb/8 limit 15Kb mtu 1500<br>> > > > /sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 2 fw classid 1:2<br>> > > ><br>> > > > Can anyone explain to me what is wrong? Why can't I shape this traffic????<br>> > > ><br>> > > > Any help will be appreciated.
<br>> > > ><br>> > > > Best Regards,<br>> > > ><br>> > > > Saulo Silva<br>> > > ><br>> > > > _______________________________________________<br>> > > > LARTC mailing list<br>> > > > <a href="mailto:LARTC@mailman.ds9a.nl">LARTC@mailman.ds9a.nl</a><br>> > > > <a href="http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc">http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc</a><br>> > > ><br>> > > ><br>> > ><br>> > ><br>> > > --<br>> > > Marco Casaroli<br>> > > SapucaiNet Telecom<br>> > > +55 35 34712377 ext 5<br>
> > ><br>> ><br>> ><br>> I block all P2P traffic with ipp2p, it works great.<br>> iptables -t mangle -i eth0 -A FORWARD -m ipp2p --ipp2p -j DROP
<br>><br>><br>> --<br>> []'s<br>> Salatiel<br>><br>> "The greatest pleasure of the intelligent man is to play the fool<br>> before a fool who plays the intelligent man."<br><br><br>--<br>Marco Casaroli
<br>SapucaiNet Telecom<br>+55 35 34712377 ext 5<br></blockquote></div><br>
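The CONNMARK restore/save sequence quoted from the ipp2p news page, and the reason Saulo's layer7-only rules marked just the signaling packets, modelled in Python as an added example (not code from any of the posts): a toy conntrack table plus the five mangle PREROUTING rules, run over a constructed packet trace in which the payload classifier only recognises the first packet of a connection. The TCP peer and port 4662 are taken from the FORWARD log line above; the UDP flow and the `Packet`/`run_prerouting`/`make_trace` names are assumptions of this example.

```python
"""Toy model of the mangle PREROUTING rules quoted in the thread (added
example, not code from the posts). The classifier stand-in only fires on the
packet it is told to, mimicking layer7/ipp2p matching signaling but not data."""
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str         # "tcp" or "udp"
    flow: tuple        # connection key; stands in for the conntrack entry
    classified: bool   # would ipp2p/layer7 match this packet's payload?
    mark: int = 0      # packet mark as later seen by the tc "fw" filter

def run_prerouting(packets, conntrack, with_connmark=True):
    """Walk each packet through rules 01-05 in order; return the final marks.
    conntrack maps a flow key to its saved connection mark."""
    marks = []
    for pkt in packets:
        if with_connmark and pkt.proto == "tcp":
            # 01: -p tcp -j CONNMARK --restore-mark  (connection mark -> packet)
            pkt.mark = conntrack.get(pkt.flow, 0)
            if pkt.mark != 0:
                # 02: -p tcp -m mark ! --mark 0 -j ACCEPT  (skip payload match)
                marks.append(pkt.mark)
                continue
        if pkt.proto == "tcp" and pkt.classified:
            # 03: -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1
            pkt.mark = 1
            if with_connmark:
                # 04: -p tcp -m mark --mark 1 -j CONNMARK --save-mark
                conntrack[pkt.flow] = 1
        if pkt.proto == "udp" and pkt.classified:
            # 05: -p udp -m ipp2p --ipp2p -j MARK --set-mark 1
            pkt.mark = 1
        marks.append(pkt.mark)
    return marks

def make_trace():
    """Constructed trace: one TCP connection to port 4662 (peer from the
    FORWARD log line in the thread) whose first packet is the only one the
    classifier recognises, two data packets on it, then a classified UDP packet."""
    tcp = ("203.91.83.127", 51674, "192.168.253.3", 4662)
    udp = ("198.51.100.7", 4672, "192.168.253.3", 4672)   # constructed
    return [Packet("tcp", tcp, True), Packet("tcp", tcp, False),
            Packet("tcp", tcp, False), Packet("udp", udp, True)]
```

`run_prerouting(make_trace(), {}, with_connmark=False)` yields `[1, 0, 0, 1]`, the layer7-only situation where the data packets never carry the mark the `fw` filter keys on; with `with_connmark=True` every packet of the connection comes out as `1`.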