search for: l7proto

...0x1 $NF -m tos --tos Minimize-Cost -j RETURN $NF -m tos --tos Maximize-Throughput -j MARK --set-mark 0x4 $NF -m tos --tos Maximize-Throughput -j RETURN $NF -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1 $NF -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN # by layer 7 $NFl7 --l7proto http -j MARK --set-mark 0x3 $NFl7 --l7proto http -j RETURN $NFl7 --l7proto ftp -j MARK --set-mark 0x3 $NFl7 --l7proto ftp -j RETURN $NFl7 --l7proto skype -j MARK --set-mark 0x2 $NFl7 --l7proto skype -j RETURN $NFl7 --l7proto msnmessenger -j MARK --set-mark 0x1 $NFl7 --l7proto msnmessenger -j RETURN...

...ernel 2.6.14.3 includes iptables 1.3.4 with layer 7 My network diagram below: - INTERNET --- LINUX_ROUTER_FW --- PCs Below is my simple iptables script: - echo 1 > /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -t mangle -A POSTROUTING -m layer7 --l7proto applejuice -j MARK --set-mark 1 iptables -t mangle -A POSTROUTING -m layer7 --l7proto ares -j MARK --set-mark 1 iptables -t mangle -A POSTROUTING -m layer7 --l7proto bittorrent -j MARK --set-mark 1 iptables -t mangle -A POSTROUTING -m layer7 --l7proto directconnect -j MARK --set-mark 1 iptables...

...ms-all -o $INTER_OUT -j ms-chain-$INTER_OUT-1:11 NUM_file=12 while [ $NB_file -ge 0 ] do while [ $((NB_filtre_$NUM_file)) -ge 1 ] do case $NUM_file in 12) case $NB_filtre_12 in 1) $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_12_1 -j CLASSIFY --set-class 1:$NUM_file $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_12_1 -j RETURN ;; esac NB_filtre_12=$(($NB_filtre_12 - 1)) ;; 13) case $NB_filtre_13 in 1...

I''ve compiled my kernel (2.6.12.3) and iptables (1.3.3) and now -m layer7 option from iptables works (i don''t get any error when run the iptables command with -m layer7). The problem is that no packet is matched. For example iptables -A INPUT -p tcp -m layer7 --l7proto http -j ACCEPT doesn''t match http packets. The same for dns and ssh. So, what am I doing wrong? Is this extension for iptables really working?? I’ve tried on 2 systems (fc3 and slack 10.1) Here is my iptables test script: #!/bin/bash iptables -F iptables -A INPUT -i lo -j ACCEPT iptable...

...it in log file and use data after get it for plotting graph later my IPTABLES command like this iptables -t mangle -N all iptables -t mangle -A POSTROUTING -j all iptables -t mangle -A POSTROUTING -p udp --sport 4444 -j CLASSIFY --set-class 1:11 iptables -t mangle -A POSTROUTING -m layer7 --l7proto mms -j CLASSIFY --set-class 1:12 iptables -t mangle -A POSTROUTING -m layer7 --l7proto telnet -j CLASSIFY --set-class 1:13 iptables -t mangle -A POSTROUTING -m layer7 --l7proto ftp ftp-data -j CLASSIFY --set-class 1:14 iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j CLASSIFY --set-...

...iptables -t mangle -A ${dev[2]}_SKYPE -p udp --sport 1:1024 -j RETURN iptables -t mangle -A ${dev[2]}_SKYPE -p tcp --dport 1:1024 -j RETURN iptables -t mangle -A ${dev[2]}_SKYPE -p udp --dport 1:1024 -j RETURN while [ ${j} -le ${i} ]; do iptables -t mangle -A ${dev[2]}_SKYPE -m layer7 --l7proto `sed -n ${j}p /tmp/2` -j RETURN j=$(($j+1)) done iptables -t mangle -A ${dev[2]}_SKYPE -m layer7 --l7proto skypetoskype -j ${dev[2]}_CON_VOIP iptables -t mangle -A ${dev[2]}_SKYPE -m layer7 --l7proto skypeout -j ${dev[2]}_CON_VOIP>/dev/null 1>/dev/null 2>/dev/null 3>/dev/null 4...

...y bandwidth, I''ll post my iptables rules for marking the bittorrent packets and the htb rules I use (using tcng): ### IPTABLES RULES ### iptables -t mangle -F iptables -t mangle -X iptables -t mangle -N lay7 iptables -t mangle -A POSTROUTING -j lay7 iptables -t mangle -A lay7 -m layer7 --l7proto bittorrent -j MARK --set-mark 1 iptables -t mangle -A lay7 -o eth1 -m mark --mark 1 -j CLASSIFY --set-class 2:2 iptables -t mangle -A lay7 -m layer7 --l7proto smtp -j MARK --set-mark 2 iptables -t mangle -A lay7 -o eth1 -m mark --mark 2 -j CLASSIFY --set-class 2:3 ### HTB RULES ### #define UPLO...

...kernel Now I tried to mark some packets with layer 7 so that I can shape them with tc afterwards. But nothing changed, outgoing connection still didn''t changed. So I changed the line in the iptables-script to this: $IPTABLES -t filter -A OUTPUT -m layer7 --l7dir /etc/l7-protocols --l7proto ftp -j DROP before it was: $IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto ftp -j MARK --set-mark 322 but nothing of them worked (I could still connect over ftp). The /proc/net/layer7_numpackets is 08 (don''t know which 8 packets got identified there, but the number is not goin...

...ip rule add fwmark 3 table 22 prio 20 ip route add default via $P1 dev $IF1 table 21 ip route add default via $P2 dev $IF2 table 22 ip route flush cache Here the iptables mangles rules : ############# MSN Services ##################### iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto msnmessenger -j MARK --set-mark 2 iptables -t mangle -A PREROUTING -i eth1 -p udp -m layer7 --l7proto msnmessenger -j MARK --set-mark 2 ############### SSL Services ########### iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto ssl -j MARK --set-mark 2 I add the rules from DNS...

...g them in three groups: high priority(2), medium priority(3) and low priority(4). Protocols (or applications) like ssh, VOIP or games suit in the high priority category, and P2P apps go in the low priority category. iptables commands are like this: iptables -t mangle -A POSTROUTING -m layer7 --l7proto ssh -j MARK --set-mark 2 iptables -t mangle -A POSTROUTING -m layer7 --l7proto h323 -j MARK --set-mark 2 iptables -t mangle -A POSTROUTING -m layer7 --l7proto directconnect -j MARK --set-mark 4 iptables -t mangle -A POSTROUTING -m layer7 --l7proto bittorrent -j MARK --set-mark 4 iptables -t man...

...prot opt in out source > destination > 1 13957 1482K 0 -- * * 0.0.0.0/0 > 0.0.0.0/0 ipp2p v0.8.2 --ipp2p > 2 81516 66M 0 -- * * 0.0.0.0/0 > 0.0.0.0/0 LAYER7 l7proto edonkey > > Regards > > El Mar, 12 de Diciembre de 2006, 11:27, Sébastien CRAMATTE escribió: > >> Hello >> >> I''ve setuped a QOS bridge under debian 3.1 using 2.6.18.3 kernel + >> iptables 1.3.6 >> >> I''ve patched the kernel an...

...n 3.1 using 2.6.18.3 kernel + iptables 1.3.6 I''ve patched the kernel an Iptables with esfq+layer7 without problems. This simple script doesn''t log nothing ... And I''m sure to have eMule traffic (I''ve checked with tcpdump ) If I remove " -m layer7 --l7proto edonkey \" line I can see iptables log in /var/log/kern.log I''ve test with other protocols like skype or messenger ... layer7 filter seems to be simply ignored ... Syslog or kern.log still empty ... #!/bin/sh DEV=eth0 BR=br0 SHAPPER=CPE iptables -t mangle -N ${SHAPPER} iptab...

...FC6 Box -------------------- Emule Box external ADSL : Dynamic Internal ADSL : 192.168.254.1 external FC6 : 192.168.254.3 internal FC6 : 192.168.253.1 Emule Box : 192.168.253.3 I guess that everything is ok with layer7 . Here my mangle rules . # iptables -t mangle -A PREROUTING -mlayer7 --l7proto edonkey -j MARK --set-mark 2 # iptables -t mangle -A PREROUTING -m mark --mark 2 -j LOG --log-prefix "PREROUTING MARK : " iptables -t mangle -A FORWARD -mlayer7 --l7proto edonkey -j MARK --set-mark 2 iptables -t mangle -A FORWARD -m mark --mark 2 -j LOG --log-prefix "FORWARD MARK :...

...e months ago but didn''t solve it back then. I have patched my kernel with Layer 7 support and patched my iptables to support it, too. Now I inserted this line in my firewall script on my router for testing purpose: $IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -p tcp -m layer7 --l7proto http -j DROP It works, BUT only if the connection is established by a pc BEHIND the router (the connection is blocked). If I try to establish a http connection from the router itself it works completely (layer 7 is NOT working, the connection is working, thats what I wanted to say *g*. Now I ch...

Hi, Thanks for the reply. Mohan Sundaram wrote : > mark in iptables and use tc to classify using mark. Mark like this ? iptables -A INPUT -m layer7 --l7proto bittorrent -j MARK --set-mark 3 and then.. tc filter add dev eth0 protocol ip parent 1:0 1 handle 3 fw flowid 1:10 and lets say we have a flowid 1:3 declared to use at 60kbit ceil 60kbit Is that proper ? If so then it doesn''t want to work for me. I can see that layer7 marks the packets...

...-t mangle -s 192.168.0.0/24 -p tcp --dport 80 -j MARK --set-mark 1 iptables -A PREROUTING -t mangle -s 192.168.0.0/24 -p tcp --dport 22 -j MARK --set-mark 2 This works fine, but only for standard ports. Now I would like to use layer7: iptables -t mangle -A PREROUTING -s 192.168.0.0/24 -m layer7 --l7proto http -j MARK --set-mark 1 iptables -t mangle -A PREROUTING -s 192.168.0.0/24 -m layer7 --l7proto ftp -j MARK --set-mark 2 Do not work. An iptables -t mange -L -n -v does not show traffic on the MARK rules. But if I do this without the source rule: iptables -t mangle -A PREROUTING -m layer7 --l7p...

...pp2p --ipp2p -j MARK --set-mark $P2PMARK $IPT -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark $P2PMARK $IPT -t mangle -A PREROUTING -p udp -m ipp2p --ipp2p -j MARK --set-mark $P2PMARK # referente ao skype SKYPEMARK="21" $IPT -t mangle -A PREROUTING -p tcp -m layer7 --l7proto skypetoskype -j MARK --set-mark $SKYPEMARK $IPT -t mangle -A PREROUTING -p tcp -m layer7 --l7proto skypeout -j MARK --set-mark $SKYPEMARK $IPT -t mangle -A PREROUTING -p udp -m layer7 --l7proto skypetoskype -j MARK --set-mark $SKYPEMARK $IPT -t mangle -A PREROUTING -p udp -m layer7 --l7proto sky...

...-m mark ! --mark 0 -j ACCEPT iptables -t mangle -A ipp2pPRE -p tcp -m ipp2p --ipp2p -j MARK --set-mark 3 iptables -t mangle -A ipp2pPRE -p udp -m ipp2p --bit -j MARK --set-mark 3 iptables -t mangle -A ipp2pPRE -p tcp -m mark --mark 3 -j CONNMARK --save-mark iptables -t mangle -A lay7PRE -m layer7 --l7proto smtp -j MARK --set-mark 1 iptables -t mangle -A lay7PRE -m layer7 --l7proto ssh -j MARK --set-mark 2 iptables -t mangle -A lay7PRE -m mark --mark 2 -j CONNMARK --save-mark ### POSTROUTING RULES ### iptables -t mangle -A ipp2pPOST -o eth1 -m mark --mark 3 -j CLASSIFY --set-class 1:30 iptables -t m...

Hi, I have simple question about Skype. What are the methods of selecting packets which belongs to Skype?? I know about 7layer but I don''t belive that is only way. Is 7layer realy good and stable solution for routers which must handle more than 1000 users ? Thanks in advance Pozdrawiam Szymon Turkiewicz

Hello I am looking for a way to have snort to dynamically update my shorewall config. I have seen software out there but I would like to see if anyone had tried this first. Aslo I would like to know if there is a way clear the Netfilter tables when I do a shorewall restart. The reason being is that when I make a change to my firewall setting I want all connections to have to re-establish