Hello,

I am trying to block or at least drastically reduce the amount of wasted bandwidth, due to p2p, on a building-wide network. My first attempt was to block it outright. I am running Debian etch on my router/proxy/dhcp/dns server. I loaded the ipp2p kernel module and the iptables module. Then I put the following rule in my rules file:

    SECTION ESTABLISHED
    REJECT    loc    net    ipp2p:all    ipp2p
    REJECT    net    loc    ipp2p:all    ipp2p

This did seem to stop bittorrent but not ares. So first question: is this the correct rule? Has someone successfully done this before?

My second attempt was to at least make the use of p2p frustratingly slow. I seemed to have better results. Below are my tcrules, tcclasses, and tcdevices files.

tcrules

    #MARK     SOURCE      DEST        PROTO      PORT(S)       CLIENT   USER  TEST  LENGTH  TOS
    #                                                          PORT(S)
    5         0.0.0.0/0   0.0.0.0/0   icmp       echo-request
    5         0.0.0.0/0   0.0.0.0/0   icmp       echo-reply
    RESTORE   0.0.0.0/0   0.0.0.0/0   all        -             -        -     0
    CONTINUE  0.0.0.0/0   0.0.0.0/0   all        -             -        -     !0
    7         0.0.0.0/0   0.0.0.0/0   ipp2p:all
    SAVE      0.0.0.0/0   0.0.0.0/0   all        -             -        -     !0

tcclasses

    #INTERFACE  MARK  RATE    CEIL   PRIORITY  OPTIONS
    eth0        5     full/3  full   1         tcp-ack,tos-minimize-delay
    eth0        6     full/3  full   2         default
    eth0        7     1kbit   1kbit  3
    eth1        5     full/3  full   1         tcp-ack,tos-minimize-delay
    eth1        6     full/3  full   2         default
    eth1        7     1kbit   1kbit  3

tcdevices

    #INTERFACE  IN-BANDWITH  OUT-BANDWIDTH
    eth0        1536kbit     512kbit
    eth1        1536kbit     512kbit

I left the p2p reject rule in my rules file (I thought it couldn't hurt). The results were that bittorrent was completely stopped, and ares was slow and would bounce up to 5k once in a while and then slowly (over the course of 30 sec or so) reduce to 0k and report “connecting.”

Does anyone have any suggestions? Please tell me if any additional information would help.

Also, since I have squid running I have blocked port 80 and forwarded www traffic to port 3128 with the following rule in the rules file:

    # Squid block port 80 accept on port 3128
    REDIRECT  loc    3128   tcp   www
    ACCEPT    loc    $FW    tcp   3128
    ACCEPT    $FW    net    tcp   80,443

Thanks,
Banio

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users