Hi All,

This is my first message, and I have a little problem with my FC6 box trying to block emule traffic using layer7.

Here is my network:

Internet --------- ADSL Router ------------------- FC6 Box -------------------- Emule Box

external ADSL : Dynamic
Internal ADSL : 192.168.254.1

external FC6 : 192.168.254.3
internal FC6 : 192.168.253.1

Emule Box : 192.168.253.3

I guess that everything is ok with layer7. Here are my mangle rules.

# iptables -t mangle -A PREROUTING -mlayer7 --l7proto edonkey -j MARK --set-mark 2
# iptables -t mangle -A PREROUTING -m mark --mark 2 -j LOG --log-prefix "PREROUTING MARK : "

iptables -t mangle -A FORWARD -mlayer7 --l7proto edonkey -j MARK --set-mark 2
iptables -t mangle -A FORWARD -m mark --mark 2 -j LOG --log-prefix "FORWARD MARK : "

The output from the log is:

Jun 8 14:18:46 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=203.91.83.127 DST=192.168.253.3 LEN=180 TOS=0x00 PREC=0x00 TTL=105 ID=18725 PROTO=TCP SPT=51674 DPT=4662 WINDOW=16944 RES=0x00 ACK PSH URGP=0

Jun 8 14:18:48 fs-linux kernel: PREROUTING MARK : IN=eth0 OUT= MAC=00:06:4f:47:ad:e0:00:0f:3d:cc:29:e0:08:00 SRC=200.209.170.138 DST=192.168.254.3 LEN=139 TOS=0x00 PREC=0x00 TTL=115 ID=18002 DF PROTO=TCP SPT=1476 DPT=4662 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jun 8 14:18:48 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=200.209.170.138 DST=192.168.253.3 LEN=139 TOS=0x00 PREC=0x00 TTL=114 ID=18002 DF PROTO=TCP SPT=1476 DPT=4662 WINDOW=65535 RES=0x00 ACK PSH URGP=0

Jun 8 14:18:51 fs-linux kernel: PREROUTING MARK : IN=eth0 OUT= MAC=00:06:4f:47:ad:e0:00:0f:3d:cc:29:e0:08:00 SRC=200.244.104.10 DST=192.168.254.3 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=7042 PROTO=TCP SPT=50675 DPT=4662 WINDOW=64952 RES=0x00 ACK FIN URGP=0
Jun 8 14:18:51 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=200.244.104.10 DST=192.168.253.3 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=7042 PROTO=TCP SPT=50675 DPT=4662 WINDOW=64952 RES=0x00 ACK FIN URGP=0

So it looks like the mark is working.
So now I use the cbq.init script with this configuration:

cat /etc/sysconfig/cbq/cbq-0002.emule_in

DEVICE=eth0,100Mbit,10Mbit
RATE=3Kbit
WEIGHT=1Kbit
PRIO=5
BOUNDED=yes
ISOLATED=yes
MARK=2

cat /etc/sysconfig/cbq/cbq-0002.emule_out

DEVICE=eth1,100Mbit,10Mbit
RATE=3Kbit
WEIGHT=1Kbit
PRIO=5
BOUNDED=yes
ISOLATED=yes
MARK=2

which generates these tc commands:

/sbin/tc qdisc add dev eth0 root handle 1 cbq bandwidth 100Mbit avpkt 3000 cell 8
/sbin/tc class change dev eth0 root cbq weight 10Mbit allot 1514

/sbin/tc qdisc del dev eth1 root
/sbin/tc qdisc add dev eth1 root handle 1 cbq bandwidth 100Mbit avpkt 3000 cell 8
/sbin/tc class change dev eth1 root cbq weight 10Mbit allot 1514

/sbin/tc class add dev eth0 parent 1: classid 1:2 cbq bandwidth 100Mbit rate 3Kbit weight 1Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 3000 bounded isolated
/sbin/tc qdisc add dev eth0 parent 1:2 handle 2 tbf rate 3Kbit buffer 10Kb/8 limit 15Kb mtu 1500
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 2 fw classid 1:2

/sbin/tc class add dev eth1 parent 1: classid 1:2 cbq bandwidth 100Mbit rate 3Kbit weight 1Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 3000 bounded isolated
/sbin/tc qdisc add dev eth1 parent 1:2 handle 2 tbf rate 3Kbit buffer 10Kb/8 limit 15Kb mtu 1500
/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 2 fw classid 1:2

Can anyone explain to me what is wrong? Why can I not shape this traffic?

Any help will be appreciated.

Best Regards,

Saulo Silva

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
l7's edonkey filter does not match all edonkey traffic; it does not match the data packets (that you want to shape). It matches, however, the signaling packets that can be related to data connections.

I never tried L7, but I think these may help you:

iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -mlayer7 --l7proto edonkey -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m mark --mark 2 -j CONNMARK --save-mark

On 6/8/07, Saulo Silva <sauloaugustosilva@gmail.com> wrote:
--
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext 5
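As an added illustration (not code from this thread), the four mangle rules in the reply above can be modelled as a tiny rule engine and run over a constructed eDonkey-like TCP flow next to the single layer7 rule from the original post; the packet stream, the engine and the stand-in for the layer7 match (which, as the reply says, fires only on the signaling packet) are all assumptions made here.

```python
"""Model of the mangle PREROUTING rules discussed in this thread, run over a
constructed eDonkey-like TCP flow, to show why one layer7 rule marks only the
signaling packet while the CONNMARK restore/accept/match/save sequence marks
the whole connection (the packets tc's 'handle 2 fw' filter would then steer
into class 1:2).  Added example, not code from the LARTC thread: the packet
stream, the mini rule engine and the stand-in for '-m layer7 --l7proto
edonkey' are constructed here."""
from dataclasses import dataclass

EDONKEY_MARK = 2          # --set-mark 2 in the thread; tc matches 'handle 2 fw'


@dataclass
class Packet:
    conn: tuple           # conntrack key: (src, sport, dst, dport, proto)
    length: int           # bytes on the wire
    signature: bool       # True only where the layer7 pattern fires (signaling)
    mark: int = 0         # skb mark; every packet enters the chain with 0


def is_tcp(pkt):
    """Stand-in for '-p tcp'."""
    return pkt.conn[4] == "tcp"


class Chain:
    """Tiny mangle-chain interpreter: rules run in order until one returns
    'ACCEPT'; the conntrack table stores one connmark per connection."""

    def __init__(self, rules):
        self.rules = rules
        self.conntrack = {}          # conn key -> saved connmark
        self.l7_evaluations = 0      # how often the pattern match ran

    def process(self, packets):
        for pkt in packets:
            pkt.mark = 0             # fresh skb, no mark yet
            for rule in self.rules:
                if rule(self, pkt) == "ACCEPT":
                    break            # ACCEPT ends traversal of this chain
        return packets


# --- one function per iptables line in the reply -------------------------

def connmark_restore(chain, pkt):
    """-p tcp -j CONNMARK --restore-mark: copy the connection's mark onto the packet."""
    if is_tcp(pkt):
        pkt.mark = chain.conntrack.get(pkt.conn, 0)


def accept_already_marked(chain, pkt):
    """-p tcp -m mark ! --mark 0 -j ACCEPT: skip the costly match for known flows."""
    if is_tcp(pkt) and pkt.mark != 0:
        return "ACCEPT"


def layer7_edonkey(chain, pkt):
    """-mlayer7 --l7proto edonkey -j MARK --set-mark 2, modelled as the reply
    describes it: the match fires only on packets carrying the signature."""
    chain.l7_evaluations += 1
    if pkt.signature:
        pkt.mark = EDONKEY_MARK


def connmark_save(chain, pkt):
    """-p tcp -m mark --mark 2 -j CONNMARK --save-mark: remember it for the flow."""
    if is_tcp(pkt) and pkt.mark == EDONKEY_MARK:
        chain.conntrack[pkt.conn] = pkt.mark


ORIGINAL_RULES = [layer7_edonkey]                     # the original post
CONNMARK_RULES = [connmark_restore, accept_already_marked,
                  layer7_edonkey, connmark_save]      # the reply


def edonkey_flow():
    """Constructed flow to TCP/4662: handshake, one signaling packet that
    matches the pattern, bulk data that does not, then the FIN."""
    conn = ("200.209.170.138", 1476, "192.168.253.3", 4662, "tcp")
    return [Packet(conn, 60, False),      # SYN
            Packet(conn, 52, False),      # ACK
            Packet(conn, 139, True),      # eDonkey hello (signature)
            Packet(conn, 1500, False),    # data
            Packet(conn, 1500, False),    # data
            Packet(conn, 40, False)]      # FIN


def marked_bytes(rules):
    """Bytes that would reach class 1:2 through the 'handle 2 fw' filter."""
    pkts = Chain(rules).process(edonkey_flow())
    return sum(p.length for p in pkts if p.mark == EDONKEY_MARK)


def l7_evaluations(rules):
    """How many packets the pattern matcher actually had to inspect."""
    chain = Chain(rules)
    chain.process(edonkey_flow())
    return chain.l7_evaluations


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("CONNMARK", CONNMARK_RULES)):
        print(f"{name}: {marked_bytes(rules)} bytes shaped, "
              f"layer7 evaluated {l7_evaluations(rules)} times")
```

Only the 139-byte signaling packet is marked under the original rules, whereas with CONNMARK every packet after it inherits the mark and the pattern match is no longer run on them.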
Hi Marcos,

I tried your rules, but without success. Thanks for that help.
And how about ipp2p? Could this application do that? Help me to shape edonkey traffic?

Best Regards,

Saulo Silva

2007/6/8, Marco Aurelio <marco.casaroli@gmail.com>:
On 6/8/07, Saulo Silva <sauloaugustosilva@gmail.com> wrote:
I block all P2P traffic with ipp2p; it works great.

iptables -t mangle -i eth0 -A FORWARD -m ipp2p --ipp2p -j DROP

--
[]'s
Salatiel

"The intelligent man's greatest pleasure is to play the idiot in front of an idiot who plays the intelligent man."
From the ipp2p news page:

"quote"

I suggest the following tcp and udp for connection tracking (see docu section)

iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -p udp -m ipp2p --ipp2p -j MARK --set-mark 1

detect TCP FIRST, SAVE MARK, and detect udp after you saved the mark!! You will now have every p2p packet marked, but a dramatic reduction of udp mismatches.

"quote"

On 6/8/07, Salatiel Filho <salatiel.filho@gmail.com> wrote:
--
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext 5
Hi Marcos,

Now it works with l7 and these iptables lines. In the first email we got only 4 lines and now we have 5. It's working nicely. Thanks for the help.

Saulo Silva

2007/6/9, Marco Aurelio <marco.casaroli@gmail.com>: