Hi List!

I'm trying the excellent module ipt_p2p from Filipe Almeida on a Linux box with several connections, in order to block p2p traffic with the following rule:

    iptables -L -t filter -m ipt_p2p -j DROP

And the result was that the traffic was reduced from 1,3 mb to 0,85 mb!!! Excellent!!

However, I've noted that after two days running, that Linux box (RH 7.2 updated - kernel 2.4.22 - iptables 1.2.8 with the String and ConnMark modules, Pentium 4, 1.8 MHz, 256 MB RAM, and 3c509 eth0, eth1 and eth2) begins to drop other packets, and a simple ping looks like this:

    # ping 192.168.210.3 (by example)

    PING 192.168.210.3 (192.168.210.3) from 192.168.210.254 : 56(84) bytes of data.
    64 bytes from 192.168.210.3: icmp_seq=0 ttl=64 time=499 usec
    ping: sendto: Operation not permitted
    ping: sendto: Operation not permitted
    ping: sendto: Operation not permitted
    64 bytes from 192.168.210.3: icmp_seq=1 ttl=64 time=478 usec
    ping: sendto: Operation not permitted
    ping: sendto: Operation not permitted
    64 bytes from 192.168.210.3: icmp_seq=2 ttl=64 time=489 usec
    ping: sendto: Operation not permitted
    ping: sendto: Operation not permitted
    ping: sendto: Operation not permitted

Next, the only way to fix this was a REBOOT.

I've heard of similar problems (not with ipt_p2p), and someone said that the following could work (in a cron job):

    echo -n "Unloading modules.."
    rmmod -a
    lsmod | grep "ipt_\|ip_\|iptable" | cut -f1 -d\  | xargs rmmod 2>/dev/null && \
        echo "Done!" || echo "failed!"

and some others suggest that I could try an "iptables clear" and regenerate the iptables rules.

From the man page:

> ping: sendto: operation not permitted
> The sendto(2) system call failed with errno EPERM, operation not permitted => the reason is in the local firewall rules, chain OUTPUT. Otherwise the sendto(2) would have succeeded, and the error would come in an ICMP error packet.

Have you a clue about this?

Thank you. Best regards,
Andres.
_______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
On Fri, Nov 07, 2003 at 12:27:25PM -0300, ThE PhP_KiD wrote:
> Hi List !
>
> I'm trying the excellent module ipt_p2p from Filipe
> Almeida on a Linux box with several connections,
> in order to block p2p traffic with the following rule:
>
[...]
> However, I've noted that after two days running,
> that Linux box (RH 7.2 updated - kernel 2.4.22
> - iptables 1.2.8 with the String and ConnMark modules,
> Pentium 4, 1.8 MHz, 256 MB RAM, and 3c509 eth0,
> eth1 and eth2)
> begins to drop other packets, and a simple ping
> looks like this:
>
> # ping 192.168.210.3 (by example)
>
> PING 192.168.210.3 (192.168.210.3) from 192.168.210.254 : 56(84) bytes of data.
> 64 bytes from 192.168.210.3: icmp_seq=0 ttl=64 time=499 usec
> ping: sendto: Operation not permitted
> ping: sendto: Operation not permitted
> ping: sendto: Operation not permitted
> 64 bytes from 192.168.210.3: icmp_seq=1 ttl=64 time=478 usec
> ping: sendto: Operation not permitted
> ping: sendto: Operation not permitted
> 64 bytes from 192.168.210.3: icmp_seq=2 ttl=64 time=489 usec
> ping: sendto: Operation not permitted
> ping: sendto: Operation not permitted
> ping: sendto: Operation not permitted

Hi!

I have the same problem... Have you solved it?
I can't see any answer to your email :(

best
--
michal
Ok

What I did was blocking all forwarding traffic, in and out, on my gateway with iptables, only allowing established/related traffic in and out on the ports they use: 80, 25, 110 etc. This will stop it connecting to a weird port.

Now the thing about Kazaa is that after it has tried all 65XXXXXXX ports it will try port 80; this can take a while and the stupid user will have closed it.

Now what you do is set up a transparent proxy with iptables and squid. On squid you create ACLs to stop .mp3 and .wav etc. files, and .dat files, which Kazaa uses.

Now this worked for me.

On Mon, 2004-02-02 at 11:39, Michal Kustosik wrote:
> On Fri, Nov 07, 2003 at 12:27:25PM -0300, ThE PhP_KiD wrote:
> > I'm trying the excellent module ipt_p2p from Filipe
> > Almeida on a Linux box with several connections,
> > in order to block p2p traffic with the following rule:
> [...]
> > begins to drop other packets, and a simple ping
> > looks like this:
> [...]
> > ping: sendto: Operation not permitted
>
> Hi!
>
> I have the same problem... Have you solved it?
> I can't see any answer to your email :(
>
> best
On Mon, Feb 02, 2004 at 12:14:25PM +0200, Eddie wrote:
> Ok
> What I did was blocking all forwarding traffic, in and out, on my gateway
> with iptables, only allowing established/related traffic in and out on the ports
> they use: 80, 25, 110 etc. This will stop it connecting to a weird port.
> Now the thing about Kazaa is that after it has tried all 65XXXXXXX ports it
> will try port 80; this can take a while and the stupid user will have
> closed it.
> Now what you do is set up a transparent proxy with iptables and squid. On
> squid you create ACLs to stop .mp3 and .wav etc. files,
> and .dat files, which Kazaa uses.
> Now this worked for me.

ok ;) I have done the same some time ago ;)

But I'm interested in what is wrong with ipt_p2p or something, that
ICMP works badly when using ipt_p2p... Anybody know?!?
Has anybody run ipt_p2p with no problems?

best...
--
michal
Hi Michal.

Now I'm testing the ipt_ipp2p netfilter 3rd-party module. You can reach it at:
http://rnvs.informatik.uni-leipzig.de/ipp2p/index_en.html

At the moment I've no problems with it (it works well), but I haven't tested the ipt_ipp2p module strongly with a large LAN.

regards
Andres.

-> ok ;) I have done the same some time ago ;)
->
-> But I'm interested in what is wrong with ipt_p2p or something, that
-> ICMP works badly when using ipt_p2p... Anybody know?!?
-> Has anybody run ipt_p2p with no problems?
->
-> best...
-> --
-> michal
> Now I'm testing the ipt_ipp2p netfilter 3rd-party module.
> You can reach it at:
> http://rnvs.informatik.uni-leipzig.de/ipp2p/index_en.html

Thanks for making this public, I just forgot about posting the link to the list :-)

> But I haven't tested the ipt_ipp2p module strongly
> with a large LAN

Well, we ran it on a campus network for about 6 weeks without any issue. Some results of our delay investigations are coming soon - the first graphs look not too bad (0.1-1 ms average delay introduced by the bridging firewall).

Cheers, Mike.
Hi there, I am having really big trouble setting up ipp2p. I have a woody box with the kernel upgraded to 2.4.20 and iptables 1.2.8. I changed the makefile to include these modifications, but still it captures no traffic at all.. Do I need to run it under 2.4.18?

-----Original message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On behalf of miller69@gmx.net
Sent: Wednesday, 04 February 2004 0:53
To: lartc@mailman.ds9a.nl
Subject: RE: [LARTC] limiting p2p

> Well, we ran it on a campus network for about 6 weeks without any issue.
> [...]
> Hi there, I am having really big trouble setting up ipp2p. I have a
> woody box with the kernel upgraded to 2.4.20 and iptables 1.2.8. I changed the
> makefile to include these modifications, but still it captures no
> traffic at all.. Do I need to run it under 2.4.18?

Well, for us it was working with all kernels from 2.4.18 on. We are currently struggling with problems with 2.4.24, but not sure if this is a kernel issue since we got a whole new box - investigation will take place soon.

First of all: are you sure there is any P2P traffic occurring at your link? Is the IPP2P rule put at the correct place (PREROUTING of mangle, for example)? Go to the http://rnvs.informatik.uni-leipzig.de/ipp2p/ documentation page - there are a couple of examples of how to use IPP2P. If this doesn't help, come back to me with your setup and ruleset - maybe traffic is accepted somewhere else before IPP2P comes into play.

Regards, Mike.
Here is my config:

    iptables -t mangle -i eth2 -A PREROUTING -j CONNMARK --restore-mark
    iptables -t mangle -i eth2 -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    iptables -t mangle -i eth2 -A PREROUTING -p icmp -j MARK --set-mark 4
    iptables -t mangle -i eth2 -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 2
    iptables -t mangle -i eth2 -A PREROUTING -p tcp -m ipp2p --ipp2p-data -j MARK --set-mark 2
    iptables -t mangle -i eth2 -A PREROUTING -p tcp --dport 1214 -j MARK --set-mark 2
    iptables -t mangle -i eth2 -A PREROUTING -p tcp -m string --string X-Kazaa -j MARK --set-mark 2
    iptables -t mangle -i eth2 -A PREROUTING -p tcp --dport 2234 -j MARK --set-mark 2
    iptables -t mangle -i eth2 -A PREROUTING -p udp --dport 53 -j MARK --set-mark 1
    iptables -t mangle -i eth2 -A PREROUTING -p tcp --dport 80 -m string ! --string X-Kazaa -j MARK --set-mark 1
    iptables -t mangle -i eth2 -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 1
    iptables -t mangle -i eth2 -A PREROUTING -p tcp --dport 0:1024 -j MARK --set-mark 1
    iptables -t mangle -i eth2 -A PREROUTING -p udp --dport ! 53 -j MARK --set-mark 2
    iptables -t mangle -i eth2 -A PREROUTING -p tcp --dport 1863 -j MARK --set-mark 1
    iptables -t mangle -i eth2 -A PREROUTING -p tcp -d 0/0 --sport 80 -j MARK --set-mark 5
    iptables -t mangle -i eth2 -A PREROUTING -m mark --mark 0 -j MARK --set-mark 2
    iptables -t mangle -i eth2 -A PREROUTING -j CONNMARK --save-mark

    ipt_ipp2p               2656   0 (unused)

That's my module working...

    0        0 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0           ipp2p v0.5a --ipp2p MARK set 0x2
    0        0 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0           ipp2p v0.5a --ipp2p-data MARK set 0x2

And my rules. There are 100 users, all using p2p, but I have it restricted under my firewall, but some get access through port 80... I am currently downloading, and for a day or so, no traffic recognized at all... I have no messages in my syslog or messages files at all...
-----Original message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On behalf of Mike Miller
Sent: Wednesday, 04 February 2004 14:32
To: lartc@mailman.ds9a.nl
Subject: RE: [LARTC] limiting p2p

> First of all: are you sure there is any P2P traffic occurring at your link? Is the IPP2P rule put at the correct place (PREROUTING of mangle, for example)?
> [...]
> iptables -t mangle -i eth2 -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 2
> iptables -t mangle -i eth2 -A PREROUTING -p tcp -m ipp2p --ipp2p-data -j MARK --set-mark 2

There is no need to use --ipp2p and --ipp2p-data on one box. Use --ipp2p only; this should be sufficient for most systems. But IPP2P should work with this ruleset anyway.

Please do me a favour and remove both rules containing string matches from your ruleset, let it run for a while and give me the full output of "iptables -t mangle -L -n -v -x".

I guess you're using Kazaa? Is it a (NAT-)router or a bridge?

Regards, Mike
There it goes, btw.. thank you very much ;)

    Chain PREROUTING (policy ACCEPT 26236333 packets, 12882098667 bytes)
        pkts      bytes target     prot opt in     out     source               destination
      249121   26462887 CONNMARK   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore
      142502   21317691 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           MARK match !0x0
          24      14682 MARK       icmp --  eth2   *       0.0.0.0/0            0.0.0.0/0           MARK set 0x4
           0          0 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0           ipp2p v0.5a --ipp2p MARK set 0x2
          27       1296 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1214 MARK set 0x2
           3        144 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2234 MARK set 0x2
         438      33099 MARK       udp  --  eth2   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 MARK set 0x1
        6712     321889 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 STRING match !X-Kazaa MARK set 0x1
           0          0 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 MARK set 0x1
       98629    4733897 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:0:1024 MARK set 0x1
        2746     133990 MARK       udp  --  eth2   *       0.0.0.0/0            0.0.0.0/0           udp dpt:!53 MARK set 0x2
          95       4560 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1863 MARK set 0x1
           0          0 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0           tcp spt:80 MARK set 0x5
        4622     221848 MARK       all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           MARK match 0x0 MARK set 0x2
      106580    5143324 CONNMARK   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           CONNMARK save
      103317    4959216 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x02 MARK set 0x3
          15        601 chkack     tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x10
      106556    5142172 chgtos     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0

    Chain INPUT (policy ACCEPT 116314 packets, 17066648 bytes)
        pkts      bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 39662528 packets, 15020457598 bytes)
        pkts      bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 127443 packets, 41248573 bytes)
        pkts      bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 32254661 packets, 14698686461 bytes)
        pkts      bytes target     prot opt in     out     source               destination

    Chain chgtos (1 references)
        pkts      bytes target     prot opt in     out     source               destination
       99134    4770212 TOS        all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK match 0x1 TOS set 0x10
        7398     357278 TOS        all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK match 0x2 TOS set 0x08
           0          0 TOS        all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK match 0x3 TOS set 0x10
           0          0 TOS        all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK match 0x5 TOS set 0x02
      106556    5142172 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain chkack (1 references)
        pkts      bytes target     prot opt in     out     source               destination
          15        601 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           length 0:128 MARK set 0x3
           0          0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           length 128:65535 MARK set 0x2
          15        601 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

-----Original message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On behalf of Mike Miller
Sent: Wednesday, 04 February 2004 17:58
To: GoMi
CC: lartc@mailman.ds9a.nl
Subject: RE: [LARTC] limiting p2p

> Please do me a favour and remove both rules containing string matches from your ruleset, let it run for a while and give me the full output of "iptables -t mangle -L -n -v -x".
> [...]
I forgot to tell you, I am doing load balancing with 2 DSL connections, also doing NAT on my machine..
Hi again,

having a closer look at your rules I found the following things:

> iptables -t mangle -i eth2 -A PREROUTING -j CONNMARK --restore-mark
> iptables -t mangle -i eth2 -A PREROUTING -m mark ! --mark 0 -j ACCEPT
> < rules rules rules >
> iptables -t mangle -i eth2 -A PREROUTING -m mark --mark 0 -j MARK --set-mark 2
> iptables -t mangle -i eth2 -A PREROUTING -j CONNMARK --save-mark

There is nothing wrong with the rules, but IPP2P will never match a packet because the following thing happens:

Very first packet of a connection enters the box -> restore mark -> mark 0 -> traversing the chain -> no match -> set-mark 2 -> save mark

Every following packet of this connection enters the box -> restore mark -> mark 2 -> ACCEPT (not traversing the chain again)

So what does this mean? The very first packet of every TCP connection (and that's what IPP2P is all about) starts with a SYN and is answered by an ACK,SYN. These packets don't contain data payload and hence can NOT contain any P2P patterns IPP2P is looking for. You have to change the ruleset to let IPP2P work!

If you want to verify that IPP2P is working, just add the following rule to your ruleset:

    iptables -t mangle -I POSTROUTING 1 -p tcp -m ipp2p --ipp2p -j ACCEPT

    iptables -t mangle -L -n -v -x

should show you some hits in the POSTROUTING chain now :-)

Hope that helps,
Mike.
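As an added illustration of the traversal Mike describes (not code from IPP2P, iptables or anyone on the thread), here is a small Python model of GoMi's PREROUTING chain that replays a constructed Kazaa-style flow and a plain HTTP flow through the posted rule order and through a variant with the ipp2p rule ahead of the "mark != 0 -> ACCEPT" shortcut. The P2P pattern, the connection strings and the distinct p2p mark 3 used in the reordered variant are constructed assumptions.

```python
"""Constructed model of the mangle PREROUTING chain posted above: not IPP2P or
iptables code. It replays packets through a simplified copy of the chain so the
rule counters can be compared for the posted order and for a reordered chain."""
from dataclasses import dataclass


@dataclass
class Packet:
    conn: str             # constructed stand-in for the conntrack tuple
    proto: str            # "tcp" or "udp"
    dport: int
    payload: bytes = b""  # empty for a SYN or SYN/ACK
    mark: int = 0         # packet mark; restore-mark overwrites it on entry


# Constructed stand-in for one pattern the ipp2p match looks for (not the real list).
P2P_PATTERN = b"X-Kazaa-Username"


def ipp2p_match(pkt):
    """-p tcp -m ipp2p --ipp2p: only a TCP packet carrying payload can match."""
    return pkt.proto == "tcp" and P2P_PATTERN in pkt.payload


def prerouting(packets, classify_first=False, p2p_mark=2):
    """Replay packets; return (rule hit counters, connmark table).
    classify_first=False is the posted order (ipp2p rule behind the ACCEPT shortcut);
    True moves the ipp2p rule, plus a save-mark of its result, ahead of the shortcut."""
    connmarks = {}                      # conntrack entry -> saved mark
    hits = {"ipp2p": 0, "accept_marked": 0, "default_2": 0}

    def ipp2p_rule(pkt):
        if ipp2p_match(pkt):            # -m ipp2p --ipp2p -j MARK --set-mark <p2p_mark>
            hits["ipp2p"] += 1
            pkt.mark = p2p_mark
            return True
        return False

    for pkt in packets:
        pkt.mark = connmarks.get(pkt.conn, 0)    # -j CONNMARK --restore-mark
        if classify_first and ipp2p_rule(pkt):
            connmarks[pkt.conn] = pkt.mark       # -j CONNMARK --save-mark
            continue
        if pkt.mark != 0:                        # -m mark ! --mark 0 -j ACCEPT
            hits["accept_marked"] += 1
            continue                             # ACCEPT ends traversal: no ipp2p, no save
        if not classify_first:
            ipp2p_rule(pkt)                      # posted position of the ipp2p rule
        if pkt.mark == 0:                        # -m mark --mark 0 -j MARK --set-mark 2
            hits["default_2"] += 1
            pkt.mark = 2
        connmarks[pkt.conn] = pkt.mark           # -j CONNMARK --save-mark
    return hits, connmarks


def sample_traffic():
    """Constructed LAN-side packets: a Kazaa-style flow on 1214 and a plain HTTP flow."""
    kazaa, http = "10.0.0.5:3456->1.2.3.4:1214", "10.0.0.7:4001->5.6.7.8:80"
    return [
        Packet(kazaa, "tcp", 1214),                                    # SYN, no payload
        Packet(kazaa, "tcp", 1214, b"GET /x HTTP/1.1\r\n" + P2P_PATTERN),
        Packet(kazaa, "tcp", 1214, b"\x00" * 32),                      # later data, no pattern
        Packet(http, "tcp", 80),                                       # SYN
        Packet(http, "tcp", 80, b"GET / HTTP/1.1\r\nHost: a\r\n"),
    ]


def posted_order():
    return prerouting(sample_traffic())            # ipp2p counter stays at 0


def verification_rule_hits():
    """Mike's check: an ipp2p rule at POSTROUTING 1 sees every packet, marked or not."""
    return sum(ipp2p_match(p) for p in sample_traffic())


def reordered(p2p_mark=3):
    """Same traffic with ipp2p ahead of the shortcut and a distinct p2p mark (constructed)."""
    return prerouting(sample_traffic(), classify_first=True, p2p_mark=p2p_mark)
```

With the posted order the ipp2p counter stays at 0 while the POSTROUTING check counts the payload packet; in the reordered variant the Kazaa-style connection ends up with the p2p connmark.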
Thank you Mike, it's doing great right now. I didn't notice it in my script. Thank you ;)

-----Original message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On behalf of Mike Miller
Sent: Wednesday, 04 February 2004 17:58
To: GoMi
CC: lartc@mailman.ds9a.nl
Subject: RE: [LARTC] limiting p2p

> There is no need to use --ipp2p and --ipp2p-data on one box. Use --ipp2p only; this should be sufficient for most systems.
> [...]
Hi there, I have a question regarding WRR. I have a box with 2 ethernets, I am doing NAT, and I have a question. Since I am doing egress traffic, and it's done after NAT, if I use WRR with the src and masq options, will it get the real source address, or, since the egress QoS is done after NAT, will it get the source address from ethernet 1?? Anyone?