LARTC - Jun 2005 - block p2p: ARES

Hi....

I''m trying to setup a LAN router with P2P filter
but the problem is that can''t "catch" Ares.

There is a way to DROP "ares" p2p packets ?

I''ve tried with last "ipp2p" snapshot without sucess...

I''ve
	Kernel 2.4.28
	iptables 1.3.0
	Various Patches from patch-o-matic-ng-20040621
	iproute2-ss020116
	IMQ Patch
	Esfq Patch
	Julian (route) Patch
	Debian Woody


This is my MANGLE table...


Chain PREROUTING (policy ACCEPT 8557K packets, 2822M bytes)
 pkts bytes target     prot opt in     out     source
destination
85574   24M p2ptraffic  all  --  *      *       0.0.0.0/0
0.0.0.0/0
.................

Chain p2ptraffic (1 references)
 pkts bytes target     prot opt in     out     source
destination
11860 1620K CONNMARK   all  --  *      *       0.0.0.0/0
0.0.0.0/0           ipp2p v0.7.4 --ipp2p CONNMARK set 0xa
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0
0.0.0.0/0           ipp2p v0.7.4 --bit CONNMARK set 0xa
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0
0.0.0.0/0           ipp2p v0.7.4 --apple CONNMARK set 0xa
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0
0.0.0.0/0           ipp2p v0.7.4 --winmx CONNMARK set 0xa
    1    57 CONNMARK   all  --  *      *       0.0.0.0/0
0.0.0.0/0           ipp2p v0.7.4 --soul CONNMARK set 0xa
    0     0 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0           ipp2p v0.7.4 --ares
.........
54029   13M CONNMARK   all  --  *      *       0.0.0.0/0
0.0.0.0/0           CONNMARK match 0xa CONNMARK restore


But... ARES Packet are not bloked at the momment....
 0     0 DROP   ....  ipp2p v0.7.4 --ares

   :-(

Somebody haves sucessfull blocking ARES ?

regards...
Andres.

I did a small test with the new ares version.
It seems they have switched their protocol and it is not detected at the 
moment.

Lets see how difficult the new ares protocol is and how fast we can 
integrate this into ipp2p.

Klaus

:: L i n u XK i D :: wrote:
> Hi....
> 
> I''m trying to setup a LAN router with P2P filter
> but the problem is that can''t "catch" Ares.
> 
> There is a way to DROP "ares" p2p packets ?
> 
> I''ve tried with last "ipp2p" snapshot without sucess...
> 
> I''ve
> 	Kernel 2.4.28
> 	iptables 1.3.0
> 	Various Patches from patch-o-matic-ng-20040621
> 	iproute2-ss020116
> 	IMQ Patch
> 	Esfq Patch
> 	Julian (route) Patch
> 	Debian Woody
> 
> 
> This is my MANGLE table...
> 
> 
> Chain PREROUTING (policy ACCEPT 8557K packets, 2822M bytes)
>  pkts bytes target     prot opt in     out     source
> destination
> 85574   24M p2ptraffic  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
> .................
> 
> Chain p2ptraffic (1 references)
>  pkts bytes target     prot opt in     out     source
> destination
> 11860 1620K CONNMARK   all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           ipp2p v0.7.4 --ipp2p CONNMARK set 0xa
>     0     0 CONNMARK   all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           ipp2p v0.7.4 --bit CONNMARK set 0xa
>     0     0 CONNMARK   all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           ipp2p v0.7.4 --apple CONNMARK set 0xa
>     0     0 CONNMARK   all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           ipp2p v0.7.4 --winmx CONNMARK set 0xa
>     1    57 CONNMARK   all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           ipp2p v0.7.4 --soul CONNMARK set 0xa
>     0     0 DROP       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           ipp2p v0.7.4 --ares
> .........
> 54029   13M CONNMARK   all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           CONNMARK match 0xa CONNMARK restore
> 
> 
> But... ARES Packet are not bloked at the momment....
>  0     0 DROP   ....  ipp2p v0.7.4 --ares
> 
>    :-(
> 
> Somebody haves sucessfull blocking ARES ?
> 
> regards...
> Andres.
> 
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Hi,

there is a new version of ipp2p, which can detect ares connections now.

just go to www.ipp2p.org and download this version.

the parameter --ipp2p has changed, this is now ALL protocols

please contact me if you find bugs...

Klaus

Klaus wrote:
> I did a small test with the new ares version.
> It seems they have switched their protocol and it is not detected at the 
> moment.
> 
> Lets see how difficult the new ares protocol is and how fast we can 
> integrate this into ipp2p.
> 
> Klaus
> 
> :: L i n u XK i D :: wrote:
> 
>> Hi....
>>
>> I''m trying to setup a LAN router with P2P filter
>> but the problem is that can''t "catch" Ares.
>>
>> There is a way to DROP "ares" p2p packets ?
>>
>> I''ve tried with last "ipp2p" snapshot without
sucess...
>>
>> I''ve
>>     Kernel 2.4.28
>>     iptables 1.3.0
>>     Various Patches from patch-o-matic-ng-20040621
>>     iproute2-ss020116
>>     IMQ Patch
>>     Esfq Patch
>>     Julian (route) Patch
>>     Debian Woody
>>
>>
>> This is my MANGLE table...
>>
>>
>> Chain PREROUTING (policy ACCEPT 8557K packets, 2822M bytes)
>>  pkts bytes target     prot opt in     out     source
>> destination
>> 85574   24M p2ptraffic  all  --  *      *       0.0.0.0/0
>> 0.0.0.0/0
>> .................
>>
>> Chain p2ptraffic (1 references)
>>  pkts bytes target     prot opt in     out     source
>> destination
>> 11860 1620K CONNMARK   all  --  *      *       0.0.0.0/0
>> 0.0.0.0/0           ipp2p v0.7.4 --ipp2p CONNMARK set 0xa
>>     0     0 CONNMARK   all  --  *      *       0.0.0.0/0
>> 0.0.0.0/0           ipp2p v0.7.4 --bit CONNMARK set 0xa
>>     0     0 CONNMARK   all  --  *      *       0.0.0.0/0
>> 0.0.0.0/0           ipp2p v0.7.4 --apple CONNMARK set 0xa
>>     0     0 CONNMARK   all  --  *      *       0.0.0.0/0
>> 0.0.0.0/0           ipp2p v0.7.4 --winmx CONNMARK set 0xa
>>     1    57 CONNMARK   all  --  *      *       0.0.0.0/0
>> 0.0.0.0/0           ipp2p v0.7.4 --soul CONNMARK set 0xa
>>     0     0 DROP       all  --  *      *       0.0.0.0/0
>> 0.0.0.0/0           ipp2p v0.7.4 --ares
>> .........
>> 54029   13M CONNMARK   all  --  *      *       0.0.0.0/0
>> 0.0.0.0/0           CONNMARK match 0xa CONNMARK restore
>>
>>
>> But... ARES Packet are not bloked at the momment....
>>  0     0 DROP   ....  ipp2p v0.7.4 --ares
>>
>>    :-(
>>
>> Somebody haves sucessfull blocking ARES ?
>>
>> regards...
>> Andres.
>>
>> _______________________________________________
>> LARTC mailing list
>> LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> 
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Hi !

I''ve tried last the fantastic ipp2p kernel module.
My results are that:

	Ares can be DROPED only
	Emule, Kazaa and EDonkey 2000 can be limited and/or Droped.

And for this I have to use:

.....
FW="/usr/local/sbin/iptables"

# If I don''t put next rule, Ares are not marked:
$FW -t mangle -A p2ptraffic -m ipp2p --ares -j DROP

# next p2p rules
$FW -t mangle -A p2ptraffic -p tcp -j CONNMARK --restore-mark
$FW -t mangle -A p2ptraffic -p tcp -m mark ! --mark 0 -j ACCEPT
$FW -t mangle -A p2ptraffic -p tcp -m ipp2p --ipp2p -j MARK --set-mark 10
$FW -t mangle -A p2ptraffic -p tcp -m mark --mark 10 -j CONNMARK --save-mark
$FW -t mangle -A p2ptraffic -p udp -m ipp2p --ipp2p -j MARK --set-mark 10
.....

iptables-1.3.1
kernel-2.4.28
squid-cache - 2.5-STABLE10
Debian Stable.


I hope this information can help for ipp2p module.

thank you very much.
andres.



-> -----Mensaje original-----

->
-> Hi,
->
-> there is a new version of ipp2p, which can detect ares connections now.
->
-> just go to www.ipp2p.org and download this version.
->
-> the parameter --ipp2p has changed, this is now ALL protocols
->
-> please contact me if you find bugs...
->
-> Klaus
->
-> Klaus wrote:
-> > I did a small test with the new ares version.
-> > It seems they have switched their protocol and it is not
-> detected at the
-> > moment.
-> >
-> > Lets see how difficult the new ares protocol is and how fast we can
-> > integrate this into ipp2p.
-> >
-> > Klaus
-> >
-> > :: L i n u XK i D :: wrote:
-> >
-> >> Hi....
-> >>
-> >> I''m trying to setup a LAN router with P2P filter
-> >> but the problem is that can''t "catch" Ares.
-> >>
-> >> There is a way to DROP "ares" p2p packets ?
-> >>
-> >> I''ve tried with last "ipp2p" snapshot without
sucess...
-> >>
-> >> I''ve
-> >>     Kernel 2.4.28
-> >>     iptables 1.3.0
-> >>     Various Patches from patch-o-matic-ng-20040621
-> >>     iproute2-ss020116
-> >>     IMQ Patch
-> >>     Esfq Patch
-> >>     Julian (route) Patch
-> >>     Debian Woody
-> >>
-> >>
-> >> This is my MANGLE table...
-> >>
-> >>
-> >> Chain PREROUTING (policy ACCEPT 8557K packets, 2822M bytes)
-> >>  pkts bytes target     prot opt in     out     source
-> >> destination
-> >> 85574   24M p2ptraffic  all  --  *      *       0.0.0.0/0
-> >> 0.0.0.0/0
-> >> .................
-> >>
-> >> Chain p2ptraffic (1 references)
-> >>  pkts bytes target     prot opt in     out     source
-> >> destination
-> >> 11860 1620K CONNMARK   all  --  *      *       0.0.0.0/0
-> >> 0.0.0.0/0           ipp2p v0.7.4 --ipp2p CONNMARK set 0xa
-> >>     0     0 CONNMARK   all  --  *      *       0.0.0.0/0
-> >> 0.0.0.0/0           ipp2p v0.7.4 --bit CONNMARK set 0xa
-> >>     0     0 CONNMARK   all  --  *      *       0.0.0.0/0
-> >> 0.0.0.0/0           ipp2p v0.7.4 --apple CONNMARK set 0xa
-> >>     0     0 CONNMARK   all  --  *      *       0.0.0.0/0
-> >> 0.0.0.0/0           ipp2p v0.7.4 --winmx CONNMARK set 0xa
-> >>     1    57 CONNMARK   all  --  *      *       0.0.0.0/0
-> >> 0.0.0.0/0           ipp2p v0.7.4 --soul CONNMARK set 0xa
-> >>     0     0 DROP       all  --  *      *       0.0.0.0/0
-> >> 0.0.0.0/0           ipp2p v0.7.4 --ares
-> >> .........
-> >> 54029   13M CONNMARK   all  --  *      *       0.0.0.0/0
-> >> 0.0.0.0/0           CONNMARK match 0xa CONNMARK restore
-> >>
-> >>
-> >> But... ARES Packet are not bloked at the momment....
-> >>  0     0 DROP   ....  ipp2p v0.7.4 --ares
-> >>
-> >>    :-(
-> >>
-> >> Somebody haves sucessfull blocking ARES ?
-> >>
-> >> regards...
-> >> Andres.
-> >>
-> >> _______________________________________________
-> >> LARTC mailing list
-> >> LARTC@mailman.ds9a.nl
-> >> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
-> >
-> > _______________________________________________
-> > LARTC mailing list
-> > LARTC@mailman.ds9a.nl
-> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
-> _______________________________________________
-> LARTC mailing list
-> LARTC@mailman.ds9a.nl
-> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc