Hi,

I've a Linux box as router NAT + firewall (POLICY DROP for INPUT, OUTPUT and FORWARD), but I've put the next rules for p2p software on the FORWARD chain:

[... snip ... ]
iptables -F FORWARD
iptables -P FORWARD DROP

iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
[... snip ... ]
iptables -A FORWARD -m ipp2p --ipp2p -j ACCEPT
iptables -A FORWARD -m ipp2p --ares -j ACCEPT
[...]

Then... emule, kazaa, edonkey and so on work very well, but ARES can't connect.

I've
- iptables 1.3.3
- kernel 2.4.28
- ipp2p 0.8.0rc3

BUT, if I change the policy

iptables -P FORWARD ACCEPT

ARES works, can connect.

I've tried to guess the tcp/udp ports with tcpdump without success.

I guess that ipp2p can only block p2p on an ACCEPT policy firewall.
Must I open some tcp/udp port?
Can anybody help me?

bests
andres.
On Thu, 22 Sep 2005 17:32:34 -0300 "LinuXKiD" <gregoriandres@yahoo.com.ar> wrote:

> Hi,

Hi,

> but, I've put next rules for p2p software
> on FORWARD chain

In order to fully utilise IPP2P, you have to use it in the mangle table and combine it with connmark. See the documentation on the IPP2P website.

Yours sincerely,
Peter

--
http://www.shurdix.org - Linux distribution for routers and firewalls
On Thursday 22 September 2005 22:32, LinuXKiD wrote:
> iptables -A FORWARD -m ipp2p --ipp2p -j ACCEPT
> iptables -A FORWARD -m ipp2p --ares -j ACCEPT

Assuming that packets which are not accepted get dropped, IPP2P would have to match the very first packet of every P2P connection for this to work properly. I'm not sure that's a given. So far I've only used it for shaping and dropping purposes, and in both cases it does not matter whether the matched packet is the first, second, or third one...

Regards,
Andreas
For dropping purposes you only need to match the first packet and prevent the connection from starting, but for both forwarding and accepting you'll need to mark the whole connection. For most p2p that ipp2p matches, it will only match the first packet of the connection; all further packets would be dropped with a simple rule like this. You really need to do something like this:

MARKP2P=3
iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -p tcp -m mark --mark $MARKP2P -j ACCEPT
# p2p marking
iptables -t mangle -A PREROUTING -m ipp2p --bit --edk --kazaa --gnu --dc -j MARK --set-mark ${MARKP2P}
iptables -t mangle -A PREROUTING -p tcp -m mark --mark ${MARKP2P} -j CONNMARK --save-mark
iptables -A FORWARD -m mark --mark ${MARKP2P} -j ACCEPT

I'm using something similar to this for all my shaping; it works great for that. I don't see why the same connection marking shouldn't work for accepting.

- Jody

Andreas Klauer wrote:
> On Thursday 22 September 2005 22:32, LinuXKiD wrote:
>
>> iptables -A FORWARD -m ipp2p --ipp2p -j ACCEPT
>> iptables -A FORWARD -m ipp2p --ares -j ACCEPT
>
> Assuming that packets which are not accepted get dropped, IPP2P would have
> to match the very first packet of every P2P connection for this to work
> properly. I'm not sure that's a given. So far I've only used it for
> shaping and dropping purposes, and in both cases it does not matter whether
> the matched packet is the first, second, or third one...
>
> Regards,
> Andreas
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Hi,

ipp2p detects Ares server connects only. At the moment no client connections are recognized by ipp2p. So if you use ipp2p to mark all Ares connections, you will only mark the server connections (which would be bad in your situation).

Klaus
maintainer of ipp2p

LinuXKiD wrote:
> Hi,
>
> I've a Linux box as router NAT + firewall
> (POLICY DROP for INPUT OUTPUT and FORWARD)
>
> but, I've put next rules for p2p software
> on FORWARD chain
>
> [... snip ... ]
>
> iptables -F FORWARD
> iptables -P FORWARD DROP
>
> iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
> iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
> [... snip ... ]
>
> iptables -A FORWARD -m ipp2p --ipp2p -j ACCEPT
> iptables -A FORWARD -m ipp2p --ares -j ACCEPT
>
> [...]
>
> Then... emule, kazaa, edonkey and so on work very well
> but ARES can't connect.
>
> I've
> - iptables 1.3.3
> - kernel 2.4.28
> - ipp2p 0.8.0rc3
>
> BUT, if I change policy
>
> iptables -P FORWARD ACCEPT
>
> ARES works, can connect.
>
> I've tried to guess tcp/udp ports with tcpdump
> without success.
>
> I guess that ipp2p only can block p2p on an ACCEPT
> policy firewall
>
> Must I open some tcp/udp port?
> Can anybody help me?
>
> bests
> andres.
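Putting the thread together: the original rule set accepts only the single packet ipp2p recognises, and Jody's CONNMARK recipe fixes that by copying the mark onto the whole connection. The script below is an added example (not code from the thread or from the ipp2p project) that assembles that recipe with the DROP-policy FORWARD chain the original poster described. The mark value 3 and the ESTABLISHED,RELATED rule are assumptions; `--ares` is deliberately left out because, as Klaus notes, ipp2p of that era only recognises Ares server connects, so marking on it would not cover client connections. Set `IPT=echo` to print the rule order instead of loading it.

```shell
#!/bin/sh
# Added example: ipp2p + CONNMARK on a DROP-policy forwarder.
# IPT defaults to the real iptables; IPT=echo prints the rules for review.
IPT="${IPT:-iptables}"
MARKP2P="${MARKP2P:-3}"   # connection mark for detected P2P flows (arbitrary value)

# Every rule goes through this helper so a dry run shows the exact order loaded.
rule() { "$IPT" "$@"; }

mangle_rules() {
  # 1. Copy the mark saved in the conntrack entry back onto this packet.
  rule -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
  # 2. Already-classified connections skip the payload matcher entirely.
  rule -t mangle -A PREROUTING -p tcp -m mark --mark "$MARKP2P" -j ACCEPT
  # 3. Run ipp2p only on still-unmarked packets. It usually fires on the first
  #    packet of a session, which is why the mark must be persisted per connection.
  rule -t mangle -A PREROUTING -m ipp2p --bit --edk --kazaa --gnu --dc \
       -j MARK --set-mark "$MARKP2P"
  # 4. Store the packet mark in the conntrack entry so step 1 finds it later.
  rule -t mangle -A PREROUTING -p tcp -m mark --mark "$MARKP2P" -j CONNMARK --save-mark
}

forward_rules() {
  rule -F FORWARD
  rule -P FORWARD DROP
  # Reply traffic for connections already accepted (assumed addition to the OP's set).
  rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Explicitly permitted services, as in the original rule set.
  rule -A FORWARD -p tcp --dport 80 -j ACCEPT
  rule -A FORWARD -p tcp --dport 25 -j ACCEPT
  # Accept by connection mark, not by ipp2p match: every packet of a marked
  # P2P flow passes, not just the one ipp2p recognised.
  rule -A FORWARD -m mark --mark "$MARKP2P" -j ACCEPT
}

load_rules() { mangle_rules; forward_rules; }

# Only load when explicitly asked, so sourcing the file for review is harmless:
#   P2P_APPLY=1 sh p2p-mark.sh        (load)
#   IPT=echo P2P_APPLY=1 sh p2p-mark.sh (print the rules instead)
if [ "${P2P_APPLY:-0}" = 1 ]; then
  load_rules
fi
```

The order inside mangle PREROUTING is the whole point: restore first, short-circuit already-marked connections second, classify third, save fourth. Swapping restore and save, or putting the FORWARD accept on `-m ipp2p` instead of `-m mark`, reproduces the original symptom where only the first packet gets through.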
> On Thursday 22 September 2005 22:32, LinuXKiD wrote:
> > iptables -A FORWARD -m ipp2p --ipp2p -j ACCEPT
> > iptables -A FORWARD -m ipp2p --ares -j ACCEPT
>
> Assuming that packets which are not accepted get dropped, IPP2P
> would have
> to match the very first packet of every P2P connection for this to work
> properly. I'm not sure that's a given. So far I've only used it for
> shaping and dropping purposes, and in both cases it does not
> matter whether
> the matched packet is the first, second, or third one...

Consider this situation....

I want to SHAPE p2p connections on my LAN. But ARES can't be shaped at the moment.
And my firewall is DROP POLICY, so I've to ACCEPT ipp2p connections, and related / established, but (with this) ares packets are dropped.

bests

> Regards,
> Andreas