thr3ads.net - Shorewall users - How to make Shorewall and IPP2P work together [Mar 2004]

If this information is useful, please help other people find it:
Share via:

Przemysław Lamorski

2004-Mar-12 19:35 UTC

How to make Shorewall and IPP2P work together

Hi.

I recently found new method about filtering p2p programs.
It is called IPP2P
http://rnvs.informatik.uni-leipzig.de/ipp2p/index_en.html.

I want to ask about integration with shorewall.
How to do it.

Thanks in advance,

Przemek Lamorski

Tom Eastep

2004-Mar-12 20:09 UTC

head link

Re: How to make Shorewall and IPP2P work together

On Fri, 12 Mar 2004, [iso-8859-2] Przemys?aw Lamorski wrote:
> Hi.
>
> I recently found new method about filtering p2p programs.
> It is called IPP2P
> http://rnvs.informatik.uni-leipzig.de/ipp2p/index_en.html.
>
> I want to ask about integration with shorewall.
> How to do it.
>
You will have to use an extension script --
http://shorewall.net/shorewall_extension_scripts.htm

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Horst Graffy

2004-Mar-12 20:28 UTC

head link

How to make Shorewall and IPP2P work together

Hi Przemek,

I''ve integrated ipp2p in my shorewall setup:

in /etc/shorewall/start (create the file if not there)

#######
# ipp2p
#######
echo -n "    starting ipp2p   "

# ip2pp for appleJuice
echo -n "(appleJuice) "
/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --apple  -j DROP
/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --apple  -j LOG --log-level 6 
--log-prefix "ipp2p: appleJuice-traffic "

# ip2pp for dc
echo -n "(DC) "
/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --dc    -j DROP
/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --dc    -j LOG --log-level 6 
--log-prefix "ipp2p: dc-traffic "

# ip2pp for gnutella
echo -n "(gnutella) "
/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --gnu   -j DROP
/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --gnu   -j LOG --log-level 6 
--log-prefix "ipp2p: gnutella-traffic "

# ip2pp for eDonkey
echo -n "(eDonkey) "
/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --edk   -j DROP
/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --edk   -j LOG --log-level 6 
--log-prefix "ipp2p: eDonkey-traffic "

# ip2pp for kazaa
echo -n "(kazaa) "
/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --kazaa -j DROP
/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --kazaa -j LOG --log-level 6 
--log-prefix "ipp2p: kazaa-traffic "

# ip2pp for BitTorrent (allowed ;)
echo -n "(BitTorrent) "
#/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --bit    -j DROP
#/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --bit    -j LOG --log-level 6 
--log-prefix "ipp2p: BitTorrent-traffic "

echo ""
echo "    ipp2p started"

and in /etc/shorewall/modules

# ipp2p (p2p Traffic)
    loadmodule ipp2p

work''s like a charm ;))

I don''t use the connmark stuff at the moment, because I have not found
the
time to recompile my kernel

hope this helps
Toni

Tom Eastep

2004-Mar-12 20:40 UTC

head link

Re: How to make Shorewall and IPP2P work together

On Friday 12 March 2004 12:28 pm, Horst Graffy wrote:> Hi Przemek,
>
> I''ve integrated ipp2p in my shorewall setup:
>
> in /etc/shorewall/start (create the file if not there)
>
> #######
> # ipp2p
> #######
> echo -n "    starting ipp2p   "
>
> # ip2pp for appleJuice
> echo -n "(appleJuice) "
> /usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --apple  -j DROP
> /usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --apple  -j LOG --log-level 6
> --log-prefix "ipp2p: appleJuice-traffic "
>
> # ip2pp for dc
> echo -n "(DC) "
> /usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --dc    -j DROP
> /usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --dc    -j LOG --log-level 6
> --log-prefix "ipp2p: dc-traffic "
>
> # ip2pp for gnutella
> echo -n "(gnutella) "
> /usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --gnu   -j DROP
> /usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --gnu   -j LOG --log-level 6
> --log-prefix "ipp2p: gnutella-traffic "
>
> # ip2pp for eDonkey
> echo -n "(eDonkey) "
> /usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --edk   -j DROP
> /usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --edk   -j LOG --log-level 6
> --log-prefix "ipp2p: eDonkey-traffic "
>
> # ip2pp for kazaa
> echo -n "(kazaa) "
> /usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --kazaa -j DROP
> /usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --kazaa -j LOG --log-level 6
> --log-prefix "ipp2p: kazaa-traffic "
>
> # ip2pp for BitTorrent (allowed ;)
> echo -n "(BitTorrent) "
> #/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --bit    -j DROP
> #/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --bit    -j LOG --log-level
> 6 --log-prefix "ipp2p: BitTorrent-traffic "
>
> echo ""
> echo "    ipp2p started"
>
> and in /etc/shorewall/modules
>
> # ipp2p (p2p Traffic)
>     loadmodule ipp2p
>
> work''s like a charm ;))
>
If you are using Shorewall 2.0.0-RC* (or 2.0.0 final when I release it this 
weekend), you can make user-defined actions out of each of these.
-----------------------------------------------
For example:

/etc/shorewall/actions:

DropBit
------
/etc/shorewall/action.DropBit

<empty file>
------
/etc/shorewall/DropBit

run_iptables -A DropBit -p tcp -m ipp2p --bit -j DROP
------
Once you have done that, you can then do the following sort of thing in 
/etc/shorewall/rules:

DropBit	loc	net

End of example
-----------------------------------------------

This technique allows you to only apply the PP2P rules to that traffic where 
it is likely to occur.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep

2004-Mar-12 21:10 UTC

head link

Re: How to make Shorewall and IPP2P work together

On Friday 12 March 2004 12:40 pm, Tom Eastep wrote:>
> >
> > # ip2pp for BitTorrent (allowed ;)
> > echo -n "(BitTorrent) "
> > #/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --bit    -j DROP
> > #/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --bit    -j LOG
> > --log-level 6 --log-prefix "ipp2p: BitTorrent-traffic "
BTW -- the order in which the DROP and LOG rules are coded means that logging 
will never occur.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Horst Graffy

2004-Mar-12 21:44 UTC

head link

Re: How to make Shorewall and IPP2P work together

Am Freitag, 12. März 2004 22:10 schrieb Tom Eastep:
 Hi Tom,

no, the rules are in the correct order, they are Inserted not Appended ;) to 
the FORWARD-chain, so they appear in the correct order LOG-DROP.
> On Friday 12 March 2004 12:40 pm, Tom Eastep wrote:
> > > # ip2pp for BitTorrent (allowed ;)
> > > echo -n "(BitTorrent) "
> > > #/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --bit    -j DROP
> > > #/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --bit    -j LOG
> > > --log-level 6 --log-prefix "ipp2p: BitTorrent-traffic "
>
> BTW -- the order in which the DROP and LOG rules are coded means that
> logging will never occur.
>
> -TomToni

Tom Eastep

2004-Mar-12 21:46 UTC

head link

Re: How to make Shorewall and IPP2P work together

On Friday 12 March 2004 01:44 pm, Horst Graffy wrote:> Am Freitag, 12. März 2004 22:10 schrieb Tom Eastep:
>  Hi Tom,
>
> no, the rules are in the correct order, they are Inserted not Appended ;)
> to the FORWARD-chain, so they appear in the correct order LOG-DROP.
>
Doh -- you''re right.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Shorewall users - Mar 2004 - How to make Shorewall and IPP2P work together

How to make Shorewall and IPP2P work together

Re: How to make Shorewall and IPP2P work together

How to make Shorewall and IPP2P work together

Re: How to make Shorewall and IPP2P work together

Re: How to make Shorewall and IPP2P work together

Re: How to make Shorewall and IPP2P work together

Re: How to make Shorewall and IPP2P work together