similar to: layer7-filter with iptables problem

Hello there! I am trying to get traffic shaping working on my Linux router (debian woody 3r02) and for some things I wanted to use the layer 7 packet classifier, but I can''t get it to work. Here is what I did: -downloaded the patches from http://l7-filter.sourceforge.net -downloaded the kernel 2.6.7 source -downloaded the iptables 1.2.11 source -patched kernel (layer7 patch and some

Hi all, I am running Slackware 10.1 with Kernel 2.6.14.3 includes iptables 1.3.4 with layer 7 My network diagram below: - INTERNET --- LINUX_ROUTER_FW --- PCs Below is my simple iptables script: - echo 1 > /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -t mangle -A POSTROUTING -m layer7 --l7proto applejuice -j MARK --set-mark 1 iptables -t

Hello, I''ve been trying to shape the bittorrent traffic (on my external interface, upload), but without luck, for this I''m using layer7 filter right now, but I''ve also tried ipp2p, with the same results, I might say that this is not a problem with this packet classifiers, the problem is with HTB, here''s why. When I open azureus (the bittorrent client I

i search a lot forum how to get bandwidth statistic such number of packet, total byte in each application protocol by using IPTABLES + netfilter-layer7 but i don''t know which script for getting it in log file and use data after get it for plotting graph later my IPTABLES command like this iptables -t mangle -N all iptables -t mangle -A POSTROUTING -j all iptables -t mangle -A

HI All , I am running a FC6 box with two internet links with load balance . Every thing is working fine expect the MSN connection that failed and reconnect every time and SSL connections . I would link to know if with the nona howto I could fix that . I have been tried with no success to redirect that connection only to one link but its look like do not work . Here my configuration :

Hello I''ve setuped a QOS bridge under debian 3.1 using 2.6.18.3 kernel + iptables 1.3.6 I''ve patched the kernel an Iptables with esfq+layer7 without problems. This simple script doesn''t log nothing ... And I''m sure to have eMule traffic (I''ve checked with tcpdump ) If I remove " -m layer7 --l7proto edonkey \" line I can see

hi everybody. im trying to set up an QoS config, using layer7 (http://l7-filter.sourceforge.net/) for protocol detection. im suposing 3 clients with this configuration: 3 clients: 1.2.3.1 , 1.2.3.2 , 1.2.3.3 1.2.3.1 has 256kbit bandwidth "guaranteed" clients 1.2.3.2 and 1.2.3.3 has 256kbit bandwith so im marking every packet using layer7 iptables module, classifying them in three

Hi there, I have a little problem. I had this some months ago but didn''t solve it back then. I have patched my kernel with Layer 7 support and patched my iptables to support it, too. Now I inserted this line in my firewall script on my router for testing purpose: $IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -p tcp -m layer7 --l7proto http -j DROP It works, BUT only if the

Hi, can anybody comment on the cost of matching with IPP2P vs. Layer7. Also, does a iptables rule with more complicated matching mechanism also slow down processing if all the packets are matched before they reach the rule. I.e. is the mere existence of a potentially costly rule already slowing down processing or only if packets are actually processed by it? Thanks very much in advance.

Hello I am looking for a way to have snort to dynamically update my shorewall config. I have seen software out there but I would like to see if anyone had tried this first. Aslo I would like to know if there is a way clear the Netfilter tables when I do a shorewall restart. The reason being is that when I make a change to my firewall setting I want all connections to have to re-establish

Hi, Thanks for the reply. Mohan Sundaram wrote : > mark in iptables and use tc to classify using mark. Mark like this ? iptables -A INPUT -m layer7 --l7proto bittorrent -j MARK --set-mark 3 and then.. tc filter add dev eth0 protocol ip parent 1:0 1 handle 3 fw flowid 1:10 and lets say we have a flowid 1:3 declared to use at 60kbit ceil 60kbit Is that proper ? If so then it

Hi All , My first message and I have a little problem with my FC6 box trying to block emule traffic using layer7 . Here my network : Internet --------- ADSL Router ------------------- FC6 Box -------------------- Emule Box external ADSL : Dynamic Internal ADSL : 192.168.254.1 external FC6 : 192.168.254.3 internal FC6 : 192.168.253.1 Emule Box : 192.168.253.3 I guess that everything

Hello, its me again, I won''t stop sending emails to this list, until I solve this problem, I''ve tried several apps to create the right htb rules (even made them my self), but I always get the same results, traffic gets shaped, but I can''t use my bandwidth, and this is weird, because I should be able to, also I keep seeing download being limited too, and that

On Sat, Oct 5, 2019 at 7:27 PM Oliver Dzombic <info@layer7.net> wrote: > Hi, > > if you run on a shell the command: > > osinfo-query os > > you will see that its: > > rhl8.0 | Red Hat Linux 8.0 > | 8.0 | http://redhat.com/rhl/8.0 > > > so instead of rhel8, i suggest you to try rhl8.0 > > Good luck ! > > Greetings >

Hi, I have simple question about Skype. What are the methods of selecting packets which belongs to Skype?? I know about 7layer but I don''t belive that is only way. Is 7layer realy good and stable solution for routers which must handle more than 1000 users ? Thanks in advance Pozdrawiam Szymon Turkiewicz

Hi all, I have found problems in p2p traffic detection. The ipp2p module works fine but in shorewall the rules written for this protocols never match because the initials p2p connection (login) match in ''-m state --state RELATED,ESTABLISHED -j ACCEPT'' rule before ''-m ipp2p --ipp2p -j DROP'' rule, so netfilter never filter p2p traffic. I have had to run

I had been using L7-Filter[1] successfully for edonkey/eMule traffic until recently. I upgraded to the latest release of mldonkey, 2.5.28a, which implements eMule compatibility, and with support for Kademlia[2] enabled, network latency increases greatly. [1] http://l7-filter.sourceforge.net/ [2] http://www.infoanarchy.org/wiki/wiki.pl?Kademlia Has anyone created a new pattern match for

Hi all, I have just upgraded to a new satellite internet provider. I have two network cards - one with a public IP connected to my satellite router, and the second network card with private IP into my switch for the LAN. Shorewall firewall My old satellite system is not being used. Would it be possible/feasable to install a third network card into my Fedora Core 2 server, and then direct all

Hi, I''m having problems with this configuration: iptables 1.3.7 (vanilla or repackaged for fc5) kernel 2.6.19 (vanilla) ROUTE 1.11 (last pom-ng) layer7-filter 2.6 (last in sf.net) connlimit (last pom-ng) When I try to use -j ROUTE in any chain in mangle table I have this error: [root@myhost ~]# iptables -v -t mangle -A POSTROUTING -p tcp --dport msnp -j ROUTE --gw

re I would like to do some firewalling and p2p shaping/limiting on one of the vlans in my network and I was thinking of using linux box as transparent bridged firewall/limiter. For this I''m planning to use AMD64 2.2Ghz box with 2 1gbit NIC (Broadcom 5721), that will be bridged. The box must be totally transparent and unseen in the network, as well as it should have much influence on