From: Andrew Beverley <andy@andybev.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] How to fight with encrypted p2p
Date: Sun, 02 Dec 2007 11:42:36 +0000
Message-ID: <1196595757.6539.9.camel@andybev>
In-Reply-To: <20071112015107.4ECBBEB2BB@f05.poczta.interia.pl>
> I believe that the whole question is in the topic.
> Is there any way to recognize (and then shape) p2p traffic which is encrypted?
> Modern p2p clients have this ability; moreover, some of them have this enabled by default.
> Now I'm using ipp2p for iptables, but as far as I know this doesn't recognize encrypted traffic.
One way to do this is to look for the style of traffic. For example, I
look for lots of connections from one PC to port numbers above 1024.
This will also incorrectly recognise some other traffic, but on the
whole it works well for me.
The following are some examples using connlimit (now included in vanilla
kernel) and ipset (see http://ipset.netfilter.org/).
# the set must exist before any rule references it (ipset syntax of the
# time; current ipset releases use: ipset create p2p hash:ip)
ipset -N p2p iphash

# first look for style of traffic and log that client to an ipset:
# a client with more than 10 connections to remote ports 1024 and up.
# note: connlimit groups by source address by default, so the -i ppp0
# rules count per remote host rather than per LAN client unless newer
# iptables' --connlimit-daddr is added
iptables -t mangle -A FORWARD -o ppp0 -p tcp --dport 1024: \
  -m connlimit --connlimit-above 10 -j SET --add-set p2p src
iptables -t mangle -A FORWARD -o ppp0 -p udp --dport 1024: \
  -m connlimit --connlimit-above 10 -j SET --add-set p2p src
iptables -t mangle -A FORWARD -i ppp0 -p tcp --sport 1024: \
  -m connlimit --connlimit-above 10 -j SET --add-set p2p dst
iptables -t mangle -A FORWARD -i ppp0 -p udp --sport 1024: \
  -m connlimit --connlimit-above 10 -j SET --add-set p2p dst

# then shape traffic above port 1024 for those detected clients.
# the set holds LAN addresses, so outbound (-o ppp0) packets are matched
# on src and inbound (-i ppp0) packets on dst; matching dst on the -o
# rules would test the remote host and never fire
# (current ipset spells the match option --match-set instead of --set)
iptables -t mangle -A FORWARD -o ppp0 -p tcp --dport 1024: \
  -m set --set p2p src -j MARK --set-mark 60
iptables -t mangle -A FORWARD -i ppp0 -p tcp --sport 1024: \
  -m set --set p2p dst -j MARK --set-mark 60
iptables -t mangle -A FORWARD -o ppp0 -p udp --dport 1024: \
  -m set --set p2p src -j MARK --set-mark 60
iptables -t mangle -A FORWARD -i ppp0 -p udp --sport 1024: \
  -m set --set p2p dst -j MARK --set-mark 60
Regards,
Andy Beverley
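The same connection-count heuristic, applied offline to constructed conntrack-style records so that the threshold and its false positives can be checked before the connlimit/ipset rules go live (an added example, not code from Andrew's post; the LAN prefix 192.168.1.0/24, the sample addresses and the function names are assumptions):

```python
import re
import ipaddress
from collections import defaultdict

# Constructed records in the style of `conntrack -L` output (not captured from
# a real router). Only the first, original-direction tuple is used.
# 192.168.1.10: browser, 12 connections to port 443 (below 1024, never counted)
# 192.168.1.20: 12 UDP flows to ports 6882-6893 (p2p-like, should be flagged)
# 192.168.1.30: a single connection to port 8080 (under the threshold)
# 192.168.1.40: 11 connections to port 8443 (false positive, as the post warns)
SAMPLE = (
    [f"tcp 6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.{i} sport={40000 + i} dport=443" for i in range(1, 13)]
    + [f"udp 17 30 src=192.168.1.20 dst=198.51.100.{i} sport=51413 dport={6881 + i}" for i in range(1, 13)]
    + ["tcp 6 431999 ESTABLISHED src=192.168.1.30 dst=203.0.113.1 sport=40100 dport=8080"]
    + [f"tcp 6 431999 ESTABLISHED src=192.168.1.40 dst=203.0.113.{i} sport={41000 + i} dport=8443" for i in range(1, 12)]
)

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def count_high_port_conns(lines, lan_net="192.168.1.0/24", min_port=1024):
    """Count, per LAN host, the connections whose remote port is >= min_port.
    Mirrors the post's connlimit rules (--dport 1024: leaving via ppp0,
    --sport 1024: arriving on it), keyed on the LAN-side address."""
    lan = ipaddress.ip_network(lan_net)
    counts = defaultdict(int)
    for line in lines:
        m = TUPLE_RE.search(line)  # first tuple = original direction
        if not m:
            continue
        src, dst = m.group(1), m.group(2)
        sport, dport = int(m.group(3)), int(m.group(4))
        if ipaddress.ip_address(src) in lan:
            host, remote_port = src, dport  # LAN host opened the connection
        elif ipaddress.ip_address(dst) in lan:
            host, remote_port = dst, sport  # remote host opened it
        else:
            continue
        if remote_port >= min_port:
            counts[host] += 1
    return dict(counts)

def suspected_p2p_hosts(lines, lan_net="192.168.1.0/24", above=10):
    """LAN hosts that --connlimit-above 10 would add to the 'p2p' ipset."""
    counts = count_high_port_conns(lines, lan_net)
    return sorted(host for host, n in counts.items() if n > above)

if __name__ == "__main__":
    print("would be shaped:", suspected_p2p_hosts(SAMPLE))
```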