From: "Mike Miller" <miller69@gmx.net>
To: lartc@vger.kernel.org
Subject: RE: [LARTC] limiting p2p
Date: Thu, 05 Feb 2004 19:05:39 +0000	[thread overview]
Message-ID: <25166.1076007939@www14.gmx.net> (raw)
In-Reply-To: <marc-lartc-106821892518555@msgid-missing>

Hi again,

having a closer look at your rules I found the following things:

>   iptables -t mangle -i eth2 -A PREROUTING -j CONNMARK --restore-mark
>   iptables -t mangle -i eth2 -A PREROUTING -m mark ! --mark 0 -j ACCEPT
> < rules rules rules >
>   iptables -t mangle -i eth2 -A PREROUTING -m mark --mark 0 -j MARK --set-mark 2
>   iptables -t mangle -i eth2 -A PREROUTING -j CONNMARK --save-mark

There is nothing wrong with the rules but IPP2P will never match a packet
because the following thing happens:

Very first packet of a connection enters the box -> restore mark -> mark 0
-> traversing the chain -> no match -> set-mark 2 -> save mark

Every following packet of this connection enters the box -> restore mark ->
mark 2 -> ACCEPT (not traversing the chain again)

So what does this mean? The very first packet of every TCP connection (and
that's what IPP2P is all about) starts with a SYN and is answered by an
ACK,SYN. These packets don't contain a data payload and hence can NOT contain
any P2P patterns IPP2P is looking for. You have to change the ruleset to let
IPP2P work!

If you want to verify that IPP2P is working just add the following rule to
your ruleset:

iptables -t mangle -I POSTROUTING 1 -p tcp -m ipp2p --ipp2p -j ACCEPT

iptables -t mangle -L -n -v -x should show you some hits in the POSTROUTING
chain now :-)

Hope that helps,
Mike.


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
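The traversal Mike describes, worked through in code. This is an added example and not code from the thread, from IPP2P or from netfilter: a small Python model of the mangle/PREROUTING chain (CONNMARK restore, the early ACCEPT, an IPP2P-style payload match, the catch-all default mark, CONNMARK save), fed a constructed TCP handshake followed by a constructed BitTorrent handshake. It assumes mark 1 for P2P-classified connections (the real values sit behind the "< rules rules rules >" placeholder), one byte pattern standing in for the IPP2P signatures, and -m connbytes (packet mode, both directions) as the way to stop probing an unclassified connection after a few packets; the corrected ordering is one possible fix, not the one the thread settled on.

```python
"""Model of the mangle/PREROUTING traversal discussed in the mail.

Added example, not code from the thread.  It is a Python simulation of the
netfilter behaviour (CONNMARK restore/save, early ACCEPT, IPP2P match), not
iptables itself, so it demonstrates the chain logic rather than the kernel.
"""
from dataclasses import dataclass

# Constructed stand-in for the patterns -m ipp2p --ipp2p looks for; the real
# module knows several protocols, this model recognises only one handshake.
P2P_PATTERN = b"\x13BitTorrent protocol"

P2P_MARK = 1       # assumed mark for classified P2P flows (hidden in "< rules rules rules >")
DEFAULT_MARK = 2   # the catch-all --set-mark 2 from the quoted ruleset


def conn_key(src, sport, dst, dport):
    """Direction-independent connection identity, like a conntrack entry,
    so the SYN and the ACK,SYN land on the same CONNMARK."""
    return tuple(sorted([(src, sport), (dst, dport)]))


@dataclass
class Packet:
    conn: tuple            # conn_key(...) of the owning connection
    payload: bytes = b""   # SYN / ACK,SYN / ACK carry no payload
    mark: int = 0          # the skb mark is 0 whenever a packet enters PREROUTING


@dataclass
class Conntrack:
    mark: int = 0          # what CONNMARK --save-mark stores
    packets: int = 0       # what -m connbytes --connbytes-mode packets counts


class Firewall:
    def __init__(self):
        self.ct = {}           # conn_key -> Conntrack
        self.ipp2p_hits = 0    # same role as the POSTROUTING counter rule in the mail

    def entry(self, pkt):
        ct = self.ct.setdefault(pkt.conn, Conntrack())
        ct.packets += 1
        return ct

    def ipp2p(self, pkt):
        """-p tcp -m ipp2p --ipp2p: only a payload can match, never the handshake."""
        hit = P2P_PATTERN in pkt.payload
        if hit:
            self.ipp2p_hits += 1
        return hit


def original_chain(fw, pkt):
    """The ruleset quoted in the mail.  The default mark is saved on the SYN,
    so every later packet restores it and hits the ACCEPT before IPP2P runs."""
    ct = fw.entry(pkt)
    pkt.mark = ct.mark                      # -j CONNMARK --restore-mark
    if pkt.mark != 0:                       # -m mark ! --mark 0 -j ACCEPT
        return
    if fw.ipp2p(pkt):                       # -m ipp2p --ipp2p -j MARK --set-mark 1
        pkt.mark = P2P_MARK
    if pkt.mark == 0:                       # -m mark --mark 0 -j MARK --set-mark 2
        pkt.mark = DEFAULT_MARK
    ct.mark = pkt.mark                      # -j CONNMARK --save-mark


def fixed_chain(fw, pkt, probe_packets=8):
    """Corrected ordering: save a mark only once a classifier matched, and give
    up on a connection (default class) only after probe_packets packets, i.e.
    -m connbytes --connbytes 8: --connbytes-dir both --connbytes-mode packets
    -j MARK --set-mark 2, then CONNMARK --save-mark for mark != 0 only.
    Handshake packets stay unmarked, so the first payload packet reaches IPP2P."""
    ct = fw.entry(pkt)
    pkt.mark = ct.mark                      # -j CONNMARK --restore-mark
    if pkt.mark != 0:                       # -m mark ! --mark 0 -j ACCEPT
        return
    if fw.ipp2p(pkt):                       # -m ipp2p --ipp2p -j MARK --set-mark 1
        pkt.mark = P2P_MARK
    elif ct.packets >= probe_packets:       # -m connbytes 8: ... -j MARK --set-mark 2
        pkt.mark = DEFAULT_MARK
    if pkt.mark != 0:                       # -m mark ! --mark 0 -j CONNMARK --save-mark
        ct.mark = pkt.mark


def run(chain, packets):
    """Push packets through a chain; return the per-packet marks and how often
    IPP2P matched (what the counters from the mail would show)."""
    fw = Firewall()
    marks = []
    for pkt in packets:
        chain(fw, pkt)
        marks.append(pkt.mark)
    return marks, fw.ipp2p_hits


def p2p_connection():
    """Constructed sample: three handshake packets, then a BitTorrent handshake."""
    k = conn_key("192.0.2.10", 51234, "198.51.100.7", 6881)
    return [Packet(k), Packet(k), Packet(k),
            Packet(k, P2P_PATTERN + b"\x00" * 8 + b"<info_hash><peer_id>"),
            Packet(k, b"piece data follows")]


def http_connection(n=10):
    """Constructed sample: n packets of an ordinary HTTP fetch, no P2P pattern."""
    k = conn_key("192.0.2.11", 40001, "198.51.100.8", 80)
    return [Packet(k, b"GET / HTTP/1.0\r\n\r\n") for _ in range(n)]


if __name__ == "__main__":
    print("quoted ordering:   ", run(original_chain, p2p_connection()))
    print("corrected ordering:", run(fixed_chain, p2p_connection()))
```

Running the module shows the two verdicts side by side: with the quoted ordering the SYN is saved as mark 2 and IPP2P counts zero hits over the whole connection, while with the corrected ordering the handshake stays unmarked, the first payload packet matches and only then is the mark saved; a connection that never matches falls into the default class after the probe window, so it does not keep traversing the chain for its whole lifetime. The same difference would show up in the POSTROUTING counter rule from the mail.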

Thread overview:
2003-11-07 15:27 [LARTC] limiting p2p ThE PhP_KiD
2004-02-02  9:39 ` Michal Kustosik
2004-02-02 10:14 ` Eddie
2004-02-02 11:30 ` Michal Kustosik
2004-02-02 18:27 ` ThE PhP_KiD
2004-02-03  0:01 ` ThE LinuX_KiD
2004-02-03 17:44 ` andybr
2004-02-03 23:52 ` miller69
2004-02-04 12:55 ` GoMi
2004-02-04 13:31 ` Mike Miller
2004-02-04 15:39 ` GoMi
2004-02-04 16:57 ` Mike Miller
2004-02-04 17:48 ` GoMi
2004-02-04 17:49 ` GoMi
2004-02-05 19:05 ` Mike Miller [this message]
2004-02-07 14:36 ` GoMi
