* [LARTC] p2p: ARES
From: LinuXKiD @ 2005-09-22 20:32 UTC (permalink / raw)
  To: lartc


Hi,

I have a Linux box as NAT router + firewall
(POLICY DROP for INPUT, OUTPUT and FORWARD)

but I've put the following rules for p2p software
on the FORWARD chain

[... snip ... ]

iptables -F FORWARD
iptables -P FORWARD DROP


iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
[... snip ... ]

iptables -A FORWARD -m ipp2p --ipp2p -j ACCEPT
iptables -A FORWARD -m ipp2p --ares -j ACCEPT

[...]

Then... emule, Kazaa, edonkey and so on work very well,
but ARES can't connect.

I have:
	- iptables 1.3.3
	- kernel 2.4.28
	- ipp2p 0.8.0rc3

BUT, if I change the policy

	iptables -P FORWARD ACCEPT

ARES works, it can connect.

I've tried to guess the tcp/udp ports with tcpdump,
without success.

I guess that ipp2p can only block p2p on an ACCEPT
policy firewall.

Must I open some tcp/udp port?
Can anybody help me?

bests
andres.

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] p2p: ARES
From: Peter Surda @ 2005-09-22 20:58 UTC (permalink / raw)
  To: lartc

On Thu, 22 Sep 2005 17:32:34 -0300 "LinuXKiD" <gregoriandres@yahoo.com.ar>
wrote:

>Hi,
Hi,

>but, I've put next rules for p2p software
>on FORWARD chain
In order to fully utilise IPP2P, you have to use it in the mangle table and
combine it with connmark. See the documentation on the IPP2P website.

Yours sincerely,
Peter

-- 
http://www.shurdix.org - Linux distribution for routers and firewalls


* Re: [LARTC] p2p: ARES
From: Andreas Klauer @ 2005-09-22 22:02 UTC (permalink / raw)
  To: lartc

On Thursday 22 September 2005 22:32, LinuXKiD wrote:
> iptables -A FORWARD -m ipp2p --ipp2p -j ACCEPT
> iptables -A FORWARD -m ipp2p --ares -j ACCEPT

Assuming that packets which are not accepted get dropped, IPP2P would have 
to match the very first packet of every P2P connection for this to work 
properly. I'm not sure that's a given. So far I've only used it for 
shaping and dropping purposes, and in both cases it does not matter whether 
the matched packet is the first, second, or third one...

Regards,
Andreas


* Re: [LARTC] p2p: ARES
From: Jody Shumaker @ 2005-09-23  4:41 UTC (permalink / raw)
  To: lartc

For dropping purposes you only need to match the first packet and 
prevent the connection from starting, but for both forwarding and 
accepting you'll need to mark the whole connection. For most p2p that 
ipp2p matches, it will only match the first packet of the connection; 
all further packets would be dropped with a simple rule like this.

You really need to do something like this:

MARKP2P=3
# restore the connection's saved mark onto the packet; already-marked
# connections are accepted here so they skip the ipp2p payload match
iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -p tcp -m mark --mark $MARKP2P -j ACCEPT
# p2p marking: mark the packet that matches the ipp2p signature, then
# save the mark to the conntrack entry so the whole connection carries it
iptables -t mangle -A PREROUTING -m ipp2p --bit --edk --kazaa --gnu --dc -j MARK --set-mark ${MARKP2P}
iptables -t mangle -A PREROUTING -p tcp -m mark --mark ${MARKP2P} -j CONNMARK --save-mark

# filter: accept every packet of a marked connection
iptables -A FORWARD -m mark --mark ${MARKP2P} -j ACCEPT


I'm using something similar to this for all my shaping, and it works great for 
that. I don't see why the same connection marking shouldn't work for 
accepting.

- Jody



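To make the difference between Andreas's and Jody's points concrete, here is a toy model, added to this archive page and not code from the thread or from ipp2p, that replays one connection through a DROP-policy FORWARD chain under both rulesets. It assumes, as Jody describes, that `-m ipp2p` fires on a single signature packet of the flow; the addresses and the packet sequence are constructed.

```python
# Toy model of netfilter behaviour for the two rulesets in the thread.
# Constructed for illustration: ipp2p is modelled as a payload match that
# fires on exactly one "signature" packet of a connection.
from dataclasses import dataclass, field

MARKP2P = 3  # same mark value as Jody's script


@dataclass
class Packet:
    src: tuple        # (ip, port) of the sender
    dst: tuple        # (ip, port) of the receiver
    signature: bool   # would `-m ipp2p` match this packet's payload?

    def conn(self):
        # conntrack tracks both directions of a flow as one connection
        return frozenset((self.src, self.dst))


@dataclass
class Firewall:
    use_connmark: bool
    connmarks: dict = field(default_factory=dict)  # connection -> saved mark

    def forward(self, pkt: Packet) -> str:
        """Return the FORWARD verdict for one packet (policy DROP)."""
        if not self.use_connmark:
            # iptables -A FORWARD -m ipp2p --ipp2p -j ACCEPT
            return "ACCEPT" if pkt.signature else "DROP"
        # mangle PREROUTING: -j CONNMARK --restore-mark
        mark = self.connmarks.get(pkt.conn(), 0)
        if mark == 0 and pkt.signature:
            # -m ipp2p ... -j MARK --set-mark 3, then CONNMARK --save-mark
            mark = MARKP2P
            self.connmarks[pkt.conn()] = mark
        # filter FORWARD: -m mark --mark 3 -j ACCEPT
        return "ACCEPT" if mark == MARKP2P else "DROP"


def verdicts(use_connmark: bool, signature_at: int) -> list:
    """Verdicts for a constructed 4-packet exchange whose ipp2p signature
    sits in packet number `signature_at` (0-based); packet 2 is a reply."""
    a, b = ("192.0.2.10", 40000), ("198.51.100.7", 59049)  # constructed
    path = [(a, b), (a, b), (b, a), (a, b)]
    pkts = [Packet(s, d, i == signature_at) for i, (s, d) in enumerate(path)]
    fw = Firewall(use_connmark)
    return [fw.forward(p) for p in pkts]
```

With the plain rule only the signature packet passes; with CONNMARK every packet after it (in both directions) passes, but packets before the signature, Andreas's concern, are dropped either way.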

* Re: [LARTC] p2p: ARES
From: Klaus @ 2005-09-23  7:53 UTC (permalink / raw)
  To: lartc

Hi,


ipp2p detects ares server connects only. At the moment no client
connections are recognized by ipp2p.

So if you use ipp2p to mark all ares connections, you will only mark the
server connections (which would be bad in your situation).

Klaus
maintainer of ipp2p




* RE: [LARTC] p2p: ARES
From: LinuXKiD @ 2005-09-23 15:23 UTC (permalink / raw)
  To: lartc

-> 
-> On Thursday 22 September 2005 22:32, LinuXKiD wrote:
-> > iptables -A FORWARD -m ipp2p --ipp2p -j ACCEPT
-> > iptables -A FORWARD -m ipp2p --ares -j ACCEPT
-> 
-> Assuming that packets which are not accepted get dropped, IPP2P would have 
-> to match the very first packet of every P2P connection for this to work 
-> properly. I'm not sure that's a given. So far I've only used it for 
-> shaping and dropping purposes, and in both cases it does not matter whether 
-> the matched packet is the first, second, or third one...

Consider this situation....

I want to SHAPE p2p connections on my LAN.
But ARES can't be shaped, at the moment.

And my firewall has a DROP policy, so I have to ACCEPT 
ipp2p connections, and related/established.

But (with this), ares packets are dropped.

bests


