* Re: [LARTC] p2p: ARES
2005-09-22 20:32 [LARTC] p2p: ARES LinuXKiD
@ 2005-09-22 20:58 ` Peter Surda
2005-09-22 22:02 ` Andreas Klauer
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Peter Surda @ 2005-09-22 20:58 UTC (permalink / raw)
To: lartc
On Thu, 22 Sep 2005 17:32:34 -0300 "LinuXKiD" <gregoriandres@yahoo.com.ar>
wrote:
>Hi,
Hi,
>but, I've put next rules for p2p software
>on FORWARD chain
In order to fully utilise IPP2P, you have to use it in the mangle table and
combine it with connmark. See the documentation on the IPP2P website.
Yours sincerely,
Peter
--
http://www.shurdix.org - Linux distribution for routers and firewalls
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [LARTC] p2p: ARES
2005-09-22 20:32 [LARTC] p2p: ARES LinuXKiD
2005-09-22 20:58 ` Peter Surda
@ 2005-09-22 22:02 ` Andreas Klauer
2005-09-23 4:41 ` Jody Shumaker
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Andreas Klauer @ 2005-09-22 22:02 UTC (permalink / raw)
To: lartc
On Thursday 22 September 2005 22:32, LinuXKiD wrote:
> iptables -A FORWARD -m ipp2p --ipp2p -j ACCEPT
> iptables -A FORWARD -m ipp2p --ares -j ACCEPT
Assuming that packets which are not accepted get dropped, IPP2P would have
to match the very first packet of every P2P connection for this to work
properly. I'm not sure that's a given. So far I've only used it for
shaping and dropping purposes, and in both cases it does not matter wether
the matched packet is the first, second, or third one...
Regards,
Andreas
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [LARTC] p2p: ARES
2005-09-22 20:32 [LARTC] p2p: ARES LinuXKiD
2005-09-22 20:58 ` Peter Surda
2005-09-22 22:02 ` Andreas Klauer
@ 2005-09-23 4:41 ` Jody Shumaker
2005-09-23 7:53 ` Klaus
2005-09-23 15:23 ` LinuXKiD
4 siblings, 0 replies; 6+ messages in thread
From: Jody Shumaker @ 2005-09-23 4:41 UTC (permalink / raw)
To: lartc
For dropping purposes you only need to match the first packet and
prevent the connection from starting, but for both forwarding and
accepting you'll need to mark the whole connection, for most p2p that
ipp2p matches it will only match the first packet of the connection,
all further packets would be dropped with a simple rule like this.
You really need to do something like this:
MARKP2P=3
iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -p tcp -m mark --mark $MARKP2P -j ACCEPT
# p2p marking
iptables -t mangle -A PREROUTING -m ipp2p --bit --edk --kazaa --gnu --dc
-j MARK --set-mark ${MARKP2P}
iptables -t mangle -A PREROUTING -p tcp -m mark --mark ${MARKP2P} -j
CONNMARK --save-mark
iptables -A FORWARD -m mark --mark ${MARKP2P} -j ACCEPT
I'm using something similar to this for all my shaping, works great for
that. I don't see why the same connection marking shouldn't work for
accepting
- Jody
Andreas Klauer wrote:
>On Thursday 22 September 2005 22:32, LinuXKiD wrote:
>
>
>>iptables -A FORWARD -m ipp2p --ipp2p -j ACCEPT
>>iptables -A FORWARD -m ipp2p --ares -j ACCEPT
>>
>>
>
>Assuming that packets which are not accepted get dropped, IPP2P would have
>to match the very first packet of every P2P connection for this to work
>properly. I'm not sure that's a given. So far I've only used it for
>shaping and dropping purposes, and in both cases it does not matter wether
>the matched packet is the first, second, or third one...
>
>Regards,
>Andreas
>_______________________________________________
>LARTC mailing list
>LARTC@mailman.ds9a.nl
>http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
>
>
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [LARTC] p2p: ARES
2005-09-22 20:32 [LARTC] p2p: ARES LinuXKiD
` (2 preceding siblings ...)
2005-09-23 4:41 ` Jody Shumaker
@ 2005-09-23 7:53 ` Klaus
2005-09-23 15:23 ` LinuXKiD
4 siblings, 0 replies; 6+ messages in thread
From: Klaus @ 2005-09-23 7:53 UTC (permalink / raw)
To: lartc
Hi,
ipp2p detects ares server connects only. At the moment no client
connctions are recognized by ipp2p.
So if you use ipp2p to mark all ares connections, you will only mark the
server connnections (which would be bad in you situation.)
Klaus
maintainer of ipp2p
LinuXKiD wrote:
> Hi,
>
> I've a linux as router nat + firewall
> (POLICY DROP for INPUT OUTPUT and FORWARD)
>
> but, I've put next rules for p2p software
> on FORWARD chain
>
> [... snip ... ]
>
> iptables -F FORWARD
> iptables -P FORWARD DROP
>
>
> iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
> iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
> [... snip ... ]
>
> iptables -A FORWARD -m ipp2p --ipp2p -j ACCEPT
> iptables -A FORWARD -m ipp2p --ares -j ACCEPT
>
> [...]
>
> Then... emule, kaazaa , edonkey and so on works very good
> but ARES can't connect.
>
> I've
> - iptables 1.3.3
> - kernel 2.4.28
> - ipp2p 0.8.0rc3
>
> BUT, if I change policy
>
> iptables -P FORWARD ACCEPT
>
> ARES works, can connect.
>
> I've tried to guess tcp/udp ports with tcpdump
> without suceess.
>
> I guess that ipp2p only can block p2p on a ACCEPT
> policy firewall
>
> I must open some tcp/udp port ?
> Can anybody helpme ?
>
> bests
> andres.
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 6+ messages in thread* RE: [LARTC] p2p: ARES
2005-09-22 20:32 [LARTC] p2p: ARES LinuXKiD
` (3 preceding siblings ...)
2005-09-23 7:53 ` Klaus
@ 2005-09-23 15:23 ` LinuXKiD
4 siblings, 0 replies; 6+ messages in thread
From: LinuXKiD @ 2005-09-23 15:23 UTC (permalink / raw)
To: lartc
->
-> On Thursday 22 September 2005 22:32, LinuXKiD wrote:
-> > iptables -A FORWARD -m ipp2p --ipp2p -j ACCEPT
-> > iptables -A FORWARD -m ipp2p --ares -j ACCEPT
->
-> Assuming that packets which are not accepted get dropped, IPP2P
-> would have
-> to match the very first packet of every P2P connection for this to work
-> properly. I'm not sure that's a given. So far I've only used it for
-> shaping and dropping purposes, and in both cases it does not
-> matter wether
-> the matched packet is the first, second, or third one...
Consider this situation....
I want to SHAPE p2p connections on my LAN.
But, ARES can't be shaped, at the momment.
And, my firewall is DROP POLICY, then I've to ACCEPT
ipp2p connections, and related / established.
but (with this), ares packets are droped.
bests
->
-> Regards,
-> Andreas
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 6+ messages in thread