* [LARTC] limiting p2p
From: ThE PhP_KiD @ 2003-11-07 15:27 UTC (permalink / raw)
  To: lartc

Hi List !

I'm trying the excellent module ipt_p2p from Filipe
Almeida on a Linux box with several connections,
in order to block p2p traffic with the following rule:

iptables -t filter -A FORWARD -m p2p -j DROP

And the result was that the traffic has been reduced
from 1,3 mb to 0,85 mb !!! Excellent !!

However, I've noticed that after two days running,
that Linux box (RH 7.2 updated - Kernel 2.4.22
- iptables 1.2.8 with String and ConnMark modules,
Pentium 4, 1.8 Mhz, 256 Mbytes RAM, and 3c509 eth0,
eth1 and eth2)
begins to drop other packets and a simple ping
looks like this:


# ping 192.168.210.3    (for example)

PING 192.168.210.3 (192.168.210.3) from 192.168.210.254 : 56(84) bytes of data.
64 bytes from 192.168.210.3: icmp_seq=0 ttl=64 time=499 usec
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
64 bytes from 192.168.210.3: icmp_seq=1 ttl=64 time=478 usec
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
64 bytes from 192.168.210.3: icmp_seq=2 ttl=64 time=489 usec
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted

After that, the only way to fix this was a REBOOT.

I've heard of similar problems (not with ipt_p2p), and
someone said the following might work (in a cron job):

echo -n "Unloading modules.."
rmmod -a
lsmod | grep "ipt_\|ip_\|iptable" | cut -f1 -d' ' | xargs rmmod 2>/dev/null && \
echo "Done!" || echo "failed!"

and some others suggest that I could try an "iptables clear"
and regenerate the IP tables.


From the man page:

>   ping sendto: operation not permitted

 sendto(2) system call failed with errno EPERM,
 operation not permitted => reason is in the
 local firewall rules, chain OUTPUT.

 Otherwise the sendto(2) would have succeeded,
 and the error would come in an ICMP error packet.


Do you have a clue about this?

Thank you.
Best Regards.

Andres.


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
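The man page excerpt quoted above is the whole diagnostic: EPERM from sendto(2) is local, an ICMP error line is not. As an added example (not from the post), here is a small Python classifier that applies that rule to a captured ping session; the sample sessions are constructed to mirror the output posted above, with the quoted-printable garbling undone.

```python
"""Sort the failures in a ping session into local and remote causes.

`ping: sendto: Operation not permitted` means sendto(2) failed with EPERM on
this host, i.e. a local firewall rule (filter table, OUTPUT chain) refused the
packet; an ICMP error line ("From <router> ... Destination Host Unreachable")
means the packet left the host and the network answered.

Added example; not code from the thread. SESSION and REMOTE_SESSION are
constructed samples.
"""
import re

REPLY_RE = re.compile(r"^\d+ bytes from \S+: icmp_seq=\d+")
LOCAL_ERR_RE = re.compile(r"^ping: sendto: (.+)$")
REMOTE_ERR_RE = re.compile(
    r"^From \S+ icmp_seq=\d+ (Destination \w+ Unreachable|Time to live exceeded)")

# Constructed to mirror the session posted in the thread.
SESSION = """\
PING 192.168.210.3 (192.168.210.3) from 192.168.210.254 : 56(84) bytes of data.
64 bytes from 192.168.210.3: icmp_seq=0 ttl=64 time=499 usec
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
64 bytes from 192.168.210.3: icmp_seq=1 ttl=64 time=478 usec
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
64 bytes from 192.168.210.3: icmp_seq=2 ttl=64 time=489 usec
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
"""

# Constructed counter-example: same target, but the errors come back from the
# network instead of from sendto().
REMOTE_SESSION = """\
PING 192.168.210.3 (192.168.210.3) from 192.168.210.254 : 56(84) bytes of data.
From 192.168.210.254 icmp_seq=1 Destination Host Unreachable
From 192.168.210.254 icmp_seq=2 Destination Host Unreachable
"""


def classify_ping(session):
    """Count replies and errors and say where the loss is being introduced."""
    replies = local = remote = 0
    errors = set()
    for line in session.splitlines():
        line = line.strip()
        if REPLY_RE.match(line):
            replies += 1
        elif (m := LOCAL_ERR_RE.match(line)):
            local += 1
            errors.add(m.group(1))
        elif (m := REMOTE_ERR_RE.match(line)):
            remote += 1
            errors.add(m.group(1))
    if "Operation not permitted" in errors:
        verdict = "local: sendto() got EPERM, inspect this host's filter OUTPUT chain"
    elif local:
        verdict = "local: sendto() failed (%s), the packets never left this host" % (
            ", ".join(sorted(errors)))
    elif remote:
        verdict = "remote: ICMP errors came from the network, the packets left this host"
    elif replies:
        verdict = "clean"
    else:
        verdict = "no replies: target or path down, or packets dropped silently in transit"
    return {"replies": replies, "local_errors": local, "remote_errors": remote,
            "errors": sorted(errors), "verdict": verdict}
```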


* Re: [LARTC] limiting p2p
From: Michal Kustosik @ 2004-02-02  9:39 UTC (permalink / raw)
  To: lartc

On Fri, Nov 07, 2003 at 12:27:25PM -0300, ThE PhP_KiD wrote:
[...]

Hi!

I have the same problem... Have you solved it?
I can't see any answer to your email :(

best
-- 
michal

* Re: [LARTC] limiting p2p
From: Eddie @ 2004-02-02 10:14 UTC (permalink / raw)
  To: lartc

Ok.
What I did was block all forwarding traffic, in and out, on my gateway
with iptables, only allowing established/related traffic in and out on the ports
they use, 80, 25, 110 etc. This will stop it connecting to a weird port.
Now the thing about Kazaa is that after it has tried all 65XXXXXXX ports it
will try port 80; this can take a while and the stupid user will have
closed it.
Now what you do is set up a transparent proxy with iptables and squid. On
squid you create ACLs to stop .mp3 and .wav etc. files,
and .dat files, which Kazaa uses.
Now this worked for me.



* Re: [LARTC] limiting p2p
From: Michal Kustosik @ 2004-02-02 11:30 UTC (permalink / raw)
  To: lartc

On Mon, Feb 02, 2004 at 12:14:25PM +0200, Eddie wrote:
[...]

ok ;) I did the same some time ago ;)

But I'm interested in what is wrong with ipt_p2p or something, that
icmp works badly when using ipt_p2p... Does anybody know?!?
Has anybody run ipt_p2p with no problems?

best...
-- 
michal



* RE: [LARTC] limiting p2p
From: ThE PhP_KiD @ 2004-02-02 18:27 UTC (permalink / raw)
  To: lartc

Hi Michal.

Now I'm testing the ipt_ipp2p third-party netfilter module.
You can reach it at:
http://rnvs.informatik.uni-leipzig.de/ipp2p/index_en.html

At the moment I have no problems with it.
(It works well)

But I haven't tested the ipt_ipp2p module heavily
with a large LAN.

regards

Andres.



* RE: [LARTC] limiting p2p
From: ThE LinuX_KiD @ 2004-02-03  0:01 UTC (permalink / raw)
  To: lartc

Interesting !!

Did you try it with 2.4 ? or 2.6 ?

-> -----Original message-----
-> From: Esteban Ribicic [mailto:esteban@dejawu.com.ar]
-> Sent: Monday, 02 February 2004 08:11 p.m.
-> To: 'ThE PhP_KiD'
-> Subject: RE: [LARTC] limiting p2p
-> 
-> 
-> Did you try layer 7 matching?

* Re: [LARTC] limiting p2p
From: andybr @ 2004-02-03 17:44 UTC (permalink / raw)
  To: lartc

Hi all,

Do you have a firewall enabled? If yes, did you try to
flush the rules to see if it is still happening?

[]'s
Anderson



* RE: [LARTC] limiting p2p
From: miller69 @ 2004-02-03 23:52 UTC (permalink / raw)
  To: lartc

> Now I'm testing ipt_ipp2p netfilter 3rd module
> You can reach it at:
> http://rnvs.informatik.uni-leipzig.de/ipp2p/index_en.html
Thanks for making this public, I just forgot to post the link to the
list :-)

> But I haven't tested ipt_ipp2p module strongly
> with a large LAN
Well, we ran it on a campus network for about 6 weeks without any issue. Some
results of our delay investigations are coming soon - the first graphs don't
look too bad (0.1-1ms average delay introduced by the bridging firewall).

Cheers,
Mike.


* RE: [LARTC] limiting p2p
From: GoMi @ 2004-02-04 12:55 UTC (permalink / raw)
  To: lartc

 

Hi there, I am having really big trouble setting up ipp2p. I have a woody with the kernel upgraded to 2.4.20 and iptables 1.2.8. I changed the makefile to include these modifications, but still it captures no traffic at all.. Do I need to run it under 2.4.18?


* RE: [LARTC] limiting p2p
From: Mike Miller @ 2004-02-04 13:31 UTC (permalink / raw)
  To: lartc

> Hi there, i am having really big troubles setting up ipp2p. I have a 
> woody with kernel upgraded to 2.4.20 and iptables 1.2.8. I changed the 
> makefile to include these modifications, but still it captures no 
> traffic at all.. Do i need to run it under 2.4.18? 

Well, for us it was working with all kernels from 2.4.18 on. We are
currently struggling with problems on 2.4.24 but are not sure if this is a kernel issue
since we got a whole new box - investigation will take place soon.

First of all: are you sure there is any P2P traffic occurring at your link?
Is the IPP2P rule put at the correct place (PREROUTING of mangle, for example)?
Go to the http://rnvs.informatik.uni-leipzig.de/ipp2p/ documentation page -
there are a couple of examples of how to use IPP2P.

If this doesn't help, come back to me with your setup and ruleset - maybe
traffic is accepted somewhere else before IPP2P comes into play.

Regards,
Mike.


* RE: [LARTC] limiting p2p
From: GoMi @ 2004-02-04 15:39 UTC (permalink / raw)
  To: lartc

 

Here is my config:

  iptables -t mangle -i eth2 -A PREROUTING -j CONNMARK --restore-mark
  iptables -t mangle -i eth2 -A PREROUTING -m mark ! --mark 0 -j ACCEPT
  iptables -t mangle -i eth2 -A PREROUTING -p icmp -j MARK --set-mark 4
  iptables -t mangle -i eth2 -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 2
  iptables -t mangle -i eth2 -A PREROUTING -p tcp -m ipp2p --ipp2p-data -j MARK --set-mark 2
  iptables -t mangle -i eth2 -A PREROUTING -p tcp --dport 1214 -j MARK --set-mark 2
  iptables -t mangle -i eth2 -A PREROUTING -p tcp -m string --string X-Kazaa -j MARK --set-mark 2
  iptables -t mangle -i eth2 -A PREROUTING -p tcp --dport 2234 -j MARK --set-mark 2
  iptables -t mangle -i eth2 -A PREROUTING -p udp --dport 53 -j MARK --set-mark 1
  iptables -t mangle -i eth2 -A PREROUTING -p tcp --dport 80 -m string ! --string X-Kazaa -j MARK --set-mark 1
  iptables -t mangle -i eth2 -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 1
  iptables -t mangle -i eth2 -A PREROUTING -p tcp --dport 0:1024 -j MARK --set-mark 1
  iptables -t mangle -i eth2 -A PREROUTING -p udp --dport ! 53 -j MARK --set-mark 2
  iptables -t mangle -i eth2 -A PREROUTING -p tcp --dport 1863 -j MARK --set-mark 1
  iptables -t mangle -i eth2 -A PREROUTING -p tcp -d 0/0 --sport 80 -j MARK --set-mark 5
  iptables -t mangle -i eth2 -A PREROUTING -m mark --mark 0 -j MARK --set-mark 2
  iptables -t mangle -i eth2 -A PREROUTING -j CONNMARK --save-mark


ipt_ipp2p               2656   0  (unused)

That's my module working...

       0        0 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0          ipp2p v0.5a --ipp2p MARK set 0x2
       0        0 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0          ipp2p v0.5a --ipp2p-data MARK set 0x2

And my rules.

There are 100 users, all using p2p, but I have it restricted under my fw, but some get access through port 80... I am currently downloading, and for a day or so, no traffic recognized at all...

I have no messages in my syslog or messages files at all ...



* RE: [LARTC] limiting p2p
From: Mike Miller @ 2004-02-04 16:57 UTC (permalink / raw)
  To: lartc

>      iptables -t mangle -i eth2 -A PREROUTING -p tcp -m ipp2p --ipp2p -j 
> MARK --set-mark 2
>      iptables -t mangle -i eth2 -A PREROUTING -p tcp -m ipp2p 
> --ipp2p-data -j MARK --set-mark 2
There is no need to use --ipp2p and --ipp2p-data on one box. Using --ipp2p
only should be sufficient for most systems. But IPP2P should work with this
ruleset anyway.

Please do me a favour and remove both rules containing string matches from
your ruleset, let it run for a while and give me the full output of "iptables
-t mangle -L -n -v -x". I guess you're using Kazaa? Is it a (NAT) router or a
bridge?

Regards,
Mike



* RE: [LARTC] limiting p2p
From: GoMi @ 2004-02-04 17:48 UTC (permalink / raw)
  To: lartc

 

There it goes, btw... thank you very much ;)

Chain PREROUTING (policy ACCEPT 26236333 packets, 12882098667 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  249121 26462887 CONNMARK   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0          CONNMARK restore
  142502 21317691 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0          MARK match !0x0
      24    14682 MARK       icmp --  eth2   *       0.0.0.0/0            0.0.0.0/0          MARK set 0x4
       0        0 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0          ipp2p v0.5a --ipp2p MARK set 0x2
      27     1296 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0          tcp dpt:1214 MARK set 0x2
       3      144 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0          tcp dpt:2234 MARK set 0x2
     438    33099 MARK       udp  --  eth2   *       0.0.0.0/0            0.0.0.0/0          udp dpt:53 MARK set 0x1
    6712   321889 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0          tcp dpt:80 STRING match !X-Kazaa MARK set 0x1
       0        0 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0          tcp dpt:25 MARK set 0x1
   98629  4733897 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0          tcp dpts:0:1024 MARK set 0x1
    2746   133990 MARK       udp  --  eth2   *       0.0.0.0/0            0.0.0.0/0          udp dpt:!53 MARK set 0x2
      95     4560 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0          tcp dpt:1863 MARK set 0x1
       0        0 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0          tcp spt:80 MARK set 0x5
    4622   221848 MARK       all  --  eth2   *       0.0.0.0/0            0.0.0.0/0          MARK match 0x0 MARK set 0x2
  106580  5143324 CONNMARK   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0          CONNMARK save
  103317  4959216 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x16/0x02 MARK set 0x3
      15      601 chkack     tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x16/0x10
  106556  5142172 chgtos     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 116314 packets, 17066648 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 39662528 packets, 15020457598 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 127443 packets, 41248573 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 32254661 packets, 14698686461 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain chgtos (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   99134  4770212 TOS        all  --  *      *       0.0.0.0/0            0.0.0.0/0          CONNMARK match 0x1 TOS set 0x10
    7398   357278 TOS        all  --  *      *       0.0.0.0/0            0.0.0.0/0          CONNMARK match 0x2 TOS set 0x08
       0        0 TOS        all  --  *      *       0.0.0.0/0            0.0.0.0/0          CONNMARK match 0x3 TOS set 0x10
       0        0 TOS        all  --  *      *       0.0.0.0/0            0.0.0.0/0          CONNMARK match 0x5 TOS set 0x02
  106556  5142172 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain chkack (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      15      601 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0          length 0:128 MARK set 0x3
       0        0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0          length 128:65535 MARK set 0x2
      15      601 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

- -----Mensaje original-----
De: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] En nombre de Mike Miller
Enviado el: miércoles, 04 de febrero de 2004 17:58
Para: GoMi
CC: lartc@mailman.ds9a.nl
Asunto: RE: [LARTC] limiting p2p


>      iptables -t mangle -i eth2 -A PREROUTING -p tcp -m ipp2p --ipp2p 
> -j
> MARK --set-mark 2
>      iptables -t mangle -i eth2 -A PREROUTING -p tcp -m ipp2p 
> --ipp2p-data -j MARK --set-mark 2
There is no need to use --ipp2p and --ipp2p-data on one box. Use --ipp2p only this should be sufficient for most systems. But IPP2P should work with this ruleset anyway.

Please do me a favour and remove both rules containing string matches from your ruleset let it run for a while and give me the full output of "iptables -t mangle -L -n -v -x". I guess you're using Kazaa? Is it a (nat-)router or a bridge?

Regards,
Mike


- -- 
GMX ProMail (250 MB Mailbox, 50 FreeSMS, Virenschutz, 2,99 EUR/Monat...) jetzt 3 Monate GRATIS + 3x DER SPIEGEL +++ http://www.gmx.net/derspiegel +++

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/



* RE: [LARTC] limiting p2p
From: GoMi @ 2004-02-04 17:49 UTC (permalink / raw)
  To: lartc


I forgot to tell you, I am load balancing with 2 DSL connections and also doing NAT on my machine.


* RE: [LARTC] limiting p2p
From: Mike Miller @ 2004-02-05 19:05 UTC (permalink / raw)
  To: lartc

Hi again,

having a closer look at your rules I found the following things:

>   iptables -t mangle -i eth2 -A PREROUTING -j CONNMARK --restore-mark
>   iptables -t mangle -i eth2 -A PREROUTING -m mark ! --mark 0 -j ACCEPT
>   < rules rules rules >
>   iptables -t mangle -i eth2 -A PREROUTING -m mark --mark 0 -j MARK --set-mark 2
>   iptables -t mangle -i eth2 -A PREROUTING -j CONNMARK --save-mark

There is nothing wrong with the rules but IPP2P will never match a packet
because the following thing happens:

Very first packet of a connection enters the box -> restore mark -> mark 0
-> traversing the chain -> no match -> set-mark 2 -> save mark

Every following packet of this connection enters the box -> restore mark ->
mark 2 -> ACCEPT (not traversing the chain again)

So what does this mean? The very first packet of every TCP connection (and
that's what IPP2P is all about) is a SYN and is answered by a
SYN,ACK. These packets don't contain data payload and hence can NOT contain any
P2P patterns IPP2P is looking for. You have to change the ruleset to let IPP2P
work!

If you want to verify that IPP2P is working just add the following rule to
your ruleset:

iptables -t mangle -I POSTROUTING 1 -p tcp -m ipp2p --ipp2p -j ACCEPT

iptables -t mangle -L -n -v -x should show you some hits in the POSTROUTING
chain now :-)

Hope that helps,
Mike.

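Mike's walk-through, worked as an added example (this is my illustration, not code from the thread, from IPP2P or from iptables): a small Python model of first-match chain traversal with a CONNMARK store, run over a constructed packet sequence with the quoted rule ordering and with one possible corrected ordering. The rule names, the P2P_TOKEN payload pattern, the sample flows and the corrected ruleset are all assumptions made for the demonstration; real IPP2P matches protocol-specific byte patterns, and the correction shown is one way to let the match see a data packet, not Mike's exact fix.

```python
"""Added illustration (not from the thread, IPP2P or iptables): model of the
PREROUTING chain quoted above, to show why
'restore-mark -> ACCEPT if marked -> ipp2p -> default mark -> save-mark'
never hands the ipp2p match a packet that carries payload."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    conn: str            # stand-in for the conntrack 5-tuple
    flags: str           # "SYN", "SYN-ACK", "ACK", "PSH-ACK" (informational)
    payload: bytes = b""
    mark: int = 0        # nfmark; starts at 0 for every packet


# Constructed stand-in for an IPP2P pattern (assumption: real IPP2P matches
# protocol-specific byte patterns, not this token).
P2P_TOKEN = b"P2P-PROTO"


@dataclass
class Box:
    connmark: dict = field(default_factory=dict)  # CONNMARK store per connection
    counters: dict = field(default_factory=dict)  # pkts per rule, like -L -v -x


# --- matches: (box, pkt) -> bool ---
def m_always(box, pkt):
    return True


def m_mark_is(value):
    return lambda box, pkt: pkt.mark == value


def m_mark_not(value):
    return lambda box, pkt: pkt.mark != value


def m_ipp2p(box, pkt):
    # A SYN or SYN-ACK carries no payload, so it can never match here.
    return pkt.payload.startswith(P2P_TOKEN) if pkt.payload else False


# --- targets: (box, pkt) -> "ACCEPT" (terminating) or None (continue) ---
def t_connmark_restore(box, pkt):
    pkt.mark = box.connmark.get(pkt.conn, 0)


def t_connmark_save(box, pkt):
    box.connmark[pkt.conn] = pkt.mark


def t_mark_set(value):
    def target(box, pkt):
        pkt.mark = value
    return target


def t_accept(box, pkt):
    return "ACCEPT"


def run_chain(box, rules, pkt):
    """First-match traversal: every matching rule fires its target and bumps
    its packet counter; a terminating target ends traversal for this packet."""
    for name, match, target in rules:
        if match(box, pkt):
            box.counters[name] = box.counters.get(name, 0) + 1
            if target(box, pkt) == "ACCEPT":
                return "ACCEPT"
    return "POLICY"


# The ordering quoted in the thread (rule names are mine).
ORIGINAL = [
    ("restore-mark",     m_always,      t_connmark_restore),
    ("accept-if-marked", m_mark_not(0), t_accept),
    ("ipp2p",            m_ipp2p,       t_mark_set(2)),
    ("default-mark",     m_mark_is(0),  t_mark_set(2)),
    ("save-mark",        m_always,      t_connmark_save),
]

# One possible correction (an assumption, not Mike's exact fix): no default
# mark, and save only once a rule has classified the connection, so
# unclassified connections keep being inspected until a data packet arrives.
CORRECTED = [
    ("restore-mark",     m_always,      t_connmark_restore),
    ("accept-if-marked", m_mark_not(0), t_accept),
    ("ipp2p",            m_ipp2p,       t_mark_set(2)),
    ("save-mark",        m_mark_not(0), t_connmark_save),
]


def sample_traffic():
    """Constructed packets: one P2P-looking flow (c1), one HTTP-looking flow (c2)."""
    return [
        Packet("c1", "SYN"), Packet("c1", "SYN-ACK"), Packet("c1", "ACK"),
        Packet("c1", "PSH-ACK", P2P_TOKEN + b" hello"),
        Packet("c1", "PSH-ACK", P2P_TOKEN + b" more"),
        Packet("c2", "SYN"), Packet("c2", "SYN-ACK"),
        Packet("c2", "PSH-ACK", b"GET / HTTP/1.1\r\n"),
    ]


def simulate(rules):
    """Run the sample traffic through a ruleset; return counters and connmarks."""
    box = Box()
    for pkt in sample_traffic():
        run_chain(box, rules, pkt)
    return {"counters": box.counters,
            "connmark": {c: box.connmark.get(c, 0) for c in ("c1", "c2")}}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(label, simulate(rules))
```

Running it prints the per-rule packet counters, which is what `iptables -t mangle -L -n -v -x` reports for the real chain: with the quoted ordering the ipp2p counter never moves, because the first packet of each connection gets the default mark saved and every later packet is ACCEPTed right after the restore; with the corrected ordering the first data packet reaches the ipp2p match and only then is a connmark saved, while the HTTP-like flow stays unmarked and keeps being inspected.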

* RE: [LARTC] limiting p2p
From: GoMi @ 2004-02-07 14:36 UTC (permalink / raw)
  To: lartc


Thank you Mike, it's doing great right now. I didn't notice it in my script. Thank you ;)

