On Wednesday, 11 June 2003 20:43, mikee wrote:
> > another thing.. this rule just filters the initial download request.. that
> > would be okay if you want to filter completely, but if you want to slow
> > down (I mean using tc/htb/fwmarks) you wouldn't be matching the whole
> > download, only the request...
> >
> > iptables -t mangle -A PREROUTING -p tcp -m string --string "Kazaa" -j DROP
> >
> > any comment, any idea?
>
> you can use the iptables connmark extension (from patch-o-matic) to mark all
> packets from a connection, i.e.:
>
> iptables -t mangle -N detect-abusers
> # if string kazaa detected then connection will be marked
> iptables -t mangle -A detect-abusers -m string --string 'KaZaA' -j CONNMARK \
>     --set-mark 0x1
>
> # check if connection is marked, if not inspect packet
> iptables -t mangle -A PREROUTING -m connmark --mark 0x0 -j detect-abusers
> # set packet mark with those from connmark
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

Hello,

I'm filtering Kazaa with these strings and it works fine with:

$IPTABLES -A FORWARD -p tcp -m string --string X-Kazaa-Username: -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -m string --string X-Kazaa-Network: -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -m string --string X-Kazaa-IP: -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -m string --string X-Kazaa-SupernodeIP: -j REJECT --reject-with tcp-reset

With friendly Regards
Andre
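The two halves of this thread fit together: the X-Kazaa-* header strings Andre rejects on can just as well feed mikee's CONNMARK chain, so that the connection is marked once on the request and every later packet (including the reply direction, which the string match alone never sees) is steered into a slow HTB class instead of being dropped. The script below is an added example, not code from the thread or from the netfilter project. It assumes a current iptables and kernel where the string and connmark matches are in-tree (the string match now requires `--algo`), an egress interface `SHAPE_IF` where the HTB qdisc lives (the LAN-facing side when throttling downloads toward clients), and the mark, class id and rates shown, all of which are illustrative values.

```shell
#!/bin/sh
# Added example (not from the original thread): mark a Kazaa connection when
# a packet carrying one of the X-Kazaa-* headers is seen, re-apply that mark
# to every later packet of the same connection, and hand marked packets to a
# throttled HTB class instead of dropping them.
#
# Assumptions: in-tree string/connmark matches (string match needs --algo),
# HTB qdisc on the egress side SHAPE_IF, connection mark MARK, slow class
# SLOW_CLASS. Interface, mark and rates below are illustrative.

SHAPE_IF="${SHAPE_IF:-eth1}"      # egress interface toward the clients
MARK="${MARK:-0x1}"               # connection mark for detected flows
SLOW_CLASS="${SLOW_CLASS:-1:20}"  # HTB class that receives marked packets
DRY_RUN="${DRY_RUN:-1}"           # 1 = only print commands, 0 = execute (root)

# Header strings the thread uses to recognise Kazaa traffic.
KAZAA_STRINGS="X-Kazaa-Username: X-Kazaa-Network: X-Kazaa-IP: X-Kazaa-SupernodeIP:"

# Print the mangle-table rules, one command per line.
kazaa_mark_rules() {
    echo "iptables -t mangle -N detect-abusers"
    # A hit on any header marks the *connection*, so the whole transfer,
    # reply packets included, inherits the mark from conntrack.
    for s in $KAZAA_STRINGS; do
        echo "iptables -t mangle -A detect-abusers -p tcp -m string --algo bm --string '$s' -j CONNMARK --set-mark $MARK"
    done
    # Only connections that carry no mark yet are string-inspected.
    echo "iptables -t mangle -A PREROUTING -m connmark --mark 0x0 -j detect-abusers"
    # Copy the connection mark onto each packet so tc's fw classifier sees it.
    echo "iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark"
}

# Print the tc commands: an HTB tree with a small class selected by fwmark.
kazaa_tc_rules() {
    echo "tc qdisc add dev $SHAPE_IF root handle 1: htb default 10"
    echo "tc class add dev $SHAPE_IF parent 1: classid 1:1 htb rate 10mbit"
    echo "tc class add dev $SHAPE_IF parent 1:1 classid 1:10 htb rate 9mbit ceil 10mbit"
    echo "tc class add dev $SHAPE_IF parent 1:1 classid $SLOW_CLASS htb rate 64kbit ceil 128kbit"
    # fw classifier: packets whose mark equals MARK land in the slow class.
    echo "tc filter add dev $SHAPE_IF parent 1: protocol ip prio 1 handle $MARK fw classid $SLOW_CLASS"
}

# Print (DRY_RUN=1) or execute (DRY_RUN=0) every command; fails on first error.
apply_rules() {
    { kazaa_mark_rules; kazaa_tc_rules; } | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
        else
            sh -c "$cmd" || return 1
        fi
    done
}

# Usage: sh kazaa-shape.sh (prints the rules); DRY_RUN=0 sh kazaa-shape.sh (applies them)
apply_rules
```

The order of the two PREROUTING rules matters: the `--restore-mark` rule must come after the detection jump, otherwise the first packet of a freshly marked connection leaves the chain unmarked. Run it once with the default `DRY_RUN=1` and read the printed rules before applying them.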