For dropping purposes you only need to match the first packet and
prevent the connection from starting, but for both forwarding and
accepting you'll need to mark the whole connection. For most p2p that
ipp2p matches, it will only match the first packet of the connection;
all further packets would be dropped with a simple rule like this.
You really need to do something like this:
MARKP2P=3
iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -p tcp -m mark --mark $MARKP2P -j ACCEPT
# p2p marking
iptables -t mangle -A PREROUTING -m ipp2p --bit --edk --kazaa --gnu --dc -j MARK --set-mark ${MARKP2P}
iptables -t mangle -A PREROUTING -p tcp -m mark --mark ${MARKP2P} -j CONNMARK --save-mark
iptables -A FORWARD -m mark --mark ${MARKP2P} -j ACCEPT
I'm using something similar to this for all my shaping, works great for
that. I don't see why the same connection marking shouldn't work for
accepting
- Jody
Andreas Klauer wrote:
On Thursday 22 September 2005 22:32, LinuXKiD wrote:
iptables -A FORWARD -m ipp2p --ipp2p -j ACCEPT
iptables -A FORWARD -m ipp2p --ares -j ACCEPT
Assuming that packets which are not accepted get dropped, IPP2P would have
to match the very first packet of every P2P connection for this to work
properly. I'm not sure that's a given. So far I've only used it for
shaping and dropping purposes, and in both cases it does not matter whether
the matched packet is the first, second, or third one...
Regards,
Andreas
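To make the difference between the two rule sets in this thread concrete, here is a small simulation added as an example (it is not code from the thread or from the ipp2p/iptables projects). It models conntrack's per-connection mark and the rule order from the post above, under the assumption the thread discusses: ipp2p only recognises the first packet of a p2p connection. The flow tuples and packet sequence are constructed sample data; `naive_forward` stands for the plain `-m ipp2p -j ACCEPT` rule with a default DROP policy, and `connmark_forward` for the CONNMARK restore/set/save sequence.

```python
# Added example: simulates per-packet MARK versus per-connection CONNMARK
# handling for a FORWARD chain whose default policy is DROP.
from dataclasses import dataclass

MARKP2P = 3  # same mark value as in the post


@dataclass(frozen=True)
class Packet:
    flow: tuple     # (src, sport, dst, dport) identifies the connection
    seq: int        # 0 for the first packet of the connection
    p2p: bool       # constructed flag: does this flow carry p2p traffic?


def ipp2p_matches(pkt):
    # Assumption from the thread: the protocol signature is only visible in
    # the first packet, so later packets of the same flow do not match.
    return pkt.p2p and pkt.seq == 0


def naive_forward(pkt, conntrack):
    """iptables -A FORWARD -m ipp2p ... -j ACCEPT, everything else dropped."""
    return "ACCEPT" if ipp2p_matches(pkt) else "DROP"


def connmark_forward(pkt, conntrack):
    """mangle PREROUTING: restore mark, classify if unknown, save mark;
    FORWARD: accept packets carrying the p2p mark."""
    mark = conntrack.get(pkt.flow, 0)      # CONNMARK --restore-mark
    if mark != MARKP2P:                    # flow not yet known as p2p
        if ipp2p_matches(pkt):             # MARK --set-mark
            mark = MARKP2P
            conntrack[pkt.flow] = mark     # CONNMARK --save-mark
    return "ACCEPT" if mark == MARKP2P else "DROP"


def run(policy, packets):
    """Push packets through a policy sharing one conntrack mark table."""
    conntrack = {}
    return [policy(p, conntrack) for p in packets]


# Constructed sample traffic: one p2p flow and one unrelated flow.
P2P_FLOW = ("10.0.0.2", 40000, "198.51.100.7", 4662)
OTHER_FLOW = ("10.0.0.3", 40001, "198.51.100.8", 443)
P2P_PACKETS = [Packet(P2P_FLOW, i, True) for i in range(4)]
OTHER_PACKETS = [Packet(OTHER_FLOW, i, False) for i in range(4)]

if __name__ == "__main__":
    print("naive, p2p flow    :", run(naive_forward, P2P_PACKETS))
    print("connmark, p2p flow :", run(connmark_forward, P2P_PACKETS))
    print("connmark, other    :", run(connmark_forward, OTHER_PACKETS))
```

With the naive rule only the first packet of the p2p flow is accepted and the connection stalls; with the connmark sequence the saved mark is restored onto every later packet, so the whole connection passes, while the unrelated flow still hits the default DROP in both cases.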
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc