Bah, I don't know why I didn't notice this before in your previous email. It's obvious now that you gave the stats output:

iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --restore-mark

that line is horribly wrong, it should be:

iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark

The whole point is that ipp2p can't match on every packet! So you save the mark and then restore it. However, you were conditionally restoring the mark only when ipp2p matched, which completely defeats the purpose.

There's also no reason to have the "-m ipp2p --ipp2p" when saving the mark, as this adds more work than is necessary. Instead of:

iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --save-mark

I'd suggest:

iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark

As this match would be much faster, and would mean no redundant work on matching ipp2p.

I'd also suggest combining your tcp and udp matches for ipp2p into 1.

I'd also suggest not using "-m ipp2p --ipp2p", instead listing out the protocols to match, even if it's all of them. For some reason, --ipp2p doesn't match all of the safe-to-identify protocols. I used it at one point but then after updating it stopped including bittorrent. As listed on the ipp2p docs right now:

-m ipp2p --ipp2p
-m ipp2p --edk --kazaa --gnu --dc

are identical, meaning --ipp2p only matches edonkey, kazaa, gnutella, and directconnect, leaving out the very easy to match and common Bittorrent. I'd suggest using:

-m ipp2p --edk --kazaa --gnu --dc --bit

In the end this would result in this for your script:

#restore mark
iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
#skip rest of chain if packet already marked
iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
#match p2p traffic.
iptables -t mangle -A DSL-IN -m ipp2p --bit --edk --kazaa --gnu --dc -j MARK --set-mark 7
#save mark
iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark

- Jody

On 2/6/06, Vaidas <admin@xxxxxx> wrote:
>
> Hey, one more question for ipp2p
>
> iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --restore-mark
> iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j MARK --set-mark 7
> iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --save-mark
> iptables -t mangle -A DSL-IN -p udp -m ipp2p --ipp2p -j MARK --set-mark 7
>
> By this set of commands, should all p2p packets be marked? Because very few of them are marked on my server…
>
> Chain DSL-IN (1 references)
>   pkts    bytes target    prot opt in  out  source    destination
>  13708  2260152 CONNMARK  tcp  --  any any  anywhere  anywhere     ipp2p v0.8.1_rc1 --ipp2p CONNMARK restore
>  11456  2016247 ACCEPT    tcp  --  any any  anywhere  anywhere     MARK match !0x0
>   2252   243905 MARK      tcp  --  any any  anywhere  anywhere     ipp2p v0.8.1_rc1 --ipp2p MARK set 0x7
>   2252   243905 CONNMARK  tcp  --  any any  anywhere  anywhere     ipp2p v0.8.1_rc1 --ipp2p CONNMARK save
> 183300 33333958 MARK      udp  --  any any  anywhere  anywhere     ipp2p v0.8.1_rc1 --ipp2p MARK set 0x7
>
> Only a few Kbytes of tcp, and a few Mbytes of udp.. but downloading was up at 320kbps all night.
>
> ______________________________________
> Vaidas
> VDXnet systems administrator
> _______________________________________________
> LARTC mailing list
> LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
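To make Jody's point about the conditional restore concrete, here is an added simulation that is not part of this thread and does not run iptables. It models the DSL-IN chain as a list of (protocol, match, target) rules, keeps a per-connection conntrack mark next to the per-packet mark, and stands in for ipp2p with a constructed flow in which only the first couple of packets carry a recognisable signature (the rest of the flow is plain payload that ipp2p cannot classify, which is the situation the reply describes). Rule names, flow layout and packet counts are assumptions made for the model.

```python
"""Model of a mangle chain with MARK/CONNMARK, to compare the two rule sets in the thread."""
from dataclasses import dataclass


@dataclass
class Packet:
    conn: str           # connection id; stands in for the conntrack entry
    proto: str          # "tcp" or "udp"
    p2p_payload: bool   # True if ipp2p's signature check would match this packet
    mark: int = 0       # per-packet mark (skb->mark), always 0 when the packet arrives


class ChainSim:
    """Minimal model of one iptables chain: rules are tried in order, ACCEPT stops traversal."""

    def __init__(self):
        self.connmarks = {}  # conntrack mark per connection (what CONNMARK save/restore touches)

    def run(self, rules, pkt):
        for proto, match, target in rules:
            if proto is not None and proto != pkt.proto:   # -p tcp / -p udp
                continue
            if not match(pkt):                              # -m ipp2p / -m mark
                continue
            if target == "restore":                         # CONNMARK --restore-mark
                pkt.mark = self.connmarks.get(pkt.conn, 0)
            elif target == "save":                          # CONNMARK --save-mark
                self.connmarks[pkt.conn] = pkt.mark
            elif target == "accept":                        # ACCEPT: leave the chain
                return pkt.mark
            elif target.startswith("set:"):                 # MARK --set-mark N
                pkt.mark = int(target[4:])
        return pkt.mark


def any_pkt(p):      # no -m match at all
    return True


def ipp2p(p):        # -m ipp2p ... : only fires on packets carrying a signature
    return p.p2p_payload


def marked(p):       # -m mark ! --mark 0
    return p.mark != 0


# Rule set as posted by Vaidas: restore and save are gated on ipp2p matching.
ORIGINAL_RULES = [
    ("tcp", ipp2p, "restore"),
    ("tcp", marked, "accept"),
    ("tcp", ipp2p, "set:7"),
    ("tcp", ipp2p, "save"),
    ("udp", ipp2p, "set:7"),
]

# Rule set as suggested by Jody: unconditional restore, save gated on a non-zero mark.
SUGGESTED_RULES = [
    ("tcp", any_pkt, "restore"),
    ("tcp", marked, "accept"),
    (None, ipp2p, "set:7"),
    ("tcp", marked, "save"),
]


def make_flow(conn, proto, n, signature_pkts):
    """Constructed flow: only packets whose index is in signature_pkts look like p2p to ipp2p."""
    return [Packet(conn, proto, i in signature_pkts) for i in range(n)]


def marked_count(rules, flow):
    """Number of packets in the flow that leave the chain with mark 7."""
    sim = ChainSim()
    return sum(1 for pkt in flow if sim.run(rules, pkt) == 7)


if __name__ == "__main__":
    flow = make_flow("dl-1", "tcp", 100, {0, 1})
    print("original rules mark", marked_count(ORIGINAL_RULES, flow), "of 100 tcp packets")
    flow = make_flow("dl-1", "tcp", 100, {0, 1})
    print("suggested rules mark", marked_count(SUGGESTED_RULES, flow), "of 100 tcp packets")
```

With the original rules only the two signature packets end up marked, because the restore rule never fires for the unclassifiable remainder of the flow, so the saved conntrack mark is never copied back to those packets; this matches the pattern in the counters Vaidas posted, where the ACCEPT and MARK rules see only a fraction of the traffic. With the suggested rules every packet after the first is marked by the restore step alone. The model also shows the limit of the udp rule in both sets: with no CONNMARK on udp, only the udp packets ipp2p itself classifies are marked.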