In theory, for all p2p traffic matched by ipp2p you only need the "--ipp2p" parameter, not the rest you put. You could use this:

#FIRST allow your net p2p traffic:
iptables -A FORWARD -d mynet -m ipp2p --ipp2p -j ACCEPT
iptables -A FORWARD -s mynet -m ipp2p --ipp2p -j ACCEPT
#Next, drop p2p traffic that is not from your net:
iptables -A FORWARD -m ipp2p --ipp2p -j DROP

If these don't work (I remember some months ago I tested it and it didn't work fine), you'll need many rules, one per p2p type of traffic, like this:

iptables -A FORWARD -d mynet -m ipp2p --bit -j ACCEPT
iptables -A FORWARD -s mynet -m ipp2p --bit -j ACCEPT
iptables -A FORWARD -m ipp2p --bit -j DROP
iptables -A FORWARD -d mynet -m ipp2p --apple -j ACCEPT
iptables -A FORWARD -s mynet -m ipp2p --apple -j ACCEPT
iptables -A FORWARD -m ipp2p --apple -j DROP
...
iptables -A FORWARD -d mynet -m ipp2p --soul -j ACCEPT
iptables -A FORWARD -s mynet -m ipp2p --soul -j ACCEPT
iptables -A FORWARD -m ipp2p --soul -j DROP

Or if you don't want to write much, you can use:

export p2p_list="bit apple ... soul"
for i in ${p2p_list}; do
    iptables -A FORWARD -d mynet -m ipp2p --$i -j ACCEPT
    iptables -A FORWARD -s mynet -m ipp2p --$i -j ACCEPT
    iptables -A FORWARD -m ipp2p --$i -j DROP
done;

> Roberto Pereyra wrote:
>> Hi
>>
>> I am using ipp2p to block p2p traffic.
>>
>> How do I enable p2p use for my host in my net?
>>
>> I am using this setup:
>>
>> iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul --ares
>> -j DROP
>>
>>
>> This setup:
>>
>> iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul
>> --ares -d ! mynet -j DROP
>>
>> iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul
>> --ares -s ! mynet -j DROP
>>
>>
>> does not work ....
>
> Don't know really as I don't use ipp2p - but you could just match and
> return/accept mynet traffic before the ipp2p rules are hit.
>
> Andy.
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
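
Added example, not part of the original thread: the rules in the message above depend on the ACCEPT rules for your net being appended before the ipp2p DROP, so this shell function checks a rules script for that order. The function name check_p2p_order, the prefix 192.0.2.0/24 standing in for "mynet", and both sample rule sets are constructed for illustration; it assumes one rule per line in the same form as the commands in the message.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes one rule per line, written in
# the same form as the commands above; $1 is the prefix used for "mynet".
check_p2p_order() {
    awk -v net="$1" '
    # Consider only appended FORWARD rules that use the ipp2p match.
    $1 != "iptables" || $2 != "-A" || $3 != "FORWARD" || !/-m ipp2p/ { next }
    {
        target = ""; dir = ""; flags = ""
        for (i = 4; i <= NF; i++) {
            if ($i == "!") next          # negated matches are not analysed
            if ($i == "-j") target = $(i + 1)
            else if (($i == "-s" || $i == "-d") && $(i + 1) == net) dir = $i
            else if ($i ~ /^--/) flags = flags " " $i
        }
        n = split(flags, f, " ")
        for (k = 1; k <= n; k++) {
            if (target == "ACCEPT" && dir != "") {
                seen[f[k], dir] = 1      # exemption recorded for this flag
            } else if (target == "DROP" && dir == "") {
                # First match wins: both exemptions must already exist.
                if (!((f[k], "-s") in seen) || !((f[k], "-d") in seen)) {
                    printf "line %d: %s is dropped before %s is exempted\n", NR, f[k], net
                    bad = 1
                }
            }
        }
    }
    END { exit bad + 0 }'
}

# Constructed input: the --bit DROP comes before the -s exemption.
sample_bad='iptables -A FORWARD -d 192.0.2.0/24 -m ipp2p --bit -j ACCEPT
iptables -A FORWARD -m ipp2p --bit -j DROP
iptables -A FORWARD -s 192.0.2.0/24 -m ipp2p --bit -j ACCEPT'

# Constructed input: both exemptions precede the DROP.
sample_good='iptables -A FORWARD -d 192.0.2.0/24 -m ipp2p --ipp2p -j ACCEPT
iptables -A FORWARD -s 192.0.2.0/24 -m ipp2p --ipp2p -j ACCEPT
iptables -A FORWARD -m ipp2p --ipp2p -j DROP'

printf '%s\n' "$sample_good" | check_p2p_order 192.0.2.0/24 && echo "good: ok"
printf '%s\n' "$sample_bad" | check_p2p_order 192.0.2.0/24 || echo "bad: flagged"
```

The function exits non-zero when any ipp2p DROP is reached before both the -s and -d exemptions for the same flag, so it can gate a firewall script before the rules are loaded.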