Re: CBQ + Layer7 x Emule

Linux Advanced Routing and Traffic Control


 





On 6/8/07, Saulo Silva <sauloaugustosilva@xxxxxxxxx> wrote:
Hi Marcos,

I tried your rules, but without success. Thanks for the help.
And how about ipp2p? Could this application do that, and help me shape edonkey traffic?

Best Regards,

Saulo Silva

2007/6/8, Marco Aurelio <marco.casaroli@xxxxxxxxx>:
l7's edonkey filter does not match all edonkey traffic; it does not
match data packets (which you want to shape). It does, however, match the
signaling packets that can be related to data connections.

I never tried L7, but I think these may help you:

iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -mlayer7 --l7proto edonkey -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m mark --mark 2 -j CONNMARK --save-mark


On 6/8/07, Saulo Silva <sauloaugustosilva@xxxxxxxxx> wrote:
> Hi All ,
>
> This is my first message, and I have a little problem with my FC6 box trying to block
> emule traffic using layer7.
>
> Here is my network:
>
> Internet --------- ADSL Router ------------------- FC6 Box -------------------- Emule Box
>
> external ADSL : Dynamic
> Internal ADSL  : 192.168.254.1
>
> external FC6  : 192.168.254.3
> internal FC6 : 192.168.253.1
>
> Emule Box : 192.168.253.3
>
> I guess that everything is OK with layer7. Here are my mangle rules.
>
> # iptables -t mangle -A PREROUTING -mlayer7 --l7proto edonkey -j MARK --set-mark 2
> # iptables -t mangle -A PREROUTING -m mark --mark 2 -j LOG --log-prefix "PREROUTING MARK : "
>
>
> iptables -t mangle -A FORWARD -mlayer7 --l7proto edonkey -j MARK --set-mark 2
> iptables -t mangle -A FORWARD -m mark --mark 2 -j LOG --log-prefix "FORWARD MARK : "
>
> The output from the log is:
>
> Jun  8 14:18:46 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=203.91.83.127 DST=192.168.253.3 LEN=180 TOS=0x00 PREC=0x00 TTL=105 ID=18725 PROTO=TCP SPT=51674 DPT=4662 WINDOW=16944 RES=0x00 ACK PSH URGP=0
>
> Jun  8 14:18:48 fs-linux kernel: PREROUTING MARK : IN=eth0 OUT= MAC=00:06:4f:47:ad:e0:00:0f:3d:cc:29:e0:08:00 SRC=200.209.170.138 DST=192.168.254.3 LEN=139 TOS=0x00 PREC=0x00 TTL=115 ID=18002 DF PROTO=TCP SPT=1476 DPT=4662 WINDOW=65535 RES=0x00 ACK PSH URGP=0
> Jun  8 14:18:48 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=200.209.170.138 DST=192.168.253.3 LEN=139 TOS=0x00 PREC=0x00 TTL=114 ID=18002 DF PROTO=TCP SPT=1476 DPT=4662 WINDOW=65535 RES=0x00 ACK PSH URGP=0
>
> Jun  8 14:18:51 fs-linux kernel: PREROUTING MARK : IN=eth0 OUT= MAC=00:06:4f:47:ad:e0:00:0f:3d:cc:29:e0:08:00 SRC=200.244.104.10 DST=192.168.254.3 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=7042 PROTO=TCP SPT=50675 DPT=4662 WINDOW=64952 RES=0x00 ACK FIN URGP=0
>
> Jun  8 14:18:51 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=200.244.104.10 DST=192.168.253.3 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=7042 PROTO=TCP SPT=50675 DPT=4662 WINDOW=64952 RES=0x00 ACK FIN URGP=0
>
> So it looks like the mark is working.
>
> So now I use the cbq.init script with this configuration:
>
> cat /etc/sysconfig/cbq/cbq-0002.emule_in
>
> DEVICE=eth0,100Mbit,10Mbit
> RATE=3Kbit
> WEIGHT=1Kbit
> PRIO=5
> BOUNDED=yes
> ISOLATED=yes
> MARK=2
>
> cat /etc/sysconfig/cbq/cbq-0002.emule_out
> DEVICE=eth1,100Mbit,10Mbit
> RATE=3Kbit
> WEIGHT=1Kbit
> PRIO=5
> BOUNDED=yes
> ISOLATED=yes
> MARK=2
>
> That generates these tc commands:
>
> /sbin/tc qdisc add dev eth0 root handle 1 cbq bandwidth 100Mbit avpkt 3000 cell 8
> /sbin/tc class change dev eth0 root cbq weight 10Mbit allot 1514
>
> /sbin/tc qdisc del dev eth1 root
> /sbin/tc qdisc add dev eth1 root handle 1 cbq bandwidth 100Mbit avpkt 3000 cell 8
> /sbin/tc class change dev eth1 root cbq weight 10Mbit allot 1514
>
> /sbin/tc class add dev eth0 parent 1: classid 1:2 cbq bandwidth 100Mbit rate 3Kbit weight 1Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 3000 bounded isolated
> /sbin/tc qdisc add dev eth0 parent 1:2 handle 2 tbf rate 3Kbit buffer 10Kb/8 limit 15Kb mtu 1500
> /sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 2 fw classid 1:2
>
> /sbin/tc class add dev eth1 parent 1: classid 1:2 cbq bandwidth 100Mbit rate 3Kbit weight 1Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 3000 bounded isolated
> /sbin/tc qdisc add dev eth1 parent 1:2 handle 2 tbf rate 3Kbit buffer 10Kb/8 limit 15Kb mtu 1500
> /sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 2 fw classid 1:2
>
> Can anyone explain to me what is wrong? Why can't I shape this traffic?
>
> Any help will be appreciated.
>
> Best Regards,
>
> Saulo Silva
>
> _______________________________________________
> LARTC mailing list
> LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
>


--
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext 5



I block all P2P traffic with ipp2p; it works great.
iptables -t mangle -i eth0 -A FORWARD -m ipp2p --ipp2p -j DROP


--
[]'s
Salatiel

"The greatest pleasure of an intelligent person is to play the idiot
   in front of an idiot who plays at being intelligent."
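
To see what LOG rules like the ones in the quoted post actually recorded, the following added example (not part of any message in the thread) groups such kernel log lines by hook and flow and reports packet count, total bytes and largest IP length. The function names are made up for this example; the sample input is the five log entries from the post with the HTML residue removed, plus two constructed lines.

```shell
# Added example, not from the thread. Summarise netfilter LOG lines per hook and flow.
# Output columns: hook src:sport dport packets bytes max_ip_len
summarize_marks() {
    awk '
    / MARK : / {
        hook = ""; src = ""; spt = ""; dpt = ""; iplen = 0
        # UDP entries carry a second LEN= (UDP length); only the first (IP) one is used.
        for (i = 2; i <= NF; i++) {
            if ($i == "MARK" && $(i + 1) == ":") hook = $(i - 1)
            else if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^SPT=/) spt = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^LEN=/ && iplen == 0) iplen = substr($i, 5) + 0
        }
        if (hook == "" || src == "") next
        key = hook " " src ":" spt " " dpt
        pkts[key]++; bytes[key] += iplen
        if (iplen > maxlen[key]) maxlen[key] = iplen
    }
    END { for (k in pkts) print k, pkts[k], bytes[k], maxlen[k] }
    ' | LC_ALL=C sort
}

# Sample input: the first five lines are the log entries from the post with the
# HTML residue removed; the last two are constructed for this example.
sample_log() {
    cat <<'EOF'
Jun  8 14:18:46 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=203.91.83.127 DST=192.168.253.3 LEN=180 TOS=0x00 PREC=0x00 TTL=105 ID=18725 PROTO=TCP SPT=51674 DPT=4662 WINDOW=16944 RES=0x00 ACK PSH URGP=0
Jun  8 14:18:48 fs-linux kernel: PREROUTING MARK : IN=eth0 OUT= MAC=00:06:4f:47:ad:e0:00:0f:3d:cc:29:e0:08:00 SRC=200.209.170.138 DST=192.168.254.3 LEN=139 TOS=0x00 PREC=0x00 TTL=115 ID=18002 DF PROTO=TCP SPT=1476 DPT=4662 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jun  8 14:18:48 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=200.209.170.138 DST=192.168.253.3 LEN=139 TOS=0x00 PREC=0x00 TTL=114 ID=18002 DF PROTO=TCP SPT=1476 DPT=4662 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jun  8 14:18:51 fs-linux kernel: PREROUTING MARK : IN=eth0 OUT= MAC=00:06:4f:47:ad:e0:00:0f:3d:cc:29:e0:08:00 SRC=200.244.104.10 DST=192.168.254.3 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=7042 PROTO=TCP SPT=50675 DPT=4662 WINDOW=64952 RES=0x00 ACK FIN URGP=0
Jun  8 14:18:51 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=200.244.104.10 DST=192.168.253.3 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=7042 PROTO=TCP SPT=50675 DPT=4662 WINDOW=64952 RES=0x00 ACK FIN URGP=0
Jun  8 14:18:52 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=203.91.83.127 DST=192.168.253.3 LEN=60 TOS=0x00 PREC=0x00 TTL=105 ID=18726 PROTO=TCP SPT=51674 DPT=4662 WINDOW=16944 RES=0x00 ACK PSH URGP=0
Jun  8 14:18:53 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.253.3 LEN=46 TOS=0x00 PREC=0x00 TTL=110 ID=4321 PROTO=UDP SPT=4672 DPT=4672 LEN=26
EOF
}

sample_log | summarize_marks
```

On a live box the function can be fed from wherever the kernel log is written, for example `grep 'MARK : ' /var/log/messages | summarize_marks` (the log path is an assumption).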