From the ipp2p news page:

"quote"
I suggest the following tcp and udp for connection tracking (see docu section)

# iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
# iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
# iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark
# iptables -t mangle -A PREROUTING -p udp -m ipp2p --ipp2p -j MARK --set-mark 1

Detect TCP FIRST, SAVE the MARK, and detect UDP after you saved the mark!! You will now have every p2p packet marked, but a dramatic reduction of UDP mismatches.
"quote"

On 6/8/07, Salatiel Filho <salatiel.filho@xxxxxxxxx> wrote:

On 6/8/07, Saulo Silva <sauloaugustosilva@xxxxxxxxx> wrote:
> Hi Marcos,
>
> I tried your rules, but without success. Thanks for the help.
> And how about ipp2p? Could this application do that? Help me to shape edonkey traffic???
>
> Best Regards,
>
> Saulo Silva
>
>
> 2007/6/8, Marco Aurelio <marco.casaroli@xxxxxxxxx>:
> >
> > l7's edonkey filter does not match all edonkey traffic; it does not
> > match data packets (the ones you want to shape). It does match, however, the
> > signaling packets that can be related to data connections.
> >
> > I never tried L7 but I think these may help you:
> >
> > iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
> > iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
> > iptables -t mangle -A PREROUTING -m layer7 --l7proto edonkey -j MARK --set-mark 2
> > iptables -t mangle -A PREROUTING -p tcp -m mark --mark 2 -j CONNMARK --save-mark
> >
> >
> > On 6/8/07, Saulo Silva <sauloaugustosilva@xxxxxxxxx> wrote:
> > > Hi All,
> > >
> > > My first message, and I have a little problem with my FC6 box trying to block
> > > emule traffic using layer7.
> > >
> > > Here is my network:
> > >
> > > Internet --------- ADSL Router ------------------- FC6 Box -------------------- Emule Box
> > >
> > > external ADSL: Dynamic
> > > internal ADSL: 192.168.254.1
> > >
> > > external FC6: 192.168.254.3
> > > internal FC6: 192.168.253.1
> > >
> > > Emule Box: 192.168.253.3
> > >
> > > I guess that everything is ok with layer7. Here are my mangle rules.
> > >
> > > # iptables -t mangle -A PREROUTING -m layer7 --l7proto edonkey -j MARK --set-mark 2
> > > # iptables -t mangle -A PREROUTING -m mark --mark 2 -j LOG --log-prefix "PREROUTING MARK : "
> > >
> > > iptables -t mangle -A FORWARD -m layer7 --l7proto edonkey -j MARK --set-mark 2
> > > iptables -t mangle -A FORWARD -m mark --mark 2 -j LOG --log-prefix "FORWARD MARK : "
> > >
> > > The output from the log is:
> > >
> > > Jun 8 14:18:46 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=203.91.83.127 DST=192.168.253.3 LEN=180 TOS=0x00 PREC=0x00 TTL=105 ID=18725 PROTO=TCP SPT=51674 DPT=4662 WINDOW=16944 RES=0x00 ACK PSH URGP=0
> > >
> > > Jun 8 14:18:48 fs-linux kernel: PREROUTING MARK : IN=eth0 OUT= MAC=00:06:4f:47:ad:e0:00:0f:3d:cc:29:e0:08:00 SRC=200.209.170.138 DST=192.168.254.3 LEN=139 TOS=0x00 PREC=0x00 TTL=115 ID=18002 DF PROTO=TCP SPT=1476 DPT=4662 WINDOW=65535 RES=0x00 ACK PSH URGP=0
> > > Jun 8 14:18:48 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=200.209.170.138 DST=192.168.253.3 LEN=139 TOS=0x00 PREC=0x00 TTL=114 ID=18002 DF PROTO=TCP SPT=1476 DPT=4662 WINDOW=65535 RES=0x00 ACK PSH URGP=0
> > >
> > > Jun 8 14:18:51 fs-linux kernel: PREROUTING MARK : IN=eth0 OUT= MAC=00:06:4f:47:ad:e0:00:0f:3d:cc:29:e0:08:00 SRC=200.244.104.10 DST=192.168.254.3 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=7042 PROTO=TCP SPT=50675 DPT=4662 WINDOW=64952 RES=0x00 ACK FIN URGP=0
> > >
> > > Jun 8 14:18:51 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=200.244.104.10 DST=192.168.253.3 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=7042 PROTO=TCP SPT=50675 DPT=4662 WINDOW=64952 RES=0x00 ACK FIN URGP=0
> > >
> > > So it looks like the mark is working.
> > >
> > > So now I use the cbq.init script with this configuration:
> > >
> > > cat /etc/sysconfig/cbq/cbq-0002.emule_in
> > >
> > > DEVICE=eth0,100Mbit,10Mbit
> > > RATE=3Kbit
> > > WEIGHT=1Kbit
> > > PRIO=5
> > > BOUNDED=yes
> > > ISOLATED=yes
> > > MARK=2
> > >
> > > cat /etc/sysconfig/cbq/cbq-0002.emule_out
> > >
> > > DEVICE=eth1,100Mbit,10Mbit
> > > RATE=3Kbit
> > > WEIGHT=1Kbit
> > > PRIO=5
> > > BOUNDED=yes
> > > ISOLATED=yes
> > > MARK=2
> > >
> > > which generates these tc commands:
> > >
> > > /sbin/tc qdisc add dev eth0 root handle 1 cbq bandwidth 100Mbit avpkt 3000 cell 8
> > > /sbin/tc class change dev eth0 root cbq weight 10Mbit allot 1514
> > >
> > > /sbin/tc qdisc del dev eth1 root
> > > /sbin/tc qdisc add dev eth1 root handle 1 cbq bandwidth 100Mbit avpkt 3000 cell 8
> > > /sbin/tc class change dev eth1 root cbq weight 10Mbit allot 1514
> > >
> > > /sbin/tc class add dev eth0 parent 1: classid 1:2 cbq bandwidth 100Mbit rate 3Kbit weight 1Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 3000 bounded isolated
> > > /sbin/tc qdisc add dev eth0 parent 1:2 handle 2 tbf rate 3Kbit buffer 10Kb/8 limit 15Kb mtu 1500
> > > /sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 2 fw classid 1:2
> > >
> > > /sbin/tc class add dev eth1 parent 1: classid 1:2 cbq bandwidth 100Mbit rate 3Kbit weight 1Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 3000 bounded isolated
> > > /sbin/tc qdisc add dev eth1 parent 1:2 handle 2 tbf rate 3Kbit buffer 10Kb/8 limit 15Kb mtu 1500
> > > /sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 2 fw classid 1:2
> > >
> > > Can anyone explain to me what is wrong? Why can't I shape this traffic????
> > >
> > > Any help will be appreciated.
> > >
> > > Best Regards,
> > >
> > > Saulo Silva
>

I block all P2P traffic with ipp2p; it works great.

iptables -t mangle -A FORWARD -i eth0 -m ipp2p --ipp2p -j DROP

--
[]'s
Salatiel
"The greatest pleasure of the intelligent man is to play the fool in front of a fool who plays the intelligent man."

--
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext 5
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
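The point the ipp2p quote and Marco's l7 variant both make is that a pattern matcher only recognises some packets of a flow (for l7's edonkey pattern, the signalling packets, not the data), so the mark has to be copied to the conntrack entry with CONNMARK and restored onto every later packet, and the UDP matcher must run only after the TCP save. The script below is an added example for this thread, not code from any of the messages nor from the ipp2p or l7-filter projects (both of which are out-of-tree matches that need a patched kernel and iptables). It assumes, as in Saulo's diagram, that eth0 faces the ADSL router and eth1 the LAN, uses mark 1 for p2p, and uses placeholder HTB rates; set `IPT=echo TC=echo CT=echo` to see the commands without running them.

```shell
#!/bin/sh
# Added example (not from the thread, ipp2p or l7-filter): the connection-mark
# pattern from the ipp2p quote in the order it insists on, the tc "fw" filter
# that maps the mark to a shaping class, and the checks to see it working.
#
# Assumptions (mine): eth0 = WAN side, eth1 = LAN side, mark 1 = p2p, HTB rates
# are placeholders. IPT=echo TC=echo CT=echo prints instead of executing.
IPT=${IPT:-iptables}
TC=${TC:-tc}
CT=${CT:-conntrack}
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
P2P_MARK=${P2P_MARK:-1}

# Mangle rules. Order matters: a packet of an already-classified TCP flow is
# accepted at rule 2 and never reaches the matchers again, so the costly (and
# on UDP error-prone) ipp2p match runs once per TCP connection.
p2p_mark_rules() {
    # 1. copy the mark saved on the conntrack entry back onto this packet
    $IPT -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
    # 2. flow already classified: stop here. ACCEPT only ends this mangle
    #    chain; the filter table still sees the packet.
    $IPT -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
    # 3. detect TCP first ...
    $IPT -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark "$P2P_MARK"
    # 4. ... and save the mark on the connection, so the data packets the
    #    pattern itself never matches inherit it via rule 1
    $IPT -t mangle -A PREROUTING -p tcp -m mark --mark "$P2P_MARK" -j CONNMARK --save-mark
    # 5. only after the save: UDP is marked per packet and never saved
    $IPT -t mangle -A PREROUTING -p udp -m ipp2p --ipp2p -j MARK --set-mark "$P2P_MARK"
}

# tc side for one interface: HTB root, a default class, and a small class that
# the fw filter selects by skb mark (handle = the mark, no u32 selector).
# Run on $LAN to shape what the p2p host downloads, on $WAN for its uploads.
p2p_shape_rules() {
    dev=$1
    $TC qdisc del dev "$dev" root 2>/dev/null || true
    $TC qdisc add dev "$dev" root handle 1: htb default 10
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate 10mbit
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate 9mbit ceil 10mbit
    $TC class add dev "$dev" parent 1:1 classid 1:20 htb rate 64kbit ceil 128kbit prio 7
    $TC filter add dev "$dev" parent 1: protocol ip prio 200 handle "$P2P_MARK" fw classid 1:20
}

# Checks: per-rule packet counters (rule 2 should climb, rules 3-5 should not
# once flows are known), which conntrack entries carry the mark, and whether
# the p2p class on each interface is actually draining packets.
p2p_show() {
    $IPT -t mangle -L PREROUTING -v -n --line-numbers
    $CT -L --mark "$P2P_MARK" 2>/dev/null
    $TC -s class show dev "$LAN"
    $TC -s class show dev "$WAN"
}

case "${1:-}" in
    apply) p2p_mark_rules; p2p_shape_rules "$LAN"; p2p_shape_rules "$WAN" ;;
    show)  p2p_show ;;
    *)     : ;;   # no verb: only define the functions
esac
```

Run it as `sh p2p-mark.sh apply` on the router and `sh p2p-mark.sh show` a minute later: if the CONNMARK rules are doing their job, the ACCEPT rule's counter grows while the ipp2p rules stay nearly flat, and `conntrack -L --mark 1` lists the flows that were classified.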