Hi
After several days of testing and studying howtos and docs again ...
I want to limit all TCP traffic with the limit module to, say,
one connection per second, except some known traffic.
(This is because using p2p programs drives me crazy, as it brings my ADSL
modem down,
and I share my net with some users, and because the stream is encrypted
l7 does not work ...)
As I understand it, the limit module only works on queues, i.e.
INPUT, FORWARD, OUTPUT or user defined.
My idea now: create a user defined queue and limit this queue to
2 connections per minute (only to test).
Now my question:
How can I make sure that traffic with a mark set does not go to this queue?
What I do now is the following:
(I have some queues to prioritize traffic with the marks ...)
So I mark some traffic.
...
tc filter add dev $DEV parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10
iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j RETURN
I create a new queue "test" which all traffic should go to EXCEPT the marked
ones:
iptables -N test
### WHAT DO I HAVE TO PUT HERE SO THAT ALL MARKED, or say MARK 0x1, DO NOT GO TO
### test ...
iptables -A FORWARD -p tcp -j test
iptables -A test -p tcp -m state --state NEW -m recent --set
iptables -A test -p tcp -m state --state NEW -m recent --update --seconds 60 --hitcount 2 -j LOG
iptables -A test -p tcp -m state --state NEW -m recent --update --seconds 60 --hitcount 2 -j DROP
Or is there a much better way to do this?
Thanks a lot for any hints!
Beat
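The question above is how to keep packets that already carry fwmark 0x1 out of the user defined chain (what the post calls a queue). The mark set in mangle PREROUTING is still attached to the packet when it reaches filter FORWARD, so the mark match module can be used there to steer only unmarked TCP into the limiting chain. The script below is an added example, not the poster's own rule set: it reuses the chain name "test", the mark 0x1 and the 2-in-60-seconds threshold from the post; the "recent" list name "tcp_new", the log prefix and the dry-run variable IPT are assumptions.

```shell
# Added example (not from the original post): exclude fwmark 0x1 traffic
# from the rate-limiting chain "test" using "-m mark ! --mark 0x1".
# IPT defaults to a dry run ("echo iptables") so the rule set can be
# inspected without root; run with IPT=iptables to actually apply it.
IPT="${IPT:-echo iptables}"

build_rules() {
    $IPT -N test
    # Only unmarked TCP enters the limiting chain: packets tagged 0x1 by the
    # mangle PREROUTING rules (known traffic) never see the recent counters.
    $IPT -A FORWARD -p tcp -m mark ! --mark 0x1 -j test
    # Record every new TCP connection per source address in the named list
    # "tcp_new" (assumed name, keeps it separate from other recent lists) ...
    $IPT -A test -p tcp -m state --state NEW -m recent --name tcp_new --set
    # ... and log, then drop, once a source reaches --hitcount new
    # connections within --seconds.
    $IPT -A test -p tcp -m state --state NEW -m recent --name tcp_new \
        --update --seconds 60 --hitcount 2 -j LOG --log-prefix "tcp-newlimit: "
    $IPT -A test -p tcp -m state --state NEW -m recent --name tcp_new \
        --update --seconds 60 --hitcount 2 -j DROP
}

# Check helper: returns 0 when the generated rule set sends only unmarked
# TCP to the "test" chain.
marked_traffic_excluded() {
    build_rules | grep -q -- '-A FORWARD -p tcp -m mark ! --mark 0x1 -j test'
}

build_rules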
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc