> I believe that whole question is on topic.
> Is there any way to recognize (and then shape) p2p traffic which is encrypted?
> Modern p2p clients have this ability; moreover, some of them have this enabled by default.
> Now I'm using ipp2p for iptables, but as far as I know this doesn't recognize encrypted traffic.

One way to do this is to look for the style of traffic. For example, I look for lots of connections from one PC to port numbers above 1024. This will also incorrectly recognise some other traffic, but on the whole it works well for me.

The following are some examples using connlimit (now included in the vanilla kernel) and ipset (see http://ipset.netfilter.org/):

# the set has to exist before the rules reference it (assumed setup step;
# the timeout lets a flagged client age out again)
ipset create p2p hash:ip timeout 3600

# first look for style of traffic and log that client to an ipset
# (outbound via ppp0: the LAN client is the source; inbound: the destination)
iptables -t mangle -A FORWARD -o ppp0 -p tcp --dport 1024: \
    -m connlimit --connlimit-above 10 -j SET --add-set p2p src
iptables -t mangle -A FORWARD -o ppp0 -p udp --dport 1024: \
    -m connlimit --connlimit-above 10 -j SET --add-set p2p src
iptables -t mangle -A FORWARD -i ppp0 -p tcp --sport 1024: \
    -m connlimit --connlimit-above 10 -j SET --add-set p2p dst
iptables -t mangle -A FORWARD -i ppp0 -p udp --sport 1024: \
    -m connlimit --connlimit-above 10 -j SET --add-set p2p dst

# then shape traffic above port 1024 for those detected clients;
# the mark is what the tc filters match on. The set check has to use the
# same src/dst side as the rules above (the original used dst on the
# outbound rules too, which never matches because the set holds LAN
# addresses). --match-set is the current spelling of the old --set option.
iptables -t mangle -A FORWARD -o ppp0 -p tcp --dport 1024: \
    -m set --match-set p2p src -j MARK --set-mark 60
iptables -t mangle -A FORWARD -i ppp0 -p tcp --sport 1024: \
    -m set --match-set p2p dst -j MARK --set-mark 60
iptables -t mangle -A FORWARD -o ppp0 -p udp --dport 1024: \
    -m set --match-set p2p src -j MARK --set-mark 60
iptables -t mangle -A FORWARD -i ppp0 -p udp --sport 1024: \
    -m set --match-set p2p dst -j MARK --set-mark 60

Regards,

Andy Beverley

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
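The heuristic above can be tried offline before it is put on a router. The script below is an added example, not code from the post: it replays the "many connections from one PC to ports above 1024" test over constructed conntrack-style records, so the threshold (the post's --connlimit-above 10) and the false-positive caveat can be seen side by side. It assumes a simplified "proto src dst dport" record layout and documentation addresses; both are constructed here.

```shell
#!/bin/sh
# Added example, not from Andy's post: replay the "many connections to
# ports above 1024" heuristic offline over constructed conntrack-style
# records, to see what the threshold catches and what it leaves alone.
# Assumptions: the record layout "proto src dst dport" is a constructed
# simplification of conntrack output; addresses are documentation ranges.

# Constructed sample: a p2p-like client with 12 peers on high ports, a
# browser-like client with 15 connections that all go to 443, and a client
# with only two high-port flows (VoIP-style).
sample_flows() {
    i=0
    while [ "$i" -lt 12 ]; do
        echo "tcp 192.168.1.10 203.0.113.$((i + 1)) $((50000 + i))"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 15 ]; do
        echo "tcp 192.168.1.20 198.51.100.$((i + 1)) 443"
        i=$((i + 1))
    done
    echo "udp 192.168.1.30 203.0.113.99 5060"
    echo "udp 192.168.1.30 203.0.113.99 10000"
}

# Read flow records on stdin; print "client count" for every source whose
# number of tcp/udp flows to dport >= 1024 exceeds the threshold in $1.
# This mirrors what connlimit counts per rule: the threshold maps onto
# --connlimit-above and the port test onto --dport 1024:.
high_port_clients() {
    awk -v thr="$1" '
        ($1 == "tcp" || $1 == "udp") && $4 + 0 >= 1024 { n[$2]++ }
        END { for (c in n) if (n[c] > thr) print c, n[c] }
    ' | sort
}

# Turn the verdict into the ipset commands the firewall rules consume.
# Printed rather than executed, so the script needs no root or netfilter.
ipset_commands() {
    high_port_clients "$1" | awk '{ print "ipset add p2p " $1 }'
}

# Stand-alone run: threshold 10, matching --connlimit-above 10 in the post.
sample_flows | ipset_commands 10
```

The browser-like client is never flagged because all of its connections go to a port below 1024, which is exactly why the port test is part of the heuristic; the VoIP-style client stays below the threshold.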