On Wed, 2013-03-27 at 11:19 +0200, Dmitry Korzhevin wrote:
> 26.03.2013 23:28, Andrew Beverley wrote:
> > On Tue, 2013-03-26 at 21:53 +0200, Dmitry Korzhevin wrote:
> >> Hi,
> >>
> >> I'm using Debian 6.0.7 x86_64. I have installed xtables with xt_ipp2p
> >> and it seems I did something wrong, because my rules don't drop
> >> bittorrent traffic.
> >
> > My gut instinct is it's not working because ipp2p is old software and
> > may not match the bittorrent stream that you are using.
> >
> >> 1 33 2970 ACCEPT all -- eth0 * 10.2.0.2 0.0.0.0/0 policy match dir in pol ipsec reqid 116 proto 50
> >> 2 26 10983 ACCEPT all -- * eth0 0.0.0.0/0 10.2.0.2 policy match dir out pol ipsec reqid 116 proto 50
> >> 3 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ipp2p --bit
> >
> > Nonetheless, given that the default policy is ACCEPT, why not just
> > delete rules 1 and 2 to check whether that is the problem?
> >
> > Are you forwarding the bittorrent traffic to another machine or
> > downloading it locally? I see that you are using rules in both the INPUT
> > and FORWARD chains.
>
> Thank you for the answer! But I'm testing this netfilter module according
> to various internet howtos, where people claim that this module can block
> bittorrent traffic.

Yes, but that doesn't mean that it is guaranteed to match every bittorrent
implementation.

An alternative way of matching bittorrent traffic is to use the connlimit
module to look for lots of connections from a client above ports 1024. This
is pretty brutal and prone to false-positives, but it may work for you.
There is an example here:

http://andybev.com/index.php/Fair_traffic_shaping_an_ADSL_line_for_a_local_network_using_Linux

BTW: Please don't top-post.

Andy
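The connlimit approach Andy suggests, written out as an added example (not the thread's or andybev.com's own rules): a dedicated FORWARD sub-chain that rate-limits a LOG line before dropping, so the false positives he warns about show up in the kernel log before anyone is cut off. The LAN subnet, threshold and chain name are placeholders; set IPTABLES="echo iptables" to preview the commands without root.

```shell
#!/bin/sh
# Added example: heuristic BitTorrent match with xt_connlimit, as described
# in the thread. Flags a LAN host holding more than THRESHOLD parallel TCP
# connections to high (>1024) destination ports, logs it, then drops new SYNs.
IPTABLES="${IPTABLES:-iptables}"      # "echo iptables" gives a dry run
LAN_NET="${LAN_NET:-10.2.0.0/24}"     # constructed placeholder subnet
THRESHOLD="${THRESHOLD:-40}"          # constructed; tune after watching the log
CHAIN="P2P_HEURISTIC"                 # constructed chain name

# One place for the match so the LOG/DROP rules and the -D removal agree.
# --connlimit-mask 32 counts per source host; --connlimit-above fires once
# that host already has more than THRESHOLD matching connections.
p2p_match() {
    echo "-p tcp --syn -s $LAN_NET --dport 1024:65535 -m connlimit --connlimit-above $THRESHOLD --connlimit-mask 32"
}

install_rules() {
    # Separate chain: can be flushed/removed while the rest of FORWARD stays.
    $IPTABLES -N "$CHAIN" 2>/dev/null || $IPTABLES -F "$CHAIN"
    # Rate-limited log first, so a noisy false positive cannot flood syslog.
    $IPTABLES -A "$CHAIN" -m limit --limit 6/min -j LOG --log-prefix "p2p-connlimit: "
    $IPTABLES -A "$CHAIN" -j DROP
    # Insert at position 1 so earlier ACCEPT rules (like the ipsec ones in
    # the quoted listing) cannot shadow it.
    # shellcheck disable=SC2046
    $IPTABLES -I FORWARD 1 $(p2p_match) -j "$CHAIN"
}

remove_rules() {
    # shellcheck disable=SC2046
    $IPTABLES -D FORWARD $(p2p_match) -j "$CHAIN"
    $IPTABLES -F "$CHAIN" && $IPTABLES -X "$CHAIN"
}
```

Run install_rules first with the dry run, then for real, and watch `dmesg` for "p2p-connlimit:" lines to see which hosts the threshold catches before relying on the DROP.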