After varying degrees of success with p2p detection modules, I would like to
write the following rules using iptables to reliably identify p2p traffic:

1. If a host on the network has 5 or more simultaneous tcp connections to ports
above 1024, mark all connections to ports 1024 and above as 60.

2. If a host has received (or sent) UDP packets from 5 different hosts' ports
above 1024 in a minute then classify all UDP traffic to and from that host
above port 1024 as 60.

Number 1 can almost be achieved using something similar to:
iptables .. --dport 1024: -m connlimit --connlimit-above 5 -j MARK --set-mark 60

Unfortunately though it still leaves 5 connections slurping up plenty of
bandwidth.

I have no ideas for number 2.

Anybody any ideas?

On my network all p2p traffic falls into these categories, and I don't mind
overmatching with other traffic.

Thanks,

Andy
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
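One way to get the "mark all of that host's high-port traffic once it crosses the threshold" behaviour that the connlimit rule alone does not give, and to cover the UDP case, is to do the counting in user space: snapshot the conntrack table (e.g. once a minute from cron), apply both rules from the post to it, and emit MARK rules per offending host. The script below is an added example, not code from the post or from LARTC. The LAN prefix, the thresholds, the helper names and the conntrack snapshot are all constructed; the iptables flags it prints (-t mangle, -A PREROUTING, -p, -s/-d, --dport/--sport with a `1024:` range, -j MARK --set-mark) are standard. It treats the snapshot's live UDP entries as the "last minute" window rather than timestamping packets, which is an approximation.

```python
"""Classify LAN hosts as p2p talkers from a conntrack snapshot and emit the
iptables MARK rules for them.  Added example, not code from the original
post; the LAN prefix, thresholds and the snapshot below are constructed."""
import ipaddress
import re
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "proto state src dst sport dport")

# One /proc/net/nf_conntrack entry (original-direction tuple only).  The
# leading "ipv4 2" family columns are optional so that the older
# /proc/net/ip_conntrack layout parses too; the TCP state column is optional
# because UDP entries have none.
ENTRY = re.compile(
    r"^(?:ipv4\s+2\s+)?(?P<proto>tcp|udp)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed local subnet
HIGH_PORT = 1024                              # same range as "--dport 1024:"
THRESHOLD = 5                                 # "5 or more" in both rules
MARK = 60

def parse_conntrack(text):
    """Return a Flow for every line that looks like a conntrack entry."""
    flows = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            flows.append(Flow(m["proto"], m["state"], m["src"], m["dst"],
                              int(m["sport"]), int(m["dport"])))
    return flows

def classify(flows, lan=LAN, threshold=THRESHOLD):
    """Apply the two rules from the post to a snapshot.

    Rule 1: a LAN host with >= threshold ESTABLISHED TCP connections whose
            destination port is >= HIGH_PORT (in either direction).
    Rule 2: a LAN host exchanging UDP with >= threshold distinct peers whose
            peer-side port is >= HIGH_PORT (sent or received).
    Returns (tcp_hosts, udp_hosts) as sets of address strings.
    """
    tcp_conns = defaultdict(int)
    udp_peers = defaultdict(set)
    for f in flows:
        if ipaddress.ip_address(f.src) in lan:
            host, peer, peer_port = f.src, f.dst, f.dport
        elif ipaddress.ip_address(f.dst) in lan:
            host, peer, peer_port = f.dst, f.src, f.sport
        else:
            continue  # transit flow, neither end is ours
        if f.proto == "tcp":
            if f.state == "ESTABLISHED" and f.dport >= HIGH_PORT:
                tcp_conns[host] += 1
        elif peer_port >= HIGH_PORT:
            udp_peers[host].add(peer)  # a set, so one peer counts once
    tcp_hosts = {h for h, n in tcp_conns.items() if n >= threshold}
    udp_hosts = {h for h, peers in udp_peers.items() if len(peers) >= threshold}
    return tcp_hosts, udp_hosts

def mark_rules(tcp_hosts, udp_hosts, mark=MARK):
    """iptables commands marking both directions of each host's high-port traffic."""
    rules = []
    for proto, hosts in (("tcp", tcp_hosts), ("udp", udp_hosts)):
        for h in sorted(hosts, key=ipaddress.ip_address):
            # outbound packets to a high port, and the peer's replies from one
            rules.append(f"iptables -t mangle -A PREROUTING -p {proto} -s {h} "
                         f"--dport {HIGH_PORT}: -j MARK --set-mark {mark}")
            rules.append(f"iptables -t mangle -A PREROUTING -p {proto} -d {h} "
                         f"--sport {HIGH_PORT}: -j MARK --set-mark {mark}")
    return rules

# Constructed snapshot, abbreviated to the fields the parser needs.
# 192.168.1.10: five ESTABLISHED TCP connections to high ports (rule 1 fires),
#               plus one TIME_WAIT entry that is not "simultaneous".
# 192.168.1.20: web and DNS only; nothing fires.
# 192.168.1.30: UDP with five distinct high-port peers, two outbound, three
#               inbound, plus a repeat of one peer (rule 2 fires).
SNAPSHOT = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=40001 dport=6881 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.6 sport=40002 dport=6882 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.7 sport=40003 dport=6883 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.8 sport=40004 dport=6884 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.9 sport=40005 dport=6885 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 120 TIME_WAIT src=192.168.1.10 dst=203.0.113.10 sport=40006 dport=6886 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=198.51.100.1 sport=50000 dport=80 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=198.51.100.2 sport=50001 dport=443 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.30 dst=203.0.113.21 sport=38000 dport=7000 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.30 dst=203.0.113.22 sport=38000 dport=7001 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=203.0.113.23 dst=192.168.1.30 sport=7002 dport=38000 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=203.0.113.24 dst=192.168.1.30 sport=7003 dport=38000 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=203.0.113.25 dst=192.168.1.30 sport=7004 dport=38000 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.20 dst=198.51.100.3 sport=51000 dport=53 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.30 dst=203.0.113.21 sport=38001 dport=7005 [ASSURED] mark=0 use=1
"""

if __name__ == "__main__":
    tcp, udp = classify(parse_conntrack(SNAPSHOT))
    print("\n".join(mark_rules(tcp, udp)))
```

Run against the snapshot it marks 192.168.1.10 under rule 1 and 192.168.1.30 under rule 2, and prints four MARK rules. In a real deployment the rules should go into a dedicated mangle chain that the script flushes before re-adding them on each run, otherwise they accumulate; and because a host that once crossed the threshold stays marked only while it still shows up in the snapshot, the rules fall away by themselves when the p2p traffic stops. Overmatching is as the post accepts: any host with five established high-port TCP connections, or five high-port UDP peers, gets marked.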
