2008/6/13 sara fink <[EMAIL PROTECTED]>:
> Hi Amos
>
> It seems that the iptables rules are cut. Can you post the whole lines
> here? Probably when you cut and paste from nano/pico this happened.

They look OK on my 19" wide screen, here they are from the blog:

# match all outgoing packets from gid skype, mark their connection
# and add their destination to the "recent list" so we can count ICMP packets to/from them
iptables -A OUTPUT -m owner --gid-owner skype --out-interface eth0 --protocol tcp -m recent --rdest --set --name Skype -j CONNMARK --set-mark 1
iptables -A OUTPUT -m owner --gid-owner skype --out-interface eth0 --protocol udp -m recent --rdest --set --name Skype -j CONNMARK --set-mark 2

# count ICMP packets going to hosts which appear in our "recent" list
iptables -A OUTPUT --out-interface eth0 --protocol icmp -m recent --rdest --name Skype --update -j ACCEPT -m comment --comment skype-out-icmp

# all packets which match the connection should go through the skype rule
iptables -A OUTPUT -m connmark --mark 1 -m comment --comment skype-out-tcp
iptables -A OUTPUT -m connmark --mark 2 -m comment --comment skype-out-udp

# match all packets on Skype's public TCP port and mark their connection
iptables -A INPUT -p tcp -m tcp --dport 21212 --in-interface eth0 -j CONNMARK --set-mark 1
iptables -A INPUT -p udp -m udp --dport 21212 --in-interface eth0 -j CONNMARK --set-mark 2

# count ICMP packets coming from hosts which appear in our "recent" list
iptables -A INPUT -p icmp --in-interface eth0 -m recent --name Skype --update -j ACCEPT -m comment --comment skype-in-icmp

# all packets which match the connection
iptables -A INPUT -m connmark --mark 1 -m comment --comment skype-in-tcp
iptables -A INPUT -m connmark --mark 2 -m comment --comment skype-in-udp

> Supernode is on what port? I had 32323 and changed it now to other non
> standard port.

I used to have some random number assigned to it, can't remember which. I'm pretty sure the "21212" was a cheap attempt to hide which port my Skype was on. I'll try to remember to look up the scripts which process the data when I get home.

Be aware that I gave Skype its own group ID and executed it as set-gid so iptables could match by its unique owner gid (uid owner matching was said to crash SMP kernels).

--Amos
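
Added example, not part of the message above and not the scripts Amos mentions: one way to read the per-rule counters that the comment-tagged rules accumulate, by parsing `iptables-save -c` text. The function names are hypothetical and the sample counters are constructed, not measured traffic.

```shell
#!/bin/sh
# Input on stdin: `iptables-save -c` text, one rule per line in the form
#   [packets:bytes] -A CHAIN ... -m comment --comment "LABEL" ...
# Assumes labels contain no spaces (true for the skype-* labels in the rules).

# Print "label packets bytes" for every rule whose comment starts with "skype-".
skype_counters() {
    awk '
    /^\[[0-9]+:[0-9]+\]/ {
        label = ""
        for (i = 2; i < NF; i++)
            if ($i == "--comment") { label = $(i + 1); break }
        gsub(/"/, "", label)                  # newer iptables-save quotes comments
        if (label !~ /^skype-/) next          # skip CONNMARK and unrelated rules
        split(substr($1, 2, length($1) - 2), c, ":")
        pkts[label] += c[1]; bytes[label] += c[2]
    }
    END {
        for (l in pkts) printf "%s %.0f %.0f\n", l, pkts[l], bytes[l]
    }' | sort
}

# Sum the byte counters of all skype-* rules.
skype_total_bytes() {
    skype_counters | awk '{ t += $3 } END { printf "%.0f\n", t + 0 }'
}

# Constructed sample of `iptables-save -c` output for the rules in the message.
sample_counters() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[120:9600] -A INPUT -i eth0 -p tcp -m tcp --dport 21212 -j CONNMARK --set-xmark 0x1/0xffffffff
[4:336] -A INPUT -i eth0 -p icmp -m recent --update --name Skype --rsource -m comment --comment "skype-in-icmp" -j ACCEPT
[300:45000] -A INPUT -m connmark --mark 0x1 -m comment --comment "skype-in-tcp"
[800:64000] -A INPUT -m connmark --mark 0x2 -m comment --comment "skype-in-udp"
[2:168] -A OUTPUT -o eth0 -p icmp -m recent --update --name Skype --rdest -m comment --comment "skype-out-icmp" -j ACCEPT
[250:30000] -A OUTPUT -m connmark --mark 0x1 -m comment --comment "skype-out-tcp"
[700:56000] -A OUTPUT -m connmark --mark 0x2 -m comment --comment "skype-out-udp"
COMMIT
EOF
}

sample_counters | skype_counters
```

On a live host the same functions take `iptables-save -c | skype_counters` (run as root) instead of the sample.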