Thanks. My screen is 15.1". I'll add skype group.
On Fri, Jun 13, 2008 at 10:10 AM, Amos Shapira <[EMAIL PROTECTED]> wrote:
> 2008/6/13 sara fink <[EMAIL PROTECTED]>:
>> HI Amos
>>
>> It seems that the iptables rules are cut. Can you post the whole lines
>> here? Probably when you cut and paste from nano/pico this happened.
>
> They look OK on my 19" wide screen, here they are from the blog:
>
> # match all outgoing packets from gid skype, mark their connection
> # and add their destination to the "recent list" so we can count ICMP
> # packets to/from them
> iptables -A OUTPUT -m owner --gid-owner skype --out-interface eth0 --protocol tcp -m recent --rdest --set --name Skype -j CONNMARK --set-mark 1
> iptables -A OUTPUT -m owner --gid-owner skype --out-interface eth0 --protocol udp -m recent --rdest --set --name Skype -j CONNMARK --set-mark 2
>
> # count ICMP packets going to hosts which appear in our "recent" list
> iptables -A OUTPUT --out-interface eth0 --protocol icmp -m recent --rdest --name Skype --update -j ACCEPT -m comment --comment skype-out-icmp
>
> # all packets which match the connection should go through the skype rule
> iptables -A OUTPUT -m connmark --mark 1 -m comment --comment skype-out-tcp
> iptables -A OUTPUT -m connmark --mark 2 -m comment --comment skype-out-udp
>
> # match all packets on Skype's public TCP port and mark their connection
> iptables -A INPUT -p tcp -m tcp --dport 21212 --in-interface eth0 -j CONNMARK --set-mark 1
> iptables -A INPUT -p udp -m udp --dport 21212 --in-interface eth0 -j CONNMARK --set-mark 2
>
> # count ICMP packets coming from hosts which appear in our "recent" list
> iptables -A INPUT -p icmp --in-interface eth0 -m recent --name Skype --update -j ACCEPT -m comment --comment skype-in-icmp
>
> # all packets which match the connection
> iptables -A INPUT -m connmark --mark 1 -m comment --comment skype-in-tcp
> iptables -A INPUT -m connmark --mark 2 -m comment --comment skype-in-udp
>
>> Supernode is on what port? I had 32323 and changed it now to other non
>> standard port.
>
> I used to have some random number assigned to it, can't remember
> which. I'm pretty sure the "21212" was a cheap attempt to hide which
> port my Skype was on.
>
> I'll try to remember to look up the scripts which process the data
> when I get home.
>
> Be aware that I gave Skype its own group ID and executed it as set-gid
> so iptables could match by its unique owner gid (uid owner matching
> was said to crash SMP kernels).
>
> --Amos
>
> =================================================================
> To unsubscribe, send mail to [EMAIL PROTECTED] with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail [EMAIL PROTECTED]
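An added example, not Amos's own processing scripts (which he says he'd look up later): a POSIX shell snippet that reads `iptables -nvxL` counter output and pulls the byte counters of the rules tagged with the `--comment` names used in the rules above, so the Skype traffic of each direction can be totalled. The `iptables -nvxL` output in `SAMPLE` is constructed sample data (including the assumed GID 1001); on a real host it would come from `iptables -nvxL OUTPUT; iptables -nvxL INPUT`.

```shell
# Constructed sample of `iptables -nvxL OUTPUT` and `iptables -nvxL INPUT`
# for the comment-tagged accounting rules; the counters are made up.
SAMPLE='Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120      18400 CONNMARK   tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            owner GID match 1001 recent: SET name: Skype side: dest CONNMARK set 0x1
      30       4500 CONNMARK   udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            owner GID match 1001 recent: SET name: Skype side: dest CONNMARK set 0x2
      12        960 ACCEPT     icmp --  *      eth0    0.0.0.0/0            0.0.0.0/0            recent: UPDATE name: Skype side: dest /* skype-out-icmp */
     410      52000            all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match  0x1 /* skype-out-tcp */
      95      12100            all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match  0x2 /* skype-out-udp */
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      10        800 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE name: Skype side: source /* skype-in-icmp */
     300      41000            all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match  0x1 /* skype-in-tcp */
      80      10300            all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match  0x2 /* skype-in-udp */'

# skype_bytes <comment-name>: print the byte counter (second column of -nvxL
# output) of the first rule carrying that /* comment */; prints nothing if absent.
skype_bytes() {
    printf '%s\n' "$SAMPLE" | awk -v tag="/* $1 */" 'index($0, tag) { print $2; exit }'
}

# skype_total <in|out>: sum the tcp, udp and icmp accounting rules of one
# direction; a missing rule counts as 0 rather than aborting the sum.
skype_total() {
    t=0
    for proto in tcp udp icmp; do
        b=$(skype_bytes "skype-$1-$proto")
        t=$((t + ${b:-0}))
    done
    echo "$t"
}
```

Because the connmark rules have no `-j` target, their counters keep growing while packets fall through to the rest of the chain, which is what makes them usable purely for accounting.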