[LARTC] Any danger in thrashing 'tc'?

2004-03-11 Thread David McNab
Hi,

Is there any danger in a prog which repeatedly clears the ingress and 
root egress qdiscs, and sets up new ones, even as frequently as every 
5-15 seconds?

I'm writing a shaper app which dynamically shapes traffic on some weird 
attributes such as:
 * country of remote peer
 * program on local machine (and/or each program's arguments)

The objective is to apply limits to any overseas traffic to/from 
long-running p2p apps, such as I2P and Freenet, to help ADSL users in NZ 
prevent blowing their 'overseas traffic caps' and getting hit with nasty 
bills.

It's based on a loop which:
* does a netstat
* reads /proc/[pid] to get the dirt on each program with an active
  TCP connection
* runs a set of tests (matching for programs to traffic-shape, and how
  they should be traffic-shaped)
* derives from all this a set of ingress and root egress shaping rules
* clears the ingress and root egress qdisc, and fires off n tc commands
  to implement the shaping which is needed in the moment.
As you can see, the prog will be frequently spitting heaps of tc 
commands, constantly taking down the ingress and root egress qdiscs, and 
creating new ones.

So, am I likely to hit on any unintended consequences (apart from the 
minor cpu spikes)?

Thx in advance for your insights.

--

Kind regards
David
--

leave this line intact so your email gets through my junk mail filter
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


RE: [LARTC] multipath route inbound port forward

2004-03-11 Thread Daniel Chemko

> The inbound port forwarding rules are fine as far as receiving the
> connection, but when it replies it will still take whatever routing
> path is defined by the system. If the system is doing load balancing,
> chances are that it will go via some other interface, thereby
> causing connection problems. So my question is if there is a way to ask
> the firewall to reply via the interface where it came in
> from?

YES! I figured this out a couple weeks ago. You need netfilter
patch-o-matic extensions and a recent iptables added to your kernel
though.

# This says if the connection registered in IP_CONNTRACK has a mark on
# it, pass that mark to the regular linux MARK
${IPTABLES} -t mangle -A PREROUTING -j CONNMARK --restore-mark

# This is what I use to set the inbound marks.
# Default policies for incoming traffic
${IPTABLES} -t mangle -A PREROUTING -m state --state NEW -i ${IF_INET3} \
    -j MARK --set-mark ${RTABLE_INET3}
${IPTABLES} -t mangle -A PREROUTING -m state --state NEW -i ${IF_INET4} \
    -j MARK --set-mark ${RTABLE_INET4}

# This places the linux MARK fields that I've just set into that
# connection's IP_CONNTRACK so that the next time I see a packet from this
# session, it will also be MARKed to whatever value the SYN was (because
# of --restore-mark).
${IPTABLES} -t mangle -A PREROUTING -j CONNMARK --save-mark


This is just for inbound connections. The same can be performed for
outgoing connections. This makes it quite easy to implement layer 4
policy routing (done), and WAN failover (soon). Plus, this even handles
sessions where ESTABLISHED connections are made. Both original and
established connections get MARKed back to the same interface. This
may not work with TC since I have never tried it. Good luck!
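Daniel's mangle rules are one half of the setup: the fwmark has to be tied to a routing table whose default route leaves through the matching WAN, otherwise the mark changes nothing. The script below is an added example, not part of Daniel's post, that emits the complete set in the order CONNMARK needs (restore-mark first, per-interface MARK on NEW, save-mark last) together with the ip rule and per-table route that go with it, and adds a restore-mark in the mangle OUTPUT chain for replies the firewall itself generates, which never pass PREROUTING. Interface names (eth1, eth2), table numbers (101, 102) and gateway addresses are assumptions. It prints the commands and only executes them when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example: full multi-WAN "answer on the link the SYN arrived on"
# setup. Interface names, table numbers and gateways are assumptions.

# run CMD... : print the command; execute it only when APPLY=1 (as root).
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    fi
}

# wan_setup IFACE TABLE GATEWAY
# One routing table per WAN whose default route leaves through that WAN,
# an ip rule that selects the table for packets carrying fwmark TABLE,
# and a mangle rule that stamps that mark on NEW connections arriving on
# IFACE. Using the table number as the mark value keeps the mapping 1:1.
wan_setup() {
    iface=$1; table=$2; gw=$3
    run ip route replace default via "$gw" dev "$iface" table "$table"
    run ip rule add fwmark "$table" table "$table"
    run iptables -t mangle -A PREROUTING -i "$iface" -m state --state NEW \
        -j MARK --set-mark "$table"
}

# multiwan_rules : emit everything in the order CONNMARK needs.
#  1. --restore-mark first, so a non-SYN packet inherits the mark its
#     connection got when the SYN arrived (the MARK rules only see NEW
#     packets and would otherwise leave replies unmarked).
#  2. per-WAN MARK on NEW.
#  3. --save-mark last, so the freshly set mark is copied into conntrack.
# Replies generated by the firewall itself never pass PREROUTING, so the
# mangle OUTPUT chain gets its own --restore-mark.
multiwan_rules() {
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    wan_setup eth1 101 192.0.2.1       # assumed first WAN
    wan_setup eth2 102 198.51.100.1    # assumed second WAN
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
    run ip route flush cache
}

# check_order : 0 if the emitted PREROUTING rules restore before any MARK
# and save after the last MARK; catches the "save before mark" slip.
check_order() {
    pre=$(multiwan_rules | grep 'PREROUTING')
    first=$(printf '%s\n' "$pre" | head -n 1)
    last=$(printf '%s\n' "$pre" | tail -n 1)
    case "$first" in *--restore-mark*) ;; *) return 1 ;; esac
    case "$last"  in *--save-mark*)    ;; *) return 1 ;; esac
    return 0
}

multiwan_rules
```

Run it once without APPLY to read the commands, then `APPLY=1 sh multiwan.sh` as root. The same connmark pattern serves Ming-Ching's DNAT case: the server's reply enters on the inside interface, hits PREROUTING, gets the mark restored and is routed out the WAN the SYN arrived on.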


Re: [LARTC] multipath route inbound port forward

2004-03-11 Thread Ming-Ching Tiew

> > Hi,
> >
> > I had the same problem some time ago, I couldn't have DNAT working onmy
> > second interface. Could you please post all your routing tables?
> > And also, what are your connections? Both PPP? PPPoE? ...
> >
>
> OK, I am using Static IP for both links. Here is my routing table :-
> ( I use symbolic name here for easier reading  )

[ snip ]

I am beginning to think multipath inbound port forwarding
is not as simple as constructing these iptables rules :-

> iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 80 -j DNAT --to ${SERVER}:80
> iptables -A FORWARD -p tcp -d ${SERVER} --dport 801 -o ${INSIDE_DEVICE} -j ACCEPT
>
> iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP2} --dport 80 -j DNAT --to ${SERVER}:80
> iptables -A FORWARD -p tcp -d ${SERVER} --dport 801 -o ${INSIDE_DEVICE} -j ACCEPT
>

Maybe I should ask has anybody gotten this to work before ?

The reason I am suspecting this not working is this :-

The inbound port forwarding rules are fine as far as receiving the
connection, but when it replies it will still take whatever routing path is
defined by the system. If the system is doing load balancing, chances
are that it will go via some other interface, thereby causing
connection problems. So my question is if there is a way to ask the
firewall to reply via the interface where it came in from?



[LARTC] handles on qdiscs

2004-03-11 Thread Denis Fedorishenko
Hello Gurus,

Is it correct if the handle number is the same as the leaf class to
which it is attached?

For example
tc class add dev eth0 parent 1:2 classid 1:10 htb rate 64Kbit ceil 64Kbit
tc qdisc add dev eth0 parent 1:10 handle 10 sfq perturb 10

Also, is there any limitation in the number of classes/handles?
Maybe someone knows :)

Thanks :)



Re: [LARTC] Wondershaper breaks IPSec tunnels

2004-03-11 Thread Damion de Soto
Hi Jason,

| Am I silently being told that this is the wrong question to ask of this
| list?  :)
Probably.  I'll reply but I think it'll only be of statistic interest.


| I now have a situation where I get to use traffic shaping for a client.
| ~ We implemented the WonderShaper script on our own firewall and
| experienced no problems.  I made some modifications to it to add IPSec
| protocol packets into the 1:10 high priority class using the u32 filter.
| ~ So far on our network, it's worked flawlessly, and we've received much
| benefit from it.  Interactive SSH and VNC sessions are now much, much
| smoother when, for example, we do an apt-get update/upgrade/install at
| the same time or any downloading, e-mailing, etc.
Yeah, I've done the same thing.


| However, yesterday, I installed it for a client using the same
| modifications we have been using, and at first, I only added the
| modifications to the client's external interface (eth1).  Within an
| hour, the FreeS/WAN VPN connections could no longer negotiate new
| tunnels when rekeying.  In his scenario, he has two DSL connections
| (eth1, eth2) coming into the firewall with a single internal interface
| (eth0).  It appears that something broke the VPN negotiation when I
| installed the WonderShaper.  As long as the tunnels are up when I start
| WonderShaper, they work fine, until they need to rekey.  Then they throw
| errors saying things like "max number of retransmissions reached", and
| "Possible authentication failure: no acceptable response to our first
| encrypted message", etc.  The moment I 'stop' the WonderShaper, the VPN
| tunnels can be reestablished successfully.
|
| I was wondering if anyone else has experienced these kinds of problems
| with the WonderShaper and IPSec tunnels?
Nope, never seen traffic shaping cause problems like that.

| Also, I'm attempting to prioritize RDP packets on the ipsec0 interface.
| ~ Is this as simple as copying every line in the script except changing
| $DEV to $DEV2 which is assigned to ipsec0 and adding a u32 match for
| sport 3389?  That's currently what I've done.
I believe so.

| I just can't get over the fact that it works (in almost the exact same
| scenario, except for the 2 DSL circuits) on our firewall, but not our
| client's.

| These are the changes that I made to match IPSec traffic and place it
| into the high priority class (where DEV = eth1 -- the Internet):
I've put my IPSec traffic in the middle class.

The only thing I can think of is that the particular client has saturated one of the
lower priority leaf classes, and delayed the traffic in the high-priority class for
too long for a valid key exchange.

Unless you've changed it, the wondershaper doesn't specify ceil values, which means
they get set to the rate value, and unless you've changed the way it calculates its
percentage rate values, the sum of the leaf rates can exceed the parent,
which I believe can lead to weird and/or bad behaviour.



--
~~~
Damion de Soto - Software Engineer      email: [EMAIL PROTECTED]
SnapGear - A CyberGuard Company         ph:    +61 7 3435 2809
 | Custom Embedded Solutions            fax:   +61 7 3891 3630
 | and Security Appliances              web:   http://www.snapgear.com
~~~
 ---  Free Embedded Linux Distro at   http://www.snapgear.org  ---
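Damion's diagnosis can be checked before the script is loaded. The snippet below is an added example, not code from wondershaper or from anyone in the thread. It reproduces the leaf rates wondershaper derives (1:10 at the full UPLINK, 1:20 at 9/10, 1:30 at 8/10, ceil left at rate), shows that they add up to far more than the parent can guarantee, and emits an alternative tree whose guaranteed rates fit inside the parent while every leaf may borrow up to an explicit ceil. It also emits filters for the IPSec traffic: Jason's filters match IP protocols 50 (ESP) and 51 (AH), but FreeS/WAN's rekeying runs over IKE, which is UDP port 500 and is not covered by those two matches, so a third filter for it is included. The device name eth1, the class 1:10 and UPLINK=512 are assumptions.

```shell
#!/bin/sh
# Added example (not wondershaper's own code): sanity checks for an HTB
# tree, an alternative layout, and IPSec filters. DEV and UPLINK are assumed.

# wondershaper_leaf_rates UPLINK_KBIT : the three leaf rates wondershaper
# derives from its parent rate (full, 9/10 and 8/10), space separated.
wondershaper_leaf_rates() {
    up=$1
    printf '%d %d %d\n' "$up" $((9 * up / 10)) $((8 * up / 10))
}

# leaf_sum KBIT... : total of the guaranteed leaf rates.
leaf_sum() {
    sum=0
    for r in "$@"; do sum=$((sum + r)); done
    printf '%d\n' "$sum"
}

# rates_fit PARENT_KBIT LEAF_KBIT... : 0 when the leaves' guaranteed rates
# fit inside the parent. HTB can only honour "rate" as a guarantee when
# they do; otherwise a saturated prio-2 leaf is entitled to bandwidth the
# prio-1 leaf was also promised, and the prio-1 traffic waits.
rates_fit() {
    parent=$1; shift
    [ "$(leaf_sum "$@")" -le "$parent" ]
}

# fitted_tree DEV UPLINK_KBIT : tc commands for a tree that passes rates_fit.
# Leaves are guaranteed 50/30/20 % of UPLINK and may borrow up to the whole
# link (ceil = UPLINK): idle capacity is still lent out, but the interactive
# class (1:10, prio 1) always has its share.
fitted_tree() {
    dev=$1; up=$2
    r10=$((up / 2)); r20=$((3 * up / 10)); r30=$((up - r10 - r20))
    printf 'tc qdisc add dev %s root handle 1: htb default 20\n' "$dev"
    printf 'tc class add dev %s parent 1: classid 1:1 htb rate %dkbit ceil %dkbit\n' "$dev" "$up" "$up"
    printf 'tc class add dev %s parent 1:1 classid 1:10 htb rate %dkbit ceil %dkbit prio 1\n' "$dev" "$r10" "$up"
    printf 'tc class add dev %s parent 1:1 classid 1:20 htb rate %dkbit ceil %dkbit prio 2\n' "$dev" "$r20" "$up"
    printf 'tc class add dev %s parent 1:1 classid 1:30 htb rate %dkbit ceil %dkbit prio 2\n' "$dev" "$r30" "$up"
}

# ipsec_filters DEV CLASS : u32 filters for ESP (50), AH (51) and IKE
# (UDP/500). The last one carries the rekey exchange; filters on 50/51
# alone leave it in the default class.
ipsec_filters() {
    dev=$1; cls=$2
    for proto in 50 51; do
        printf 'tc filter add dev %s parent 1: protocol ip prio 10 u32 match ip protocol %d 0xff flowid %s\n' "$dev" "$proto" "$cls"
    done
    printf 'tc filter add dev %s parent 1: protocol ip prio 10 u32 match ip protocol 17 0xff match ip dport 500 0xffff flowid %s\n' "$dev" "$cls"
}

UPLINK=${UPLINK:-512}   # assumed kbit
if rates_fit "$UPLINK" $(wondershaper_leaf_rates "$UPLINK"); then
    echo "wondershaper split fits inside ${UPLINK}kbit"
else
    echo "wondershaper leaves sum to $(leaf_sum $(wondershaper_leaf_rates "$UPLINK"))kbit, parent is ${UPLINK}kbit"
fi
fitted_tree eth1 "$UPLINK"
ipsec_filters eth1 1:10
```

With UPLINK=512 the wondershaper leaves sum to 1381kbit against a 512kbit parent, which is the condition Damion describes. The emitted tree and filters are plain tc commands; pipe them into sh on the shaping box after checking the device name.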


[LARTC] death interface problem.

2004-03-11 Thread chll
Hi all,
I want to tell a problem and see if someone has already dealt with it:
I was configuring a traffic control computer using iproute2+tc+htb.init,
the default software (except for htb.init, which I downloaded from
sourceforge) that comes with RedHat Linux version 9.
I used the htb.init script to set up the sample configuration (I also
downloaded the sample files) and set it up.
Then I started transferring a file using http. Then (still during the file
transfer) I erased the tc rules by executing 'service htb.init stop' and
set up another rule (just changing the transmission rate) and started the
service again. It started quite fine, but after a few (very few really)
seconds, the computer stopped downloading the file.
Since then, I am not able to start this interface, but I had another, so I
configured it again and waited for the download to finish before
stopping the htb.init service, and when I made the change it downloaded
the file completely, but I tried again and the network card stopped
working too.
Both network cards stopped working, and I changed them, but I am not able
to start any interface beyond eth0. That happened with 3 computers using
different network cards.
I tried the network cards in windows (on the same computers) and they
work fine.
If I do a 'service network start' the network cards seem to work, but
when I try to ping (sure that iptables has no rules and accepts
anything) they just don't work.
I tried doing it manually with ifconfig and nothing. Just eth0 is working.
I'm in a hurry trying to solve this, so any help will be appreciated.
thanks in advance,
Carlos.






Re: [LARTC] Linux routing newbie Help!!

2004-03-11 Thread Andrew Hall
What you're trying to do is pretty simple.

Firstly check that you don't have any iptables rules loaded stopping your
forwarding:

iptables -t mangle -F
iptables -t mangle -X
iptables -t filter -F
iptables -t filter -X

then make sure the iptables policy is set to accept:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT

then lastly make sure ip forwarding is switched on:

echo 1 > /proc/sys/net/ipv4/conf/all/forwarding

you can also do this per interface by echoing 1 to
/proc/sys/net/ipv4/conf/eth0/forwarding etc.

Once you've done this you should be able to get anywhere. From here follow
your HOWTOs to set up a script to use iptables for filtering and NAT, and
use HTB/SFQ for bandwidth control. It's all fairly straightforward; just use
the MASQUERADE target for source NATting your private LAN out to the
Internet.

Regards,

Andrew.
- Original Message -
From: "Gerry Weaver" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 12, 2004 7:22 AM
Subject: [LARTC] Linux routing newbie Help!!


> Hi,
>
> I need some help with a routing/shaping setup that is a bit beyond my
> current linux routing knowledge. I've read the how-to and most of the
> related mailing list topics, but I still need some help to solve this
> problem. I've been asking questions on various lists, but it seems like the
> answers just add additional confusion. I decided to just describe what I'm
> trying to do with the hope that someone could point me in the right
> direction. I've read a fair bit about the 2.4 kernel and it seems that linux
> is capable of doing these things. I just need some help to get started. I
> think if I could get the actual problem translated into a working config, it
> would go a long way to helping me understand linux routing etc.
>
> Here is the needed config:
>
> Private net #1: 10.10.1.0 (Higher bandwidth priority)
>
> Private net #2: 10.10.2.0
>
> Private net #3: 10.10.3.0
>
> Private net #4: 10.10.4.0
>
> Private net #5: 10.10.5.0
>
> Public net: 67.65.229.0
>
> Goal:
>
> 1. Route the five private networks to the T1.
> 2. Run dhcpd and hand out dynamic ip addresses to private nets #2-#5
> 3. Do bandwidth sharing giving net #1 a higher priority
> 4. Do the usual firewall stuff (ICMP limiting, DOS attacks, etc.)
> 5. Do traffic shaping for interactive traffic, www, etc.
> 6. Do NAT for the private nets with the ability to add a specific public to
> private ip mappings for net #1.
> 7. Set up public address pools for NAT on net #2-#5?
>
>
>  We initially looked at a Cisco solution for this, but the price was simply
> too high. I have installed a RedHat 9 on a pc with a sufficient number of
> nics to do the job.
>
> I'm just trying to get the routing and NAT to work right now, but I'm not
> having much luck. Could anyone offer any advice on the best way to set this
> up?
>
> ip route
> 67.65.229.0/24 dev eth0  proto kernel  scope link  src 67.65.229.253
> 10.10.1.0/24 dev eth1  proto kernel  scope link  src 10.10.1.254
> 10.10.2.0/24 dev eth2  proto kernel  scope link  src 10.10.2.254
> 10.10.3.0/24 dev eth3  proto kernel  scope link  src 10.10.3.254
> 10.10.4.0/24 dev eth4  proto kernel  scope link  src 10.10.4.254
> 10.10.5.0/24 dev eth5  proto kernel  scope link  src 10.10.5.254
> default via 67.65.229.254 dev eth0
>
> I can ping addresses on all of the networks from the linux router machine,
> but I can't ping from one private network to another or the internet.
>
>
>
> Thanks in advance,
> Gerry

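Andrew's steps prove the forwarding path with every rule flushed and every policy at ACCEPT, which is the right way to find out why the pings fail. A router in front of a T1 should not stay that open once the path works, so the script below, an added example that is neither Andrew's nor Gerry's configuration, builds the next stage for Gerry's layout: forwarding switched on, the private /24s source-NATted to the public address (SNAT rather than MASQUERADE, since the public address is static), a one-to-one public-to-private mapping for a host on net #1 (goal 6), and a FORWARD chain that defaults to DROP and only admits connections the LAN opened, traffic between the private nets, or connections the mapped host is meant to receive. The interface names and 67.65.229.253 are taken from Gerry's `ip route` output; the host 10.10.1.20 and its public address 67.65.229.20 are assumptions. It prints the commands; review them and feed the output to sh as root.

```shell
#!/bin/sh
# Added example for the layout in Gerry's message; not Andrew's or Gerry's
# own configuration. Values marked "assumed" are not from the thread.
# Prints the commands; review them, then run the output with sh as root.

WAN=eth0
WAN_IP=67.65.229.253            # from Gerry's "ip route" output
PRIV_NETS="10.10.1.0/24 10.10.2.0/24 10.10.3.0/24 10.10.4.0/24 10.10.5.0/24"

emit() { printf '%s\n' "$*"; }

# base_policy : Andrew's flush, then FORWARD closed by default. INPUT is left
# alone here because the thread has not got to host filtering yet.
base_policy() {
    emit iptables -t filter -F
    emit iptables -t filter -X
    emit iptables -t nat -F
    emit iptables -t mangle -F
    emit iptables -P FORWARD DROP
    emit echo 1 '>' /proc/sys/net/ipv4/conf/all/forwarding
}

# lan_out : each private net may open connections towards the T1 and is
# source-NATted to the public address; replies come back through the
# ESTABLISHED,RELATED rule, so nothing unsolicited from eth0 is forwarded.
lan_out() {
    emit iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for net in $PRIV_NETS; do
        emit iptables -A FORWARD -s "$net" -o "$WAN" -m state --state NEW -j ACCEPT
        emit iptables -t nat -A POSTROUTING -s "$net" -o "$WAN" -j SNAT --to-source "$WAN_IP"
    done
}

# lan_to_lan : Gerry wants the private nets to reach each other; with a
# DROP policy that has to be allowed explicitly. "! -i eth0" keeps a
# spoofed 10.10.x.x source arriving from the T1 out of this rule.
lan_to_lan() {
    emit iptables -A FORWARD ! -i "$WAN" -s 10.10.0.0/16 -d 10.10.0.0/16 \
        -m state --state NEW -j ACCEPT
}

# static_map PRIVATE_IP PUBLIC_IP : one-to-one mapping (goal 6). The public
# address is added to eth0 so the router answers ARP for it; the SNAT rule
# is inserted ahead of the pool SNAT so this host keeps its own address
# outbound; DNAT plus a FORWARD accept make it reachable inbound. Narrow
# the last two with -p tcp --dport if the host only serves a few ports.
static_map() {
    priv=$1; pub=$2
    emit ip addr add "$pub/32" dev "$WAN"
    emit iptables -t nat -I POSTROUTING -s "$priv" -o "$WAN" -j SNAT --to-source "$pub"
    emit iptables -t nat -A PREROUTING -d "$pub" -i "$WAN" -j DNAT --to-destination "$priv"
    emit iptables -A FORWARD -i "$WAN" -d "$priv" -m state --state NEW -j ACCEPT
}

# full_ruleset : everything in load order.
full_ruleset() {
    base_policy
    lan_out
    lan_to_lan
    static_map 10.10.1.20 67.65.229.20   # assumed host on net #1 and its public IP
}

full_ruleset
```

Goals 3 and 5 (priority for net #1 and shaping) are HTB work on eth0 and sit on top of this; the FORWARD and nat rules above do not change once the qdiscs are added.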


[LARTC] Linux routing newbie Help!!

2004-03-11 Thread Gerry Weaver
Hi,

I need some help with a routing/shaping setup that is a bit beyond my
current linux routing knowledge. I've read the how-to and most of the
related mailing list topics, but I still need some help to solve this
problem. I've been asking questions on various lists, but it seems like the
answers just add additional confusion. I decided to just describe what I'm
trying to do with the hope that someone could point me in the right
direction. I've read a fair bit about the 2.4 kernel and it seems that linux
is capable of doing these things. I just need some help to get started. I
think if I could get the actual problem translated into a working config, it
would go a long way to helping me understand linux routing etc.

Here is the needed config:

Private net #1: 10.10.1.0 (Higher bandwidth priority)

Private net #2: 10.10.2.0

Private net #3: 10.10.3.0

Private net #4: 10.10.4.0

Private net #5: 10.10.5.0

Public net: 67.65.229.0

Goal:

1. Route the five private networks to the T1.
2. Run dhcpd and hand out dynamic ip addresses to private nets #2-#5
3. Do bandwidth sharing giving net #1 a higher priority
4. Do the usual firewall stuff (ICMP limiting, DOS attacks, etc.)
5. Do traffic shaping for interactive traffic, www, etc.
6. Do NAT for the private nets with the ability to add a specific public to
private ip mappings for net #1.
7. Set up public address pools for NAT on net #2-#5?


 We initially looked at a Cisco solution for this, but the price was simply
too high. I have installed a RedHat 9 on a pc with a sufficient number of
nics to do the job.

I'm just trying to get the routing and NAT to work right now, but I'm not
having much luck. Could anyone offer any advice on the best way to set this
up?

ip route
67.65.229.0/24 dev eth0  proto kernel  scope link  src 67.65.229.253
10.10.1.0/24 dev eth1  proto kernel  scope link  src 10.10.1.254
10.10.2.0/24 dev eth2  proto kernel  scope link  src 10.10.2.254
10.10.3.0/24 dev eth3  proto kernel  scope link  src 10.10.3.254
10.10.4.0/24 dev eth4  proto kernel  scope link  src 10.10.4.254
10.10.5.0/24 dev eth5  proto kernel  scope link  src 10.10.5.254
default via 67.65.229.254 dev eth0

I can ping addresses on all of the networks from the linux router machine,
but I can't ping from one private network to another or the internet.



Thanks in advance,
Gerry



Re: [LARTC] Dynamic ip adressess..

2004-03-11 Thread Stef Coene
On Thursday 11 March 2004 15:59, Leonardo Moreno wrote:
> I want to set up a split access and load balanced connection just like the
> common configuration in the how to... my problem is that I have dynamic ip
> addresses on both internet connections... ppp0 (pppoe access) and eth2
> (dhcp). I need to put in the config files the ip addresses associated with
> the interfaces but these ip's change all the time... how can I change the
> ip's in my config file automatically when the ISP changes my IP?
It depends on the dhcp client you use, but most of the time you can run a
script if the dhcp client gets a new ip address.  You can probably do the
same for the pppoe interface.

Stef

-- 
[EMAIL PROTECTED]
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.openprojects.net


[LARTC] Dynamic ip adressess..

2004-03-11 Thread Leonardo Moreno

I want to set up a split access and load balanced connection just like the
common configuration in the how to... my problem is that I have dynamic ip
addresses on both internet connections... ppp0 (pppoe access) and eth2 (dhcp).
I need to put in the config files the ip addresses associated with the
interfaces but these ip's change all the time... how can I change the ip's in my
config file automatically when the ISP changes my IP?

P.S.: sorry about my poor English :(





Re: [LARTC] Wondershaper breaks IPSec tunnels

2004-03-11 Thread Jason A. Pattie
Am I silently being told that this is the wrong question to ask of this
list?  :)
Jason A. Pattie wrote:
| Hello, been awhile since I've written.
|
| I now have a situation where I get to use traffic shaping for a client.
| ~ We implemented the WonderShaper script on our own firewall and
| experienced no problems.  I made some modifications to it to add IPSec
| protocol packets into the 1:10 high priority class using the u32 filter.
| ~ So far on our network, it's worked flawlessly, and we've received much
| benefit from it.  Interactive SSH and VNC sessions are now much, much
| smoother when, for example, we do an apt-get update/upgrade/install at
| the same time or any downloading, e-mailing, etc.
|
| However, yesterday, I installed it for a client using the same
| modifications we have been using, and at first, I only added the
| modifications to the client's external interface (eth1).  Within an
| hour, the FreeS/WAN VPN connections could no longer negotiate new
| tunnels when rekeying.  In his scenario, he has two DSL connections
| (eth1, eth2) coming into the firewall with a single internal interface
| (eth0).  It appears that something broke the VPN negotiation when I
| installed the WonderShaper.  As long as the tunnels are up when I start
| WonderShaper, they work fine, until they need to rekey.  Then they throw
| errors saying things like "max number of retransmissions reached", and
| "Possible authentication failure: no acceptable response to our first
| encrypted message", etc.  The moment I 'stop' the WonderShaper, the VPN
| tunnels can be reestablished successfully.
|
| I was wondering if anyone else has experienced these kinds of problems
| with the WonderShaper and IPSec tunnels?
|
| Also, I'm attempting to prioritize RDP packets on the ipsec0 interface.
| ~ Is this as simple as copying every line in the script except changing
| $DEV to $DEV2 which is assigned to ipsec0 and adding a u32 match for
| sport 3389?  That's currently what I've done.
|
| I just can't get over the fact that it works (in almost the exact same
| scenario, except for the 2 DSL circuits) on our firewall, but not our
| client's.
|
| These are the changes that I made to match IPSec traffic and place it
| into the high priority class (where DEV = eth1 -- the Internet):
| --
| # IPSec traffic in 1:10
| tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
|    match ip protocol 0x32 0xff \
|    flowid 1:10
|
| tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
|    match ip protocol 0x33 0xff \
|    flowid 1:10
|
|
| These are the changes to match RDP on the IPSec interface (where DEV2 =
| ipsec0):
| --
| # RDP (Remote Desktop Protocol) in interactive class 1:10 on ipsecN
| # interfaces
| tc filter add dev $DEV2 parent 1: protocol ip prio 10 u32 \
|    match ip sport 3389 0xffff \
|    flowid 1:10
|
|
| Are these even valid?
|
| Thank you for your time.
|
--
Jason A. Pattie
[EMAIL PROTECTED]
Xperience, Inc. (http://www.xperienceinc.com)


[LARTC] Doubt on dsmark

2004-03-11 Thread Aravind babu

Hi all,

At last I successfully marked IP packets with dsmark. I want to know exactly in
which place dsmark will work. Suppose I have a firewall on my traffic control
machine. I am curious to know whether marking is done before the packet gets to
the firewall or after the firewall. Diagrammatically it is like below:

    -------------
     tc utility
    -------------
          |
          |
          |
    -------------
      Firewall
    -------------
          |
          |
          |
    -------------
      Interface
    -------------

I want to know where exactly packets are marked and queued?

Thanks in advance,
Aravind.


[LARTC] Requesting Ingress Policing Examples

2004-03-11 Thread David McNab
Hi,

I'm a complete newbie to tc, but have been learning enough to get a very 
basic grasp. (studying 'wondershaper', 'snitch' and other tc-using 
scripts has helped muchly).

My question relates to ingress policing.

I've got a basic understanding of setting up specific ingress policers, 
for example setting up one policer to limit HTTP download rates, and 
another to limit FTP download rates.

But from what I can gather, these limits are independent. For instance, 
if I set the HTTP download policer to a ceiling to 40kbit, and an FTP 
policer to a download ceiling to 20kbit, then concurrent HTTP and FTP 
downloads will total 60kbit.

 tc qdisc add dev $DEV ingress handle ffff:
 tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 \
     match ip sport 80 0xffff \
     police rate 40kbit burst 10k drop flowid :1
 tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 \
     match ip sport 21 0xffff \
     police rate 20kbit burst 10k drop flowid :1

But what I'm wanting to do is set up a download pool of (say) 64kbit, 
and share that amongst n different filters.

I'm slowly gaining some clarity on how to do that via htb for outbound 
traffic, but is there any any way to set up shared pools for inbound?

I saw on the list archives some example using 'index nnn' as an 
argument, but the example was incomplete.

I've also scoured Google, but am not coming up with much.

Can anyone please point me to a rich set of working tc ingress policing 
examples, enough for me to build a general understanding?

Thanks muchly in advance

--

Kind regards
David
--

leave this line intact so your email gets through my junk mail filter


Re: [LARTC] script to perform dead gateway detection

2004-03-11 Thread sufcrusher
Try using the -I option for ping, this forces it to use a certain interface:

ping -I ${MY_IP_1} -c 1 ${GATEWAY_1}

You can also add a route to the gateway to force it to use that interface. I
do the same for the 2 SMTP servers of the different ISPs. I can't connect
to one SMTP server from the other ISP anyway, so better make it impossible
altogether.

sufcrusher

- Original Message - 
From: "Ming-Ching Tiew" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 11, 2004 3:29 AM
Subject: [LARTC] script to perform dead gateway detection


>
> I am also having some difficulty in doing dead gateway
> detection using a shell script :-
>
> Basically I am using ping -c 1 ${GATEWAY_1}.  If it times
> out, I suppose it got an error, so it is probably time for me to
> change route.
>
> However, even if the ping comes back, it does not mean the
> GATEWAY is alive as my nexthop; this is because I figured
> that the packet could have made a U-turn via one of the alive
> links to come back to answer the ping request, ie the gateway
> is alive for a packet on the external network, but the gateway
> is still down from the inside point of view, and this can happen
> due to a faulty connection between my second link IP and the
> second link gateway!
>
> Without patching the kernel to do dead gateway detection,
> how do I find out if a particular gateway is dead as my
> NEXTHOP ?

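sufcrusher's two suggestions, binding the probe to the link's own address with `ping -I` and pinning a route to the gateway so the probe cannot leave through the other ISP, fit into a small failover check. The script below is an added example, not something from the thread; the interface names, addresses and gateways are assumptions. Each probe first installs a host route for the gateway through its own interface, then pings from that interface's address, so a reply can only come back if that next hop really is reachable, which is exactly the U-turn Ming-Ching is worried about. The live set is then turned into one `ip route replace`: multipath when both gateways answer, a single next hop when only one does, and no change at all when none does, since keeping the last known routes beats deleting the default. Set RUN_PROBES=1 to actually probe and APPLY=1 to also install the route; IP and PING can be overridden for a dry run.

```shell
#!/bin/sh
# Added example; not from the thread. Interface, address and gateway
# values are assumptions. IP and PING may be overridden for dry runs.

# name iface src_ip gateway : one WAN per line (assumed values)
WANS='inet1 eth1 192.0.2.10 192.0.2.1
inet2 eth2 198.51.100.10 198.51.100.1'

# probe_gateway IFACE SRC_IP GW : 0 if GW answers one ping sent from SRC_IP
# over IFACE. The host route stops the probe taking a U-turn through the
# other ISP, which is what makes a bare "ping GW" lie about a dead link.
probe_gateway() {
    iface=$1; src=$2; gw=$3
    ${IP:-ip} route replace "$gw/32" dev "$iface" >/dev/null 2>&1 || return 2
    ${PING:-ping} -I "$src" -c 1 -W 2 "$gw" >/dev/null 2>&1
}

# alive_gateways : names of the WANs whose next hop answered, one per line.
alive_gateways() {
    printf '%s\n' "$WANS" | while read -r name iface src gw; do
        [ -n "$name" ] || continue
        if probe_gateway "$iface" "$src" "$gw"; then printf '%s\n' "$name"; fi
    done
}

# wan_field NAME N : Nth column of NAME's line in WANS.
wan_field() {
    printf '%s\n' "$WANS" | awk -v n="$1" -v f="$2" '$1 == n { print $f }'
}

# build_default_route : the "ip route replace default ..." command for the
# live set. Returns 1 and prints nothing when no gateway answered, so the
# caller keeps the previous routes instead of deleting the default.
build_default_route() {
    hops=""; count=0
    for name in $(alive_gateways); do
        hops="$hops nexthop via $(wan_field "$name" 4) dev $(wan_field "$name" 2) weight 1"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || return 1
    printf 'ip route replace default%s\n' "$hops"
}

# Run from cron every minute or in a loop with sleep. Probing only starts
# when RUN_PROBES=1, so sourcing the file for its functions has no effect.
if [ "${RUN_PROBES:-0}" = 1 ]; then
    if route=$(build_default_route); then
        printf '%s\n' "$route"
        [ "${APPLY:-0}" = 1 ] && $route
    else
        echo "no gateway reachable; leaving routes unchanged" >&2
    fi
fi
```

A single `nexthop` in `ip route replace default` is valid, so the same command shape serves the one-link and two-link cases. When the kernel's multipath route is left in place and only a dead link's weight needs removing, this is the whole of "dead gateway detection" without a kernel patch, at the cost of reacting one probe interval late.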


Re: [LARTC] IPP2P v0.5 not working and more...

2004-03-11 Thread miller69
Hi,

> I'm tried to use v0.5b but it not worked. Now i'm using v0.4 with no 
> problems...
There has been a bug introduced with IPP2P 0.5rc1 which lets kazaa downloads
still go through but this bug was fixed in 0.5a. I'll take a look at the
current code again.

> The rule i'm using...:
> iptables -I FORWARD -p tcp -m ipp2p --ipp2p -j DROP
Rule is fine.

> remove the ipt_ipp2p.o mod (v0.4)
> configue the Makefile of the 0.5b version
> install libipt_ipp2p.so - overwriting the old one
> run insmod ipt_ipp2p.o successfully
> set iptables -I FORWARD -p tcp -m ipp2p --ipp2p -j DROP
> NOTHING HAPPENS - Kazaa can download files again
I'll review the kazaa code. Can you give me the output of iptables running
IPP2P 0.5b again please? If you're using different p2p networks at once split
it into several rules like this:
iptables -A FORWARD -p tcp -m ipp2p --edk -j DROP
iptables -A FORWARD -p tcp -m ipp2p --kazaa -j DROP
iptables -A FORWARD -p tcp -m ipp2p --gnu -j DROP
etc.

and give me the output.

> Do you use any kind of traffic shaper? What's your configuration/rules?
As posted on the official homepage example #2. I'm not dropping packets, I'm
shaping them.

> Well... suport for these networks would be great. And yes... i can do 
> some tests for you.
This weekend I'll take a look at this and the kazaa thing as well. I'll
report back to you here with any news. 

Regards

-- 



Re: [LARTC] IPP2P v0.5 not working and more...

2004-03-11 Thread Leandro Andrade Travaglia

Hello,

> Hi,
>
> What version do you use? If it's IPP2P 05 try the updated version 05b. If
> this does not help post your ruleset and an output of "iptables -L -n -v -x"
> for the appropriate table here please.

I tried to use v0.5b but it did not work. Now I'm using v0.4 with no problems...
The rule I'm using:

    iptables -I FORWARD -p tcp -m ipp2p --ipp2p -j DROP

The command iptables -L -n -v -x returns:

Chain INPUT (policy ACCEPT 388 packets, 97441 bytes)
    pkts    bytes target                prot opt in   out  source           destination
     929   186369 RH-Lokkit-0-50-INPUT  all  --  *    *    0.0.0.0/0        0.0.0.0/0

Chain FORWARD (policy ACCEPT 10960 packets, 6220585 bytes)
    pkts    bytes target                prot opt in   out  source           destination
     317    36866 DROP                  tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        ipp2p v0.4 --ipp2p
   21307 10219893 RH-Lokkit-0-50-INPUT  all  --  *    *    0.0.0.0/0        0.0.0.0/0

Chain OUTPUT (policy ACCEPT 866 packets, 152845 bytes)
    pkts    bytes target                prot opt in   out  source           destination

Chain RH-Lokkit-0-50-INPUT (2 references)
    pkts    bytes target                prot opt in   out  source           destination
       0        0 ACCEPT                udp  --  *    *    200.150.13.244   0.0.0.0/0        udp spt:53 dpts:1025:65535
       0        0 ACCEPT                udp  --  *    *    200.150.13.243   0.0.0.0/0        udp spt:53 dpts:1025:65535
       0        0 ACCEPT                udp  --  *    *    200.150.4.5      0.0.0.0/0        udp spt:53 dpts:1025:65535
      31     5173 ACCEPT                udp  --  *    *    200.150.4.4      0.0.0.0/0        udp spt:53 dpts:1025:65535
       0        0 ACCEPT                tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:80 flags:0x16/0x02
       4      192 ACCEPT                tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:21 flags:0x16/0x02
       0        0 ACCEPT                tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:22 flags:0x16/0x02
       9      432 ACCEPT                tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:25 flags:0x16/0x02
       0        0 ACCEPT                tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:23 flags:0x16/0x02
       0        0 ACCEPT                udp  --  eth0 *    0.0.0.0/0        0.0.0.0/0        udp spts:67:68 dpts:67:68
      81    26636 ACCEPT                udp  --  eth1 *    0.0.0.0/0        0.0.0.0/0        udp spts:67:68 dpts:67:68
      62     3100 ACCEPT                all  --  lo   *    0.0.0.0/0        0.0.0.0/0
   10654  4046161 ACCEPT                all  --  eth0 *    0.0.0.0/0        0.0.0.0/0
       0        0 REJECT                tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
       0        0 REJECT                tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:2049 flags:0x16/0x02 reject-with icmp-port-unreachable
      47     6542 REJECT                udp  --  *    *    0.0.0.0/0        0.0.0.0/0        udp dpts:0:1023 reject-with icmp-port-unreachable
       0        0 REJECT                udp  --  *    *    0.0.0.0/0        0.0.0.0/0        udp dpt:2049 reject-with icmp-port-unreachable
       0        0 REJECT                tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpts:6000:6009 flags:0x16/0x02 reject-with icmp-port-unreachable
       0        0 REJECT                tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:7100 flags:0x16/0x02 reject-with icmp-port-unreachable

At this setup everything goes fine. But if I try to use v0.5b, nothing happens:

I stop iptables
remove the ipt_ipp2p.o mod (v0.4)
configure the Makefile of the 0.5b version
install libipt_ipp2p.so - overwriting the old one
run insmod ipt_ipp2p.o successfully
set iptables -I FORWARD -p tcp -m ipp2p --ipp2p -j DROP
NOTHING HAPPENS - Kazaa can download files again

> I've never tried the wondershaper script myself but according to information
> from IPP2P users this shall work.

Do you use any kind of traffic shaper? What's your configuration/rules?

> Well not yet - the supported p2p-networks are:
> -eDonkey
> -KaZaA
> -Gnutella
> -Direct Connect
> -BitTorrent (working well for me but still beta)
> -AppleJuice (still beta)
>
> If this feature is very important to you and if you are willing to do some
> testing for me I'll take some time and try to implement these networks. I was
> going to do this anyway but not at the moment.

Well... support for these networks would be great. And yes... I can do some
tests for you.

I'm testing the setup using Kazaa Lite and Overnet.

Thanks a lot.

LEANDRO TRAVAGLIA
