I believe that whole question is in topic.
Is there any way to recognize ( and then shape ) p2p traffic which is
encrypted?
Modern p2p clients have this ability moreover some of them have this enabled
by default.
Now I'm using ipp2p for iptables but as I know this doesn't recognize
encrypted traffic.
One way to do this is to look for the style of traffic. For example, I
look for lots of connections from one PC to port numbers above 1024.
This will also incorrectly recognise some other traffic, but on the
whole it works well for me.
The following are some examples using connlimit (now included in vanilla
kernel) and ipset (see http://ipset.netfilter.org/)
# first look for style of traffic and log that client to an ipset
iptables -t mangle -A FORWARD -o ppp0 -p tcp --dport 1024: \
-m connlimit --connlimit-above 10 -j SET --add-set p2p src
iptables -t mangle -A FORWARD -o ppp0 -p udp --dport 1024: \
-m connlimit --connlimit-above 10 -j SET --add-set p2p src
iptables -t mangle -A FORWARD -i ppp0 -p tcp --sport 1024: \
-m connlimit --connlimit-above 10 -j SET --add-set p2p dst
iptables -t mangle -A FORWARD -i ppp0 -p udp --sport 1024: \
-m connlimit --connlimit-above 10 -j SET --add-set p2p dst
# then shape traffic above port 1024 for those detected clients
iptables -t mangle -A FORWARD -o ppp0 -p tcp --dport 1024: \
-m set --set p2p dst -j MARK --set-mark 60
iptables -t mangle -A FORWARD -i ppp0 -p tcp --sport 1024: \
-m set --set p2p dst -j MARK --set-mark 60
iptables -t mangle -A FORWARD -o ppp0 -p udp --dport 1024: \
-m set --set p2p dst -j MARK --set-mark 60
iptables -t mangle -A FORWARD -i ppp0 -p udp --sport 1024: \
-m set --set p2p dst -j MARK --set-mark 60
Regards,
Andy Beverley
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
