[LARTC] know if packets are marked
Hi!! I am marking packets in a bridge.

Mark outbound www packets from clients:

/usr/local/sbin/iptables -A PREROUTING -t mangle -m physdev --physdev-in eth1 -p tcp --dport 80 -j MARK --set-mark 2

How can I know if these packets are marked?

roberto

--
Ing. Roberto Pereyra
ContenidosOnline
Looking for Linux Virtual Private Servers? Click here: http://www.spry.com/hosting-affiliate/scripts/t.php?a_aid=426&a_bid=56

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
[LARTC] mark and route traffic in a bridge
Hi all!! I would like to mark and route some kind of traffic (i.e. outbound www for now, for simplicity).

                    ---------
 inet1 ------- eth0 |       |
                    | linux | eth1 ------- clients
 inet2 ------- eth2 |       |
 (90.0.0.1)         ---------

I have eth0 and eth1 bridged (eth2 is not bridged). I would like to route the clients' outbound www traffic through eth2. Does this scheme work?

I wrote these scripts:

a) add this line to /etc/iproute2/rt_tables

200 web

b) I assign an ip to eth2:

/sbin/ifconfig eth2 90.0.0.2

c) Mark outbound www packets from clients:

/usr/local/sbin/iptables -A PREROUTING -t mangle -m physdev --physdev-in eth1 -p tcp --dport 80 -j MARK --set-mark 2

d) I route these marked packets:

/sbin/ip rule add fwmark 2 table web
/sbin/ip route add default via 90.0.0.1 dev eth2 table web

e) Now I run iptraf listening on eth2, but there is no traffic at all through eth2.

What am I doing wrong? How can I do it with a bridge?

Thanks in advance for any hint, and excuse my English.

roberto
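Both the "know if packets are marked" question and step (c) above come down to the same check: does the packet counter of the MARK rule in the mangle PREROUTING chain move while a client fetches a web page? The script below is an added example, not code from the list posts; the `iptables -t mangle -vnxL PREROUTING` output it parses is constructed, and the mark value (0x2) and chain are the ones from the posts.

```shell
#!/bin/sh
# Added example: read the pkts counter of the "MARK set 0x2" rule in the mangle
# PREROUTING chain from two samples and report how many packets it matched in
# between. A counter that never moves means the rule is not seeing the packets.

# Constructed samples of `iptables -t mangle -vnxL PREROUTING` (not real output).
SAMPLE_BEFORE='Chain PREROUTING (policy ACCEPT 51234 packets, 40123456 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1234     987654 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth1 tcp dpt:80 MARK set 0x2'

SAMPLE_AFTER='Chain PREROUTING (policy ACCEPT 51900 packets, 40500000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1274    1012345 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth1 tcp dpt:80 MARK set 0x2'

# mark_rule_pkts TEXT MARK: print the pkts counter of the first rule whose
# target is MARK and which sets MARK (hex, as iptables prints it, e.g. 0x2).
# Prints nothing when no such rule is listed.
mark_rule_pkts() {
    printf '%s\n' "$1" | awk -v m="$2" '
        $3 == "MARK" && $0 ~ ("MARK (set|xset) " m "$") { print $1; exit }'
}

# mark_delta BEFORE AFTER MARK: packets matched by the rule between the samples.
mark_delta() {
    a=$(mark_rule_pkts "$1" "$3"); b=$(mark_rule_pkts "$2" "$3")
    [ -n "$a" ] && [ -n "$b" ] || { echo "no MARK $3 rule found" >&2; return 2; }
    echo $((b - a))
}

# Live use (needs root; not run here): sample twice a few seconds apart while a
# client behind eth1 loads a web page, then compare.
#   before=$(iptables -t mangle -vnxL PREROUTING); sleep 5
#   after=$(iptables -t mangle -vnxL PREROUTING)
#   mark_delta "$before" "$after" 0x2
```

A moving counter only proves the mark is being set; frames the bridge forwards at layer 2 never go through the IP routing decision, so the fwmark rule of step (d) is not consulted for them. Note also that iptables sees bridged frames at all only while /proc/sys/net/bridge/bridge-nf-call-iptables is 1.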
Re: [LARTC] bridge and ipp2p question
Thanks Marco. Your reply was very useful.

Roberto

2007/1/18, Marco Aurelio <[EMAIL PROTECTED]>:

This is not possible because ipp2p does not match every p2p packet but only some essential signaling packets. By filtering these packets, the p2p client cannot establish connections to transfer data, and that's how it filters it. Sometimes, ipp2p 'discovers' that this is a p2p related connection after the connection has been established, and then drops the signaling packets. And since you are not an AS and you have one different address per connection, you cannot route packets with a different source address than the one the connection has been established with.

I have a different approach on this; it is not a perfect solution, but it works quite well in some environments: I route all the traffic through one NIC (the garbage p2p connection) and then (with iptables or u32) direct the important traffic by port (HTTP, FTP, IRC, MSN, DNS, SMTP, POP, etc) through the other NIC (the non-p2p connection). Then I filter (with ipp2p) the p2p traffic on the non-p2p NIC because some p2p clients try to mask the connections as if they were these services. This works quite well, but you need to know every service your clients use.

I use this on a router; I never tested this with a bridge, but it may work too.

-- Marco

On 1/17/07, Roberto Pereyra <[EMAIL PROTECTED]> wrote:
>
> Hi all !!!
>
> I have a firewall bridge (not router) with two nics that filter p2p with ipp2p.
>
> All works fine but now I need to add a third nic to route all p2p traffic
> through this nic.
>
> Is that possible with a bridge?
>
> Later (with another server connected to this nic) I will do load balancing
> with two adsl lines to route all p2p traffic.
>
> Any hint?
>
> Any howto?
>
> Thanks in advance.
>
> roberto
[LARTC] bridge and ipp2p question
Hi all !!!

I have a firewall bridge (not router) with two nics that filter p2p with ipp2p.

All works fine but now I need to add a third nic to route all p2p traffic through this nic.

Is that possible with a bridge?

Later (with another server connected to this nic) I will do load balancing with two adsl lines to route all p2p traffic.

Any hint? Any howto?

Thanks in advance.

roberto
[LARTC] enable p2p to some host (ipp2p)
Hi

I am using ipp2p to block p2p traffic. How can I enable p2p for one host in my net?

I am using this setup:

iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul --ares -j DROP

This setup:

iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul --ares -d ! mynet -j DROP
iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul --ares -s ! mynet -j DROP

does not work.

roberto
Re: [LARTC] trying to prioritize voip traffick
Hi

Take a look at this link: http://www.krisk.org/astlinux/misc/astshape

roberto

2006/8/12, John covici <[EMAIL PROTECTED]>:

I am using a server with asterisk and I am trying to prioritize voip traffic -- I am a newbie at this traffic shaping, so please bear with me.

I used the script below and what happens is that all traffic in the bulk class stops after a couple of minutes. Also, should I include the ports for rtp in the filter statements with the ports 5061 and 4569?

Note I have a fairly big pipe -- supposed to be able to do the full 100mb out.

Here is the script.

#!/bin/sh
#
# VARIABLES
#
e=eth0          # interface
t1=70Mbit       # size of your WAN - remember you can't max this or you'll
                # experience latency. 75-80% of max is a good place to start.
el=100Mbit      # size of eth0
w=7.5Mbit       # weighting of your WAN (10% of t1)
sizeCitrix=5Mbit
sizeVoIP=55Mbit
sizeBulk=10Mbit
weightCitrix=0.5Mbit
weightVoIP=5.5Mbit
weightBulk=1Mbit
#
# Delete any old rules
#
set -v
set -x
tc qdisc del root dev $e

## each class is able to take more bandwidth as it is available, but must
## surrender it as the higher priorities (2, 3, then 4) need it.
## The lower the priority number, the more priority it gets. Thus when
## there is extra bandwidth available, the lower number classes get it as
## they need it.

# root qdisc / qdisc = queueing discipline
#
tc qdisc add dev $e root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 cell 8 || exit 1
tc class add dev $e parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate $t1 weight $w prio 8 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded || exit 1

# child qdiscs (like child nodes on a tree)
#
tc class add dev $e parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate $sizeCitrix weight $weightCitrix prio 8 allot 1514 cell 8 maxburst 20 avpkt 300 isolated || exit 1
tc qdisc add dev $e parent 1:3 handle 30: sfq perturb 20 || exit 1
tc class add dev $e parent 1:1 classid 1:5 cbq bandwidth 100Mbit rate $sizeVoIP weight $weightVoIP prio 8 allot 1514 cell 8 maxburst 20 avpkt 204 bounded || exit 1
tc class add dev $e parent 1:1 classid 1:9 cbq bandwidth 100Mbit rate $sizeBulk weight $weightBulk prio 8 allot 1514 cell 8 maxburst 20 avpkt 1000 || exit 1
tc qdisc add dev $e parent 1:9 handle 90: sfq perturb 20 || exit 1

#
### Citrix
#
# SSH
# (port match mask: u32 needs a full 16-bit mask, 0xffff, on the port)
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip sport 22 0xffff flowid 1:3 || exit 1
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip dport 22 0xffff flowid 1:3 || exit 1

#
### VoIP
#
# IAX
# this is the old format - IAX2 should be what's really seen going on
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip sport 5061 0xffff flowid 1:5 || exit 1
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip dport 5061 0xffff flowid 1:5 || exit 1
# IAX2
#
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip sport 4569 0xffff flowid 1:5 || exit 1
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip dport 4569 0xffff flowid 1:5 || exit 1

#
# Bulk / Default
#
tc filter add dev $e protocol ip parent 1:0 prio 3 u32 match ip src 0.0.0.0/0 flowid 1:9 || exit 1
tc filter add dev $e protocol ip parent 1:0 prio 3 u32 match ip dst 0.0.0.0/0 flowid 1:9 || exit 1

Any assistance would be appreciated.

--
Your life is like a penny. You're going to lose it. The question is: How do you spend it?

John Covici
[EMAIL PROTECTED]
[LARTC] ESFQ and bridges
Hi

Does ESFQ work with bridges?

Thanks a lot

roberto
Re: [LARTC] ipp2p don't block Ares
2006/2/27, Roberto Pereyra <[EMAIL PROTECTED]>:

Hi Klaus

> AFAIK ipp2p should block the newest version of ares (at least the
> login).

Yes, ipp2p blocks the latest Ares version's login (it looks like it is connecting ...), but without connecting it uploads and downloads files. I have the same bridge setup and some weeks back the blocking worked well. How can I help you?

roberto

2006/2/26, Klaus <[EMAIL PROTECTED]>:

Hi,

Andreas Klauer wrote:
> On Thu, Feb 23, 2006 at 09:26:48AM -0300, Roberto Pereyra wrote:
>> This bridge works fine but since two weeks it can't block Ares traffic. All
>> protocols block fine but Ares does not (upload and download).
>>
>> Is somebody using ipp2p to block the latest Ares version?
>
> Did you already contact the author about this? If the Ares protocol changed,
> you've practically got a new protocol there, which requires its own pattern
> for matching. If you can provide details about the new protocol (by dumping
> Ares packets or something) and help with testing, it should be not that hard
> to fix, provided the new protocol isn't something nasty.

Ares is a proprietary protocol and they change their signatures (even the login signatures) with every new version. AFAIK ipp2p should block the newest version of ares (at least the login). Traffic shaping does not work at the moment, because ares encrypts the data connections with an unknown method and without any good signatures. I will check the newest version of ares this week and update the ares pattern if needed.

My real job keeps me very busy at the moment (and I have been ill for three weeks now), but I will try to bring out a new version of ipp2p with some bug fixes very soon.

Klaus,
maintainer of ipp2p

--
Ing. Roberto Pereyra
ContenidosOnline
BSD, Solaris and Linux servers
Technical support for ISPs
Jabber ID: [EMAIL PROTECTED]
For reliable and professional DNS, use DNS Made Easy! http://www.dnsmadeeasy.com/u/14989
[LARTC] ipp2p don't block Ares
Hi Klaus

> AFAIK ipp2p should block the newest version of ares (at least the
> login).

Yes, ipp2p blocks the latest Ares version's login (it looks like it is connecting ...), but without connecting it uploads and downloads files. I have the same bridge setup and some weeks back the blocking worked well. How can I help you?

roberto

2006/2/26, Klaus <[EMAIL PROTECTED]>:

Hi,

Andreas Klauer wrote:
> On Thu, Feb 23, 2006 at 09:26:48AM -0300, Roberto Pereyra wrote:
>> This bridge works fine but since two weeks it can't block Ares traffic. All
>> protocols block fine but Ares does not (upload and download).
>>
>> Is somebody using ipp2p to block the latest Ares version?
>
> Did you already contact the author about this? If the Ares protocol changed,
> you've practically got a new protocol there, which requires its own pattern
> for matching. If you can provide details about the new protocol (by dumping
> Ares packets or something) and help with testing, it should be not that hard
> to fix, provided the new protocol isn't something nasty.

Ares is a proprietary protocol and they change their signatures (even the login signatures) with every new version. AFAIK ipp2p should block the newest version of ares (at least the login). Traffic shaping does not work at the moment, because ares encrypts the data connections with an unknown method and without any good signatures. I will check the newest version of ares this week and update the ares pattern if needed.

My real job keeps me very busy at the moment (and I have been ill for three weeks now), but I will try to bring out a new version of ipp2p with some bug fixes very soon.

Klaus,
maintainer of ipp2p
Fwd: [LARTC] ipp2p don't block Ares
> If you can provide details about the new protocol (by dumping
> Ares packets or something) and help with testing, it should be not that hard
> to fix, provided the new protocol isn't something nasty.

Hi

How can I dump Ares packets?

Thanks

roberto

-- Forwarded message --
From: Andreas Klauer <[EMAIL PROTECTED]>
Date: 23-feb-2006 11:12
Subject: Re: [LARTC] ipp2p don't block Ares
To: Roberto Pereyra <[EMAIL PROTECTED]>
Cc: lartc@mailman.ds9a.nl

On Thu, Feb 23, 2006 at 09:26:48AM -0300, Roberto Pereyra wrote:
> This bridge works fine but since two weeks it can't block Ares traffic. All
> protocols block fine but Ares does not (upload and download).
>
> Is somebody using ipp2p to block the latest Ares version?

Did you already contact the author about this? If the Ares protocol changed, you've practically got a new protocol there, which requires its own pattern for matching. If you can provide details about the new protocol (by dumping Ares packets or something) and help with testing, it should be not that hard to fix, provided the new protocol isn't something nasty.

In case of a protocol change, other projects (like l7-filter) should suffer from this problem too. Maybe it'd be a good idea to test them and inform the authors as well.

Regards
Andreas Klauer
[LARTC] ipp2p don't block Ares
Hi

I have a bridge running ipp2p blocking Ares traffic and other protocols. This bridge works fine but since two weeks it can't block Ares traffic. All protocols block fine but Ares does not (upload and download).

Is somebody using ipp2p to block the latest Ares version?

My system settings are:

kernel: 2.6.13
iptables: 1.3.3
ipp2p: 0.81 rc1

iptables -L -v output:

Chain FORWARD (policy ACCEPT 53M packets, 22G bytes)
 pkts bytes target prot opt in out source destination
2321K 194M DROP all -- any any anywhere anywhere ipp2p v0.8.1_rc1 --kazaa --gnu --edk --dc --bit --apple --soul --winmx --ares --mute --waste --xdcc

Thanks for any help.

roberto