New linux-2.6.27.8 kernel ipp2p module: blocking added for some more applications

#1, posted 2009-01-14 19:13
http://blog.chinaunix.net/u3/91403/showart.php?id=1797294

pplive (strengthened)
pipi
沸点 (Feidian)
flashget
sohutv
脱兔 (TuoTu)
etc.
Blocking was strengthened for some applications that could not be blocked before.
kernel: linux-2.6.27.8
iptables: iptables-1.4.2

[ This post was last edited by chenl99 on 2009-1-15 14:14 ]

ipp2p-0.99.15-2.6.27.8.tar.gz

34.83 KB, downloaded 134 times

#2, posted 2009-01-14 22:29
What does this mean? Won't you say a bit more?

#3, posted 2009-01-14 22:36
Which blocks were added?

#4, posted 2009-01-15 08:58
Quoting chenl99's post of 2009-1-14 19:13:
http://blog.chinaunix.net/u3/91403/showart.php?id=1797294

IPP2P, an extension to iptables to identify P2P traffic written by Eicke Friedrich.
This software is under development but it seems to run pretty stable. Use at your own risk!

Installation Instructions:
--------------------------
-modify the Makefile (change "IUSER = -I/usr/src/iptables/include" to wherever iptables.h is located)
-type "make"
-copy libipt_ipp2p.so to the iptables lib dir (/usr/lib/iptables/)
-insmod ipt_ipp2p.o / ipt_ipp2p.ko or copy to your kernel modules dir and do a "depmod -a"
-create your rules

Versions:
---------
Currently IPP2P is tested to be working together with:
-Linux-Kernels 2.6: 2.6.3, 2.6.4, 2.6.6, 2.6.17
-Linux-Kernels 2.4: 2.4.18, 2.4.19, 2.4.20, 2.4.21, 2.4.22, 2.4.23, 2.4.26
-iptables (from netfilter.org) 1.2.7a, 1.2.8, 1.2.9, 1.2.11, 1.3.0, 1.3.1
You can try to run IPP2P with different kernel or iptables versions. Feel free to contact me
with any kind of feedback or problems you may encounter. See section "Contact" at the end of this
document.

Help:
-----
After installing you can get help about IPP2P by typing
iptables -m ipp2p --help
This prints out the current version of IPP2P, a list of all available options and some hints.

Hints:
------
IPP2P identifies P2P patterns in TCP and UDP packets, the default behavior is to search TCP traffic
only. The need to specify "-p tcp" is reversed with IPP2P version 0.7-pre2 and above. You now have
different ways to search UDP and TCP packets:
iptables -A FORWARD -p tcp -m ipp2p --bit -j DROP  /*TCP traffic only*/
iptables -A FORWARD -p udp -m ipp2p --bit -j DROP   /*UDP traffic only*/
iptables -A FORWARD -m ipp2p --bit -j DROP  /*UDP and TCP traffic*/

As you can see the default behavior equals IPP2P before 0.7-pre2, so there is no need to change your ruleset
at the moment. If you want to use UDP filters, use "-p udp" for IPP2P to be able to get UDP packets.
Without the "-p" switch TCP and UDP packets will be searched. The help screen gives an overview of
available TCP and UDP filters. [TCP] means this is a TCP-only filter, [TCP&UDP] means there are filters
for both protocols.
A word about filters marked as DROP-only (Ares and maybe still SoulSeek): these filters cannot identify
certain parts of P2P communication. This means accounting (as done by marking connections) will cover just
a small part of the P2P network communication. But you still can use a DROP-rule to prevent these
P2P networks from working.

How it works:
-------------
IPP2P is mainly intended to be used together with connection marking, as IPP2P only recognizes some but
not all packets (usually at the beginning) of a P2P connection. You can prevent P2P from working by
dropping all packets matched by IPP2P:
iptables -A FORWARD -m ipp2p --edk --kazaa --gnu --bit --apple --dc --soul --winmx --ares -j DROP
For shaping P2P traffic connection tracking and its extension CONNMARK is needed. An example for a
working setup using CONNMARK:
iptables -A PREROUTING -t mangle -p tcp -j CONNMARK --restore-mark
iptables -A PREROUTING -t mangle -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -A PREROUTING -t mangle -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -p tcp -m mark --mark 1 -j CONNMARK --save-mark
As a result every UDP and TCP packet belonging to an identified P2P connection is marked with "1".
tc filter add dev eth0 parent 1:0 protocol ip prio 4 handle 1 fw classid 1:11
tc filter add dev eth1 parent 2:0 protocol ip prio 4 handle 1 fw classid 2:11
Using HTB and these filters would put all packets marked with "1" into a class per device (eth0&eth1 here).
Limiting the bandwidth of this class you could limit the bandwidth given to P2P connections.

DEBUG:
------
Since version 0.7-pre2 there is a debugging option (--debug). This will print a match identifier, both
IP addresses, port numbers and IP payload length in your kernel logfile. Please keep in mind that P2P networks
create much traffic and IPP2P detects many of them. Together with --debug this will result in many entries
in your logfile! Use this option carefully.
The match identifier consists of the value for the filter (see ipt_ipp2p.h) and the last two digits are
the rule identifier. If it is "00" there is only one rule inside this filter.

TODO:
-----
-DOCUMENTATION
-more P2P networks coming soon (OpenNap, S2S, etc.)
-extend & test UDP part
-remove obsolete data-filters
-more testing

Contact:
--------
Any suggestions or hints are more than welcome. Write a message to
ipp2p@ipp2p.org
and please put the word IPP2P into the subject of the mail otherwise it may be
treated as spam.
Find the official IPP2P homepage at:
http://www.ipp2p.org
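An added example, not from the forum post or the IPP2P README: a small shell script that generates the CONNMARK marking sequence from the "How it works" section together with the HTB classes that the "tc filter ... fw classid 1:11" lines presuppose but the README does not show. The interface names, the mark value, the bandwidth figures and the script/function names are assumptions. By default it only prints the iptables and tc commands (DRY_RUN=1), so a ruleset can be reviewed before it is applied to a router; the "-p tcp" restriction of the README's CONNMARK example is dropped so that UDP flows of a marked connection are shaped too.

```shell
#!/bin/sh
# Added example (not the IPP2P project's code). Interface names, rates and the
# mark value below are constructed assumptions for illustration.

DRY_RUN=${DRY_RUN:-1}      # 1 = print commands, 0 = execute them (needs root)
P2P_MARK=${P2P_MARK:-1}    # fwmark used for identified P2P connections
LINK_RATE=10mbit           # assumed uplink capacity
NORMAL_RATE=9mbit          # guaranteed share for non-P2P traffic
P2P_RATE=1mbit             # guaranteed share for P2P traffic
P2P_CEIL=2mbit             # hard cap for P2P traffic

# run: print one command line in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# p2p_drop_rules FILTERS...: the simple "block it" variant from the README
p2p_drop_rules() {
    run iptables -A FORWARD -m ipp2p "$@" -j DROP
}

# p2p_mark_rules MARK FILTERS...
# The four-rule mangle/PREROUTING sequence from the README: restore the
# connection mark, short-circuit flows that are already marked, mark packets
# that IPP2P recognizes, and save the mark back into the conntrack entry so
# that every later packet of the connection inherits it.
p2p_mark_rules() {
    mark=$1; shift
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -A PREROUTING -m ipp2p "$@" -j MARK --set-mark "$mark"
    run iptables -t mangle -A PREROUTING -m mark --mark "$mark" -j CONNMARK --save-mark
}

# p2p_shape DEV MARK
# Creates an HTB root qdisc with a default class (1:10) for normal traffic and
# a capped class (1:11) for P2P, then attaches the fw filter that steers
# packets carrying MARK into the capped class (the README's tc filter line).
p2p_shape() {
    dev=$1; mark=$2
    run tc qdisc add dev "$dev" root handle 1: htb default 10
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$LINK_RATE"
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "$NORMAL_RATE" ceil "$LINK_RATE"
    run tc class add dev "$dev" parent 1:1 classid 1:11 htb rate "$P2P_RATE" ceil "$P2P_CEIL"
    run tc filter add dev "$dev" parent 1:0 protocol ip prio 4 handle "$mark" fw classid 1:11
}

# Usage: sh p2p-shape.sh            (prints the commands)
#        DRY_RUN=0 sh p2p-shape.sh  (applies them, as root)
p2p_mark_rules "$P2P_MARK" --edk --kazaa --gnu --bit --apple --dc --soul --winmx --ares
p2p_shape eth0 "$P2P_MARK"
p2p_shape eth1 "$P2P_MARK"
```

The ACCEPT rule on already-marked packets is what keeps the cost down: IPP2P pattern matching runs only on packets of connections that have not been classified yet, and everything else is handled by the conntrack lookup. Mark values other than 1 can be used to keep several traffic classes apart, as long as the "handle N fw" in the tc filter uses the same number.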