Re: controlling p2p & bittorrent
On Sat, 31 Jul 2010 12:21:59 -0500
green <firstname.lastname@example.org> wrote:
> Steven Piercy wrote at 2010-07-30 12:27 -0500:
> > so couldn't you use the uid of your fw/shaper process and apply
> > the mangle method to all tcp connections through the fw?
> I don't understand. Would not something like that include all
> connections? I just want p2p/bittorrent...
Not if you run the p2p daemon as a specific user ie 'deluge' etc.
You can also setup a group for all your p2p software to use, which you
can share to access the files, then use something like
iptables -A OUTPUT -m owner --gid-owner p2p ....
Of course it's far more useful to be able to match traffic on a router
between the pc with p2p and the internets, but then its harder to match
which pkts are p2p. If you trust the machine traffic is coming from
then you could use xt_owner on the machine generating the traffic to
accurately mark the p2p pkts then set the TOS bit or something so the
router can easily identify which pkts are p2p.
Alternatively if you have control over the box generating the p2p then
using port based rules would be easier again.
To authenticate network connections across hosts one could use nuFW
I tried http://l7-filter.sourceforge.net/ without my success, there is
also http://www.ipp2p.org/ but i think that is no longer maintained and
I haven't tried it.
That's now in xtables-addons (http://xtables-addons.sourceforge.net/
as module called ipp2p.
In my experience I've found guessing p2p traffic on simply large udp
pkts is more successful than these filters, especially now most p2p
clients support encryption etc.