Hello,

I am trying to block, or at least drastically reduce, the amount of
wasted bandwidth—due to p2p—on a building-wide network. My first
attempt was to block it outright. I am running Debian Etch on my
router/proxy/dhcp/dns server. I loaded the ipp2p kernel module and the
iptables module. Then I put the following rules in my rules file:


SECTION ESTABLISHED
REJECT loc net ipp2p:all ipp2p
REJECT net loc ipp2p:all ipp2p


This did seem to stop bittorrent but not ares. So first question: is
this the correct rule? Has someone successfully done this before?


My second attempt was to at least make the use of p2p frustratingly
slow. I seemed to have better results. Below are my tcrules, tcclasses,
and tcdevices files.


tcrules

#MARK    SOURCE     DEST       PROTO  PORT(S)       CLIENT  USER  TEST  LENGTH  TOS
#                                                   PORT(S)
5        0.0.0.0/0  0.0.0.0/0  icmp   echo-request
5        0.0.0.0/0  0.0.0.0/0  icmp   echo-reply
RESTORE  0.0.0.0/0  0.0.0.0/0  all    -             -       -     0
CONTINUE 0.0.0.0/0  0.0.0.0/0  all    -             -       -     !0
7        0.0.0.0/0  0.0.0.0/0  ipp2p:all
SAVE     0.0.0.0/0  0.0.0.0/0  all    -             -       -     !0

tcclasses

#INTERFACE  MARK  RATE    CEIL   PRIORITY  OPTIONS
eth0        5     full/3  full   1         tcp-ack,tos-minimize-delay
eth0        6     full/3  full   2         default
eth0        7     1kbit   1kbit  3
eth1        5     full/3  full   1         tcp-ack,tos-minimize-delay
eth1        6     full/3  full   2         default
eth1        7     1kbit   1kbit  3

tcdevices

#INTERFACE  IN-BANDWIDTH  OUT-BANDWIDTH
eth0        1536kbit      512kbit
eth1        1536kbit      512kbit


I left the p2p reject rule in my rules file (I thought it couldn't
hurt). The results were that bittorrent was completely stopped, and ares
was slow and would bounce up to 5k once in a while and then slowly (over
the course of 30 sec or so) reduce to 0k and report “connecting.” Does
anyone have any suggestions? Please tell me if any additional
information would help. Also, since I have squid running, I have blocked
port 80 and forwarded www traffic to port 3128 with the following rules
in the rules file:


# Squid: block port 80, accept on port 3128
REDIRECT  loc  3128  tcp  www
ACCEPT    loc  $FW   tcp  3128
ACCEPT    $FW  net   tcp  80,443



Thanks,

Banio
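The tcrules file in the post relies on the mark-handling actions RESTORE, CONTINUE and SAVE together with the TEST column, and it helps to see why they are ordered that way. The following Python script is an added illustration, not code from the original post or from Shorewall: it simulates the packet-mark and connection-mark bookkeeping those actions perform (using the CONNMARK restore/save semantics with Shorewall's default 0xFF mask) over a constructed sequence of packets. The ipp2p payload match is modelled as a boolean flag on each packet, since the real classification needs the kernel module; the class numbers returned by class_for_mark follow the tcclasses file above.

```python
"""Simulation of the RESTORE / CONTINUE / SAVE flow in the tcrules file.

Constructed example for illustration only: it models how a connection is
classified once (mark 7 for p2p) and how every later packet of that
connection inherits the saved connection mark without being re-inspected.
"""

# Each rule is (action, match, test):
#   action: an int sets the packet mark; "RESTORE"/"CONTINUE"/"SAVE" as in tcrules
#   match:  predicate on the packet dict, or None for "all"
#   test:   None (no TEST column), "0" (packet mark == 0) or "!0" (packet mark != 0)
TCRULES = [
    (5, lambda p: p["proto"] == "icmp" and p["type"] in ("echo-request", "echo-reply"), None),
    ("RESTORE", None, "0"),
    ("CONTINUE", None, "!0"),
    (7, lambda p: p.get("ipp2p", False), None),  # stands in for the ipp2p:all match
    ("SAVE", None, "!0"),
]

MARK_MASK = 0xFF  # Shorewall's default mask for RESTORE/SAVE

# tcclasses: marks 5 and 7 have their own class, everything else is the default class 6
CLASS_FOR_MARK = {5: 5, 7: 7}
DEFAULT_CLASS = 6


def class_for_mark(mark):
    """Map a packet mark to the tcclasses class that will carry it."""
    return CLASS_FOR_MARK.get(mark, DEFAULT_CLASS)


def _test_passes(test, mark):
    if test is None:
        return True
    if test == "0":
        return mark == 0
    if test == "!0":
        return mark != 0
    raise ValueError(f"unknown TEST value {test!r}")


def classify_packet(packet, connmarks):
    """Run one packet through TCRULES and return its final packet mark.

    connmarks maps a connection key to its saved connection mark; it is
    updated in place by SAVE, standing in for the conntrack mark."""
    mark = 0
    conn = packet["conn"]
    for action, match, test in TCRULES:
        if not _test_passes(test, mark):
            continue
        if match is not None and not match(packet):
            continue
        if action == "RESTORE":
            # CONNMARK --restore-mark: mark = (mark & ~mask) | (connmark & mask)
            mark = (mark & ~MARK_MASK) | (connmarks.get(conn, 0) & MARK_MASK)
        elif action == "CONTINUE":
            break  # leave the chain, keeping the current mark
        elif action == "SAVE":
            # CONNMARK --save-mark: connmark = (connmark & ~mask) | (mark & mask)
            connmarks[conn] = (connmarks.get(conn, 0) & ~MARK_MASK) | (mark & MARK_MASK)
        else:
            mark = action
    return mark


def classify_stream(packets):
    """Classify a packet sequence that shares one conntrack table."""
    connmarks = {}
    return [classify_packet(p, connmarks) for p in packets]


# Constructed traffic: a ping, a plain web fetch, and a p2p connection whose
# protocol signature only becomes visible on its second packet.
SAMPLE_PACKETS = [
    {"conn": "ping-1", "proto": "icmp", "type": "echo-request"},
    {"conn": "web-1", "proto": "tcp", "ipp2p": False},
    {"conn": "web-1", "proto": "tcp", "ipp2p": False},
    {"conn": "p2p-1", "proto": "tcp", "ipp2p": False},  # handshake, no signature yet
    {"conn": "p2p-1", "proto": "tcp", "ipp2p": True},   # payload matched by ipp2p
    {"conn": "p2p-1", "proto": "tcp", "ipp2p": False},  # later packet, no signature
]

if __name__ == "__main__":
    for pkt, mark in zip(SAMPLE_PACKETS, classify_stream(SAMPLE_PACKETS)):
        print(f"{pkt['conn']:8s} -> mark {mark}, class {class_for_mark(mark)}")
```

Running it shows the ping taking mark 5 and leaving the chain at CONTINUE before RESTORE can touch it (RESTORE only fires when the packet mark is still 0), the web connection staying at mark 0 and therefore in the default class 6, and the p2p connection moving to mark 7 as soon as one packet matches and staying there for every later packet because RESTORE copies the saved connection mark back and CONTINUE then ends processing. That is also why the ipp2p match on a connection's very first packets does nothing: those packets are classified before the signature is present, so only the connection mark saved afterwards throttles the rest of the flow.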



Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users