Wednesday, January 5, 2011

How to use Netfilter/iptables to control P2P traffic

In April of this year I saw a report saying that although one broadband company's existing infrastructure could in principle accommodate 400 to 600 million users, with only 45 million users on it today the network is already congested: connections drop frequently, and when people get online the speed falls dramatically.

Why is the network so congested? Because P2P software such as eMule, Kazaa and BitTorrent moves huge volumes of data (bulk file exchange, video downloads and so on) and takes the majority of the available bandwidth. P2P brings users unprecedented convenience and a wealth of resources, but it also causes bandwidth and security problems. How can such a powerful technology be kept within the necessary limits? This article describes how to use Linux netfilter/iptables to restrict P2P traffic.

Upgrading the kernel

The publicly released Linux kernel, and the iptables that goes with it, have no match for the P2P property of a packet, so the kernel and iptables must be patched and rebuilt before P2P matching can be configured. The following packages are needed: linux-2.4.20-8.tar.gz, patch-o-matic-20040609.tar.bz2, iptables-1.2.8.tar.bz2, iptables-p2p-0.3.0a.tar.gz and ipp2p-0.5c.tar.gz. The test environment used here is the 2.4.20-8 kernel of Red Hat 9.0. Because 2.4.x is a stable kernel series, features still under development are not merged into the main kernel directly; they are tested in patch-o-matic first and then applied to the kernel as patches. The latest patch-o-matic package, patch-o-matic-20040609.tar.bz2, can be found in CVS. Besides kernel support, iptables support is needed as well: iptables-p2p-0.3.0a.tar.gz is a P2P match extension for netfilter/iptables, and ipp2p-0.5c.tar.gz is a P2P extension for iptables developed by Eicke Friedrich. The two extensions each have their own characteristics and are described later.

Installing the patch modules

First unpack the package under /usr/src:

# bzip2 -d patch-o-matic-20040609.tar.bz2

This produces patch-o-matic-20040609.tar; then

# tar xvf patch-o-matic-20040609.tar

creates the patch directory patch-o-matic-20040609.
On Red Hat 9.0 the default kernel source directory is /usr/src/linux-2.4. Enter the patch directory /usr/src/patch-o-matic-20040609. P2P control needs the CONNMARK module, which lives in the extra subdirectory, so run the following command to patch the kernel:

# KERNEL_DIR=/usr/src/linux-2.4 ./runme extra

After this command a module selection interface appears. It has two areas: one shows the current module's name, function, usage and syntax examples; the other lists the available options, such as N/y/b/r.../q/?. The capital letter is the default: n moves to the next module, y accepts the current one, b goes back to the previous module, and q quits. For each module decide whether it is needed; if not, press N (or just Enter) to move on to the next one. When you reach a module you need, press y to accept it, and copy down the syntax example shown for later use. Once all required modules have been selected, press q to exit.

Compiling the kernel

Go to the kernel directory /usr/src/linux-2.4 and compile the kernel (note that make mrproper also deletes any existing .config, so save it first if you want to reuse it):

# make mrproper
# make xconfig   (or: # make menuconfig)

In the configuration you must enable the two options Networking options → IP: Netfilter Configuration → Connection mark tracking support and CONNMARK target support. Then resolve the dependencies:

# make dep

Compile the kernel image:
# make bzImage

Compile the selected modules:

# make modules

Install the compiled modules in the standard system location:

# make modules_install

Let the system update the boot configuration file grub.conf automatically:

# make install

Reboot and select the Red Hat Linux (2.4.20-8custom) entry to start the newly compiled kernel.

Upgrading iptables

Installing iptables-1.2.8. First extract iptables-1.2.8.tar.bz2:

# bzip2 -d iptables-1.2.8.tar.bz2
# tar xvf iptables-1.2.8.tar

Compile iptables-1.2.8:

# make KERNEL_DIR=/usr/src/linux-2.4
# make install KERNEL_DIR=/usr/src/linux-2.4
# make install-devel

Copy the executables to the appropriate directory:

# cp iptables iptables-save iptables-restore /sbin

Installing iptables-p2p. First unpack iptables-p2p-0.3.0a.tar.gz:

# tar zxvf iptables-p2p-0.3.0a.tar.gz
# cd iptables-p2p-0.3.0a

Copy the iptables header files to the appropriate directory:

# cp -a /usr/src/iptables-1.2.8/include/* /usr/include

Run make to compile iptables-p2p and copy the resulting files into place (run depmod -a afterwards so that modprobe can find the new kernel module):

# make
# cp kernel/ipt_p2p.o /lib/modules/2.4.20-8custom/kernel/net/ipv4/netfilter/
# cp iptables/libipt_p2p.so /lib/iptables

Installing ipp2p. First edit the Makefile in the source directory so that the kernel directory, the iptables directory and the netfilter version match this system. Change:

IKERNEL = -I/usr/src/linux/include
IUSER = -I/usr/src/iptables-1.2.7a/include
NETFILTER_VERSION = \"1.2.7a\"

to:

IKERNEL = -I/usr/src/linux-2.4/include
IUSER = -I/usr/src/iptables-1.2.8/include
NETFILTER_VERSION = \"1.2.8\"

Compile the software and copy the library file into place:

# make
# cp libipt_ipp2p.so /lib/iptables

Load the module:

# insmod ipt_ipp2p

Applying and testing P2P throttling

iptables-p2p

1. iptables-p2p currently supports the following applications:

◆ FastTrack (KaZaA, Grokster ...)
◆ eDonkey (eDonkey, eMule ...)
◆ DirectConnect
◆ Gnutella (regular clients and Shareaza's Gnutella2)
◆ BitTorrent
◆ OpenFT (giFT)

The CONNMARK module must be installed: iptables-p2p is meant to be used together with CONNMARK marking.

2. Get help with the --help parameter:

# iptables -m p2p --help
...
P2P match v0.3.0a options:
  --p2p-protocol [!] protocol[,...]
  --p2p ...
                        match application-layer protocol
Valid p2p protocols: fasttrack gnutella edonkey dc bittorrent openft

The iptables-p2p module is invoked with -m p2p and recognises the connection requests of all known P2P protocols. Note that -m p2p only identifies P2P connection set-up; it does not recognise every P2P packet. The --p2p-protocol sub-option restricts the match to particular known P2P protocols.

3. Application examples

# iptables -A FORWARD -m p2p -j DROP

Block all P2P connection requests passing through the network.

# iptables -A FORWARD -m p2p --p2p-protocol fasttrack,bittorrent -j DROP

Block FastTrack and BitTorrent connection requests passing through the network.

In practice the match is combined with the CONNMARK target, and tc then filters on the connection mark so that all packets of the P2P connections, not only the set-up packets, are rate-limited. For more information see the example/limit-p2p.sh script shipped with iptables-p2p.

ipp2p

1. ipp2p supports the following Linux kernel and iptables versions:

◆ Linux 2.6 kernels: 2.6.3
◆ Linux 2.4 kernels: 2.4.18, 2.4.19, 2.4.20, 2.4.21, 2.4.22, 2.4.23
◆ iptables (www.netfilter.org): 1.2.7a, 1.2.8, 1.2.9

2. Get ipp2p help:

# iptables -m ipp2p --help
...
IPP2P v0.5c options:
  --ipp2p        Grab all known p2p packets
  --ipp2p-data   Grab all known p2p data packets
  --edk          Grab all known eDonkey/eMule/Overnet packets
  --edk-data     Grab all eDonkey/eMule/Overnet data packets
  --dc           Grab all known Direct Connect packets
  --dc-data      Grab all Direct Connect data packets
  --kazaa        Grab all KaZaA packets
  --kazaa-data   Grab all KaZaA data packets
  --gnu          Grab all Gnutella packets
  --gnu-data     Grab all Gnutella data packets
  --bit          Grab all BitTorrent packets (beta - handle with care)
  --apple        Grab all
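A worked example of the CONNMARK-plus-tc approach referred to in the iptables-p2p section above. This script was written for this edit; it is not the article's own commands and not the example/limit-p2p.sh script from the iptables-p2p package. The interface name eth1, the mark value 2, the rates and the tc class numbers are assumptions chosen for illustration:

```bash
#!/bin/sh
# Added example (not from the article, not iptables-p2p's example/limit-p2p.sh):
# mark P2P connections once with CONNMARK, copy the mark onto every packet of
# those connections, then shape the marked packets with a tc HTB class.
#
# Assumed, not taken from the page: interface name, rates, mark value and the
# tc handles below. Use RUN=echo (or the "dry-run" action) to print the
# commands instead of applying them.

RUN="${RUN:-}"                      # RUN=echo prints the commands instead of running them
LAN_IF="${LAN_IF:-eth1}"            # assumed interface facing the LAN (tc shapes egress only)
P2P_MARK="${P2P_MARK:-2}"           # assumed fwmark value for identified P2P connections
LINK_RATE="${LINK_RATE:-10mbit}"    # assumed total rate of the link
OTHER_RATE="${OTHER_RATE:-9mbit}"   # assumed guaranteed rate for everything else
P2P_RATE="${P2P_RATE:-1mbit}"       # assumed hard cap for P2P traffic

# Marking. -m p2p only fires on the connection set-up packets, so the result
# has to be stored on the conntrack entry with CONNMARK --set-mark; the
# --restore-mark rule then copies it onto every later packet of that
# connection. With ipp2p the first rule would use "-m ipp2p --ipp2p" instead.
p2p_mark_rules() {
    $RUN iptables -t mangle -A FORWARD -m p2p -j CONNMARK --set-mark "$P2P_MARK"
    $RUN iptables -t mangle -A FORWARD -j CONNMARK --restore-mark
}

# Shaping. HTB root with two leaf classes: 1:10 for everything (the default),
# 1:20 capped at P2P_RATE. Child rates must not exceed the parent's rate.
# The fw filter steers packets carrying P2P_MARK into class 1:20.
p2p_shape_rules() {
    $RUN tc qdisc add dev "$LAN_IF" root handle 1: htb default 10
    $RUN tc class add dev "$LAN_IF" parent 1: classid 1:1 htb rate "$LINK_RATE"
    $RUN tc class add dev "$LAN_IF" parent 1:1 classid 1:10 htb rate "$OTHER_RATE" ceil "$LINK_RATE"
    $RUN tc class add dev "$LAN_IF" parent 1:1 classid 1:20 htb rate "$P2P_RATE" ceil "$P2P_RATE"
    $RUN tc filter add dev "$LAN_IF" parent 1: protocol ip prio 1 handle "$P2P_MARK" fw flowid 1:20
}

# Undo both halves; errors are ignored so it is safe to run repeatedly.
p2p_teardown() {
    $RUN tc qdisc del dev "$LAN_IF" root 2>/dev/null || true
    $RUN iptables -t mangle -D FORWARD -j CONNMARK --restore-mark 2>/dev/null || true
    $RUN iptables -t mangle -D FORWARD -m p2p -j CONNMARK --set-mark "$P2P_MARK" 2>/dev/null || true
}

case "${1:-}" in
    apply)    p2p_mark_rules; p2p_shape_rules ;;
    teardown) p2p_teardown ;;
    dry-run)  RUN=echo; p2p_mark_rules; p2p_shape_rules ;;
    *)        echo "usage: $0 apply|teardown|dry-run" ;;
esac
```

Run it as sh limit-p2p.sh dry-run to see the generated commands, and sh limit-p2p.sh apply as root on the router. tc only shapes traffic leaving an interface, so as written this caps P2P traffic flowing towards the LAN; to cap uploads as well, repeat the tc half on the WAN-facing interface. Because -m p2p only sees connection set-up, the --set-mark rule must precede --restore-mark, and a P2P session that was already established before the rules were loaded will never be marked; flushing conntrack or waiting for clients to reconnect is the only way to catch those.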
