Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision | Next revision Both sides next revision | ||
|
linux:iptables:l7patch [2007/04/01 12:15] a |
linux:iptables:l7patch [2007/06/09 17:31] a |
||
|---|---|---|---|
| Line 17: | Line 17: | ||
| .. more to come | .. more to come | ||
| + | |||
| Line 33: | Line 34: | ||
| Thanks to //Abel Martín// at debian-firewall mailinglist. | Thanks to //Abel Martín// at debian-firewall mailinglist. | ||
| + | |||
| + | ==== ipp2p best practices ==== | ||
| + | |||
| + | I suggest the following tcp and udp for connection tracking (see docu section) | ||
| + | |||
| + | 01# iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark | ||
| + | 02# iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT | ||
| + | 03# iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1 | ||
| + | 04# iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark | ||
| + | 05# iptables -t mangle -A PREROUTING -p udp -m ipp2p --ipp2p -j MARK --set-mark 1 | ||
| + | |||
| + | detect **TCP FIRST, SAVE MARK** , and detect udp after you saved the mark !! | ||
| + | You will have now every p2p packet marked, but a dramtic reduce of udp | ||
| + | mismatches. | ||
| ===== Yet another way to do it .. ===== | ===== Yet another way to do it .. ===== | ||
