Comments:
<0> btw, if I jump l7 to a chain, then I need a chain for each priority, i.e. if I would like to mark the packages of l7 with different prios?
<1> yes; I'd call the subchains something like "bittorrent"
<0> hm, that makes things complicated
<0> another question, what about cpu usage if instead of outgoing traffic only all traffic is sent thru a chain?
<1> probably depends on how much more traffic goes through the chain
<0> I now changed the chain to contain all PREROUTING and POSTROUTING without specifying the device. I changed the rules to mark only outgoing traffic and now l7-filter is able to mark outgoing packages, too.
<0> crazy
<0> but of course now all traffic goes thru the chain, so my concern is how does this affect the performance
<0> well, of course not positive, but how much?
<0> I have no idea
<0> if I define a 2nd chain for l7-filter and mark those packages, how can I be sure, they wont pass thru the other chain?
<2> hello
<2> Can I have some help to configure my iptables rules ? I have this rules : http://pastebin.com/658582. But anything is logging. Is it normal ?
<3> hello people
<3> do we have any good guide to QoS with iptables?
<0> atmat, I have one for myself
<0> but it mainly works like: http://gentoo-wiki.com/HOWTO_Packet_Shaping
<3> ah gentoo-wiki.. cool
<3> thnx
<0> welcome
<3> gentoo forums and the wiki should substitute the linux doc project
<3> heh
<0> ;-)
<0> which is the preferred method: the classify or the mark target for QoS?
<3> what is the diff between them?
<4> someone help me , im using port forwarding on iptables.
<4> i seem losing packets...
<4> from ppp to eth1
<4> i dont know what exactly the problem
<4> im using debian ;)
<5> greetings.
<5> i intend to write a firewall which will intercept new connections that are coming into the box, and then give a user the option to allow it or otherwise etc... can anyone give me any pointers on how to go about this ? what type of matches would i need and how do i pass the info to userspace etc... need the port to be blocked initially.. so how would one catch the connection.?
<1> voidy: you would pass the packets to userspace using QUEUE, and match on --state new
<5> cool.. so do i need to actually manipulate the packets in userspace? with libpcap or something?
<1> yes, with libipq
<1> or netlink_queue if you have a 2.6.14+ kernel
<5> i see
<1> libipq is going to be deprecated sometime in the next few months
<5> i'm on 2.6.15 so yes..
<5> won't bother starting on that one then
<5> is it easy just to queue the packets and then either let them all through or delete them?
<1> you queue the first packet of a connection, then let it through if the app says so
<1> then the rest are not even passed to userspace
<5> ah wicked
<5> another thing.. do you know of a python interface to netlink/filter?
<1> no; the main interface is in C, and libipq has a perl interface
<1> there is a compatibility library for libipq, so I think you could still use it
<5> i'm much more experienced in C but i love python more recently hehe
<1> well, there might be a library, I don't use python so I don't know
<5> looks like there's a python ipq lib heh
<6> iptables-restore: match `ipp2p' v1.3.1 (I'm v1.3.5).
<6> is it ok to get that message?
<1> no
<6> i dont think ipp2p is loaded
<1> you need to update the .so to a newer version
<6> i dont think theres a version for 1.3.5 is there?
<1> you could compile one, can't you?
<6> the latest version is 0.8.1-rc1 i think
<6> yeah
<6> thats what that is
<1> you need to compile it against a 1.3.5 source
<6> what v of iptables are you running?
<6> i did
<6> hmm
<6> i downloaded the src
<6> and pointed it at that
<6> lemme remake it
<1> I'm using 1.3.5, but I don't use ipp2p
<6> can you try: iptables -m ipp2p --help and see what it says?
<1> iptables: match pp2p' v1.3.3 (I'm v1.3.5).
<6> yeah
<1> er, add a `i in there
<6> right
<6> hmm
<1> you just need a libipt_ipp2p.so for 1.3.5
<6> right
<6> i see what the problem is
<6> i tried to and it has like 1000 errors
<1> really? I didn't think iptables changed that much from 1.3.3 to 1.3.5
<6> i think i need my kernel source installed
<6> hmm
<6> well that was part of it
<1> I'm using the sources from svn, and ipp2p compiled fine
<1> er, actually, never mind...
<6> sweet
<6> got it
<6> thanks!
<1> yw
<6> sorry about all the confusion
<6> im fairly new to linux
<6> learning tons every day
<1> setting up stuff like this is a good way to learn, too :)
<6> yeah
<6> hmm
<6> so i just ran it with 2 rules
<6> -A FORWARD -s 10.10.0.2 -p tcp -m ipp2p --bit -j LOG
<6> -A FORWARD -s 10.10.0.2 -p udp -m ipp2p --bit -j LOG
<6> it said line 44 error
<6> line 44 is COMMIT
<6> using iptables-restore
<1> insert the rules manually
<6> oh ok
<1> there's an error in the kernel
<1> check dmesg|tail
<6> # iptables -A FORWARD -s 10.10.0.2 -p tcp -m ipp2p --bit -j LOG
<6> iptables: Unknown error 4294967295
<6> ok
<1> yeah, that's what the "Unknown error 4294967295" means
<6> its not adding any errors to /var/log/messages or dmesg
<1> do you have the ipp2p module loaded?
<6> eh?
<6> modprobe it?
<1> yes
<6> oh ok
<1> the module name is ipt_ipp2p
<6> not found
<1> you patched the kernel?
<6> ipt_ipp2p.ko ?
<1> yes
<6> oh i forgot to make install
<6> eh theres no rule for that
<6> where do i put that module?
<1> somewhere in /lib/modules
<1> you can always insmod it
<6> looks like this /lib/modules/2.6.16-1.2080_FC5/kernel/net/ipv4/netfilter/
<1> looks like the right location
<6> still not found
<6> should i just insmod?
<1> try it. worst thing that can happen is a kernel panic
<6> haha
<6> that wouldnt be too cool
<6> it worked!
<6> so did insmod copy it to the right place?
<1> no
<6> will it be ok if i reboot and delete all this from the install dirs?
<6> ok
<1> oh, you need to run depmod
<1> after copying the module over
<6> ok
<6> so i copied it into what looks like the right place in lib
<6> and i copied the .so to the iptables modules
<6> so i just run depmod and all is well?
<1> I think so
<7> hey, is there a safe way to forward ports for instant messenger file transfers?
<6> depmod output this line: /lib/modules/2.6.16-1.2080_FC5/kernel/net/ipv4/netfilter/ipt_ipp2p.ko: /lib/modules/2.6.16-1.2080_FC5/kernel/net/netfilter/x_tables.ko
<6> is there a way i can check that .ko module and make sure its the right version?
<1> no idea what that means, sorry
<6> haha ok
<6> awesome!