<0> Hello. I have a daughter that's getting addicted to an mmorpg. Is there a way to set up a netfilter rule to only allow packets on a certain port for up to x hours a day?
<1> jblack: yes
<1> there is a time module for that ... can allow/not allow access at specified times =)
<0> Yeah. I know of timestart and timestop.
<0> I don't want to dictate when she can play, just for how long.
<1> hmmmmm'
<1> maybe you will need to work out her average data for xyz time
<1> then use connbytes or quota patch to only allow xyz amount of data to those ports every day
<0> Heh. That would teach her to just avoid busy cities.
<0> the best idea I've had so far is to set up a page for her where she can "turn it on", and that'll insert a timestart/stop rule
<1> well best thing I could recommend then is a custom perl monitor / daemon
<1> watching logs ... then cuts traffic after time lapse has hit
<1> resets every night like @ about 4:00 am
<1> hmmm ... yeah kinda a sticky issue ;-)
<0> I know what I could do.
<0> even/odd from 0600 to 2200
<0> "Honey, good news and bad news. You can play again. But only during odd numbered hours."
<1> lol
<1> what's the maximum amount of time you want for a single session?
<1> how many times a day do you want to allow it?
<0> say.. an hour?
<0> twice a day?
<0> pardon.
<0> a total of 2 hours.
<0> I guess it would be ok if she did 15 here, 15 there... or 2 hours straight.
<0> I'm looking at http://linuxgazette.net/108/odonovan.html
<0> Think I can do the flip version of "recent Connections to Match Against"?
<2> jblack, does mmorpg use one server while playing or multiple?
<2> (hi :)
<0> It hits a variety of servers on two specific ports.
<0> Hi. :)
<2> hmm
<0> I can't just cut her off entirely, because she has the account for cutting the grass.
<2> you don't want to do perl?
<2> one thing would be rather easy
<0> Well, I suppose I could... I'm a little worried though that I'd have the interface eternally in promiscuous mode?
<2> you add a rule
<2> no
<2> no need
<2> iptables -A [lots of stuff here to match the packet] -m limit --limit 1/minute -j LOG --log-prefix MMORPG_ACTIVE
<2> then, while she's playing, it outputs MMORPG_ACTIVE once a minute
<0> Hmmm. Yeah.
<2> then you create a script that tracks the syslog events and counts the number of those
<2> when you hit 120 (for 2 hours), you change the firewall to block those
<2> then, a cron script that resets the counter once a day at some specific time (say 6 am)
<2> (and restores the firewall)
<2> you could even use the "condition" helper as well
<0> Yeah. The same script.
<2> then you could avoid having to change the firewall altogether
<0> Yeah. I think that's a good idea.
<2> you would just fiddle with /proc/net/ipt_condition/foobar
<2> files to turn on and off the rules that block or allow
<0> I'll have a little bit of a mess with logrotate.
<0> hmm.
<2> http://xkr47.outerspace.dyndns.org/tmp/jblack.sh
<2> jblack, there are syslogs out there that can feed you the loglines on stdin without need to tail files
<0> Yeah. I caught part. It's generally a good idea.
<0> Ohh.. huh.
<2> if you would use syslog-ng, you could configure it like this:
<0> Let's see... what is the facility and loglevel?
<0> kern. something.
<0> Can I specify a different facility?
<0> If not, that's fine.
<2> http://xkr47.outerspace.dyndns.org/tmp/jblack-syslog-ng.conf
<2> man iptables, search for LOG
<2> --log-level level
<2> Level of logging (numeric or see syslog.conf(5)).
<2> it seems it doesn't talk about facilities
<0> bye-bye sysklogd
<2> if you want, you can also use the ULOG target, but then you need to run the ulogd daemon also
<2> hehe
<0> great. that dropped right in.
<2> so the way my example config works is that upon startup, syslog-ng starts the script /root/mmorpg-syslog-monitor
<2> then, each time there's a log line that matches MMORPG_ACTIVE, it feeds that line to your script's stdin
<2> if you make any changes to the script, you need to restart syslog-ng
<2> (or then you add a wrapper script that monitors the actual script and restarts the script when it changes ;)
<0> hmm.
<2> an alternative would be to make two scripts; every time a line is coming in, the first script launches a second script
<0> With it out of the way of /var/log, logrotate won't touch it.
<0> I can have the script just open read it and track it.
<2> with what out of the way ?-)
<0> the log
<2> hmm ?
<3> ^(invite|register|cancel) sip[\x09-\x0d -~]*sip/[0-2]\.[0-9] guys i am a newbie.. but what does this stand for
<2> for me, syslog-ng creates /var/log/messages which I suppose sysklogd does too
<0> well, I'm thinking about the script starting up every minute for a couple hours at a time.
<0> I guess 120 runs a day isn't much... and I could always rewrite it in C
<2> santoshr, it's a regular expression that matches some IP telephony stuff
<3> i understand that it's looking for the packet beginning with invite or register or cancel.. but .. sip[\x09-\x0d -~] and in this it's looking for from hex 09 to hex 0d..
<3> but what are these 09 to 0d... ?
<2> jblack, yeah.. sounds reasonable
<3> xkr47: yeah understood that.. this i took out from sip.pat from l7-protocols
<2> santoshr, they can be protocol specific stuff or then the ascii codes for TAB, NEWLINE and CARRIAGE RETURN
<2> oh wait.. it seems to match all "printable" ascii characters
<3> what what xkr47.. please explain.. i mean i am sorry i didn't get it
<2> [\x09-\x0d -~] matches characters "\x09" to "\x0d" and " " to "~"
<2> if you check "man ascii" you'll find that that means ascii codes 9-13 and 32-126
<2> jblack, just ask if you get stuck :)
<0> Yup. just trying to work through the trivial stuff.
<3> " " to "~" would mean what xkr47.. i am sorry to be asking this but i am new to regex
<0> You've given me good info. I should chew before the next spoonful. :)
<2> santoshr, ascii codes 32 to 126
<2> jblack, good luck :)
<0> Right now I'm getting a couple complaints from your rules. I suspect iptables here is choking on --condition
<0> the first condition line is griping that there isn't a chain/target/match
<0> It seems that my connection extension isn't getting automatically loaded
<2> condition is probably not in the vanilla kernel
<0> looks like.. yeah.
<2> if you don't want to patch, you need to make do with changing the firewall instead
<0> I think I'll do that.
<2> but I think it could be pretty ok if you use the separate MMORPG chain for that as I had in my example
<3> so xkr47 sip[\x09-\x0d -~] would match sip[all printable characters] correct
<0> Yeah. I'll stick with that.
<2> santoshr, yeah, counting newlines and tabs as printable as well..
<3> yeah
<3> cool thanks man
<2> yw :)
<0> thanks for all the help xkr. :)
<4> any of u guys here comfortable with -m layer7
<4> i tried making a custom protocol using something like this
<4> ^(c= IN IP4) (192\.168\..*\..*$)|(10\..*\..*\..*$)|(172\.(16-31)\..*\..*$) i was trying to look into the message body of a SIP packet
<4> so when i do this iptables -A INPUT -m layer7 --l7proto sdp -j DROP.. it should drop the packet which has the above mentioned regex in the application layer right..
<1> xkr47: Head Shot ...
<1> santosh1: never used l7-filter much ... but i know it's there ... sorry can't help ... =(
<1> hehehe
<1> are you in AU ?
<2> who me ?
<1> yup ... looks to be most likely not
<1> considering the ipv6 connection
<2> finland aye
<1> oh well ... my LAG is very grand
<2> I'm using sixxs
<1> gaming from here in AU to finland will totally **** on my connection
<1> unless we can find a half way server maybe
<2> my lag sux, I try downloading stuff in the background, even bittorrent, but the qos built into linux just won't let me increase the lag no matter what!! :-O
<2> ;)
<1> lol
<2> how about germany, england ?
<2> we have pretty ok connections to germany
<1> yes default qos certainly can leave a bitter taste
<2> I was not being serious
<2> I have a custom-made qos script with which I can use bittorrent and stuff and lag stays ok
<1> yeah i know ... what you meant
<1> same here ... i'm just using simple htb + iptables mark + pfifo
<2> I switched to hfsc, it seems to work a bit better in some nasty conditions
<1> also plenty of class proto rules to boot =P
<2> used htb before, the idea is the same, just the algorithm behind it slightly different
<2> I have 17 classes :)
<1> yes ... i have tried a fair few ... for what i do ... htb seems to achieve 95% of my goal which is 5% over Target ;-)