=== Description of the ipp2p module ===
== Help: ==
iptables -m ipp2p --help
Example:
iptables -A FORWARD -p tcp -m ipp2p --bit -j DROP # TCP traffic only
iptables -A FORWARD -p udp -m ipp2p --bit -j DROP # UDP traffic only
iptables -A FORWARD -m ipp2p --bit -j DROP # UDP and TCP traffic
== Available options: ==
iptables -A FORWARD -m ipp2p --edk --kazaa --gnu --bit --apple --dc --soul --winmx --ares -j DROP
**//ipp2p v0.10 match options://**
--edk [tcp,udp] All known eDonkey/eMule/Overnet packets
--dc [tcp] All known Direct Connect packets
--kazaa [tcp,udp] All known KaZaA packets
--gnu [tcp,udp] All known Gnutella packets
--bit [tcp,udp] All known BitTorrent packets
--apple [tcp] All known AppleJuice packets
--winmx [tcp] All known WinMX packets
--soul [tcp] All known SoulSeek packets
--ares [tcp] All known Ares packets
**//EXPERIMENTAL protocols://**
--mute [tcp] All known Mute packets
--waste [tcp] All known Waste packets
--xdcc [tcp] All known XDCC packets (only xdcc login)
== Marking connections: ==
To mark P2P traffic, the CONNMARK module is required. \\
Example of marking and using the mark:
iptables -A PREROUTING -t mangle -p tcp -j CONNMARK --restore-mark # ctmark -> nfmark
iptables -A PREROUTING -t mangle -p tcp -m mark ! --mark 0 -j ACCEPT # a mark already exists, nothing to do
iptables -A PREROUTING -t mangle -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1 # set nfmark to 1
iptables -A PREROUTING -t mangle -m layer7 --l7proto bittorrent -j MARK --set-mark 1 # set nfmark to 1
iptables -A PREROUTING -t mangle -p tcp -m mark --mark 1 -j CONNMARK --save-mark # nfmark -> ctmark
As a result, every UDP and TCP packet in the connection will carry the mark "1".
And then, accordingly:
tc filter add dev eth0 parent 1:0 protocol ip prio 4 handle 1 fw classid 1:11
tc filter add dev eth1 parent 2:0 protocol ip prio 4 handle 1 fw classid 2:11
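The sequence above (restore the connection mark, skip already-classified packets, classify with ipp2p, save the mark back, then attach tc fw filters) as an added, self-contained script; it is not part of the ipp2p documentation. It puts the rules in a dedicated mangle chain so that re-running it is idempotent, uses the per-protocol options listed above (the tcp-only protocols get -p tcp), and takes the iptables binary from the IPT variable so the generated rules can be reviewed with IPT=echo before applying. The chain name P2P_MARK, the mark value and the interface/class numbers are assumptions, not values from the documentation.

```shell
#!/bin/sh
# Added example: mark P2P connections once with CONNMARK and classify them with tc.
# IPT="echo" dry-runs and prints the rules; "iptables" applies them (run as root).
IPT="${IPT:-iptables}"
TC="${TC:-tc}"
CHAIN="${CHAIN:-P2P_MARK}"   # assumed chain name, not from the documentation
MARK="${MARK:-1}"            # nfmark/ctmark value; 1 as in the documentation example

p2p_mark_rules() {
    # Create the chain, or flush it if it already exists, so re-running is safe.
    $IPT -t mangle -N "$CHAIN" 2>/dev/null || $IPT -t mangle -F "$CHAIN"
    # 1. ctmark -> nfmark: reuse the verdict already stored on the connection.
    $IPT -t mangle -A "$CHAIN" -j CONNMARK --restore-mark
    # 2. Already classified: leave the chain, ipp2p does not need to run again.
    $IPT -t mangle -A "$CHAIN" -m mark ! --mark 0 -j RETURN
    # 3. Classify with ipp2p. These protocols are matched on tcp and udp.
    for proto in edk kazaa gnu bit; do
        $IPT -t mangle -A "$CHAIN" -m ipp2p --"$proto" -j MARK --set-mark "$MARK"
    done
    # These protocols are tcp-only according to the option list, so restrict to tcp.
    for proto in dc apple winmx soul ares; do
        $IPT -t mangle -A "$CHAIN" -p tcp -m ipp2p --"$proto" -j MARK --set-mark "$MARK"
    done
    # 4. nfmark -> ctmark: remember the verdict for the rest of the connection.
    $IPT -t mangle -A "$CHAIN" -m mark --mark "$MARK" -j CONNMARK --save-mark
}

p2p_hook_prerouting() {
    # Delete any previous jump first, then add it once (works on old iptables without -C).
    $IPT -t mangle -D PREROUTING -j "$CHAIN" 2>/dev/null
    $IPT -t mangle -A PREROUTING -j "$CHAIN"
}

# Attach an fw filter: packets carrying $MARK on $dev go to $classid under $parent.
# Usage: p2p_tc_filter eth0 1:0 1:11   (parent/classid numbers are assumed)
p2p_tc_filter() {
    dev="$1"; parent="$2"; classid="$3"
    $TC filter add dev "$dev" parent "$parent" protocol ip prio 4 handle "$MARK" fw classid "$classid"
}

# Apply only when explicitly asked, so sourcing the file stays side-effect free.
case "${1:-}" in
    apply)
        p2p_mark_rules
        p2p_hook_prerouting
        p2p_tc_filter eth0 1:0 1:11
        p2p_tc_filter eth1 2:0 2:11
        ;;
esac
```

The order inside the chain is the whole point: --restore-mark must come before the ipp2p matches, and --save-mark after them, otherwise the mark is recomputed on every packet and later packets of a connection that ipp2p cannot recognise on their own (only the handshake carries the signature) are left unmarked.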
----
Translation of an excerpt from the ipp2p module documentation.