How to Use Netfilter/IPtables to control P2P Traffic

Source: Internet
Author: User

One report said that although a broadband company's existing technology can accommodate 400 to 6 million users, it currently serves 0.45 million users and the network is already crowded: disconnections occur often, and as soon as Internet usage reaches its peak, network speed drops sharply.

Why is the network so crowded? Since the emergence of P2P software such as eDonkey, Kazaa and BT, large file exchanges and video downloads have gradually come to occupy most of the available bandwidth. These P2P applications bring unprecedented convenience and rich resources to users, but they also raise bandwidth and security problems for the network.

How can we impose some necessary restrictions on the powerful features of P2P? This article describes how to use netfilter/iptables on Linux to limit P2P application traffic.

Upgrade the kernel

Because the publicly released Linux kernel and iptables do not include any P2P matching options, you must patch and upgrade both the Linux kernel and iptables to enable P2P matching.

Before proceeding, you must first understand the software required to upgrade the kernel patch: kernel.

The test environment is Red Hat 9.0 with kernel 2.4.20-8. Because 2.4.* is a stable kernel series, newly developed functions cannot be submitted directly to the main kernel; instead, they are first tested in patch-o-matic and then patched into the kernel. You can find the latest patch-o-matic package, patch-o-matic-20040609.tar.bz2, in CVS.

The iptables extension package ipp2p-0.5c.tar.gz from the netfilter/iptables organization is a P2P-aware iptables extension developed by Eicke Friedrich. The two extension packages (iptables-p2p and ipp2p) have their own characteristics and are introduced later.

Load Module

First, extract the software package under /usr/src:

    #bzip2 -d patch-o-matic-20040609.tar.bz2

bzip2 -d removes the .bz2 suffix and leaves patch-o-matic-20040609.tar; unpack it:

    #tar xvf patch-o-matic-20040609.tar


This creates the patch directory patch-o-matic-20040609. The default kernel directory in Red Hat 9.0 is /usr/src/linux-2.4. Go to the patch directory /usr/src/patch-o-matic-20040609. Because the P2P control options depend on the CONNMARK module, which lives in the extra subdirectory, run the following command to apply the kernel patches:

    #KERNEL_DIR=/usr/src/linux-2.4 ./runme extra


After running this command, a module selection interface is displayed. The interface has two areas: one shows the module name, its function, usage, and a syntax example; the other offers options such as N/y/B/r... /q /?. The uppercase letter is the default option: N means the next module, y confirms (applies) the module, B returns to the previous module, and q exits.

First, decide whether the current module is required. If not, press "N" and Enter to show information about the next module. When a required module appears, press "Y" to confirm it, and copy its syntax example for later reference. After selecting all required modules, press "Q" to exit.

Compile the kernel

Go to the directory /usr/src/linux-2.4 where the kernel source is located and start compiling the kernel:

    #make mrproper
    #make xconfig    (or #make menuconfig)

Note: In the configuration you must select Networking options → IP: Netfilter Configuration → Connection mark tracking support and CONNMARK target support. Then check the dependencies and build the kernel image:

    #make dep
    #make bzImage

Compile the selected modules:

    #make modules

Install the compiled modules into the standard system location:

    #make modules_install

Let the system automatically update the boot configuration file grub.conf:

    #make install

Restart the system and select Red Hat Linux (2.4.20-8custom) to boot the newly compiled kernel.

Upgrade iptables

Install iptables-1.2.8

First, decompress and unpack iptables-1.2.8.tar.bz2:

    #bzip2 -d iptables-1.2.8.tar.bz2
    #tar xvf iptables-1.2.8.tar

Compile and install iptables-1.2.8:

    #make KERNEL_DIR=/usr/src/linux-2.4
    #make install KERNEL_DIR=/usr/src/linux-2.4
    #make install-devel

Copy the executables to the corresponding directory:

    #cp iptables iptables-save iptables-restore /sbin

Install iptables-p2p Software

First, unpack iptables-p2p-0.3.0a.tar.gz:

    #tar zxvf iptables-p2p-0.3.0a.tar.gz
    #cd iptables-p2p-0.3.0a

Copy the iptables-1.2.8 header files to the appropriate directory:

    #cp -a /usr/src/iptables-1.2.8/include/* /usr/include

Run make to compile iptables-p2p and copy the kernel module and the iptables library to their directories:

    #make
    #cp kernel/ipt_p2p.o /lib/modules/2.4.20-8custom/kernel/net/ipv4/netfilter/
    #cp iptables/libipt_p2p.so /lib/iptables/


Install ipp2p Software

First, modify the kernel directory, iptables source directory, and netfilter version number in the Makefile. The original values are:

    IKERNEL = -I/usr/src/linux/include
    IUSER = -I/usr/src/iptables-1.2.7a/include
    NETFILTER_VERSION = \"1.2.7a\"

Change them to:

    IKERNEL = -I/usr/src/linux-2.4/include
    IUSER = -I/usr/src/iptables-1.2.8/include
    NETFILTER_VERSION = \"1.2.8\"

Compile the software and copy the library file to the corresponding directory:

    #make
    #cp libipt_ipp2p.so /lib/iptables

Load the kernel module:

    #insmod ipt_ipp2p

Applying P2P detection and restrictions

The Application of iptables-p2p

1. iptables-p2p currently supports the following protocols:

◆ FastTrack (KaZaa, Grokster ......)
◆ eDonkey (eDonkey, eMule ......)
◆ Direct Connect
◆ Gnutella (regular clients and Shareaza's Gnutella 2)
◆ BitTorrent
◆ OpenFT (giFT)

The CONNMARK module must be installed, because iptables-p2p limits traffic by marking packets through the CONNMARK module.

2. Get help with the --help parameter:

    #iptables -m p2p --help
    ......
    P2P match v0.3.0a options:
    --p2p-protocol [!] protocol[,...]    match application-layer protocol
    Valid p2p protocols: fasttrack gnutella edonkey dc bittorrent openft

The iptables-p2p module uses the -m p2p match to identify all known P2P connection requests. Note that -m p2p recognizes only P2P connection requests, not every P2P packet. The --p2p-protocol sub-option selects which of the known P2P protocol types to match.

3. Application examples

    #iptables -A FORWARD -m p2p -j DROP

Blocks all P2P connection requests passing through the firewall.

    #iptables -A FORWARD -m p2p --p2p-protocol fasttrack,bittorrent -j DROP

Blocks only FastTrack and BitTorrent connection requests.

In actual use, it must be combined with the CONNMARK target and then filtered by tc to truly limit all P2P packets. For more information, see the example script example/limit-p2p.sh.

Application of ipp2p

1. ipp2p currently supports the following Linux kernel and iptables versions:

◆ Linux kernels 2.6: 2.6.3
◆ Linux kernels 2.4: 2.4.18, 2.4.19, 2.4.20, 2.4.21, 2.4.22, and 2.4.23
◆ iptables (www.netfilter.org) 1.2.7a, 1.2.8, and 1.2.9

2. Get ipp2p help

    #iptables -m ipp2p --help
    ......
    IPP2P v0.5c options:
    --ipp2p        Grab all known p2p packets
    --ipp2p-data   Grab all known p2p data packets
    --edk          Grab all known eDonkey/eMule/Overnet packets
    --edk-data     Grab all eDonkey/eMule/Overnet data packets
    --dc           Grab all known Direct Connect packets
    --dc-data      Grab all Direct Connect data packets
    --kazaa        Grab all KaZaA packets
    --kazaa-data   Grab all KaZaA data packets
    --gnu          Grab all Gnutella packets
    --gnu-data     Grab all Gnutella data packets
    --bit          Grab all BitTorrent packets (beta - handle with care)
    --apple        Grab all AppleJuice packets (beta - handle with care)
    --soul         Grab all SoulSeek packets (beta - handle with care)
    ......


3. Application example

ipp2p can only identify P2P connection requests, not every P2P packet, so it must be used together with the CONNMARK target so that the mark set on the first recognized packet is carried by the whole connection. Currently only TCP identification is supported. Consider the following example.

    #iptables -A PREROUTING -t mangle -p tcp -j CONNMARK --restore-mark

The rule above copies the mark previously saved on the connection (if any) back onto the packet.

    #iptables -A PREROUTING -t mangle -p tcp -m mark ! --mark 0 -j ACCEPT

The rule above accepts every packet that already carries a non-zero mark, so packets of already-classified connections skip the remaining ipp2p checks.

    #iptables -A PREROUTING -t mangle -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1

The rule above sets mark "1" on packets that ipp2p identifies as P2P.

    #iptables -A PREROUTING -t mangle -p tcp -m mark --mark 1 -j CONNMARK --save-mark

The rule above saves the mark "1" from the packet to its connection in the CONNMARK target. The overall result is that every packet of a connection identified as P2P carries mark "1", and tc then filters on that mark:

    #tc filter add dev eth0 parent 1:0 protocol ip prio 4 handle 1 fw classid 1:11
    #tc filter add dev eth1 parent 2:0 protocol ip prio 4 handle 1 fw classid 2:11

Using HTB and these fw filters, all packets marked "1" are placed into a dedicated class on each device, and the bandwidth of P2P connections is limited by rate-limiting those classes. For more information, see http://rnvs.informatik.uni-leipzig.de/ipp2p/.
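The complete mark-and-shape setup described above, as an added example that is not part of the original article or of the ipp2p project: the four mangle rules plus the HTB classes the two tc filters need. Device names, the 10mbit link rate and the 256kbit P2P ceiling are assumptions; run it as root with DRY_RUN=0 to apply, otherwise it only prints the commands.

```shell
#!/bin/sh
# Added example (not from the original article). Generates the ipp2p/CONNMARK
# marking rules and, per device, an HTB tree whose class N:11 receives
# packets carrying mark 1 and is capped at P2P_RATE.
WAN=eth0              # assumed device names, as in the article's tc filters
LAN=eth1
P2P_MARK=1
LINK_RATE=10mbit      # assumed link speed of each device
OTHER_RATE=8mbit      # assumed guaranteed rate for non-P2P traffic
P2P_RATE=256kbit      # assumed bandwidth ceiling for marked P2P traffic

# Mangle rules in the article's order: restore the connection mark, skip
# already-classified connections, mark new ipp2p hits, save the mark.
p2p_mangle_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark $P2P_MARK
iptables -t mangle -A PREROUTING -p tcp -m mark --mark $P2P_MARK -j CONNMARK --save-mark
EOF
}

# HTB tree for one device: root handle N:0, parent class N:1 at link rate,
# default leaf N:10 for everything else, leaf N:11 for P2P capped at P2P_RATE,
# and the fw filter that steers mark 1 into N:11.
# $1 = device, $2 = qdisc handle number (1 for eth0, 2 for eth1 as in the article)
p2p_tc_rules() {
    dev=$1; h=$2
    cat <<EOF
tc qdisc add dev $dev root handle $h:0 htb default 10
tc class add dev $dev parent $h:0 classid $h:1 htb rate $LINK_RATE
tc class add dev $dev parent $h:1 classid $h:10 htb rate $OTHER_RATE ceil $LINK_RATE
tc class add dev $dev parent $h:1 classid $h:11 htb rate $P2P_RATE ceil $P2P_RATE
tc filter add dev $dev parent $h:0 protocol ip prio 4 handle $P2P_MARK fw classid $h:11
EOF
}

# Everything together: mangle rules, then one HTB tree per device.
p2p_all_rules() {
    p2p_mangle_rules
    p2p_tc_rules "$WAN" 1
    p2p_tc_rules "$LAN" 2
}

# DRY_RUN defaults to 1 (print only); DRY_RUN=0 pipes the commands into sh.
if [ "${DRY_RUN:-1}" = 1 ]; then p2p_all_rules; else p2p_all_rules | sh; fi
```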

Application Results

The author applied the iptables-p2p and ipp2p configuration on the firewall and tested it with Greedy BT and ABC, as well as the FastTrack protocol; P2P communication was effectively restricted (Figure 1).
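One way to confirm on the firewall that the limit is taking effect, as an added example that is not part of the original article: read the per-class counters that tc reports for the P2P class. The class id 1:11 on eth0 follows the tc filter above; the sample counter output below is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original article): extract the "Sent" byte
# count and the drop count of one HTB class from `tc -s class show` output.
# $1 = classid (e.g. 1:11); stdin = output of `tc -s class show dev eth0`
p2p_class_counters() {
    awk -v want="$1" '
        # each class block starts with "class htb <classid> parent ..."
        $1 == "class" && $2 == "htb" { cur = $3 }
        # the stats line of that block: Sent <bytes> bytes <n> pkt (dropped <d>, ...
        cur == want && $1 == "Sent" {
            dropped = $7; sub(/,$/, "", dropped)
            print $2, dropped; exit
        }'
}

# Constructed sample in the format printed by `tc -s class show dev eth0`
# for the HTB tree built around classes 1:10 (default) and 1:11 (P2P).
SAMPLE_TC_STATS='class htb 1:10 parent 1:1 prio 0 rate 8Mbit ceil 10Mbit burst 1600b cburst 1600b
 Sent 5242880 bytes 4096 pkt (dropped 0, overlimits 12 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:11 parent 1:1 prio 0 rate 256Kbit ceil 256Kbit burst 1599b cburst 1599b
 Sent 1048576 bytes 900 pkt (dropped 137, overlimits 2201 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0'

# Counters of the P2P class from the sample. On a live firewall use:
#   tc -s class show dev eth0 | p2p_class_counters 1:11
p2p_sample_check() {
    printf '%s\n' "$SAMPLE_TC_STATS" | p2p_class_counters 1:11
}

# A growing "sent" value shows marked packets reach the P2P class; a non-zero
# "dropped" value alongside overlimits shows the rate cap is being enforced.
p2p_sample_check
```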
