交流 › Linux、BSD、Unix › 免升内核在nat上封杀p2p（已试验成功）

hb2k 发表于 2005-10-14 16:08:48

免升内核在nat上封杀p2p（已试验成功）

os:redhat9.0
kernels:2.4.20-8                  uname -a
iptables:系统自带1.2.7a      iptables -V

首先下载对应自己系统版本的iptables源码：www.iptables.org使用wget
然后下载最新的ipp2p补丁：www.ipp2p.org

先看介绍：

kernel
It is always a good idea to use the latest stable kernel because of recent bugfixes and improved stability. During it's development IPP2P was successful used with the following kernel versions:
2.4.18, 2.4.19, 2.4.20, 2.4.21, 2.4.22, 2.4.23, 2.4.26
2.6.3, 2.6.4, 2.6.6
This does NOT mean that IPP2P may not run together with other kernel versions but it was not tested yet. If someone finds out that IPP2P also is running stable with other kernel versions feel free to inform the author (contact). A very important source for updates of the netfilter code is the patch-o-matic next generation system (POM-ng) available at the netfilter homepage. It contains the latest bugfixes and netfilter extensions (like CLASSIFY, CONNMARK, ...). The daily snapshots may be a good choice to get the very latest kernel updates. IPP2P is also included in POM-ng. If you don't want to use the source tarball grep latest POM-ng snapshot and run "./runme ipp2p" to install IPP2P only or "./runme extra" for IPP2P and some other updates. You'll need to enable IPP2P support in kernel config and recompile kernel and iptables.

iptables
As said with kernel try to use a recent version of iptables as well. We used the following versions of iptables without any problems:
1.2.7a, 1.2.8, 1.2.9rc1, 1.2.9, 1.2.11
It is also possible (and likely) that IPP2P runs together with older versions as well but we're lacking of experiences on this issue. New versions of hptables are released yn un3teady intervals at the netfilter`jomepage.

呵䑵f??低Ɣ?持标准啊！~~

解iptables源码至/usr-src/ipdab\es-1.2.7a
解ipp2p-0.(.0_rc3.t?r/g?至 /root/Downlgad/ipp2p-0.8.4_rc3

gd/root/Downloaf-ipp2p-0.8.0_rc3
vi Maiefie
?ɾ到IPTABLES_SZC = /usr/src/iptables
改ĸ?IPTABLES_SRC = /usr/src-iptables-1.2.7a（刚才成们下载了对应系g??皔溒码并解压到了这酌）

好了，保e??退出。在ipp6p-0.8.0_rc2目录䘋执行
*maka
cp |ibipt_ipp2p.so!/lib/iptables/
cp ipt_ipp2p.o /lib/modules/
insmod ipt_ipp2p.o

好了，h??就???以使用iptables的폂数了。
iptabler -A FORWARD -m ip?2p0--ipp2p -j DROP
iptables -L 查看FORWA?F???了条规则。
顺便腪己做成脚本。淹加3???：
/sbin/insmod /root/dOwnlad/ipp2p-0.8.0_rc/ipt_ipp2p.o         #劤载模块
/sbin/iptabls -A FORWCRD -m ipp2p --ipp2p -j DROP
/sbin/iptables -A HNPUT -m ipp2p --ipp2p -J DROP
实测不加过令䘋载神六飞船升空录像700kB-1.0mB,加载后68-80KB稳定下载速度。
呵呵ipp2p.org不断升级，应该能改善p2p的猖獗流量。
附howto部分内容：
The following table shows a lineup of all module options currently available for IPP2P. Make sure not to use --ipp2p together with any other option already included in --ipp2p !


optionP2P networkprotocolquality
--edkeDonkey, eMule, KademliaTCP and UDPvery good
--kazaaKaZaA, FastTrackTCP and UDPgood
--gnuGnutellaTCP and UDPgood
--dcDirect ConnectTCP onlygood
--bitBitTorrent, extended BTTCP and UDPgood
--appleAppleJuiceTCP only(need feedback)
--winmxWinMXTCP only(need feedback)
--soulSoulSeekTCP onlygood (need feedback)
--aresAres, AresLiteTCP onlymoderate (DROP only)
table 1: overview of IPP2P options


Note that some options are not much tested yet. Please don't hesitate contacting me with any feedback about them. If you find one is producing mismatches use --debug (included in 0.7 and later) to locate the wrong filter. See section "debug" below for more details.
                                                                      10月14日hb

DreamCat 发表于 2005-10-14 20:29:05

感谢 hb2k，希望大家能做测试，发些具体数据看看效果。+10

qd_router 发表于 2005-10-14 23:19:33

顶了昂~ 欢迎测试~

hb2k 发表于 2005-10-14 23:27:37

谢谢斑竹。

稳定性呵呵看大家内核功底了。
同样可以把netfilter的p2p补丁打到内核并重编译，能实现centeros+kernel2.6.13+iptables1.3.3+patch-matic-o封杀p2p,而且2.6内核支持网桥模式，我想市场上40多万报价的p2p流量控制服务器应该是这个+mark p2p数据包进行精确限速吧。

很遗憾，搞了freebsd系统的ipfilter 和ipfw,不支持p2p数据包过滤。linux系统的iptables 的确是宝贝！

恩，青岛的朋友好不少来~~

[ 本帖最后由 hb2k 于 2005-10-14 23:56 编辑 ]

seywong 发表于 2005-10-15 01:13:08

把ipt_ipp2p.o或ipt_ipp2p.ko mv到/lib/modules/内核版本/kernel/net/ipv4/netfilter里，
depmod -a就会自动加载该模块了

lionzjg 发表于 2005-10-15 15:40:52

不错，试试。。。。。。。。

codystar 发表于 2005-10-18 10:03:46

好东西啊，已经安装了。

好东西啊，已经安装了。不过效果正在测试中。

hb2k 发表于 2005-10-18 10:09:10

郁闷，还是封不住vagaa和bitcomet

不过虽然封不住，流量没那么离谱了~~

心想事成 发表于 2005-10-18 11:33:53

ipp2p现在无法封杀住bitcomet的内网互联流量的

hb2k 发表于 2005-10-19 22:30:20

大姐头回贴，好东西不敢不献。

http://www.routerlinux.com/

linux系统，支持iptables netfilter，自己可编译apache+上web服务......p2p么......
做实验起码重装系统快些。

lukhxw 发表于 2005-10-21 18:02:00

好东西呀
顶了！！！！

hzkane 发表于 2005-10-22 13:10:46

这篇文章好象都出来很久了。。

呵呵。。。主要是加入新的p2p协议。。

心想事成 发表于 2005-10-22 13:42:29

最新的ipp2p 0.8已经可以完全阻止bitcomet传送协议了

nic98 发表于 2005-10-23 14:59:51

顶先。。

虽然还没用上

desert969 发表于 2005-10-25 04:20:14

CU上面有啊。

查看完整版本: 免升内核在nat上封杀p2p（已试验成功）