Ïîääåðæêà l7-filter â ïðîøèâêå ýíòóçèàñòîâ

[sonice]

1. Ïåðåéòè íà ïðîøèâêó ýíòóçèàñòîâ. Åñòü ñòàáèëüíûå ñáîðêè, à åñòü íî÷íûå ñáîðêè (Âíèìàíèå! Çäåñü ïðîøèâêè çààðõèâèðîâàíû). Åñòü 2 âåòêè: íà ÿäðå 2.4 (wl/-d-) è íà ÿäðå 2.6 (rtn), íî ïîä êàæäóþ âåòêó åñòü ñâîé ôàéë modules, êîòîðûé ëåæèò ðÿäîì ñ ïðîøèâêîé.
2. Ïîêà õâàòèò?

Çà÷åì ìíå ñëûøàòü ïðî êàêèå òî "íî÷íûå ñáîðêè"? ó ìåíÿ êîíêðåòíàÿ ïðîøèâêà RT-N16-1.9.2.7-rtn-r2274.trx.

Code:

$ lsmod | egrep 'layer7'
xt_layer7              15248  0

À êàê ðåàëüíî íàñòðîèòü âîò òóò íàïèñàíî âñå ïîíÿòíî
http://wiki.openwrt.org/oldwiki/MiniHowtos/QoSHowto

íî ëèíê íå ðàáîòàåò
http://downloads.openwrt.org/people/nbd/qos/

à ïîïðîáîâàë äàëüøå îòñþäà Another Qos Package, âûäàåò îøèáêè...

Code:

ipkg install http://files.eschauzier.org/qos-re_1.0_all.ipk
Downloading http://files.eschauzier.org/qos-re_1.0_all.ipk
Installing qos-re (1.0) to /opt/...
Nothing to be done
An error ocurred, return value: 1.
Collected errors:
ERROR: Cannot satisfy the following dependencies for qos-re:
         kmod-sched kmod-ipt-conntrack iptables-mod-conntrack kmod-ipt-ipopt ipt                        ables-mod-ipopt kmod-ipt-extra iptables-mod-extra ip kmod-imq iptables-mod-imq t                        c kmod-ipt-filter iptables-mod-filter

Âîò åùå How to L7-filter Userspace Version:

http://l7-filter.sourceforge.net/HOWTO-userspace#Doing

Çàãðóçèë netfilter-layer7-v2.22.tar.gz îòñþäà-

wget http://sourceforge.net/projects/l7-f...ar.gz/download

Ó ìåíÿ

Code:

uname -a
Linux Asus 2.6.22.19 #1 Sun Aug 15 14:55:34 YEKST 2010 mips GNU/Linux

Code:

vi README
- iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.{c,man}

  Use these files if you are compiling iptables 1.4.3 or later against Linux
  2.6.20 or later.

- for_older_iptables/

  Use these files if you are using an older version of iptables or Linux.
  Note that not all combinations are supported.  This includes, but is not
  limited to:

  -- Compiling iptables 1.4.x against Linux 2.6.19.x or earlier.

  -- iptables 1.4.1, period.


General notes:

- You do NOT need to recompile iptables if you change your running kernel
version across the 2.6.20 boundary and you already have a working iptables.

- You DO need to recompile iptables if you switch from a kernel patched
with l7-filter <= v2.10 to one patched with l7-filter >= v2.11.

Òàêæå èìåÿ iptables v1.3.8 íî íåïîíÿòíî ãäå íàõîäèòüñÿ "patched kernel source"?

Code:

iptables 1.4.0 and older

Use the appropriate iptables patch to to patch[1] iptables. Compile iptables, pointing it at your patched kernel source:

Run "chmod +x extensions/.layer7-test" (information about file permissions can't be contained in the patch)
Then "make KERNEL_DIR=/path/to/patched/kernel_source" (you must have configured your kernel source before this step)
And install (as root): "make install KERNEL_DIR=/path/to/patched/kernel_source"

Êàê compile into your kernel module ip_conntrack_netlink or nf_conntrack_netlink?

Code:

Either way, you need either the module ip_conntrack_netlink or nf_conntrack_netlink or the same code compiled into your kernel.

Âîïðîñ - êòî íèáóòü ðåàëüíî ñìîã íàñòðîèòü QoS íà Layer 7?

[LA_]

Ïåðåõîäèòå íà ïðîøèâêó ýíòóçèàñòîâ. Áåðåòå modules îò ñâîåé ïðîøèâêè, áåðåòå èç íåãî xt_layer7.ko, íà ðîóòåðå äåëàåòå insmod xt_layer7 ... è âñå, ïîëüçóåòåñü!

à ýòîò layer 7 - ïîëíîöåííûé øåéïåð? äàòü ïðèîðèòåò web-ñåðôèíãó íàä òîððåíòàìè ñìîæåò?
ïîñëå óñòàíîâêè ýòîãî ìîäóëÿ êàêîé-íèáóäü âåá-èíòåðôåéñ áóäåò?

[Basile]

LA_, ñàì øåéïåð óæå âñòðîåí â ïðîøèâêó, à xt_layer7 - ýòî âñåãî ëèøü ìîäóëü, êîòîðûé ïîçâîëÿåò êëàññèôèöèðîâàòü ïàêåòû. Cóäÿ ïî êîììåíòàðèÿì âûøå, çàãðóçêîé òîëüêî ýòîãî ìîäóëÿ íå ïðîáëåìó íå ðåøèòü.

P.S. Ñàì ÿ íå íàñòðàèâàë QoS

[LA_]

à øåéïåð áåç ýòîãî ìîäóëÿ ðàáîòàåò? (åñëè íåò, òî çà÷åì îí â ïðîøèâêå?)

[Chehov]

 pfsens'å layer7 ðàáîòàåò îòëè÷íî. Íà rt-n16 ïîêà íå ïîëó÷àåòñÿ äîáèòüñÿ òîãî æå ñàìîãî.

[aau6]

Уважаемые гуру. Поделитесь пожалуйста с новичком как в asus wl500g premium забанить порты и протоколы торрентов. Ситуация банальная, через сей девайс раскуриваем yota на 4 человек в офисе. Но есть несознательные люди, думающие, что они хитрее всех. В итоге нет даже простого серфа по страницам((. Заранее благодарен за ссылку на статьи или помощь.

[tempik]

Óâàæàåìûå ãóðó. Ïîäåëèòåñü ïîæàëóéñòà ñ íîâè÷êîì êàê â asus wl500g premium çàáàíèòü ïîðòû è ïðîòîêîëû òîððåíòîâ. Ñèòóàöèÿ áàíàëüíàÿ, ÷åðåç ñåé äåâàéñ ðàñêóðèâàåì yota íà 4 ÷åëîâåê â îôèñå. Íî åñòü íåñîçíàòåëüíûå ëþäè, äóìàþùèå, ÷òî îíè õèòðåå âñåõ.  èòîãå íåò äàæå ïðîñòîãî ñåðôà ïî ñòðàíèöàì((. Çàðàíåå áëàãîäàðåí çà ññûëêó íà ñòàòüè èëè ïîìîùü.

Çàïðåò ïðîáðîñà ïîðòîâ ÷åðåç UPnP èñêëþ÷èò ðàçäà÷ó ôàéëîâ ÷åðåç òîððåíò (åñëè íåò ïðîïèñàííûõ ïðîáðîñîâ ïîðòîâ). Ñêà÷êà èäåò ÷åðåç ïðîòîêîë TCP è ñîîòâåòñòâåííî çàïðåòèòü åãî íåëüçÿ ...
Àíàëèç òðàôèêà, ýòî íå äëÿ ðîóòåðà ... ÈÌÕÎ åäèíñòâåííîå ðåøåíèå ïðîêñè-ñåðâåð íà ðîóòåðå (íî ýòî îòêàç îò îñòàëüíûõ íå HTTP/FTP ñåðâèñîâ) äà è îïÿòü ìîùíîñòè ðîóòåðà ìàëîâàòî ...
Ç.Û. Ðàç ðàçãîâîð èäåò ïðî îôèñ, òî âñå ïðîùå ... Àäìèíèñòðàòèâíûå äåéñòâèÿ (ïðàâà ïîëüçîâàòåëÿ íà êîìïå, øòðàôû è ò.ä.)

[FilimoniC]

Çàïðåò ïðîáðîñà ïîðòîâ ÷åðåç UPnP èñêëþ÷èò ðàçäà÷ó ôàéëîâ ÷åðåç òîððåíò (åñëè íåò ïðîïèñàííûõ ïðîáðîñîâ ïîðòîâ). Ñêà÷êà èäåò ÷åðåç ïðîòîêîë TCP è ñîîòâåòñòâåííî çàïðåòèòü åãî íåëüçÿ ...
Àíàëèç òðàôèêà, ýòî íå äëÿ ðîóòåðà ... ÈÌÕÎ åäèíñòâåííîå ðåøåíèå ïðîêñè-ñåðâåð íà ðîóòåðå (íî ýòî îòêàç îò îñòàëüíûõ íå HTTP/FTP ñåðâèñîâ) äà è îïÿòü ìîùíîñòè ðîóòåðà ìàëîâàòî ...
Ç.Û. Ðàç ðàçãîâîð èäåò ïðî îôèñ, òî âñå ïðîùå ... Àäìèíèñòðàòèâíûå äåéñòâèÿ (ïðàâà ïîëüçîâàòåëÿ íà êîìïå, øòðàôû è ò.ä.)

Åñëè ó âàñ íå it-êîìïàíèÿ, çàïðåòèòå çàïóñê ïðîãðàììû ïî õåøó.
Åñëè âàì íóæíî òîëüêî HTTP\HTTPS, çàïðåòèòå âñå êðîìå ïîðòîâ 443 è 80.

[tempik]

Åñëè ó âàñ íå it-êîìïàíèÿ, çàïðåòèòå çàïóñê ïðîãðàììû ïî õåøó.
Åñëè âàì íóæíî òîëüêî HTTP\HTTPS, çàïðåòèòå âñå êðîìå ïîðòîâ 443 è 80.

Íà ñêà÷êó ìîæíî þçàòü ëþáûå ðàçðåøåííûå íà âûõîä ïîðòû ... Åñëè åñòü âîçìîæíîñòü ñòàâèòü íà êëèåíòå ïðîãðàììû óðîâíÿ ÿäðà-äðàéâåðà .... Ó ìåíÿ êîðåø èç áàíêà òàê êà÷àë ÷åðåç åäèíñòâåííûé ïîðò îòêðûòûé íàðóæó èç ñåòè (ICQ äëÿ ïîääåðæêè êëèåíòîâ), íå ñïðàøèâàéòå ìåíÿ ïî÷åìó òàì òàê áûëî çàäóìàíî (ñàì òàê è íå ïîíÿë)... Ñîáñòâåííî èç-çà íåãî è ïîÿâèëàñü òåìà http://wl500g.info/showthread.php?p=51624#post51624 òàê ÷òî îïòèìàëüíîå ðåøåíèå "Àäìèíèñòðàòèâíîå" (áóäåòå êà÷àòü îáðåæåì âñå)
Ç.Û. Äëÿ ïîíèìàíèÿ ñòàðîæèëîâ Mirage-Net ýòî ÿ äî àâàðèè ... ïðîñòî äîëãî îêëåìûâàëñÿ ... , à ïîòîì ïîñ÷èòàë ÷òî è òàê ñîéäåò (çäåñü íå òîððåíò ðåéòèíãà íå íóæíî

[FilimoniC]

Íà ñêà÷êó ìîæíî þçàòü ëþáûå ðàçðåøåííûå íà âûõîä ïîðòû ... Åñëè åñòü âîçìîæíîñòü ñòàâèòü íà êëèåíòå ïðîãðàììû óðîâíÿ ÿäðà-äðàéâåðà .... Ó ìåíÿ êîðåø èç áàíêà òàê êà÷àë ÷åðåç åäèíñòâåííûé ïîðò îòêðûòûé íàðóæó èç ñåòè (ICQ äëÿ ïîääåðæêè êëèåíòîâ), íå ñïðàøèâàéòå ìåíÿ ïî÷åìó òàì òàê áûëî çàäóìàíî (ñàì òàê è íå ïîíÿë)... Ñîáñòâåííî èç-çà íåãî è ïîÿâèëàñü òåìà http://wl500g.info/showthread.php?p=51624#post51624 òàê ÷òî îïòèìàëüíîå ðåøåíèå "Àäìèíèñòðàòèâíîå" (áóäåòå êà÷àòü îáðåæåì âñå)
Ç.Û. Äëÿ ïîíèìàíèÿ ñòàðîæèëîâ Mirage-Net ýòî ÿ äî àâàðèè ... ïðîñòî äîëãî îêëåìûâàëñÿ ... , à ïîòîì ïîñ÷èòàë ÷òî è òàê ñîéäåò (çäåñü íå òîððåíò ðåéòèíãà íå íóæíî

ß ïîíèìàþ, íî íå òàê óæ ìíîãî ëþäåé îòêðûâàþò 80 è 443 äëÿ òîððåíòîâ.
À äûðêó íàéòè âñåãäà ìîæíî. "Ñîâñåì âñå" çàïðåòèòü âñå ðàâíî âîçìîæíî òîëüêî ïîëó÷èâ ãåìîððîé\ïîëó÷èâ áåñïîëåçíûé âûõîä â èíòåðíåò

[someoneelse]

Õì, ÷òî-òî íå ïîëó÷àåòñÿ.
Ñêà÷àë bittorrent.pat (äëÿ ïðèìåðà), ïîëîæèë â /etc/l7-protocols,

Code:

$ iptables -I FORWARD -m layer7 --l7proto bittorrent -j DROP
iptables: No chain/target/match by that name
$

Åñëè óêàçàòü ïðîòîêîë, äëÿ êîòîðîãî íåò ñèãíàòóð, òî

Code:

$ iptables -I FORWARD -m layer7 --l7proto jpeg -j DROP      
iptables v1.3.8: Couldn't find a pattern definition file for jpeg.

$

Ò.å. ïàò÷è âðîäå åñòü, íî ïî÷åìó-òî ðàáîòàòü îíî íå õî÷åò.  ÷åì ìîæåò áûòü äåëî?

Äîáðûé äåíü!! ñëó÷èëàñü ó ìåíÿ òàêàÿ æå ñèòóàöèÿ. Êîìàíäó
iptables -I FORWARD -m layer7 --l7proto bittorrent -j DROP
íàøåë âîò òàêîì ëèíêå
http://wl500g.info/showthread.php?t=24444
îò óâàæàåìîãî theMIROn

È âîò ýòà êîìàíäà ìíå âûäàëà òàêîé æå îòâåò
iptables: No chain/target/match by that name

Ïðåäûñòîðèÿ: Ðàñøèðèë wifi ñîñåäÿì íà õàëÿâó, à ñîñåäó ïðèñåëè íà torrent è çàäóøèëè ìîé õèëåíüêèé adsl mgts internet ñ upload â 50êá\ñ. Ó ìåíÿ ñòîèò ñâÿçêà adsl modem asus am604 â ðåæèìå ðîóòåð(ñàìîå óçêîå ìåñòî, äóìàþ ïåðåêëþ÷èòü åãî â ðåæèì áðèäæ, ÷òîáû îí âîîáùå íå "äóìàë") è çà íèì rt-n 16, ñ ïðîøèâî÷êîé íà íåì 1.9.2.7-rtn-r2775

Èòàê, îøèáêà ðåøèëàñü âîò òàê - ó ìåíÿ áûëè ñêà÷åíûå äàâíûì-äàâíî ïîä ìîå ÿäðî 2.6.22.19, Ëåæàò îíè, çàëèíêàíûå íà /lib/modules.
ïîäêëþ÷àåì íåçàãðóæåííûé ìîäóëü

Code:

modprobe xt_layer7

à óæå ïîòîì äîáàâëÿåì ïðàâèëî

Code:

iptables -I FORWARD -m layer7 --l7proto bittorrent -j DROP

È ìîé iptables ñõàâàë åãî áåç îøèáîê.
Ïðîâåðÿåì iptables-save, è âîò ÷òî îòâåòèë

Code:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [935:62573]
:OUTPUT ACCEPT [17626:16706305]
:BRUTE - [0:0]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m state --state INVALID -j DROP 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -m state --state NEW -j ACCEPT 
-A INPUT -i br0 -m state --state NEW -j ACCEPT 
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -j DROP 
-A FORWARD -m layer7 --l7proto bittorrent -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT 
-A FORWARD -m state --state INVALID -j DROP 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD ! -i br0 -o vlan2 -j DROP 
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT 
-A FORWARD -o br0 -j DROP 
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN 
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN 
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN 
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN 
-A SECURITY -j DROP 
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options --log-macdecode 
-A logaccept -j ACCEPT 
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options --log-macdecode 
-A logdrop -j DROP 
COMMIT

Âèæó ÷òî ïðàâèëî âñòàâèëîñü, ïàòåðí åñòü. Ïðîâåðÿþ ñêà÷êó òîððåíò ÷åðåç ñâîé linux transmission íà ìîåì íîóòáóêå - êà÷àåò ïî ìàêñèìóìó èç èíòåðíåòà - ïðîáðîñ ðàáîòàåò, ïðîáëåìà ìîÿ îñòàëàñü.

 transmission â íàñòðîéêàõ ñòîèò øèôðîâàíèå ïàêåòîâ è îòêëþ÷èòü åãî íå çíàþ êàê, âûáðàòü ìîæíî òîëüêî:
- ðàçðåøèòü øèôðîâàíèå
- ïðåäïî÷èòàòü øèôðîâàíèå
- òðåáîâàòü øèôðîâàíèå
Åñëè ÿ óæ ñâîé êëèåíò íå ìîãó íàñòðîèòü, òî ñîñåäè óæ òî÷íî ýòîãî äåëàòü íå ñòàíóò.

Ïîñëåäíÿÿ íàäåæäà ýòî ñäåëàòü drop ïî óìîë÷àíèþ âñåãî êðîìå http, https, ftp è dns. Ãäå-òî íàõîäèë íà ôîðóìå êàê ýòî ñäåëàòü, äà âîò òîëüêî ïîòåðÿë - ãðóùó.

[AleksandrN]

à ðàçâå modprobe ïîäêëþ÷àåò ìîäóëü?
ó ìåíÿ â post-boot äîáàâëåííî insmod xt_layer7.ko,
à â ïàïêó /etc/l7-protolols ïîëîæèë bittorrent.pat
íó è IPTABLES -A PREROUTING -t mangle -m layer7 --l7proto bittorrent -j DROP
,

[theMIROn]

îòêëþ÷èòå fastnat, èíà÷å íå áóäåò ðàáîòàòü
nvram set misc_fastnat_x=0 && nvram commit && reboot

[VA_DOS]

à ðàçâå modprobe ïîäêëþ÷àåò ìîäóëü

Êîíå÷íî. Ïî ñóòè åãî ìîæíî íàçâàòü íàäñòðîéêîé íàä lsmod, rmmod è insmod.

[featZima]

Ïîäñêàæèòå, â êàêóþ ñòîðîíó ìîæíî êîïàòü...

âåðñèÿ ïðîøèâêè: 1.9.2.7-rtn-r3936
âûâîä êîìàíäû lsmod:

Module Size Used by Tainted: P
xt_layer7 14704 0
ipip 9264 0
tcp_vegas 2624 0
ipt_set 1536 2
ip_set_macipmap 3568 1
ip_set 17536 3 ipt_set,ip_set_macipmap
ntfs 117040 0
usb_storage 83328 3
sd_mod 23680 4
scsi_mod 93376 2 usb_storage,sd_mod
usblp 14096 0
ohci_hcd 20048 0
ehci_hcd 38064 0
usbcore 135200 5 usb_storage,usblp,ohci_hcd,ehci_hcd
xt_recent 8560 2
nf_nat_ftp 2304 0
nf_conntrack_ftp 7296 1 nf_nat_ftp
pppoe 11616 4
pppox 2192 1 pppoe
wl 1634048 0
et 52608 0
igs 17552 1 wl
emf 21248 2 wl,igs
xt_HL 2016 0
xt_hl 1472 1

Íî ïðè ýòîì ïðàâèëî íå ðàáîòàåò:

[root@RT-N16 root]$ iptables -A PREROUTING -t mangle -m layer7 --l7proto bittorrent -j DROP
iptables v1.4.9: Couldn't load match `layer7':File not found