Topic: ipp2p and sme 7.1 for P2P filtering

[gdbs]

Hi,

this is the new locationfor ipp2p rpms:

http://mirror.contribs.org/smeserver/releases/7.1/smedev/i386/RPMS/

below, how to install it with a i686 smp kernel:

rpm -Uvh http://mirror.contribs.org/smeserver/releases/7.1/smedev/i386/RPMS/kmod-ipp2p-smp-0.8.0-1.2.6.9_42.0.3.EL.i686.rpm
rpm -Uvh http://mirror.contribs.org/smeserver/releases/7.1/smedev/i386/RPMS/ipp2p-0.8.0-4.el4.sme.i686.rpm  
rpm -Uvh http://mirror.contribs.org/smeserver/contribs//gswallow/sme7/addons-testing/ipp2p/e-smith-ipp2p-0.1.0-01.noarch.rpm


then:

/sbin/e-smith/config setprop masq \
ipp2p-ipp2p tcp \
ipp2p-ares tcp \
ipp2p-apple tcp \
ipp2p-winmx tcp \
ipp2p-soul tcp \
ipp2p-bit tcp

then:

/etc/rc7.d/S36masq restart

finish with a post upgrade/reboot from the manager panel or:

signal-event post-upgrade
signal-event reboot

[william_syd]

Yum is nice.

wget http://mirror.contribs.org/smeserver/contribs//gswallow/sme7/addons-testing/ipp2p/e-smith-ipp2p-0.1.0-01.noarch.rpm
yum --enablerepo=smedev localinstall e-smith-ipp2p-0.1.0-01.noarch.rpm

[gdbs]

what is the difference please?

[stephen noble]

saves one command ?

yum will download and install the dependancies automatically
provided it can find them in a repository you have preconfigured
makes more sense when you have more dependancies

[kryptos]

hi,

i had no problem isntalling with this before. but a couple of weeks it seems the traffict are getting higher. as i check the configuration i found this.

db configuration show masq
masq=service
    DenylogTarget=drop
    Logging=most
    Stealth=no
    Trace=disabled
    ipp2p-apple=disabled
    ipp2p-ares=disabled
    ipp2p-bit=disabled
    ipp2p-ipp2p=disabled
    ipp2p-soul=disabled
    ipp2p-winmx=disabled
    pptp=yes
    status=enabled


I try to configure it again but there is already an error occured like this.

/etc/rc7.d/S36masq restart

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
done

result for uname -a

2.6.9-42.0.8.ELsmp #1 SMP Tue Jan 30 12:33:47 EST 2007 i686 i686 i386 GNU/Linux

[kryptos]

ok i got it...i found the rpms install the kmod-ipp2p-smp. Its working very well right now.

Thanks!

[gdbs]

new packages are on smetest repository... how does it work now?

I think ipp2p can be installed doing this:

yum --enablerepo=smetest install smeserver-ipp2p


but then if I do:

/sbin/e-smith/config setprop masq \
ipp2p-ipp2p tcp \
ipp2p-ares tcp \
ipp2p-apple tcp \
ipp2p-winmx tcp \
ipp2p-soul tcp \
ipp2p-bit tcp

and

etc/rc7.d/S36masq restart
signal-event post-upgrade
signal-event reboot

emule still work!

is there anything to do to make ipp2p work properly?

thx

[jonic]

From bugzilla (bug 2639 - NFR: Include IPP2P)

Properties have moved to the ipp2p service.

[gdbs]

thx for your reply... but so? ipp2p no longer work? do i have to wait the next release to make it work?

[cool34000]

Hi gdbs !

I installed this contrib with yum (with repo smetest temporary enabled)
I have the same problem as yours !
I checked the kmod installed by yum, they look good (same version as my kernel). What's wrong ??? Anyone knows how to fix this ?

[william_syd]

Does jonic's post answer the question ?

Instead of  

config setprop masq \
ipp2p-ipp2p tcp \
ipp2p-ares tcp \
ipp2p-apple tcp \
ipp2p-winmx tcp \
ipp2p-soul tcp \
ipp2p-bit tcp

something like

config set ipp2p service \
ipp2p-ipp2p tcp \
ipp2p-ares tcp \
ipp2p-apple tcp \
ipp2p-winmx tcp \
ipp2p-soul tcp \
ipp2p-bit tcp \
status enabled

Check first if the ipp2p service already exist. I don't know as I don't have it installed.

config show ipp2p

[gdbs]

thx for your help.

It doesn't work for me. emule still work...  

[william_syd]

Your answer is in here

Code: [Select]


    /sbin/iptables --new-chain ipp2p_block
    # Block p2p protocols
{
    foreach $service ('ipp2p','bit','apple','winmx','soul','ares')
    {
$proto = $ipp2p{$service} || 'disabled';
if ( $proto ne 'disabled' ) {
   $OUT .= "    /sbin/iptables -A ipp2p_block ";
   $OUT .= "-p tcp " if $proto eq 'tcp';
   $OUT .= "-p udp " if $proto eq 'udp';
   $OUT .= "-m ipp2p --$service -j denylog\n";
} else {
   $OUT .= "    # ipp2p ($service) disabled\n";
}
    }
}
    # Block p2p traffic at INPUT and FORWARD
    /sbin/iptables --append INPUT -j ipp2p_block
    /sbin/iptables --append FORWARD -j ipp2p_block

and here

Code: [Select]


    /sbin/iptables --flush ipp2p_block
    # Block p2p protocols
{
    foreach $service ('ipp2p','bit','apple','winmx','soul','ares')
    {
$proto = $ipp2p{$service} || 'disabled';
if ( $proto ne 'disabled' ) {
   $OUT .= "    /sbin/iptables -A ipp2p_block ";
   $OUT .= "-p tcp " if $proto eq 'tcp';
   $OUT .= "-p udp " if $proto eq 'udp';
   $OUT .= "-m ipp2p --$service -j denylog\n";
} else {
   $OUT .= "    # ipp2p ($service) disabled\n";
}
    }
}

and you probably need a

Code: [Select]

signal-event remoteaccess-update when your done.

[william_syd]

thx for your help.

It doesn't work for me. emule still work...  

I did say to check this before you did anything.

Code: [Select]

[root@c3 ~]# config show ipp2p
ipp2p=service
    apple=disabled
    ares=disabled
    bit=disabled
    ipp2p=disabled
    soul=disabled
    winmx=disabled
[root@c3 ~]#


So it would be (to fix what you did)

Code: [Select]

config delete ipp2pthen

Code: [Select]

config set ipp2p service \
apple all \
ares all \
bit all \
ipp2p all \
soul  all \
winmx all
or

Code: [Select]

config set ipp2p service \
apple tcp \
ares tcp \
bit tcp \
ipp2p tcp \
soul tcp \
winmx tcp
or

Code: [Select]

config set ipp2p service \
apple udp \
ares udp \
bit udp \
ipp2p udp \
soul  udp \
winmx udp
and maybe

Code: [Select]

signal-event remoteaccess-update

As you can tell, I can't read code.

Results..

Code: [Select]

/sbin/iptables --new-chain ipp2p_block
    # Block p2p protocols
    /sbin/iptables -A ipp2p_block -m ipp2p --ipp2p -j denylog
    /sbin/iptables -A ipp2p_block -m ipp2p --bit -j denylog
    /sbin/iptables -A ipp2p_block -m ipp2p --apple -j denylog
    /sbin/iptables -A ipp2p_block -m ipp2p --winmx -j denylog
    /sbin/iptables -A ipp2p_block -m ipp2p --soul -j denylog
    /sbin/iptables -A ipp2p_block -m ipp2p --ares -j denylog

/sbin/iptables --new-chain ipp2p_block
    # Block p2p protocols
    /sbin/iptables -A ipp2p_block -p tcp -m ipp2p --ipp2p -j denylog
    /sbin/iptables -A ipp2p_block -p tcp -m ipp2p --bit -j denylog
    /sbin/iptables -A ipp2p_block -p tcp -m ipp2p --apple -j denylog
    /sbin/iptables -A ipp2p_block -p tcp -m ipp2p --winmx -j denylog
    /sbin/iptables -A ipp2p_block -p tcp -m ipp2p --soul -j denylog
    /sbin/iptables -A ipp2p_block -p tcp -m ipp2p --ares -j denylog
   
/sbin/iptables --new-chain ipp2p_block
    # Block p2p protocols
    /sbin/iptables -A ipp2p_block -p udp -m ipp2p --ipp2p -j denylog
    /sbin/iptables -A ipp2p_block -p udp -m ipp2p --bit -j denylog
    /sbin/iptables -A ipp2p_block -p udp -m ipp2p --apple -j denylog
    /sbin/iptables -A ipp2p_block -p udp -m ipp2p --winmx -j denylog
    /sbin/iptables -A ipp2p_block -p udp -m ipp2p --soul -j denylog
    /sbin/iptables -A ipp2p_block -p udp -m ipp2p --ares -j denylog

-p, --protocol [!] protocol
              The protocol of the rule or of the packet to check.  The specified protocol can be one of tcp, udp, icmp, or all, or it  can  be  a  numeric
              value,  representing one of these protocols or a different one.  A protocol name from /etc/protocols is also allowed.  A "!" argument before
              the protocol inverts the test.  The number zero is equivalent to all.  Protocol all will match with all protocols and is  taken  as  default
              when this option is omitted

[cool34000]

Hi !

Thanks for your help william_syd, it's always very useful

God bless Australia