Iptables on Edimax 7209 [INACTIVE]

Forum for topics unrelated to BrazilFW.


Post by diego638 » Wed Aug 22, 2007 7:15 pm

Hi, I'm going around in circles trying to set up P2P filtering on an Edimax 7209 with the AProuter firmware, which beefs up the box and gives it QoS and bandwidth-control options that really work very well. What I want to do is limit P2P connections or give them about 20 KB/s of bandwidth. I've been driving myself crazy reading every iptables tutorial I could find, since from the "Edit Script File
This page is used to edit your personal script file, which is loaded from /etc/init.sh." option you can set up advanced firewall policies and other stuff. But I already put in, for example:
#iptables -I FORWARD -m layer7 --l7proto edonkey -j REJECT
#iptables -I FORWARD -m layer7 --l7proto gnutella -j REJECT
#iptables -I FORWARD -m layer7 --l7proto ares -j REJECT
#iptables -I FORWARD -m ipp2p --ipp2p -j REJECT
I went in through an SSH2 terminal and I have the ipp2p, layer7, iplimit and udplimit modules installed, and even so it doesn't work the way I want, since there's nothing that stops Ares. So if anyone can give me a hand I'd be very grateful.
Regards.
diego638
 

Post by nachazo » Wed Aug 22, 2007 7:42 pm

The l7 filter matches fine in the POSTROUTING chain of the mangle table...

an example:

iptables -t mangle -A POSTROUTING -m layer7 --l7proto ares -j DROP

Regards.
nachazo
 

Post by diego638 » Thu Aug 23, 2007 3:47 pm

Well, thanks a lot for helping me. It turns out that after reading a thousand articles on iptables, ipp2p and layer7 I realised that on the 7209's Editar Script Pessoal (edit personal script) page you can put in whatever you like and none of it works, so going in through the SSH2 terminal and entering
/bin/iptables -I FORWARD -m layer7 --l7proto ares -j DROP
/bin/iptables -t mangle -A POSTROUTING -m layer7 --l7proto ares -j DROP
works wonderfully. The catch is that when you reset the router it takes no notice of them at all, and service iptables save doesn't work either, so if anyone wants to extend the firewall rules on the 7209 it has to be done over SSH2. Regards.
diego638
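The two points made so far, that the layer7 match belongs in the POSTROUTING chain of the mangle table (nachazo's reply) and that rules typed over SSH are gone after a reboot because the firmware has no service iptables save (diego's reply above), fit together in one script that can be called from /etc/init.sh. What follows is an added example written for this thread, not code from the AProuter firmware or from any of the posters: it marks P2P packets with ipp2p and layer7, caps marked traffic with an HTB class at roughly the 20 KB/s asked for at the top of the thread, and is safe to re-run because its rules live in a private chain that is flushed and rebuilt each time. The interface names eth0/eth1, the link rate, the nfmark value 7, the path to tc and the kernel module names are all assumptions to be adjusted for the box; the iptables binary path and the layer7/ipp2p match syntax are the ones shown in the thread.

```shell
#!/bin/sh
# p2p-limit.sh: classify P2P traffic in the mangle table (POSTROUTING, as
# suggested in the thread) and cap it with an HTB class on each interface.
# Added example for this thread, not code from the AProuter firmware.
# Assumptions (override via environment): interface names, link rate, tc at
# /usr/sbin/tc and the nfmark value. Run it from /etc/init.sh so the rules
# come back after a reboot, since this firmware has no "service iptables save".

IPT=${IPT:-/bin/iptables}       # full path, as used in the thread
TC=${TC:-/usr/sbin/tc}          # assumption: tc is present on the firmware
LAN=${LAN:-eth0}                # assumption: interface facing the LAN clients
WAN=${WAN:-eth1}                # assumption: interface facing the modem
P2P_MARK=${P2P_MARK:-7}         # nfmark that sends a packet to the slow class
P2P_RATE=${P2P_RATE:-160kbit}   # ~20 KB/s, the figure asked for in the thread
FULL_RATE=${FULL_RATE:-2mbit}   # assumption: rate of the link behind $LAN/$WAN
CHAIN=P2P_MARK                  # private chain in the mangle table

# Execute a command, or just print it when DRY_RUN is set (to review the rules).
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

load_modules() {
    # Module names as used on 2.4-era l7/ipp2p builds (assumption); ignore
    # failures, the module may be built in or already loaded.
    for m in ipt_ipp2p ipt_layer7 ipt_MARK sch_htb cls_fw; do
        run modprobe "$m" 2>/dev/null || true
    done
}

# All matches live in our own chain, so re-running flushes and rebuilds it
# instead of stacking a duplicate rule in POSTROUTING on every boot or retry.
mark_rules() {
    run $IPT -t mangle -N "$CHAIN" 2>/dev/null || true
    run $IPT -t mangle -F "$CHAIN"
    # iptables 1.2.6a has no "does this rule exist" check (-C there means
    # "test this packet"), so grep the chain listing before adding the hook.
    if ! $IPT -t mangle -L POSTROUTING -n 2>/dev/null | grep -q "^$CHAIN "; then
        run $IPT -t mangle -A POSTROUTING -j "$CHAIN"
    fi
    # ipp2p inspects each packet's payload; layer7 classifies the connection
    # once its pattern has been seen, so the first packets of a new session
    # always pass unmarked. Using both catches Ares either way.
    run $IPT -t mangle -A "$CHAIN" -m ipp2p --ipp2p -j MARK --set-mark "$P2P_MARK"
    for proto in ares edonkey gnutella bittorrent; do
        run $IPT -t mangle -A "$CHAIN" -m layer7 --l7proto "$proto" \
            -j MARK --set-mark "$P2P_MARK"
    done
}

# HTB on one interface: class 1:10 is the default, class 1:20 is the P2P cap,
# and the fw classifier steers packets carrying $P2P_MARK into 1:20.
shape_iface() {
    run $TC qdisc del dev "$1" root 2>/dev/null || true
    run $TC qdisc add dev "$1" root handle 1: htb default 10
    run $TC class add dev "$1" parent 1: classid 1:10 htb rate "$FULL_RATE"
    run $TC class add dev "$1" parent 1: classid 1:20 htb rate "$P2P_RATE" ceil "$P2P_RATE"
    run $TC filter add dev "$1" parent 1: protocol ip handle "$P2P_MARK" fw flowid 1:20
}

p2p_apply() {
    load_modules
    mark_rules
    shape_iface "$LAN"   # downloads towards the clients
    shape_iface "$WAN"   # uploads towards the Internet
}

# Check that the matches are actually firing: the packet counters on our chain
# and the bytes accounted to class 1:20 should both grow while a P2P client runs.
p2p_status() {
    $IPT -t mangle -L "$CHAIN" -v -n
    $TC -s class show dev "$LAN"
    $TC -s class show dev "$WAN"
}

case "${1:-}" in
    apply)  p2p_apply ;;
    status) p2p_status ;;
    *)      echo "usage: $0 apply|status" >&2 ;;
esac
```

Save it as /etc/p2p-limit.sh, add `sh /etc/p2p-limit.sh apply` to /etc/init.sh, and run `sh /etc/p2p-limit.sh status` while a client is downloading: if the counters on the P2P_MARK chain stay at zero the match is not firing (wrong interface, module not loaded, or a pattern that does not cover that client version), and if the chain counts but class 1:20 does not, the fw filter or the mark value is wrong. Setting DRY_RUN=1 prints the commands instead of running them, which is the easiest way to review the rule set before putting it in init.sh. Since the script runs as root at boot, the firmware's default SSH login quoted later in the thread should be changed first.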
 

Post by cemaraya » Sun Aug 26, 2007 8:03 pm

DIEGO
How do you manage, or where do you get the means, to load software onto a plain ordinary Edimax 7209?
cemaraya
 

Post by diego638 » Wed Aug 29, 2007 2:49 pm

I bought the Edimax 7209 with the firmware already installed and licensed, if that's what you mean. This firmware already comes with a whole bunch of iptables extensions.
Here's the iptables --help from the Edimax:

iptables v1.2.6a

Usage: iptables -[ADC] chain rule-specification [options]
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)

Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain] List the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain] Zero counters in chain or all chains
--check -C chain Test this packet on chain
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--proto -p [!] proto protocol: by number or name, eg. `tcp'
--source -s [!] address[/mask]
source specification
--destination -d [!] address[/mask]
destination specification
--in-interface -i [!] input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
--out-interface -o [!] output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.

REJECT options:
--reject-with type drop input packet and send back
a reply packet according to type:
Valid reject types:
icmp-net-unreachable ICMP network unreachable
net-unreach alias
icmp-host-unreachable ICMP host unreachable
host-unreach alias
icmp-proto-unreachable ICMP protocol unreachable
proto-unreach alias
icmp-port-unreachable ICMP port unreachable (default)
port-unreach alias
icmp-net-prohibited ICMP network prohibited
net-prohib alias
icmp-host-prohibited ICMP host prohibited
host-prohib alias
tcp-reset TCP RST packet
tcp-reset alias


REDIRECT v1.2.6a options:
--to-ports <port>[-<port>]
Port (range) to map to.


TOS target v1.2.6a options:
--set-tos value Set Type of Service field to one of the
following numeric or descriptive values:
Minimize-Delay 16 (0x10)
Maximize-Throughput 8 (0x08)
Maximize-Reliability 4 (0x04)
Minimize-Cost 2 (0x02)
Normal-Service 0 (0x00)


MARK target v1.2.6a options:
--set-mark value Set nfmark value


TCPMSS target v1.2.6a mutually-exclusive options:
--set-mss value explicitly set MSS option to specified value
--clamp-mss-to-pmtu automatically clamp MSS value to (path_MTU - 40)

MASQUERADE v1.2.6a options:
--to-ports <port>[-<port>]
Port (range) to map to.


DNAT v1.2.6a options:
--to-destination <ipaddr>[-<ipaddr>][:port-port]
Address to map destination to.
(You can use this more than once)


SNAT v1.2.6a options:
--to-source <ipaddr>[-<ipaddr>][:port-port]
Address to map source to.
(You can use this more than once)


Standard v1.2.6a options:
(If target is DROP, ACCEPT, RETURN or nothing)

MARK match v1.2.6a options:
[!] --mark value[/mask] Match nfmark value with optional mask


iplimit v1.2.6a options:
[!] --iplimit-above n match if the number of existing tcp connections is (not) above n
--iplimit-mask n group hosts using mask


udplimit v1.2.6a options:
[!] --udplimit-above n match if the number of existing udp connections is (not) above n
--udplimit-mask n group hosts using mask


limit v1.2.6a options:
--limit avg max average match rate: default 3/hour
[Packets per second unless followed by
/sec /minute /hour /day postfixes]
--limit-burst number number to match in a burst, default 5


MAC v1.2.6a options:
--mac-source [!] XX:XX:XX:XX:XX:XX
Match source MAC address


multiport v1.2.6a options:
--source-ports port[,port,port...]
--sports ...
match source port(s)
--destination-ports port[,port,port...]
--dports ...
match destination port(s)
--ports port[,port,port]
match both source and destination port(s)

TCP v1.2.6a options:
--tcp-flags [!] mask comp match when TCP flags & mask == comp
(Flags: SYN ACK FIN RST URG PSH ALL NONE)
[!] --syn match when only SYN flag set
(equivalent to --tcp-flags SYN,RST,ACK SYN)
--source-port [!] port[:port]
--sport ...
match source port(s)
--destination-port [!] port[:port]
--dport ...
match destination port(s)
--tcp-option [!] number match if TCP option set


UDP v1.2.6a options:
--source-port [!] port[:port]
--sport ...
match source port(s)
--destination-port [!] port[:port]
--dport ...
match destination port(s)

mport v1.2.6a options:
--source-ports port[,port:port,port...]
--sports ...
match source port(s)
--destination-ports port[,port:port,port...]
--dports ...
match destination port(s)
--ports port[,port:port,port]
match both source and destination port(s)

state v1.2.6a options:
[!] --state [INVALID|ESTABLISHED|NEW|RELATED][,...]
State(s) to match


ICMP v1.2.6a options:
--icmp-type [!] typename match icmp type
(or numeric type or type/code)

Valid ICMP Types:
echo-reply (pong)
destination-unreachable
network-unreachable
host-unreachable
protocol-unreachable
port-unreachable
fragmentation-needed
source-route-failed
network-unknown
host-unknown
network-prohibited
host-prohibited
TOS-network-unreachable
TOS-host-unreachable
communication-prohibited
host-precedence-violation
precedence-cutoff
source-quench
redirect
network-redirect
host-redirect
TOS-network-redirect
TOS-host-redirect
echo-request (ping)
router-advertisement
router-solicitation
time-exceeded (ttl-exceeded)
ttl-zero-during-transit
ttl-zero-during-reassembly
parameter-problem
ip-header-bad
required-option-missing
timestamp-request
timestamp-reply
address-mask-request
address-mask-reply

conntrack match v1.2.6a options:
[!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|SNAT|DNAT][,...]
State(s) to match
[!] --ctproto proto Protocol to match; by number or name, eg. `tcp'
--ctorigsrc [!] address[/mask]
Original source specification
--ctorigdst [!] address[/mask]
Original destination specification
--ctreplsrc [!] address[/mask]
Reply source specification
--ctrepldst [!] address[/mask]
Reply destination specification
[!] --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED][,...]
Status(es) to match
[!] --ctexpire time[:time] Match remaining lifetime in seconds against
value or range of values (inclusive)


helper match v1.2.6a options:
[!] --helper value Match helper value


IPP2P v0.8.1_rc1 options:
--ipp2p Grab all known p2p packets
--edk [TCP&UDP] All known eDonkey/eMule/Overnet packets
--dc [TCP] All known Direct Connect packets
--kazaa [TCP&UDP] All known KaZaA packets
--gnu [TCP&UDP] All known Gnutella packets
--bit [TCP&UDP] All known BitTorrent packets
--apple [TCP] All known AppleJuice packets
--winmx [TCP] All known WinMX
--soul [TCP] All known SoulSeek
--ares [TCP] All known Ares

EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) :
--mute [TCP] All known Mute packets
--waste [TCP] All known Waste packets
--xdcc [TCP] All known XDCC packets (only xdcc login)

DEBUG SUPPORT, use only if you know why
--debug Generate kernel debug output, THIS WILL SLOW DOWN THE FILTER

Note that the following options will have the same meaning:
'--ipp2p' is equal to '--edk --dc --kazaa --gnu --bit --apple --winmx --soul --ares'

IPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this.
You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.

See README included with this package for more details or visit http://www.ipp2p.org

Examples:
iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01
iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP
iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP


LAYER7 match v1.2.6a options:
--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/
(--l7dir must be specified before --l7proto if used!)
--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat


pkt_type v0.1 options:
--pkt-type [!] packettype match packet type

Valid packet types:
host to us
broadcast to all
multicast to group


recent options:
[!] --set Add source address to list, always matches.
[!] --rcheck Match if source address in list.
[!] --update Match if source address in list, also update last-seen time.
[!] --remove Match if source address in list, also removes that address from list.
--seconds seconds For check and update commands above.
Specifies that the match will only occur if source address last seen within
the last 'seconds' seconds.
--hitcount hits For check and update commands above.
Specifies that the match will only occur if source address seen hits times.
May be used in conjunction with the seconds option.
--rttl For check and update commands above.
Specifies that the match will only occur if the source address and the TTL
match between this packet and the one which was set.
Useful if you have problems with people spoofing their source address in order
to DoS you via this module.
--name name Name of the recent list to be used. DEFAULT used if none given.

TIME v1.2.6a options:
--timestart value --timestop value --days listofdays
timestart value : HH:MM
timestop value : HH:MM
listofdays value: a list of days to apply -> ie. Mon,Tue,Wed,Thu,Fri. Case sensitive
diego638
 

Post by gamba47 » Wed Aug 29, 2007 2:52 pm

I tried to get in over ssh and it won't let me. What's the root password? Because with admin it won't let me go any further...


Regards. gamba47
gamba47
BFW Beneméritos

Posts: 7243
Joined: Tue Dec 27, 2005 1:51 pm
Location: Buenos Aires, Argentina
BrazilFW Box: Pentium4 1256mb RAM HD 200gb
BrazilFW 3.0.237 without Squid
3 ADSLs & 1 Cablemodem
50 Users & more!

Post by nachazo » Wed Aug 29, 2007 2:54 pm

hmm, you can over ssh...


I'll have a look... over telnet too, and in webmin you have a console interface...

Regards.
nachazo
 

Post by gamba47 » Wed Aug 29, 2007 2:57 pm

I saw the console, but it doesn't let me do much there. I'd like to drop a script in or at least see what's on it :S
gamba47

Post by nachazo » Wed Aug 29, 2007 2:59 pm

from the console you can run iptables --help


or lsmod

or whatever command you want....
nachazo
 

Post by diego638 » Wed Aug 29, 2007 3:07 pm

I use PuTTY SSH2
user: root
password: root

What I did have to do to add an iptables rule was change init.sh and put the rule in there with the vi command, and I got it from this manual http://209.85.165.104/search?q=cache:0F ... =clnk&cd=1
diego638
 

