CORPORATE PROFILES
I
I
I
I
I

  Router Solution
  ------------------------------------------
Overview
Pro Series Router
Industrial Series Router
Pro Series Network Card
Ind Series Network Card
   
  WAN Monitoring
  ------------------------------------------
WAN monitoring card
WAN monitoring tapper
   
  Technical Support
  ------------------------------------------
Manual Downloads
Technology
Case Study
Technical Notes
FAQ
   

 

  

 
ImageStream - Limiting Peer to Peer Traffic

ImageStream routers support powerful packet matching and traffic limiting techniques in Enterprise Linux version 4.2 and later releases. This document provides examples of identifying and limiting Peer to Peer (P2P) traffic. More in-depth information about the capabilities of the iptables utility is available in other Technical Notes and on the Other On-Line Resources page on this site.

Most, but not all, major P2P networks can be identified using the methods outlined below. ImageStream will be adding support for new P2P networks in future releases as necessary. Currently, ImageStream routers can match traffic from the following P2P networks:

  • eDonkey
  • eMule
  • Overnet
  • Direct Connect
  • KaZaa
  • Gnutella
  • BitTorrent

Threory of Operation

Enterprise Linux version 4.2 or greater supports matching of P2P using iptables rules. Once the ImageStream router identifies P2P packets, the router can add packets to a limited traffic class or a quota. As with other types of traffic, the iptables utility can be configured to drop P2P traffic completely. As with all Quality of Service techniques, the goals of limiting P2P traffic are to more effectively manage limited bandwidth resources, limit unnecessary congestion and prevent network resource abuse. Quality of Service is best managed on interfaces where data is transmitted. To limit P2P traffic, it may be necessary to add iptables rules to both inward-facing and outward-facing network devices. Dropping P2P traffic at the router on an inbound or outbound interface will eliminate all P2P traffic types supported above without the need to add additional rules.

Before You Start

In the example diagrammed above, the ImageStream router has a DS-3 (45 Mbps) connection to the Internet and a 100Mbit Ethernet connection to a local network. The example configuration below will limit a P2P client on the local network to 1 Mbit per second of throughput, but not restrict non-P2P traffic in any way. In this example, the DS-3 is on interface Serial0 and the local network is connected via Ethernet0. The appropriate interface to limit traffic flow decrease downstream P2P traffic is on the interface to the local network, Ethernet0. As noted above, data arriving from the Internet is transmitted to users on Ethernet0.

Limiting P2P traffic has two main steps: classifying P2P traffic and limiting that traffic. For this advanced application, you will use the standards-based Diffserv queuing utility 'tc' together with the iptables utility. The configurations listed in this example may not match the ones suitable for use on your network. Any device names, class identification numbers, bandwidth allocations or link speeds are provided as examples only. You will need to change the commands in the example below to match the settings suitable for your network.

Configuring the Quality of Service Classes for Limiting Peer-to-Peer Clients

Enter the Quality of Service menu and choose the option to configure Quality of Service rules. Enter the following commands in the router's Quality of Service configuration file: 


#Set up the Bandwidth Management for eth0
#(traffic transmitted TO users coming FROM the WAN)
tc qdisc add dev eth0 root handle 1: htb

# Setup the root class for all Traffic classes
# rate is set to 100 Mbps.
#The 'ceil' ceiling value is omitted,
#and will be set to the same value as the rate (100 Mbps)
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit

# The class for limited traffic (P2P traffic)
# rate is set to 1 Mbps.  'ceil' is omitted here also.
tc class add dev eth0 parent 1:1 classid 1:17 htb rate 1mbit
# Alternate example: Provide a minimum of 512 Kbps and set a maximum of 1 Mbps
#tc class add dev eth0 parent 1:1 classid 1:17 htb rate 512kbit ceil 1mbit

The set of commands above creates a traffic class, identified as 1:17, that is limited to transmitting at a maximum of 1 Mbit/sec. The first two commands initialize the hierarchical token bucket (HTB) queuing algorithm and are not necessary if a pre-existing htb root class is already configured on this interface. The third command defines the a class id (1:17, with '1' identifying the root class and '17' being a unique identification number selected arbitrarily). The 'rate' keyword sets the bandwidth limit for this class (1mbit). The alternate example shows how to use 'rate' and 'ceil' to create a lower and upper bandwidth limit for the class.


Configuring the Firewall Rules for Limiting Peer-to-Peer Clients

Now that the router has a traffic class to use for limited traffic, you must configure the iptables utility to sort P2P traffic into the limited class. Enter the router's Firewall menu and choose the option to configure Firewall rules. The placement of these commands is important! The use of these commands may require you to remove default configuration settings, insert rules into an existing configuration, or modify current packet marking configurations. For maximum effectiveness, these rules should be placed immediately below any rules that flush/clear existing firewall rules (commands that begin with 'iptables -F'). Enter the following commands in the router's Firewall configuration file: 

#Restore any previous connection marks
iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark


#Do not remark any packets--Accept any packets already marked
iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT


#Mark ALL supported P2P types with a value of 1
iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1


#Mark ALL packets belonging to P2P connections marked above with a value of 1
iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark


#Associate marked packets transmitted on Ethernet0 with traffic class number 1:17
iptables -t mangle -A POSTROUTING -o eth0 -m mark --mark 1 -j CLASSIFY --set-class 1:17

The first command restores marks on packets as they arrive on the router. The second command ensures that packets already marked are not remarked by these rules.

The third command uses the ipp2p match provided with ImageStream's version of iptables to match all supported types of P2P requests and mark any matched requests with a mark of 1. The packets themselves are not altered in any way. The packet mark value is stored in the router's memory structure used for this packet. The fourth command instructs the router to mark all packets associated with the previously identified P2P requests with a value of 1. This command ensures that all packets, and not just the P2P requests, are identified by the router. This command is not necessary when dropping all P2P requests.

The last command sets the traffic class id on any packets to class id 1:17. This command also contains two critical additions: the first to add only packets marked with a value of 1 and the second to add only those packets that will be transmitted on Ethernet0 (eth0). The limits are important to prevent other traffic from being added to the limited class by mistake. This last command redirects all of the previously marked P2P traffic to the limited traffic class created in the QoS step. Traffic from P2P clients added to this limited class will be limited to a aggregate maximum of 1 Mbps.


Configuring the Firewall Rules for Dropping Peer-to-Peer Traffic

Denying the use of P2P client software on a network routed by an ImageStream router does not require the use of Quality of Service classes. To drop all supported P2P network traffic, the router only needs to identify and discard this traffic.

Enter the router's Firewall menu and choose the option to configure Firewall rules. The placement of these commands is important! The use of these commands may require you to remove default configuration settings, insert rules into an existing configuration, or modify current packet marking configurations. For maximum effectiveness, these rules should be placed immediately below any rules that flush/clear existing firewall rules (commands that begin with 'iptables -F').

Enter the following commands in the router's Firewall configuration file: 

#Drop all Peer-to-Peer network traffic
iptables -A FORWARD -p tcp -m ipp2p --ipp2p -j DROP

The iptables rule above will discard any P2P traffic that would normally be forwarded by the router. Users connected to this router will be unable to use the P2P services listed at the top of this page.
Configuring the Quality of Service Classes for Limiting Peer-to-Peer Network Individually
Enterprise Linux can distinguish between different types of P2P networks. The example below limits KaZaa traffic to only 256 Kbps, but places BitTorrent traffic in a separate 4 Mbps queue. To create this configuration, you will create two limited classes and use two sets of iptables ipp2p match rules. Enter the Quality of Service menu and choose the option to configure Quality of Service rules. Enter the following commands in the router's Quality of Service configuration file: 

#Set up the Bandwidth Management for eth0
(traffic transmitted TO users coming FROM the WAN)
tc qdisc add dev eth0 root handle 1: htb


# Setup the root class for all Traffic classes
# rate is set to 100 Mbps.
#The 'ceil' ceiling value is omitted,
#and will be set to the same value as the rate (100 Mbps)
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit


# The class for limited traffic (KaZaa traffic only)
# rate is set to 256 Kbps.  'ceil' is omitted here also.
tc class add dev eth0 parent 1:1 classid 1:17 htb rate 256kbit
# Alternate example: Provide a minimum of 256 Kbps and set a maximum of 1 Mbps
#tc class add dev eth0 parent 1:1 classid 1:17 htb rate 256kbit ceil 1mbit


# A second class for limited traffic (BitTorrent traffic only)
tc class add dev eth0 parent 1:1 classid 1:18 htb rate 4mbit

 

Configuring the Firewall Rules for Limiting Peer-to-Peer Network Individually

Enter the router's Firewall menu and choose the option to configure Firewall rules. The placement of these commands is important! The use of these commands may require you to remove default configuration settings, insert rules into an existing configuration, or modify current packet marking configurations. For maximum effectiveness, these rules should be placed immediately below any rules that flush/clear existing firewall rules (commands that begin with 'iptables -F').

Enter the following commands in the router's Firewall configuration file: 

#Restore any previous connection marks
iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark


#Do not remark any packets--Accept any packets already marked
iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT


#Mark KaZaa P2P traffic with a value of 1
iptables -t mangle -A PREROUTING -p tcp -m ipp2p --kazaa -j MARK --set-mark 1


#Mark BitTorrent P2P traffic with a value of 2
iptables -t mangle -A PREROUTING -p tcp -m ipp2p --bit -j MARK --set-mark 2


#Mark ALL packets belonging to KaZaa P2P connections marked above with a value of 1
iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark


#Mark ALL packets belonging to BitTorrent P2P connections marked above with a value of 2
iptables -t mangle -A PREROUTING -p tcp -m mark --mark 2 -j CONNMARK --save-mark


#Associate marked KaZaa packets transmitted on Ethernet0 with traffic class number 1:17
iptables -t mangle -A POSTROUTING -o eth0 -m mark --mark 1 -j CLASSIFY --set-class 1:17


#Associate marked BitTorrent packets transmitted on Ethernet0 with traffic class number 1:18
iptables -t mangle -A POSTROUTING -o eth0 -m mark --mark 2 -j CLASSIFY --set-class 1:18

 

Top
COPYRIGHT © 2006 TELOGIC CO. ALL RIGHT RESERVED.