This is how I modified it so that it works for me:
Add this in the terminal:
Code:
/ip firewall layer7-protocol add name=skypenack regexp="[\\\\|\\xd5]"
L7 rule for recognizing the NACK packet; you need to put in the first number of your public IP. This algorithm works for public IPs starting with 213.x.x.x and 92.x.x.x.
Add this to firewall/mangle:
1.
Code:
chain=forward action=add-src-to-address-list protocol=udp
address-list=skype address-list-timeout=1h layer7-protocol=skypenack
packet-size=39
This rule catches the NACK packet that Skype uses to establish communication. Based on which IP addresses on the internet exchange this packet, it puts those IP addresses into an address list and marks them as skype (they stay there for an hour and are then deleted).
2.
Code:
chain=prerouting action=mark-connection
new-connection-mark=conn_skype_in passthrough=yes protocol=udp
src-address-list=skype connection-rate=0-50k
Code:
chain=prerouting action=mark-packet new-packet-mark=skype_in
passthrough=no connection-mark=conn_skype_in
Code:
chain=postrouting action=mark-connection
new-connection-mark=conn_skype_out passthrough=yes protocol=udp
dst-address-list=skype connection-rate=0-50k
Code:
chain=postrouting action=mark-packet new-packet-mark=skype_out
passthrough=no connection-mark=conn_skype_out
These rules mark the connection and the packets, which are then used in the queue tree; the packet size of 50k excludes file transfers over Skype from the marking.
3. queue tree:
Code:
name="voip_in" parent=IN packet-mark=skype_in limit-at=256k
queue=pcq-download priority=2 max-limit=2M burst-limit=0
burst-threshold=0 burst-time=0s
Code:
name="voip_out" parent=OUT packet-mark=skype_out limit-at=256k
queue=pcq-upload priority=2 max-limit=2M burst-limit=0 burst-threshold=0
burst-time=0s
I'm testing on ROS 4.10; so far it looks like it works very well. It does not catch other traffic (unlike the skype L7, which caught torrents and FTP).
Here is a HEX-DEC converter: http://www.parkenet.com/apl/HexDecConverter.html but I don't understand exactly how it gets put into L7 (how to create an L7 rule based on the first number of my public IP).
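
Added example, not part of the original post: a Python sketch of the step the post leaves open, turning the first octet of each public IPv4 address into a `\xNN` byte escape and building the layer7-protocol command from it. The function names and sample addresses are assumptions made for illustration; the doubled backslashes in the console string follow the command shown in the post, and the payload check only approximates the byte match with Python's `re`, not RouterOS's own matcher.

```python
import ipaddress
import re

# Constructed sample addresses (not from the post), covering both prefixes it mentions.
SAMPLE_IPS = ["213.0.2.10", "92.0.2.20", "213.0.2.99"]


def first_octet_escapes(public_ips):
    """Return sorted, de-duplicated \\xNN escapes for the first octet of each address."""
    octets = set()
    for ip in public_ips:
        addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
        octets.add(addr.packed[0])        # first byte of the address, e.g. 213 -> 0xd5
    return [f"\\x{o:02x}" for o in sorted(octets)]


def l7_regexp(public_ips):
    """Build a bracket class that matches any one of the first-octet bytes."""
    # Every byte is written as a hex escape, so 92 (0x5c, the backslash
    # character itself) needs no special handling inside the class.
    return "[" + "".join(first_octet_escapes(public_ips)) + "]"


def routeros_command(public_ips, name="skypenack"):
    """Render the terminal command, doubling backslashes as the post's command does."""
    rx = l7_regexp(public_ips).replace("\\", "\\\\")
    return f'/ip firewall layer7-protocol add name={name} regexp="{rx}"'


def payload_matches(public_ips, payload: bytes) -> bool:
    """Check whether a payload contains one of the first-octet bytes."""
    return re.search(l7_regexp(public_ips).encode("ascii"), payload) is not None


if __name__ == "__main__":
    print(l7_regexp(SAMPLE_IPS))
    print(routeros_command(SAMPLE_IPS))
    # Constructed payloads: one carrying byte 0xd5, one carrying neither byte.
    print(payload_matches(SAMPLE_IPS, bytes([0x02, 0x10, 0xD5, 0x00])))
    print(payload_matches(SAMPLE_IPS, bytes([0x02, 0x10, 0x11, 0x00])))
```

A one-byte class matches any payload that contains that byte, so the `protocol=udp` and `packet-size=39` conditions in the mangle rule are what keep the match narrow.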