27.09.2006 release for version 0.8.2
New version 0.8.2

download the new version here

changes are:
  • compile cleanly for kernel >= 2.6.17 -- THANKS to

    I have seen some pieces of code from ipoque which can detect encrypted bittorrent
    and edonkey traffic. Unfortunately, this code will not work with iptables, because it needs
    more information about the flow history and the history of an ip address.

    Right now, I do not have the time and the money to develop a filter like this, but
    if you are interested in a development in this direction, please contact me.

    I get a LOT of support emails, especially from companies selling traffic management
    solutions with a support request.

    If you are a company or an admin who earns money with traffic management and you
    have a question, then:
  • donate ipp2p
  • ask your question

    I have decided to put up a paypal button for every admin and / or company who wants
    to support me (see on the left menu bar)

    And also, feel free to contact me about further developments ;-)

    >> Contact
    04.01.2006 New test version 0.8.1_rc1 released
    New test version 0.8.1_rc1 is out

    download the new version here

    changes are:
  • new (experimental) protocols: mute, xdcc(block only) and waste (THX to joco)
  • detects BitComet header encryption
  • edonkey udp bug fixed
  • some new rules for winmx
  • more code cleanup (the code does not look very well)

    All in all send me your results

    >> Contact
    20.10.2005 Stable version 0.8.0 released
    The latest test version 0.8.0_rc3 was so stable that I have had to
    fix only one iptables parameter error. (THX to Alex for his bug report)

    download the new version here

    I will integrate new p2p detections in the future.
    If you think P2P protocol X is important for you, contact me.
    Please do not ask for skype. It is impossible to block skype with just one
    It is possible to block Skype by a complete flow analysis.
    If you really need it, a solution is sold by ipoque

    Last but not least I have figured out that many companies and even some
    firewall vendors are using the ipp2p source code without any GPL-like regards
    The company ipoque uses my detection and have
    donated me a lot (like this webspace, a notebook,...)

    So feel free to contact me ;-)

    >> Contact
    02.07.2005 New version 0.8.0_rc3
    New test version out, changes are:
  • dropping ares works now (again)
  • removed unnecessary rules, this should be a speedup
  • all BitComet packets will be detected now

    download the new version here

    Some udp rules cannot be stronger, the detection of udp is weak.
    If you drop or shape udp packets, I suggest to do no connection tracking with udp
    packets, only with tcp packets. The udp rules should hit every udp packet
    because there is no udp data flow in any p2p programs.
    If someone uses VoIP or online games, there is now a statistical chance that
    ONE packet can be dropped, not the whole connection.

    I suggest the following tcp and udp for connection tracking (see docu section)
    iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
    iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
    iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark
    iptables -t mangle -A PREROUTING -p udp -m ipp2p --ipp2p -j MARK --set-mark 1

    detect TCP FIRST, SAVE MARK, and detect udp after you saved the mark !!
    You will have now every p2p packet marked, but a dramatic reduction of udp mismatches.
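
Added example (not part of the ipp2p sources or documentation): a simplified Python model of how the rules above treat a flow, showing why a UDP look-alike costs one packet under this rule order but the rest of the flow if UDP marks were also saved with CONNMARK. The packet tuples, flow names and the `connmark_udp` switch are assumptions made for the illustration.

```python
def run_rules(packets, connmark_udp=False):
    """Return the final packet mark for every packet, in order.

    packets: list of (proto, flow, looks_like_p2p) tuples. `flow` stands in
    for the conntrack entry, `looks_like_p2p` for the verdict of
    `-m ipp2p --ipp2p` on that single packet.
    connmark_udp=False models the rules as listed (UDP is only marked per
    packet); True models the variant where UDP marks are saved as well.
    """
    conn_marks = {}  # conntrack entry -> saved connection mark
    result = []
    for proto, flow, looks_like_p2p in packets:
        tracked = proto == "tcp" or connmark_udp
        mark = 0
        if tracked:
            mark = conn_marks.get((proto, flow), 0)  # CONNMARK --restore-mark
            if mark != 0:                             # -m mark ! --mark 0 -j ACCEPT
                result.append(mark)
                continue
        if looks_like_p2p:                            # -m ipp2p --ipp2p -j MARK --set-mark 1
            mark = 1
        if tracked and mark == 1:                     # -m mark --mark 1 -j CONNMARK --save-mark
            conn_marks[(proto, flow)] = mark
        result.append(mark)
    return result


# Constructed traffic: a TCP p2p transfer whose second packet carries a
# recognisable header, and a VoIP stream with one packet that looks like p2p.
P2P_TCP = [("tcp", "a", False), ("tcp", "a", True),
           ("tcp", "a", False), ("tcp", "a", False)]
VOIP_UDP = [("udp", "v", False), ("udp", "v", False), ("udp", "v", True),
            ("udp", "v", False), ("udp", "v", False)]

if __name__ == "__main__":
    print("tcp p2p, rules as listed :", run_rules(P2P_TCP))
    print("voip, rules as listed    :", run_rules(VOIP_UDP))
    print("voip, udp marks saved too:", run_rules(VOIP_UDP, connmark_udp=True))
```
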

    >> Contact
    It seems, the udp rules are not so strong as they should be.

    UDP makes more problems than it solves.
    Some games and VoIP clients create udp packets which look like p2p.
    All p2p programs use tcp for data transfer, so blocking tcp
    with ipp2p is enough to prevent p2p downloads.
    But some p2p programs will create traffic without blocking p2p.
    This traffic is very low (compared to the tcp traffic).

    There is a bug in the actual ares detection, I am working on a new better one.

    About kazaa 3.0, the first packet is a random 12 bytes packet
    and it looks like random data (secret key exchange ??).
    If someone knows how to detect this, it would be a great help.

    I also checked the ipp2p filter with BitComet and it blocked all
    does anybody else have problems with BitComet and mark or drop ???

    >> Contact
    21.06.2005 next test version (ipp2p-0.8.0_rc2)
    I have disabled one rule, which detects Wolfenstein ET as Edonkey UDP packet.
    This update should make some Wolfenstein ET players happy.
    If you block P2P with this filter, this rule has no effect.
    Only ONE very special P2P UDP packet is not detected.
    Thanks to Rene Koka for the dmesg output! :-)

    download this version here

    Open Bugs:
  • no detection for KaZaa 3.0, they have changed their protocol completely
  • got a report that BitComet can pass the filter


    >> Contact
    16.06.2005 New test version and maintainer changed
    A new test version has been released (ipp2p-0.8.0_rc1).
    download this version here

    New Features:
    many filter improvements, many thanks to ipoque
    to offer us their filter improvements. Nice job :-)
    Here as list:
  • Soulseek bug removed: longer ssh connections matched this rule
  • DC, Bit, edk filter improved
  • DC udp matches added

    The old maintainer was a little bit overworked, with this release the ipp2p
    project has a new maintainer.

    If you think, application XYZ gets recognized by this p2p filter,
    but it is no p2p, please run ipp2p with: --debug
    Then there will be a kernel dmesg like:

    IPP2P.debug:UDP-match: 102452 from: XXX.XXX.XXX.XXX:6881
        to: XXX.XXX.XXX.XXX:6881 Length: 65

    Submit this line to me and I will recheck this rule!
    If possible, add a tracefile with tcpdump, snort or ethereal.
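
Added example (not part of ipp2p): a small Python helper that groups `--debug` records from dmesg by rule number and masks the addresses before a report is sent. It assumes every record follows the layout of the sample above, whether printed on one line or wrapped; the log excerpt, its addresses and rule 999 are constructed.

```python
import re
from collections import defaultdict

MATCH = re.compile(
    r"IPP2P\.debug:(?P<proto>\w+)-match: (?P<rule>\d+) "
    r"from: (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+"
    r"to: (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+"
    r"Length: (?P<length>\d+)"
)

def parse(log_text):
    """Yield one dict per IPP2P.debug record found in dmesg output."""
    for m in MATCH.finditer(log_text):
        rec = m.groupdict()
        for key in ("rule", "sport", "dport", "length"):
            rec[key] = int(rec[key])
        yield rec

def by_rule(log_text):
    """Group hits as {(proto, rule): {"count", "ports", "lengths"}}."""
    stats = defaultdict(lambda: {"count": 0, "ports": set(), "lengths": set()})
    for rec in parse(log_text):
        entry = stats[(rec["proto"], rec["rule"])]
        entry["count"] += 1
        entry["ports"].update((rec["sport"], rec["dport"]))
        entry["lengths"].add(rec["length"])
    return dict(stats)

def redact(log_text):
    """Mask addresses as in the sample above, keeping rule, ports and length."""
    return MATCH.sub(
        lambda m: "IPP2P.debug:{proto}-match: {rule} from: XXX.XXX.XXX.XXX:{sport} "
                  "to: XXX.XXX.XXX.XXX:{dport} Length: {length}".format(**m.groupdict()),
        log_text,
    )

# Constructed dmesg excerpt (documentation addresses; rule 999 is made up).
SAMPLE = """\
[  812.104] IPP2P.debug:UDP-match: 102452 from: 192.0.2.10:6881 to: 198.51.100.7:6881 Length: 65
[  812.377] IPP2P.debug:UDP-match: 102452 from: 198.51.100.7:6881 to: 192.0.2.10:6881 Length: 65
[  815.020] IPP2P.debug:UDP-match: 999 from: 192.0.2.44:27960
    to: 203.0.113.5:27960 Length: 48
"""
```

A rule number that only ever fires on a port used by a game or VoIP client, with one fixed length, is the record worth submitting.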
    17.03.2005 Help with BitTorrent needed!
    Receiving various reports saying that --bit does not work reliably
    anymore I need someone who can do a traffic dump capturing the packets
    IPP2P 0.7.4 misses. I have no idea why and tried to reproduce this with
    no success.
    So if you're using IPP2P to drop BitTorrent packets and observe that some
    packets still come through please do a binary tcpdump or snort. Contact me
    for further information or if you can provide such a traffic capture.

    >> Contact
    05.02.2005 IPP2P 0.7.4 released
  • BUGFIX: --kazaa and --gnu should work again - please send comments on this!
  • Thanks to Paul Cunanne for the information!
  • Makefile has been modified, Modversions shall work again
  • Thanks to Michael Renzmann for the patches!
  • Support for iptables 1.3.0 series added

    Get 0.7.4 from the snapshots section. For 0.7.4 being a possible candidate for a
    stable release it is very important that you send bugreports immediately to me.

    >> Downloads
    04.01.2005 IPP2P 0.7.2 released
  • --udp and --tcp have been removed

    Being a duplicate of netfilter's protocol match both options have been removed. If
    one needs to match TCP packets only use -p tcp, for UDP only use -p udp and
    for both protocols omit -p.
    There are no other changes in 0.7.2 compared to 0.7.1 - get it from snapshots
    section. I will update the documentation to fit this as soon as possible.

    >> Downloads
    30.12.2004 IPP2P 0.7.1 released
  • check for skb_is_nonlinear to make sure pattern matching works
  • statement movements due to compile problems on some 2.4x machines
  • Thanks to Chris for support!

    >> Downloads
    23.12.2004 IPP2P 0.7 released
  • UDP support for eDonkey, KaZaA, Gnutella and BitTorrent
  • new option: --ares for Ares and AresLite network
  • new option: --debug prints matchinfo to kernel logfile
  • SoulSeek filter improved - should work now together with CONNMARK
  • no need for "-p tcp" anymore - use built-in options instead
  • bugfix in libipt_ipp2p.c to work with new debug flag

    Consult the documentation for more information about the new features. The
    homepage and the README are updated as well to cover all changes and new
    features. Any feedback on IPP2P 0.7 is highly appreciated!

    >> Downloads
    18.12.2004 Updates
    I've decided to set the English version of as default page
    because we've got many visitors not speaking German. You still can reach the
    German version through the menu. Furthermore some decisions were made:

  • IPP2P version 0.7 will support UDP matching on some P2P networks
  • I will offer latest source tarballs here again
  • I will publish sporadic snapshots and hope to get some feedback about them

    >> Downloads
    18.11.2004 IPP2P homepage has moved
    You can reach our project through so update your
    bookmarks. Many thanks to ipoque for supporting us!
    10.09.2004 IPP2P 0.6.1 released
      -new option: --winmx for WinMX packets
    01.08.2004 IPP2P development
    Future releases of IPP2P will be developed for netfilter patch-o-matic-ng only.
    Patches and sourcecode-tarball will not be published here anymore.
    24.06.2004 IPP2P 0.6 released
      -extension: --gnu for better matching of Shareaza
      -extension: --edk new eMule and Kademlia patterns
      -cleanup: match function of kernel module (thanks to Joerg Hoh)
      -merge: sources & Makefile for kernel 2.4 and 2.6
    >> Downloads
    14.03.2004 IPP2P 0.5c released
      -new option: --soul for SoulSeek (DROP only)
      -extension: --kazaa also matches iMesh packets now

     Note that SoulSeek opens a new TCP connection for every download. We
     can not recognize this connection so marking does not work. But we can
     detect CONNECT and TRANSFER REQUEST packets so a DROP rule will
     make Soulseek stop working.
    >> Downloads
    05.03.2004 IPP2P 0.5b sources for 2.6
     Since pom-ng seems to reach a stable state I decided to modify IPP2P sources
     for use together with kernel series 2.6. Changes affect the Makefile and the
     kernel module. Grab the tarball from the downloads section.
    >> Downloads
    06.02.2004 IPP2P 0.5b released
      -BUGFIX: corrected output for iptables-save
      -BUGFIX: missing includes in iptables patch fixed
    Thanks to Pawel Trepka for the information!
    >> Downloads
    18.01.2004 More scripts
      -QoS shellscript to automatically start a HTB setup
      -IPP2P shellscript to load a set of rules (traffic shaping with IPP2P)
    >> Downloads
    17.01.2004 Bridge script
      Today I rewrote a small shell script to control a bridge interface.
      Mainly intended to start a bridge in a certain runlevel automatically.
    >> Downloads
    17.01.2004 Patch updates
      -Since the old patch stopped working against 2.4.24 here is a new one
      -Found and removed a bug in iptables patch
    >> Downloads
    06.01.2004 Kernel 2.6.0 and IPP2P
     The structure changes in new 2.6.x Kernel series demand for some changes
     in netfilter (for example new POM). Until these changes do not reach
     a more or less stable state I will not port IPP2P to 2.6. If someone
     nevertheless wants to use IPP2P and 2.6. go to this page and find there
     unofficial (and untested) IPP2P and CONNMARK patches for Kernel 2.6.
     Thanks for the work Alex!
    >> Unofficial 2.6 patches
    17.12.2003 Latency investigation released
      -Results of an (udp) investigation on a firewalling bridge (english)
    >> Links
    05.12.2003 IPP2P 0.5a patches
      -IPP2P kernel patch released (against kernel 2.4.22)
      -IPP2P userspace patch released (against iptables 1.2.9)
      -IPP2P patches for POM released
    Any feedback on these patches is more than welcome!
    >> Downloads
    29.11.2003 Homepage update
      Documentation section finished and uploaded.
    >> Documentation
    28.11.2003 IPP2P 0.5a released
      -BUGFIX: --kazaa working again (bug was introduced in 0.5.rc1)
    >> Downloads
    13.11.2003 IPP2P 0.5 released
      -only packets that can contain payload are being searched now
      -improved matches for eMule and eDonkey
      -turned off debug output
    >> Downloads
    06.11.2003 IPP2P 0.5.rc2 finished and testing phase started
      -new options: --bit (BitTorrent) and --apple (appleJuice)
      -extended support for eMule commands (c5)
    >> Downloads
    23.10.2003 Release of the IPP2P homepage (but still under construction)
    22.10.2003 IPP2P 0.5.rc1 finished and testing phase started
      -renamed options: --gnu became --gnu-data and --kazaa became --kazaa-data
      -split --dec into --gnu and --kazaa
      -some minor bugfixes and sourcecode improvements
      -extended documentation (README; save, help, print)
    >> Downloads
    16.10.2003 Started work at IPP2P version 0.5