LinuxQuestions.org
10-05-2005, 01:29 AM   #1
J4b0l
Distribution: Slackware 10
iptables and firewall


I have a problem like this:
I have a router (a simple ADSL modem connected to an Ethernet card, let's say eth0, and another card, eth1, connected to the LAN) with a firewall set by iptables rules (generally blocking the ports and protocols of eMule, Kazaa, Torrent etc.) like this:

iptables -A FORWARD -p tcp -m ipp2p --ipp2p -j DROP
and
iptables -i eth0 -A FORWARD -p tcp --dport 4600:4700 -j DROP

This one connection is divided by this router to the LAN behind masquerade, with addresses from, let's say, 100.200.30.*.
The connection also gives me several (let's say 13, my lucky number) global IPs.

My question is:
how to set the firewall to allow only one user (or several users) from behind the masquerade to use p2p programs,
and
how to set it to allow only a user with a global IP to use these programs; is it the same rule, or something different?
Thanks,
Jabol
 
10-05-2005, 06:16 AM   #2
Capt_Caveman
Distribution: Fedora
Re: iptables and firewall

my question is: how to set firewall to allow only one user (or several users) from behind the masquerade use p2p programs
If you're trying to limit the number of simultaneous p2p users, then the netfilter CONNLIMIT extension would likely work. If you are trying to only allow a specific set of users to use p2p (e.g. users joe and bob, but nobody else), then you can use the owner match to restrict access to only those user IDs. That would need to be done locally on the system that the p2p is being run on, as netfilter has no way to know which user is executing the app. Depending on your Linux distro you may need to use patch-o-matic to add support for those netfilter extensions.

how to set it to allow only user with global IP use this programs, is it the same rule, or something different?
thanks

Don't know what you mean here. Could you explain a bit more?
 
10-08-2005, 11:41 AM   #3
J4b0l
Original Poster
OK, let's say I have something like this:


iptables -A FORWARD -p tcp -m ipp2p --ipp2p -j DROP
iptables -A FORWARD -p TCP -m string --string "BitTorrent protocol" -j REJECT --reject-with tcp-reset
iptables -A FORWARD -p TCP -m string --string "GET /announce" -j REJECT --reject-with tcp-reset

iptables -i eth0 -t nat -A PREROUTING -p tcp --dport 445 -j DROP
iptables -i eth0 -A FORWARD -p tcp --dport 135 -j DROP
iptables -i eth0 -A FORWARD -p tcp --dport 445 -j DROP
iptables -i eth0 -A FORWARD -p tcp --dport 4600:4700 -j DROP
iptables -i eth0 -A FORWARD -p tcp --dport 6800:8000 -j DROP
iptables -i eth0 -A FORWARD -p igmp -j DROP


And I want to change it, in that nasty way, to let one external IP (like 100.200.30.40) and one internal one (like 192.168.1.100) ignore these rules and give them free use of these ports.
Is it clear? It may still be a bit confusing because my English isn't good enough.
Thanks anyway.
 
10-09-2005, 08:30 PM   #4
Capt_Caveman
In that case, you could just put a rule earlier in the firewall to allow p2p traffic to those IP addresses; all other IP addresses would then have their p2p traffic dropped.

Code:
iptables -A FORWARD -s 100.200.30.40 -p tcp --dport XXXX -j ACCEPT
iptables -A FORWARD -s 192.168.1.100 -p tcp --dport XXXX -j ACCEPT
iptables -A FORWARD -p tcp -m ipp2p --ipp2p -j DROP
iptables -A FORWARD -p TCP -m string --string "BitTorrent protocol" -j REJECT --reject-with tcp-reset
iptables -A FORWARD -p TCP -m string --string "GET /announce" -j REJECT --reject-with tcp-reset
iptables -i eth0 -t nat -A PREROUTING -p tcp --dport 445 -j DROP
iptables -i eth0 -A FORWARD -p tcp --dport 135 -j DROP
iptables -i eth0 -A FORWARD -p tcp --dport 445 -j DROP
iptables -i eth0 -A FORWARD -p tcp --dport 4600:4700 -j DROP
iptables -i eth0 -A FORWARD -p tcp --dport 6800:8000 -j DROP
iptables -i eth0 -A FORWARD -p igmp -j DROP
Where XXXX is whatever port or ports you want to open to those IP addresses. Hope that helps. If that's not what you meant, then let me know.
 
10-10-2005, 03:05 AM   #5
J4b0l
Original Poster
OK, this is more or less what I wanted... I think...
And what about the string identification rule:

iptables -A FORWARD -p tcp -m ipp2p --ipp2p -j DROP

Isn't this a problem for the IPs (100.200.30.40 and 192.168.1.100) that are meant to disobey the p2p lock?

This is my idea:
A small LAN with one (or maybe two) computers used to download things by eMule, BitTorrent etc., so as not to overload the whole network with p2p traffic from every host in the network (because we have only one, shared connection). I want to lock p2p programs for the other users and allow them to download from this one PC the things which they requested on the local server.
I'll be grateful.
Jabol

EDIT:
OK, never mind, I think I just discovered it:
iptables -A FORWARD -s 100.200.30.40 -p tcp -m ipp2p --ipp2p -j ACCEPT
iptables -A FORWARD -d 100.200.30.40 -p tcp -m ipp2p --ipp2p -j ACCEPT

Why two of them? Well, source and destination, to have traffic in both directions.

Nevertheless,
thanks for everything.

P.S. If you know a better way to do it, tell me.

Last edited by J4b0l; 10-10-2005 at 07:58 AM.
 
10-10-2005, 08:02 AM   #6
Capt_Caveman
and what about the string identification rule...isn`t this any problem for the ip`s (100.200.30.40 and 192.168.1.100) to disobey the p2p lock
No. Iptables tries to match incoming traffic to each of the firewall rules, one after another. Once a packet is matched to a rule with a DROP/REJECT/ACCEPT target, the packet is no longer checked against any other rules in the firewall. So rule order is very important in iptables. For your firewall, packets to or from 100.200.30.40 or 192.168.1.100 would match one of the first 2 rules and would never get checked against your p2p rule. All other IPs would not match one of the first 2 rules and *would* get checked against your p2p rules.

this is my idea:
small LAN with one (or maybe two) computers used to download things by e-mule, bittorrent etc. in case not to overload whole network with p2p traffic from every host in the network (because we have only one, shared connection). i want to lock p2p programs for other users and allow them to download from this one PC things which they requested on the local server.

That should work. If you wanted to do something a little more advanced, you could use traffic throttling/shaping to limit the amount of traffic that any one host is allowed. The Linux Advanced Routing and Traffic Control project has some detailed info on setting that up. It is a bit more advanced and would take a bit more work, but you would be able to have more granular control.
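The ordering explained above, together with the two-direction ACCEPT rules from post #5, put into one script as an added example (not code from the thread). The interface name eth0, the two exempt addresses and the port ranges are taken from the thread; the variable names, the dry-run default and the `--algo bm` option (required by the in-kernel string match on current iptables) are assumptions of this example.

```shell
#!/bin/sh
# Added example: build the FORWARD chain so the allow-listed hosts are
# matched before any p2p DROP/REJECT rule. By default the commands are only
# printed; run with IPT=iptables as root to apply them.
IPT="${IPT:-echo iptables}"
WAN_IF="eth0"                               # interface towards the ADSL modem
P2P_HOSTS="100.200.30.40 192.168.1.100"     # hosts allowed to run p2p

p2p_rules() {
    # 1. Exemptions first: iptables stops at the first rule whose target is
    #    ACCEPT/DROP/REJECT, so these ACCEPTs shield the listed hosts from
    #    everything below. FORWARD sees both directions of a flow, hence a
    #    -s rule and a -d rule per host.
    for h in $P2P_HOSTS; do
        $IPT -A FORWARD -s "$h" -p tcp -m ipp2p --ipp2p -j ACCEPT
        $IPT -A FORWARD -d "$h" -p tcp -m ipp2p --ipp2p -j ACCEPT
    done
    # 2. Blanket p2p blocks for every other host (the thread's rules).
    $IPT -A FORWARD -p tcp -m ipp2p --ipp2p -j DROP
    $IPT -A FORWARD -p tcp -m string --algo bm --string "BitTorrent protocol" \
        -j REJECT --reject-with tcp-reset
    $IPT -A FORWARD -p tcp -m string --algo bm --string "GET /announce" \
        -j REJECT --reject-with tcp-reset
    # 3. Port blocks for traffic arriving on the WAN side.
    for range in 135 445 4600:4700 6800:8000; do
        $IPT -A FORWARD -i "$WAN_IF" -p tcp --dport "$range" -j DROP
    done
    $IPT -A FORWARD -i "$WAN_IF" -p igmp -j DROP
}

# Sanity check: number of rules that precede the first DROP/REJECT rule.
# It must equal 2 * (number of exempt hosts), otherwise an exempt host
# would still hit the p2p blocks.
exemption_count() {
    p2p_rules | awk '/-j (DROP|REJECT)/ {f=1} !f {n++} END {print n+0}'
}

p2p_rules
```

In dry-run mode the shell strips the quotes around the --string arguments when printing, so apply the rules through the script (IPT=iptables) rather than by pasting the printed lines.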