Blog

  • shorewall & policy based routing

    The Linux kernel claims to support basic packet inspection in order to detect p2p traffic. One interesting application is that you can split your traffic by signature, so that this traffic, which US providers commonly use as a signal for traffic shaping, can be encapsulated and sent to a data center or other intermediary destination. Sadly, while the detection is possible, the routing setup is non-trivial.

    In my attempt to set this up, I used an Ubuntu Linux box running Shorewall and OpenVPN sitting just behind a cable modem. (This computer also provides DHCP for the rest of my network.) Since it took several hours to get the Shorewall configuration working properly, I figured it wouldn’t hurt to make a record of it.

    Zones (/etc/shorewall/zones)

    #ZONE TYPE
    fw firewall
    loc ipv4
    net ipv4

    Interfaces (/etc/shorewall/interfaces)

    #ZONE INTERFACE BROADCAST OPTIONS
    loc eth0 detect dhcp,sourceroute
    net eth1 detect dhcp
    # tun0 is optional so shorewall still starts when the VPN is down
    net tun0 - dhcp,optional

    Policy (/etc/shorewall/policy)

    #SOURCE DEST POLICY LOG_LEVEL
    loc all ACCEPT
    fw all ACCEPT
    net all DROP info
    all all REJECT info

    Rules (/etc/shorewall/rules)

    #ACTION SOURCE DEST PROTO DEST_PORT(S)
    # OpenVPN on udp/1194 in both directions
    ACCEPT net $FW udp 1194
    ACCEPT $FW net: udp 1194
    ACCEPT $FW net all

    Providers (/etc/shorewall/providers)

    #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
    # the MARK values 1 and 2 are the marks set in tcrules below
    isp 1 1 main eth1 detect balance=1 eth0
    vpn 2 2 main tun0 detect balance=2,loose eth0


    TC Rules (/etc/shorewall/tcrules)

    #MARK SOURCE DEST PROTO DEST_PORT(S)
    # :P sets the mark in PREROUTING; entries are processed in order, so the
    # ipp2p line replaces mark 1 with mark 2 on detected p2p flows, which sends
    # them to the vpn provider.
    1:P 0.0.0.0/0 0.0.0.0/0 all
    2:P 0.0.0.0/0 - ipp2p:all
    # Specific domains or other desired encapsulation are specified here as well.
    # Traffic originating on the firewall itself (OUTPUT chain) stays on the isp provider.
    1 $FW 0.0.0.0/0 all


    Route Rules (/etc/shorewall/route_rules)

    #SOURCE DEST PROVIDER PRIORITY
    # traffic from the firewall box itself (source lo) is routed via the isp provider
    lo - isp 1000


    Masq (/etc/shorewall/masq)

    #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
    # only packets carrying mark 2 (the p2p class) are NATed out through the tunnel
    tun0 eth0 detect - - - 2
    eth1 eth0 detect
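    Once this is loaded, the chain that matters is fwmark -> routing table -> interface, and the failure to watch for is a vpn table with no default route (tun0 down), since a rule lookup that finds nothing falls through to the main table and the mark-2 traffic leaves on eth1 in the clear. The script below is an added example, not part of the original post; it reads constructed `ip rule show` / `ip route show table` dumps (the `SAMPLE_*` values, the 10.8.0.5 gateway and the table names are assumptions) and reports where each mark actually exits.

```shell
#!/bin/sh
# Sanity check for the mark -> routing table -> interface chain that the
# providers and tcrules entries above are meant to produce. The dumps are
# CONSTRUCTED samples of `ip rule show` / `ip route show table <name>`;
# on a live box replace them with real command output (example code, not
# from the original post).
SAMPLE_RULES='0:     from all lookup local
1000:  from all iif lo lookup isp
10001: from all fwmark 0x1 lookup isp
10002: from all fwmark 0x2 lookup vpn
32766: from all lookup main
32767: from all lookup default'
# Constructed: the vpn table with tun0 up, and the same table once it is down.
SAMPLE_TABLE_VPN_UP='default via 10.8.0.5 dev tun0'
SAMPLE_TABLE_VPN_DOWN=''

# table_for_mark RULES MARK: routing table that packets carrying MARK are sent to
table_for_mark() {
    printf '%s\n' "$1" | awk -v mark="$2" '{
        for (i = 1; i < NF; i++)
            if ($i == "fwmark" && $(i + 1) == mark)
                for (j = i; j < NF; j++) if ($j == "lookup") print $(j + 1)
    }'
}

# egress_dev TABLE_DUMP: device of the default route in a table, or NONE
egress_dev() {
    dev=$(printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1) }')
    printf '%s\n' "${dev:-NONE}"
}

# mark_path RULES MARK TABLE_DUMP FALLBACK_DEV: where marked traffic really exits.
# A table with no default route does not drop the packet: the rule lookup
# continues to the main table, so p2p traffic would leave on the ISP link in
# the clear instead of inside the tunnel. That is the case worth alerting on.
mark_path() {
    table=$(table_for_mark "$1" "$2")
    out=$(egress_dev "$3")
    if [ "$out" = "NONE" ]; then
        printf 'LEAK: mark %s -> table %s has no default, falls through to %s\n' "$2" "$table" "$4"
    else
        printf 'mark %s -> table %s -> %s\n' "$2" "$table" "$out"
    fi
}

mark_path "$SAMPLE_RULES" 0x2 "$SAMPLE_TABLE_VPN_UP" eth1    # tunnel up
mark_path "$SAMPLE_RULES" 0x2 "$SAMPLE_TABLE_VPN_DOWN" eth1  # tunnel down
```

On the real box, feed it `ip rule show` and `ip route show table vpn` and run it from a cron job or the OpenVPN down script so a dropped tunnel is noticed rather than silently routed around.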