
Using Linux IPTables, How to block torrents or any P2P protocols? [Resolved]

At our institution we have connected 300+ computers on different LANs with Internet access, including office LANs and an Internet laboratory for students, and we want to control torrents and any other P2P protocols. Our previous solution was Kerio WinRoute 6.5.x, which satisfied most of our needs.

The problem is that we have migrated to Ubuntu 8.04 LTS using the Webmin platform.


Question Credit: Nathaniel Varona
Asked June 14, 2019
Posted Under: Network
58 views
12 Answers

Port-based P2P blocking is hardly a 100% solution. What you might want to consider is called L7 filtering (Layer 7 filtering). Basically, Linux has an implementation that does regex-based matching on all packets to decide what's good and what's bad.

http://l7-filter.sourceforge.net/

This can help you block all sorts of stuff, including Skype.

http://l7-filter.sourceforge.net/protocols

Please note: regex matching to inspect and filter packets is resource intensive, making any system a lot more vulnerable to DDoS attacks; the preferred method would be to target the protocol within iptables.


credit: Community
Answered June 14, 2019

There is a module named IPP2P that can detect & block P2P protocols: http://www.ipp2p.org/


credit: radius
Answered June 14, 2019

The simple solution is to block all outgoing ports except the ones you want to allow.

Alternatively, you can find a list of the ports likely to be used for common P2P applications and block those. BitTorrent tends to only allow a very limited amount of downloading if you are not also uploading, so you should also make sure that you don't accept any incoming connections.

You might find it useful to set up some sort of IP accounting on your router based on the TCP port used, and then find out which port is the most heavily used. IPTraf is a useful tool for checking this.

I should warn you that you'll never stop everything; people are ingenious and will find a way around any restriction you put in place. Most firewalls will stop the casual user though, which may be enough.


credit: David Pashley
Answered June 14, 2019

You can't block P2P completely -- unless you only allow the "good" TCP ports 80, 443, 22... And even that is usually enough for the computer-minded types who have VPNs and similar things.


credit: grawity
Answered June 14, 2019

BitTorrent and most P2P nowadays is quite evasive. Instead of blocking traffic, use QoS rules to starve clients that are using a large amount of bandwidth, or slowly throttle P2P traffic to zero over a period of time. It won't block the protocol, but it will deter P2P users because it's so slow that it's not worth doing.

Remember, not all torrent traffic is bad; some of it is good! :-)


credit: The Unix Janitor
Answered June 14, 2019

Use these iptables forwarding rules to drop BitTorrent seeding and peer discovery. They worked for me.

#Block Torrent
# -m string does a Boyer-Moore substring search over the packet payload. Rules are
# evaluated in order, so "BitTorrent protocol" can never fire after "BitTorrent"
# (see its zero hit count below), and the bare "torrent" / "announce" patterns also
# match ordinary web traffic that merely contains those words.
iptables -A FORWARD -m string --algo bm --string "BitTorrent" -j DROP            # peer-wire handshake
iptables -A FORWARD -m string --algo bm --string "BitTorrent protocol" -j DROP   # already covered by the rule above
iptables -A FORWARD -m string --algo bm --string "peer_id=" -j DROP              # HTTP tracker announce parameter
iptables -A FORWARD -m string --algo bm --string ".torrent" -j DROP              # metainfo file downloads
iptables -A FORWARD -m string --algo bm --string "announce.php?passkey=" -j DROP # private-tracker announce URLs
iptables -A FORWARD -m string --algo bm --string "torrent" -j DROP               # broad: also hits pages that mention the word
iptables -A FORWARD -m string --algo bm --string "announce" -j DROP              # broad: same caveat
iptables -A FORWARD -m string --algo bm --string "info_hash" -j DROP             # tracker announce parameter / DHT key

Rules in action, hit counter incrementing nicely.

# iptables -vL -n

Chain FORWARD (policy ACCEPT 16403 packets, 6709K bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   928 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "BitTorrent" ALGO name bm TO 65535
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "BitTorrent protocol" ALGO name bm TO 65535
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "peer_id=" ALGO name bm TO 65535
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  ".torrent" ALGO name bm TO 65535
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "announce.php?passkey=" ALGO name bm TO 65535
  582 52262 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "torrent" ALGO name bm TO 65535
   10  1370 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "announce" ALGO name bm TO 65535
   31  4150 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "info_hash" ALGO name bm TO 65535

credit: Giancarlo D
Answered June 14, 2019
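The substring rules above drop anything whose payload merely contains "torrent" or "announce", and the bare "torrent" rule's hit count in the counters far exceeds that of "BitTorrent", which is consistent with such over-matching. As an added example that is not part of this answer, of the later answer that reuses the same rules, or of any project's code, the Python below models the difference between those naive substring checks and a structural classifier for the three things the patterns are really aiming at: the peer-wire handshake (a length-prefixed "BitTorrent protocol" string, BEP 3), a bencoded DHT query (BEP 5), and an HTTP tracker announce carrying a 20-byte info_hash. The sample payloads are constructed, not captured; the host names in them are placeholders, and the kernel's `-m string` match is only modelled here, not called.

```python
# Added example (not from the thread): classify BitTorrent traffic by structure
# instead of by substring, to show why the "-m string" rules over-match. Pure
# Python model of what a userspace DPI classifier would do; no iptables involved.
import re
from urllib.parse import parse_qs, urlsplit

HANDSHAKE_PSTR = b"BitTorrent protocol"                                 # BEP 3 handshake
DHT_QUERIES = {b"ping", b"find_node", b"get_peers", b"announce_peer"}   # BEP 5 query names

# The substrings the answer above feeds to "-m string --algo bm".
NAIVE_STRINGS = [b"BitTorrent", b"peer_id=", b".torrent", b"torrent", b"announce",
                 b"info_hash", b"get_peers", b"announce_peer", b"find_node"]


def naive_drop(payload):
    """What the string-match rules do: drop if any pattern appears anywhere in the payload."""
    return any(s in payload for s in NAIVE_STRINGS)


def bdecode(data, i=0):
    """Minimal bencode decoder: returns (value, next_index); raises ValueError on junk."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer  i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list / dict, terminated by e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)
            items.append(value)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                # byte string  <len>:<bytes>
        colon = data.index(b":", i)
        length = int(data[i:colon])
        return data[colon + 1:colon + 1 + length], colon + 1 + length
    raise ValueError("not bencode at offset %d" % i)


def classify(payload):
    """Label a payload as one of three BitTorrent message types, or None."""
    # 1. Peer-wire handshake: <19>"BitTorrent protocol"<8 reserved><20 info_hash><20 peer_id>
    if len(payload) >= 68 and payload[0] == 19 and payload[1:20] == HANDSHAKE_PSTR:
        return "bt-handshake"
    # 2. DHT query (KRPC over UDP): a bencoded dict with y="q" and a known query name
    if payload[:1] == b"d":
        try:
            msg, _ = bdecode(payload)
        except (ValueError, TypeError):
            msg = None
        q = msg.get(b"q") if isinstance(msg, dict) else None
        if isinstance(q, bytes) and q in DHT_QUERIES and msg.get(b"y") == b"q":
            return "dht-" + q.decode("ascii")
    # 3. HTTP tracker announce: a GET whose query carries a 20-byte info_hash and a peer_id
    m = re.match(rb"GET (\S+) HTTP/1\.[01]\r\n", payload)
    if m:
        params = parse_qs(urlsplit(m.group(1).decode("latin-1")).query, encoding="latin-1")
        if len(params.get("info_hash", [""])[0]) == 20 and "peer_id" in params:
            return "bt-tracker-announce"
    return None


# Constructed sample payloads (not real captures); host names are placeholders.
SAMPLES = {
    "handshake": bytes([19]) + HANDSHAKE_PSTR + b"\x00" * 8 + b"\x11" * 20 + b"-PY0001-" + b"0" * 12,
    "dht_get_peers": b"d1:ad2:id20:" + b"a" * 20 + b"9:info_hash20:" + b"b" * 20
                     + b"e1:q9:get_peers1:t2:aa1:y1:qe",
    "tracker": b"GET /announce?info_hash=" + b"%11" * 20
               + b"&peer_id=-PY0001-000000000000&port=6881 HTTP/1.1\r\nHost: tracker.example\r\n\r\n",
    # Legitimate web traffic that merely contains the words "torrent" / "announce".
    "news_article": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                    b"<p>The court will announce a torrent of rulings today.</p>",
    "news_request": b"GET /weather/torrent-of-rain HTTP/1.1\r\nHost: weather.example\r\n\r\n",
}


def evaluate():
    """Map sample name -> (dropped by the naive rules?, structural classification)."""
    return {name: (naive_drop(p), classify(p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (dropped, label) in evaluate().items():
        print("%-14s naive_drop=%-5s classify=%s" % (name, dropped, label))
```

Both news samples are dropped by the naive rules and pass the structural classifier, while the three real BitTorrent messages are caught by both. A classifier like this still only sees the plaintext forms; the encrypted peer-wire variants (MSE/PE) that modern clients use by default match neither approach, which is the point the later answers make about DPI tools and default-deny policies.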

You can use IPP2P, as mentioned earlier. It's not going to block things completely, however. Ideally, you should be firewalling every port you don't specifically use, and using IPP2P. Not a perfect solution, but the best you're likely to get.


credit: Cian
Answered June 14, 2019

You cannot use straight port blocking. There are a few alternatives. Layer7 filter is slow, unreliable, and to my knowledge no longer maintained.

IPP2P is OK but was superseded by OpenDPI, which has now been discontinued by its sponsor ipoque (who sell PACE, a commercial equivalent). nDPI appears to be the logical conclusion of this little path: http://www.ntop.org/products/ndpi/

Easiest, and fairly effective, is an extension of David Pashley's suggestion: block all ports and only allow what you need, and extend this by proxying those services you need, e.g. with a web proxy, and perhaps an internal mail server which is allowed port 25 while clients only talk to the internal server. In this way you can have clients which need no open ports on the firewall at all. This should work but can start to fall to bits if you need to use any complex and/or badly written apps that need direct access.


credit: Tom Newton
Answered June 14, 2019

Below is my iptables rule set. This works like a charm. I have created a transparent HTTPS intercept proxy and send all traffic through that proxy server.

Using these iptables rules, I can control the network.

  • Ports 2086, 2087 and 2095 are open because we use WHM cPanel and cPanel webmail.
  • 8080 is for an additional web server.
  • 192.168.2.0/24 is the local network.

IPTables rule:

# Generated by iptables-save v1.4.8 on Tue Mar 10 15:03:01 2015
*nat
:PREROUTING ACCEPT [470:38063]
:POSTROUTING ACCEPT [9:651]
:OUTPUT ACCEPT [1456:91962]
# Transparent proxy: LAN-side (eth1) HTTP and HTTPS are rewritten to the proxy listeners on 3128/3127
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.1:3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.2.1:3127
# These two REDIRECT rules repeat the matches of the DNAT rules above, so they are never reached
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
# NAT everything leaving eth0; the second, narrower MASQUERADE rule is already covered by the first
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Mar 10 15:03:01 2015
# Generated by iptables-save v1.4.8 on Tue Mar 10 15:03:01 2015
*filter
:INPUT ACCEPT [2106:729397]
:FORWARD ACCEPT [94:13475]
:OUTPUT ACCEPT [3252:998944]
# Accept connections to the HTTPS intercept listener on the gateway itself
-A INPUT -p tcp -m tcp --dport 3127 -j ACCEPT
# Payload substring matches (Boyer-Moore over the first 65535 bytes), evaluated in order:
# "BitTorrent protocol" is already caught by "BitTorrent" and "announce_peer" by "announce",
# and "torrent" / "announce" also hit ordinary web pages that contain those words
-A FORWARD -m string --string "BitTorrent" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "BitTorrent protocol" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "peer_id=" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string ".torrent" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "announce.php?passkey=" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "torrent" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "announce" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "info_hash" --algo bm --to 65535 -j DROP
# DHT (KRPC) query names
-A FORWARD -m string --string "get_peers" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "announce_peer" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "find_node" --algo bm --to 65535 -j DROP
# Explicitly allowed LAN destinations: the extra web server and cPanel/WHM
-A FORWARD -s 192.168.2.0/24 -p tcp -m tcp --sport 1024:65535 --dport 8080 -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -p tcp -m tcp --sport 1024:65535 --dport 2086 -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -p tcp -m tcp --sport 1024:65535 --dport 2087 -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -p tcp -m tcp --sport 1024:65535 --dport 2095 -j ACCEPT
# Reject all other LAN traffic to unprivileged ports. Destination ports 1-1023 (and source
# ports below 1024) are not matched here and fall through to the FORWARD chain's ACCEPT policy
-A FORWARD -s 192.168.2.0/24 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.2.0/24 -p udp -m udp --sport 1024:65535 --dport 1024:65535 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Mar 10 15:03:01 2015

credit: masegaloeh
Answered June 14, 2019
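Two things in the rule set above are easy to miss by eye but show up mechanically. First, the REDIRECT and second MASQUERADE rules in the nat table, and the "BitTorrent protocol" and "announce_peer" string rules in the filter table, repeat or narrow the match of an earlier terminating rule in the same chain and so can never fire (the zero packet count for "BitTorrent protocol" in the earlier answer's `iptables -vL` output is the same effect). Second, the two REJECT rules only cover destination ports 1024-65535, so LAN traffic to ports 1-1023 falls through to the FORWARD chain's ACCEPT policy. The Python linter below is an added example, not code from this answer or from the iptables project; it parses iptables-save text (an abridged copy of the rules above, embedded as sample input) and reports both conditions. Whether the port gap matters depends on the intended policy; a default-DROP FORWARD policy with explicit allows, as David Pashley and Tom Newton suggest, removes that class of finding entirely.

```python
# Added example (not from the thread): find iptables rules that can never match
# because an earlier terminating rule in the same chain already covers them, and
# destination-port ranges that the LAN deny rules leave untouched. The ruleset
# below is abridged from the answer above and is only parsed, never applied.
import shlex
from collections import namedtuple

TERMINATING = {"ACCEPT", "DROP", "REJECT", "DNAT", "SNAT", "REDIRECT", "MASQUERADE"}

RULESET = """\
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.1:3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.2.1:3127
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -m string --string "BitTorrent" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "BitTorrent protocol" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "torrent" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "announce" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "announce_peer" --algo bm --to 65535 -j DROP
-A FORWARD -s 192.168.2.0/24 -p tcp -m tcp --sport 1024:65535 --dport 8080 -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.2.0/24 -p udp -m udp --sport 1024:65535 --dport 1024:65535 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# base: (option, value) pairs making up the match, minus --string; string: the -m string pattern or None
Rule = namedtuple("Rule", "table chain text base string target")


def parse_save(text):
    """Turn the "-A" lines of iptables-save output into Rule objects."""
    rules, table = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):          # comments, ":CHAIN policy" and COMMIT are skipped
            toks = shlex.split(line)
            base, string, target, i = [], None, None, 2
            while i < len(toks):
                opt = toks[i]
                has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
                val = toks[i + 1] if has_val else None
                i += 2 if has_val else 1
                if opt == "-j":               # the target's own options follow it; stop here
                    target = val
                    break
                if opt == "--string":
                    string = val
                else:
                    base.append((opt, val))
            rules.append(Rule(table, toks[1], line, base, string, target))
    return rules


def covers(earlier, later):
    """True if every packet that matches `later` would already have matched `earlier`."""
    if not set(earlier.base) <= set(later.base):
        return False
    if earlier.string is None:
        return True
    # -m string is a substring search, so a shorter pattern catches the longer one
    return later.string is not None and earlier.string in later.string


def shadowed_rules(rules):
    """List (unreachable_rule_text, covering_rule_text) pairs, per table and chain."""
    found, chains = [], {}
    for rule in rules:
        seen = chains.setdefault((rule.table, rule.chain), [])
        for earlier in seen:
            if earlier.target in TERMINATING and covers(earlier, rule):
                found.append((rule.text, earlier.text))
                break
        seen.append(rule)
    return found


def undenied_dports(rules, table, chain, src, proto):
    """Destination-port ranges from `src` over `proto` that no DROP/REJECT in the chain covers."""
    denied = set()
    for rule in rules:
        match = dict(rule.base)
        if ((rule.table, rule.chain) == (table, chain) and rule.target in ("DROP", "REJECT")
                and match.get("-s") == src and match.get("-p") == proto):
            lo, _, hi = match.get("--dport", "1:65535").partition(":")
            denied.update(range(int(lo), int(hi or lo) + 1))
    ranges = []
    for port in range(1, 65536):
        if port in denied:
            continue
        if ranges and ranges[-1][1] == port - 1:
            ranges[-1][1] = port
        else:
            ranges.append([port, port])
    return [tuple(r) for r in ranges]


if __name__ == "__main__":
    rules = parse_save(RULESET)
    for dead, by in shadowed_rules(rules):
        print("never matches:", dead, "\n  covered by  :", by)
    for proto in ("tcp", "udp"):
        print(proto, "dports from LAN with no deny rule:",
              undenied_dports(rules, "filter", "FORWARD", "192.168.2.0/24", proto))
```

On the abridged ruleset this reports five unreachable rules (both REDIRECTs, the second MASQUERADE, "BitTorrent protocol" and "announce_peer") and the 1-1023 gap for both TCP and UDP. The coverage test is deliberately conservative: it compares option/value pairs literally, so it will miss semantic overlap such as a CIDR that contains another, and a real ruleset should be run through `iptables-restore --test` before the output of any tool like this is trusted.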