17

At our institution we have connected 300+ computers to different LANs with Internet access, including office LANs and an Internet laboratory for students. We want to control torrents or any P2P protocols. Our previous solution to this problem was Kerio WinRoute 6.5.x, which satisfied most needs.

The problem is, we have migrated to Ubuntu 8.04 LTS using the Webmin platform.

HopelessN00b
Nathaniel Varona

11 Answers

14

Port-based P2P blocking is hardly a 100% solution. What you might want to consider is called L7 filtering (Layer 7 filtering). Basically, Linux has an implementation that does regex-based matching on all packets to decide what's good and what's bad.

http://l7-filter.sourceforge.net/

This can help you block all sorts of stuff, including Skype.

http://l7-filter.sourceforge.net/protocols

Please note: regex matching to inspect and filter packets is resource intensive, making any system a lot more vulnerable to DDoS attacks; the preferred method would be to target the protocol within iptables.

Karolis T.
11

The only proper technical solution is to have all traffic going through a proxy that will decrypt SSL traffic on the fly and then apply layer 7 filtering on the passing traffic.

Such products are pretty expensive as there is usually a big team of engineers behind them updating the rules needed to classify the packets.

You can help yourself somewhat with iptables modules such as the previously mentioned ipp2p or l7-filter, but they will not catch encrypted traffic.

In any case, technology is very rarely the solution for social problems, and misuse of corporate/public/whatever networks for P2P is a social problem. Try talking to your users, get your organization to create appropriate policies and enforce them with sanctions. This in my experience works much better than a constant technology arms race with your users.

Hanzala
Aleksandar Ivanisevic
1

There is a module named IPP2P that can detect and block P2P protocols: http://www.ipp2p.org/

radius
1

The simple solution is to block all outgoing ports except the ones you want to allow.

Alternatively, you can find a list of the ports likely to be used by common P2P applications and block those. BitTorrent tends to only allow a very limited amount of downloading if you are not also uploading, so you should also make sure that you don't accept any incoming connections.

You might find it useful to set up some sort of IP accounting on your router based on the TCP port used, and then find out which port is the most heavily used. IPTraf is a useful tool for checking this.

I should warn you that you'll never stop everything; people are ingenious and will find a way around any restriction you put in place. Most firewalls will stop the casual user though, which may be enough.

David Pashley
1

You can't block P2P completely -- unless you only allow the "good" TCP ports 80, 443, 22... And even that is usually enough for the computer-minded types who have VPNs and similar things.

user1686
  • p2p works using http and https ports without problem and much configuration – Kazimieras Aliulis Jun 17 '09 at 09:21
  • softly.lt called it squarely. Over the past few years more and more p2p apps are either moving towards port 80 (often encrypted), or will scan through ports looking for one that is open. Application layer snooping (a specific form of deep packet inspection) will catch the direct use, but not necessarily if the traffic is being tunneled. – Scott Pack Jun 17 '09 at 11:58
  • 1
    @packs: More and more BitTorrent clients offer full encryption and even camouflage as other protocols because of ISPs doing packet inspection. – Zan Lynx Jun 17 '09 at 14:36
  • @grawity - Exactly, but they would need to be a pretty advanced user, knowing how to VPN+proxy, and those types of people are probably smart enough not to Torrent at work. – djangofan Jun 09 '12 at 18:21
  • @packs - yeah, ISPs certainly have packet inspection, but if they have uTorrent encryption enabled, you aren't going to be able to tell what the traffic is except that they have a large number of connections open. For all they know, you might be playing Diablo 3. – djangofan Jun 09 '12 at 18:22
1

BitTorrent and most P2P nowadays is quite evasive. Instead of blocking traffic, use QoS rules to starve clients that are using a large amount of bandwidth, or slowly throttle P2P traffic to zero over a period of time. It won't block the protocol, but it will deter P2P users once it's so slow it's not worth doing.

Remember not all torrent traffic is bad, some of it good! :-)

The Unix Janitor
1

Use these iptables forwarding rules to drop BitTorrent seeding and peer discovery. They worked for me.

# Block torrent: drop any forwarded packet whose payload contains one of these
# byte strings (case-sensitive Boyer-Moore search over the whole packet, any port).
iptables -A FORWARD -m string --algo bm --string "BitTorrent" -j DROP            # peer-wire handshake
iptables -A FORWARD -m string --algo bm --string "BitTorrent protocol" -j DROP   # already covered by the rule above
iptables -A FORWARD -m string --algo bm --string "peer_id=" -j DROP              # tracker announce request
iptables -A FORWARD -m string --algo bm --string ".torrent" -j DROP              # fetching a .torrent file
iptables -A FORWARD -m string --algo bm --string "announce.php?passkey=" -j DROP # private-tracker announce
iptables -A FORWARD -m string --algo bm --string "torrent" -j DROP               # any occurrence of the word, web pages included
iptables -A FORWARD -m string --algo bm --string "announce" -j DROP              # tracker announce URLs
iptables -A FORWARD -m string --algo bm --string "info_hash" -j DROP             # tracker and DHT requests

Rules in action, hit counters incrementing nicely.

# iptables -vL -n

Chain FORWARD (policy ACCEPT 16403 packets, 6709K bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   928 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "BitTorrent" ALGO name bm TO 65535
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "BitTorrent protocol" ALGO name bm TO 65535
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "peer_id=" ALGO name bm TO 65535
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  ".torrent" ALGO name bm TO 65535
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "announce.php?passkey=" ALGO name bm TO 65535
  582 52262 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "torrent" ALGO name bm TO 65535
   10  1370 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "announce" ALGO name bm TO 65535
   31  4150 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "info_hash" ALGO name bm TO 65535
  • 1
    Thanks for sharing. How does the filtering work? If the string `BitTorrent` is found in the URL, it will be dropped? This is just to prevent downloading the initial torrent file, but once the torrent file is already downloaded, this won't block the bittorrent traffic, correct? – Houman Oct 14 '19 at 15:08
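As an added illustration (example code, not part of the answer or the comment above), the following script emulates what `iptables -m string --algo bm` actually does: a case-sensitive byte search over each packet's payload, on any port and protocol, walking the rules in the order listed and stopping at the first DROP. It applies the answer's literal patterns (plus the three DHT patterns `get_peers`, `announce_peer` and `find_node` used in the last answer on this page) to constructed sample packets: a peer-wire handshake, a tracker announce, a DHT query, an ordinary web page, an opaque TLS record and a request with a capitalised filename. All packet contents are constructed for this example.

```python
"""Emulation of the `iptables -m string --algo bm` rules from the answer above.

Added example, not code from the answer: the patterns are the answer's own
(plus the DHT ones from a later answer on this page); every payload below is
constructed for this example.
"""

# Patterns in the order the rules are listed. iptables walks the chain top to
# bottom and stops at the first DROP, so order decides which rule takes credit.
SIGNATURES = [
    b"BitTorrent",
    b"BitTorrent protocol",
    b"peer_id=",
    b".torrent",
    b"announce.php?passkey=",
    b"torrent",
    b"announce",
    b"info_hash",
    b"get_peers",
    b"announce_peer",
    b"find_node",
]


def first_match(payload: bytes, to: int = 65535):
    """Return the pattern of the first rule that would DROP this packet, or None.

    `-m string` does a case-sensitive byte search over packet bytes [--from, --to]
    (the answer uses the default 0..65535), regardless of port or protocol.
    """
    window = payload[:to]
    for sig in SIGNATURES:
        if sig in window:
            return sig.decode("ascii")
    return None


def verdict(payload: bytes) -> str:
    """Chain outcome for one packet: DROP on any match, else the FORWARD policy (ACCEPT)."""
    return "DROP" if first_match(payload) is not None else "ACCEPT"


# --- constructed sample packets --------------------------------------------

# 1. Peer-wire handshake (BEP 3): <pstrlen><pstr><reserved><info_hash><peer_id>.
BT_HANDSHAKE = (b"\x13BitTorrent protocol" + bytes(8)
                + b"\x01" * 20 + b"-TR2940-" + b"x" * 12)

# 2. HTTP tracker announce request.
TRACKER_GET = (b"GET /announce?info_hash=%01%01%01&peer_id=-TR2940-xxxxxxxxxxxx"
               b"&port=6881&uploaded=0 HTTP/1.1\r\nHost: tracker.example.invalid\r\n\r\n")

# 3. DHT get_peers query (BEP 5, bencoded, carried over UDP).
DHT_GET_PEERS = (b"d1:ad2:id20:" + b"\xaa" * 20 + b"9:info_hash20:" + b"\xbb" * 20
                 + b"e1:q9:get_peers1:t2:aa1:y1:qe")

# 4. An ordinary web page that merely mentions the word.
HTML_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<p>Our acceptable-use policy forbids torrent clients in the lab.</p>")

# 5. TLS application-data record: opaque ciphertext. Every byte is >= 0x80 here,
#    so it provably contains no ASCII pattern; real ciphertext is just as opaque.
TLS_RECORD = b"\x17\x03\x03\x05\x00" + bytes(range(0x80, 0x100)) * 10

# 6. Same kind of request as (2) but with a capital letter in the filename.
MIXED_CASE = (b"GET /iso/ubuntu-8.04.Torrent HTTP/1.1\r\n"
              b"Host: mirror.example.invalid\r\n\r\n")

SAMPLES = {
    "peer-wire handshake": BT_HANDSHAKE,
    "tracker announce": TRACKER_GET,
    "DHT get_peers": DHT_GET_PEERS,
    "plain HTML page": HTML_PAGE,
    "TLS record": TLS_RECORD,
    "mixed-case filename": MIXED_CASE,
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22} {verdict(pkt):6} matched={first_match(pkt)!r}")
```

Running it answers the question in the comment: the rules are not URL filters but payload scans, so they hit the unencrypted peer-wire handshake of an already-running download as well as the tracker and DHT requests. Two caveats show up in the same run: the bare `torrent` rule also drops an ordinary web page that mentions the word (which is consistent with that rule having by far the highest hit count above), and nothing matches the opaque TLS record, which is why the other answers say encrypted clients and tunnels evade this approach. The match is case-sensitive unless the rule is given `--icase`.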
0

Popular SSL tunneling programs like Ultrasurf can let users bypass your firewalls easily. To block encrypted BitTorrent traffic you would need a specialized UTM device that can inspect and block encrypted tunnels going over HTTP(S). I know of only one that is able to do that, Astaro, but there should be more.

Taras Chuhay
0

You can use ipp2p, as mentioned earlier. It's not going to block things completely, however. Ideally, you should be firewalling every port you don't specifically use, and using ipp2p. Not a perfect solution, but the best you're likely to get.

Cian
0

You cannot use straight port blocking. There are a few alternatives. Layer 7 filter is slow, unreliable, and to my knowledge no longer maintained.

IPP2P is OK but was superseded by OpenDPI, which has now been discontinued by its sponsor ipoque (who sell PACE, a commercial equivalent). nDPI appears to be the logical conclusion of this little path: http://www.ntop.org/products/ndpi/

Easiest, and fairly effective, is an extension of David Pashley's suggestion. Block all ports and only allow what you need, and extend this by proxying those services you need, e.g. with a web proxy, and perhaps an internal mail server which is allowed port 25 while clients only talk to the internal server. In this way you can have clients which need no open ports on the firewall at all. This should work but can start to fall to bits if you need to use any complex and/or badly written apps that need direct access.

Tom Newton
0

Below is my iptables rule set. This works like a charm. I have created an HTTPS transparent intercept proxy and send all traffic through that proxy server.

Using these iptables rules, I can control the network.

  • Ports 2086, 2087 and 2095 are open because we use WHM cPanel and cPanel webmail.
  • 8080 is for an additional web server.
  • 192.168.2.0 is the local network.

iptables rules:

#Generated by iptables-save v1.4.8 on Tue Mar 10 15:03:01 2015
*nat
:PREROUTING ACCEPT [470:38063]
:POSTROUTING ACCEPT [9:651]
:OUTPUT ACCEPT [1456:91962]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.1:3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.2.1:3127
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Mar 10 15:03:01 2015
# Generated by iptables-save v1.4.8 on Tue Mar 10 15:03:01 2015
*filter
:INPUT ACCEPT [2106:729397]
:FORWARD ACCEPT [94:13475]
:OUTPUT ACCEPT [3252:998944]
-A INPUT -p tcp -m tcp --dport 3127 -j ACCEPT
-A FORWARD -m string --string "BitTorrent" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "BitTorrent protocol" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "peer_id=" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string ".torrent" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "announce.php?passkey=" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "torrent" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "announce" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "info_hash" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "get_peers" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "announce_peer" --algo bm --to 65535 -j DROP
-A FORWARD -m string --string "find_node" --algo bm --to 65535 -j DROP
-A FORWARD -s 192.168.2.0/24 -p tcp -m tcp --sport 1024:65535 --dport 8080 -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -p tcp -m tcp --sport 1024:65535 --dport 2086 -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -p tcp -m tcp --sport 1024:65535 --dport 2087 -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -p tcp -m tcp --sport 1024:65535 --dport 2095 -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.2.0/24 -p udp -m udp --sport 1024:65535 --dport 1024:65535 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Mar 10 15:03:01 2015
masegaloeh
Dinoosh
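To see what the port-based part of the rule set above actually lets through, here is an added example (not part of the answer) that walks the `*filter` FORWARD chain with iptables' first-match semantics. The allow and REJECT rules are transcribed from the answer; the `-m string` rules are left out because they need packet payload rather than addresses and ports, and the two `nat` redirects are modelled as "PROXY" since LAN traffic to tcp/80 and tcp/443 is delivered to the local proxy and never reaches FORWARD. A tightened variant of the two catch-all REJECTs is placed beside the original for comparison; it is this example's suggestion, not the answer's, and the sample flows are constructed.

```python
"""First-match evaluation of the port-based FORWARD rules in the rule set above.

Added example, not part of the answer: PAGE_RULES is transcribed from the
answer's *filter FORWARD chain (string-match rules omitted), TIGHTENED_RULES
is this example's suggested variant, and the flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Flow:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[PortRange] = None
    dport: Optional[PortRange] = None

    def matches(self, f: Flow) -> bool:
        """Every given criterion must hold, as with -p/-s/--sport/--dport."""
        if self.proto is not None and self.proto != f.proto:
            return False
        if self.src is not None and ip_address(f.src) not in ip_network(self.src):
            return False
        if self.sport is not None and not (self.sport[0] <= f.sport <= self.sport[1]):
            return False
        if self.dport is not None and not (self.dport[0] <= f.dport <= self.dport[1]):
            return False
        return True


LAN = "192.168.2.0/24"
HIGH = (1024, 65535)

# Transcribed from the answer: four allows, then two REJECTs limited to high ports.
PAGE_RULES = [
    Rule("ACCEPT", "tcp", LAN, HIGH, (8080, 8080)),
    Rule("ACCEPT", "tcp", LAN, HIGH, (2086, 2086)),
    Rule("ACCEPT", "tcp", LAN, HIGH, (2087, 2087)),
    Rule("ACCEPT", "tcp", LAN, HIGH, (2095, 2095)),
    Rule("REJECT", "tcp", LAN, HIGH, HIGH),
    Rule("REJECT", "udp", LAN, HIGH, HIGH),
]

# Tightened variant (this example's suggestion, not the answer's): same allow
# list, but the catch-all REJECTs cover every source and destination port, so
# nothing reaches the chain's ACCEPT policy by accident. Anything the LAN still
# needs directly (an off-box DNS resolver, say) gets its own ACCEPT above them.
TIGHTENED_RULES = PAGE_RULES[:4] + [
    Rule("REJECT", "tcp", LAN),
    Rule("REJECT", "udp", LAN),
]


def forward_verdict(flow: Flow, rules: Sequence[Rule], policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom; the first matching rule decides, else the policy."""
    for rule in rules:
        if rule.matches(flow):
            return rule.target
    return policy


def lan_verdict(flow: Flow, rules: Sequence[Rule]) -> str:
    """Whole path: nat PREROUTING hands LAN tcp/80 and tcp/443 to the local proxy
    (ports 3128/3127), so those flows never reach FORWARD at all."""
    if flow.proto == "tcp" and flow.dport in (80, 443) and ip_address(flow.src) in ip_network(LAN):
        return "PROXY"
    return forward_verdict(flow, rules)


# Constructed flows from one LAN client.
FLOWS = {
    "https to anywhere":      Flow("tcp", "192.168.2.10", 40000, 443),
    "extra web server 8080":  Flow("tcp", "192.168.2.10", 40000, 8080),
    "tcp 6881 (typical BT)":  Flow("tcp", "192.168.2.10", 40000, 6881),
    "udp 6881 (DHT)":         Flow("udp", "192.168.2.10", 40000, 6881),
    "tcp 22 (ssh tunnel)":    Flow("tcp", "192.168.2.10", 40000, 22),
    "tcp 25 (direct smtp)":   Flow("tcp", "192.168.2.10", 40000, 25),
    "udp 53 (any resolver)":  Flow("udp", "192.168.2.10", 40000, 53),
    "tcp 6881, low src port": Flow("tcp", "192.168.2.10", 1000, 6881),
}

if __name__ == "__main__":
    for name, f in FLOWS.items():
        print(f"{name:24} page={lan_verdict(f, PAGE_RULES):7} tightened={lan_verdict(f, TIGHTENED_RULES)}")
```

The run shows the rule set doing what the answer says for the common case (8080 accepted, tcp and udp 6881 rejected, web traffic forced through the proxy), but because both REJECTs match only `--sport 1024:65535 --dport 1024:65535`, any flow to a port below 1024 (22, 25, 53) or from a privileged source port falls through to the chain's ACCEPT policy. That is exactly the kind of gap the earlier answers warn about with VPNs and tunnels, and the tightened variant closes it by rejecting everything not on the explicit allow list.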