
Well, I'm not sure how ethical this is, but I already posted this question to superuser and a poster suggested I move it over here. Very sorry if I'm breaking anybody's heart.

Anyway, here's the question:

I work in an education office in a third world country. We pay for internet by the megabyte (no other choice) and have lately been using an incredible amount of bandwidth. This is because the office staff have found out about p2p sharing. As far as I know, Limewire is the only program they're using, but I'm sure it's just a matter of time before they discover the more general world of bittorrent.

Using only a linksys router (that I could flash), is there any way for me to prevent the office from destroying our bandwidth cap by downloading personal items (against policy)?

Even semi-fixes would be better than nothing.

A few notes that became relevant after getting some answers on superuser:
1) I don't have access to everyone's computer.
2) Welcome to bureaucracy! Nobody can be fired. Realistic threats can't be made. This goes much deeper than stopping p2p, but hey. What can you do? Also, nobody has internet at home (expensive!) so they're fairly bloodthirsty.
3) Any solution has to be more-or-less automated. In about 8 months, I will leave and the office will still want to stop downloads.
4) One solution that seemed really appealing (on the suggestion of user skuzzy-delta) was using Tomato firmware to severely de-prioritize downloads. Unfortunately, my linksys wrt54g is too new for the firmware... but could pfsense or ddwrt do something similar? Would this be a good tactic?

For what it's worth, here's the link to my question on superuser: https://superuser.com/questions/66027/block-p2p-downloading-in-my-office

UPDATE:
1) Can't buy anything. That means I cannot set up a dedicated server.

2) My linksys is wrt54g cdfe.... v7... can't run ddwrt :-(

9 Answers

First, I don't think you are going to be able to do a good job of this on a broadband router. You probably need to look at setting up a Linux box to act as a proxy firewall router. Plus, if you do this on a computer you can run a cache which will save you bandwidth since pages visited by many users will only need to be downloaded once.

Blocking P2P tends to get very difficult. Most protocols these days tend to be very good at getting around the firewall.

  • Setup a firewall that by default denies any outgoing requests. Yes, this is very harsh, but if you really want to block things this is a cheap way to start
    • you will need to probably explicitly add rules for any servers that are hosted within your network.
  • Setup an HTTP proxy (e.g. squid), and configure all the browsers to use the proxy server.
  • Subscribe to a blacklist (e.g. 1, 2) service and make sure you prohibit any proxies.
  • Setup something like srg or sarg to produce reports per user/computer about who is visiting what, and how much bandwidth they are using. Give the administration the ability to view this information.
  • Use the controls inside your proxy server to throttle computers (squid delay_pools)
  • Setup a procedure for trusted users to get around the default deny firewall policy. (But still keep logs)

I know the above is very heavy-handed, but it will block almost all P2P traffic, and isn't particularly difficult to implement.

Please see these related questions:

Zoredache
this is a very comprehensive solution. I would really recommend finding a computer to use. a Linux server doesn't require very much power, any CPU and 256MB of RAM should do. you can probably salvage something like that out of the garbage. – neoice Nov 06 '09 at 11:09

I would recommend OpenDNS. You can prevent people from bypassing OpenDNS by blocking TCP and UDP requests on port 53.
We use it here and it's very good at stopping P2P, social networking and other "Forbidden" sites.
As a plus, it won't require any changes to your router's firmware.

Scott Lundberg
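The two answers above (Zoredache's default-deny firewall with explicit exceptions, and Scott's point that a filtering resolver only works if port 53 to anything else is blocked) can be combined on a Linux gateway. This is an added example, not code from either answer: it prints an iptables ruleset for review rather than applying it, and the interface names, LAN range, proxy port and resolver addresses are assumptions you would replace.

```shell
#!/bin/sh
# Ruleset generator for a Linux box sitting between the office LAN and the
# Internet link: FORWARD is default-deny, so clients reach the web only via the
# proxy running on this box, and DNS is allowed only to the chosen resolvers.
# Output is printed, not executed: review it, then run it as root.
LAN_IF=${LAN_IF:-eth1}                 # assumed LAN-side interface
WAN_IF=${WAN_IF:-eth0}                 # assumed Internet-side interface
LAN_NET=${LAN_NET:-192.168.1.0/24}     # assumed office range
PROXY_PORT=${PROXY_PORT:-3128}         # squid listening on the gateway
RESOLVERS=${RESOLVERS:-208.67.222.222 208.67.220.220}  # OpenDNS, as an example
ALLOWED_HOSTS=${ALLOWED_HOSTS:-}       # LAN IPs of trusted users exempt from default deny

gen_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Replies to connections already allowed out (or opened by the gateway itself)
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # DNS only to the configured resolvers; any other port-53 traffic falls through to DROP
    for r in $RESOLVERS; do
        echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -d $r -p udp --dport 53 -j ACCEPT"
        echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -d $r -p tcp --dport 53 -j ACCEPT"
    done
    # Trusted hosts may bypass the proxy, but what they do is still logged
    for h in $ALLOWED_HOSTS; do
        echo "iptables -A FORWARD -i $LAN_IF -s $h -m limit --limit 10/min -j LOG --log-prefix 'FWD-TRUSTED '"
        echo "iptables -A FORWARD -i $LAN_IF -s $h -j ACCEPT"
    done
    # Everything else from the LAN: log (feeds the per-host reports) and drop
    echo "iptables -A FORWARD -i $LAN_IF -m limit --limit 10/min -j LOG --log-prefix 'FWD-DENIED '"
    echo "iptables -A FORWARD -i $LAN_IF -j DROP"
    # The proxy must be reachable from the LAN; forwarded traffic is NATed out
    echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

gen_rules
```

Run it as `ALLOWED_HOSTS="192.168.1.10" sh gen_rules.sh | sudo sh` once the printed rules look right; the `FWD-DENIED` log lines show which machines are still trying to go direct.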

DD-WRT will work on newer versions of Linksys routers that Tomato doesn't support. A quick search of the DD-WRT router database will tell you if your router is compatible or not. There is an option on the access restrictions page of DD-WRT to block known p2p protocols, it's as simple as clicking a check box.


If you can get your hands on an older PC with two network cards I'd suggest a look at Untangle. I've found it to work great for issues like yours.

If you can't get a PC to use but have a windows machine on the network you could look at Untangle for Windows. I've never tried it but it seems like it could work for you.

Chris_K

As bizarre as it sounds, you probably won't want to block it, you want to give it a severely restricted bandwidth. Most P2P apps are pretty clever at avoiding blocks, so if all you do is slap a block on the standard ports, it'll poke around until it finds unblocked ports and use those.

But with a suitably narrow channel (32 kbps, 64 kbps, whatever), the evasion mechanisms do not kick in, while the damage P2P downloading can do is still restricted.

Vatine
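Zoredache's proxy suggestion (a port whitelist plus `delay_pools` throttling) and Vatine's argument for a narrow channel rather than a block fit in one Squid configuration. This is an added example, not configuration from either answer; the LAN range, listening port, rate figures and the auth helper path are assumptions.

```conf
# Squid fragment: only browser traffic on a short list of ports is proxied,
# and every client host is throttled to roughly 64 kbit/s, so a download
# that does get through cannot eat the monthly allowance on its own.
http_port 3128
acl localnet src 192.168.1.0/24          # assumed office range

# Port whitelist: plain web and TLS only; CONNECT tunnels only to 443
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Optional login so usage reports are per person rather than per PC.
# Helper path differs by distro and Squid version; create passwd with htpasswd.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic realm Office proxy
acl office_users proxy_auth REQUIRED
http_access allow localnet office_users
http_access deny all

# Throttle: class 2 pool = one aggregate limit plus a limit per client host.
# Each figure is bytes/second followed by bucket size in bytes:
# 8000 B/s is about 64 kbit/s per client, 32000 B/s about 256 kbit/s in total.
delay_pools 1
delay_class 1 2
delay_parameters 1 32000/64000 8000/16000
delay_access 1 allow localnet
delay_access 1 deny all

# Cache: a page one person fetched is served from disk to the next
cache_dir ufs /var/spool/squid 500 16 256
access_log /var/log/squid/access.log squid
```

Squid 2.x only honours `delay_pools` when built with `--enable-delay-pools`, so check `squid -v` before relying on the throttle.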

I think the stock firmware should have enough port blocking protection to only allow the needed ports.

Jim Deville

This is a challenge...

It's really a shame you cannot use Tomato as it already has the ipp2p iptables module nicely integrated.

My suggestions:

  • (if you can get a computer with 2 network cards) set up a Linux (or Windows, as some people already suggested) box with iptables and the ipp2p module to deprioritize or block P2P traffic completely;
  • talk to your internet provider - maybe they can help you block P2P traffic;
  • use wireshark to monitor P2P connections and send RST packets to the router/computer :)
blank3

This might be a bit overkill, but you could put a Squid proxy in front of your router. Then configure a white list of allowed protocols - HTTP, HTTPS, SSL, etc. A side effect is you may be able to reduce some of your bandwidth by having the Squid serve up cached content.

The most restrictive is to place a non-transparent internet proxy in front of your users. This requires them to point their browsers to your internal proxy server. The advantage of this is most authenticated proxy servers happily report usage by user and the top sites they visit. Just posting the names of the people who use the most internet may be enough to police people from downloading things against policy.

brianegge
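Both Zoredache (srg/sarg reports per user or computer) and the answer above (an authenticated proxy reporting usage by user) rely on Squid's access log. This added example, not code from either answer, does the minimal version of that report with awk over Squid's native log format (time, elapsed, client, status, bytes, method, URL, user, hierarchy, type); the log lines are constructed samples with made-up addresses and sizes.

```shell
#!/bin/sh
# Per-user bandwidth report from a Squid access.log in native format.
# SAMPLE_LOG is constructed for the example; feed a real log on stdin instead.
SAMPLE_LOG='1257500000.101 245 192.168.1.10 TCP_MISS/200 15234 GET http://example.org/ alice DIRECT/93.184.216.34 text/html
1257500001.202 9000 192.168.1.23 TCP_MISS/200 52428800 GET http://example.net/big.bin bob DIRECT/93.184.216.35 application/octet-stream
1257500002.303 120 192.168.1.10 TCP_HIT/200 4096 GET http://example.org/logo.png alice NONE/- image/png
1257500003.404 30 192.168.1.31 TCP_DENIED/403 0 CONNECT 10.0.0.5:6881 - NONE/- text/html
1257500004.505 8000 192.168.1.23 TCP_MISS/200 31457280 GET http://example.net/big2.bin bob DIRECT/93.184.216.35 application/octet-stream'

# usage_by_user < access.log -> "bytes user client" per line, biggest first
usage_by_user() {
    awk '$5 > 0 { key = $8 " " $3; total[key] += $5 }
         END { for (k in total) printf "%d %s\n", total[k], k }' |
    sort -rn
}

# over_quota MB < access.log -> users whose total exceeds MB megabytes
over_quota() {
    limit=$(( $1 * 1024 * 1024 ))
    usage_by_user | awk -v lim="$limit" '$1 > lim { print $2 }'
}

# denied_attempts < access.log -> requests the proxy refused (port whitelist hits,
# e.g. a CONNECT to a non-443 port, which is what a P2P client bouncing off
# the proxy looks like)
denied_attempts() {
    awk '$4 ~ /^TCP_DENIED/ { n++ } END { print n + 0 }'
}

echo "$SAMPLE_LOG" | usage_by_user
echo "over 50 MB:"
echo "$SAMPLE_LOG" | over_quota 50
echo "denied requests: $(echo "$SAMPLE_LOG" | denied_attempts)"
```

Run from cron against the real log and mail or post the output; the user column is `-` unless the proxy requires a login.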

Can you try somehow and justify the cost of buying a small amount of cheap hardware to fix this problem properly, considering there will then be a considerable saving in bandwidth costs?

And those bandwidth cost savings will be continual per month/year, with only a one-off hardware cost.

ohit