Configure iptables to block all (as much as possible) BitTorrent traffic

1

Good day all,

This is my current iptables setup

# Generated by iptables-save v1.4.7 on Wed Apr 9 13:50:31 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -p tcp -m tcp --dport 5252 -m comment --comment "SSH_Secure Input" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "SSH Input" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m comment --comment "HTTP Input" -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m comment --comment "HTTPS Input" -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
-A FORWARD -m string --string "BitTorrent" --algo bm --to 65535 -j LOGDROP
-A FORWARD -m string --string "BitTorrent protocol" --algo bm --to 65535 -j LOGDROP
-A FORWARD -m string --string "peer_id=" --algo bm --to 65535 -j LOGDROP
-A FORWARD -m string --string ".torrent" --algo bm --to 65535 -j LOGDROP
-A FORWARD -m string --string "announce.php?passkey=" --algo bm --to 65535 -j LOGDROP
-A FORWARD -m string --string "torrent" --algo bm --to 65535 -j LOGDROP
-A FORWARD -m string --string "announce" --algo bm --to 65535 -j LOGDROP
-A FORWARD -m string --string "info_hash" --algo bm --to 65535 -j LOGDROP
-A FORWARD -m string --string "get_peers" --algo bm --to 65535 -j LOGDROP
-A FORWARD -m string --string "announce_peer" --algo bm --to 65535 -j LOGDROP
-A FORWARD -m string --string "find_node" --algo bm --to 65535 -j LOGDROP
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -m comment --comment "HTTPS Input" -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LOGDROP -j LOG --log-prefix "LOGDROP "
-A LOGDROP -j DROP
COMMIT
# Completed on Wed Apr 9 13:50:31 2014
# Generated by iptables-save v1.4.7 on Wed Apr 9 13:50:31 2014
*nat
:PREROUTING ACCEPT [2121:189137]
:POSTROUTING ACCEPT [18:1030]
:OUTPUT ACCEPT [18:1030]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Apr 9 13:50:31 2014

I have a CentOS 6 server running OpenVPN.

The reason for wanting to do this: I have clients connecting, and since they do a lot of downloading and never disconnect from the VPN when it is not needed, I get a lot of bandwidth usage, which stacks up into a hefty bill.

Where the iptables rules start with "-A FORWARD -m string" and all the "log/logdrops", I got these rules from a website (of which there are many websites referring to exactly the same rules for blocking torrent traffic); the only problem is that it doesn't block any traffic.

I connected to the VPN, I started up a few torrents and they didn't slow down in downloading; it was as if I wasn't connected to the VPN...

Please help

user2699451

Posted 2014-04-09T19:41:06.143

Reputation: 49

Answers

0

It's a different approach, but I successfully 'protected' my home network from P2P (and other stuff) by allowing only 2 remote ports (TCP 443+80) and using OpenDNS FamilyShield DNS (208.67.222.123, 208.67.220.123), which blocks a lot of websites, so I have a local DNS resolver/cache (dnsmasq) set up in my home network where I can add exceptions.

Florian Fida

Posted 2014-04-09T19:41:06.143

Reputation: 146
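Added example, not code from the question or the answer: iptables evaluates a chain top to bottom and the first terminating match decides the packet's fate. In the posted ruleset `-A FORWARD -o tun0 -j ACCEPT` and `-A FORWARD -o eth0 -j ACCEPT` sit above every `-m string` rule, so forwarded VPN traffic is accepted before the BitTorrent signatures are ever consulted. The Python model below parses a small subset of iptables-save syntax (interface, protocol, `--dport`, `--string`, `-j`, with jumps into the user-defined LOGDROP chain), walks the chain with first-match semantics, and runs constructed sample packets through three variants: the FORWARD chain as posted, the same rules with the string matches moved above the interface ACCEPTs, and the answer's port allow-list approach. The packet model, the payloads and the simplifications (no conntrack state, no fragmentation, exact-case substring matching as `-m string` does without `--icase`) are all assumptions of this example.

```python
import shlex

# Constructed for this example: a representative subset of the question's FORWARD
# chain plus its user-defined LOGDROP chain (log, then drop).
INTERFACE_ACCEPTS = [
    '-A FORWARD -o tun0 -j ACCEPT',
    '-A FORWARD -o eth0 -j ACCEPT',
]
STRING_DROPS = [
    '-A FORWARD -m string --string "BitTorrent protocol" --algo bm --to 65535 -j LOGDROP',
    '-A FORWARD -m string --string "info_hash" --algo bm --to 65535 -j LOGDROP',
    '-A FORWARD -m string --string "torrent" --algo bm --to 65535 -j LOGDROP',
]
LOGDROP_CHAIN = [
    '-A LOGDROP -j LOG --log-prefix "LOGDROP "',
    '-A LOGDROP -j DROP',
]
AS_POSTED = INTERFACE_ACCEPTS + STRING_DROPS + LOGDROP_CHAIN   # order from the question
REORDERED = STRING_DROPS + INTERFACE_ACCEPTS + LOGDROP_CHAIN   # signatures evaluated first
PORT_ALLOWLIST = [                                              # the answer's approach, modelled
    '-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT',
    '-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT',
]

BUILTIN_VERDICTS = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(line):
    """Parse the subset of iptables-save syntax used above into a match dict."""
    toks = shlex.split(line)
    rule = {"chain": None, "in_if": None, "out_if": None, "proto": None,
            "dport": None, "string": None, "target": None}
    keys = {"-A": "chain", "-i": "in_if", "-o": "out_if", "-p": "proto",
            "--string": "string", "-j": "target"}
    i = 0
    while i < len(toks):
        if toks[i] in keys:
            rule[keys[toks[i]]] = toks[i + 1]
            i += 2
        elif toks[i] == "--dport":
            rule["dport"] = int(toks[i + 1])
            i += 2
        else:
            i += 1  # -m string, --algo bm, --to 65535, --log-prefix ... carry no match data here
    return rule


def rule_matches(rule, pkt):
    """True when every match the rule specifies is satisfied by the packet."""
    if rule["in_if"] and rule["in_if"] != pkt["in_if"]:
        return False
    if rule["out_if"] and rule["out_if"] != pkt["out_if"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["string"] and rule["string"].encode() not in pkt["payload"]:
        return False
    return True


def verdict(rules, pkt, chain="FORWARD", policy="DROP"):
    """First-match walk of a chain, following jumps into user-defined chains.
    LOG is non-terminating and falls through; a user chain that reaches its
    end without a verdict returns to the calling chain, as in the kernel."""
    parsed = [parse_rule(r) for r in rules]
    user_chains = {r["chain"] for r in parsed}

    def walk(name):
        for r in parsed:
            if r["chain"] != name or not rule_matches(r, pkt):
                continue
            if r["target"] in BUILTIN_VERDICTS:
                return r["target"]
            if r["target"] in user_chains:
                v = walk(r["target"])
                if v is not None:
                    return v
        return None

    return walk(chain) or policy


def packet(payload, out_if="eth0", proto="tcp", dport=6881, in_if="tun0"):
    """A forwarded packet from a VPN client (tun0) heading out to the internet (eth0)."""
    return {"in_if": in_if, "out_if": out_if, "proto": proto, "dport": dport, "payload": payload}


# Constructed sample payloads: a plaintext BitTorrent handshake (pstrlen, pstr,
# reserved bytes, placeholder info hash and peer id), an ordinary web request,
# a web request whose URL merely contains the word "torrent", and a stand-in
# for an obfuscated (MSE/PE) peer stream that carries no plaintext markers.
BT_HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + b"-XX0000-placeholderid"
WEB_REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
WEB_ABOUT_TORRENTS = b"GET /blog/what-is-a-torrent HTTP/1.1\r\nHost: example.com\r\n\r\n"
ENCRYPTED_STREAM = bytes(range(256))

if __name__ == "__main__":
    print("as posted,  BT handshake :", verdict(AS_POSTED, packet(BT_HANDSHAKE)))        # ACCEPT
    print("reordered,  BT handshake :", verdict(REORDERED, packet(BT_HANDSHAKE)))        # DROP
    print("reordered,  web request  :", verdict(REORDERED, packet(WEB_REQUEST, dport=80)))
    print("reordered,  'torrent' URL:", verdict(REORDERED, packet(WEB_ABOUT_TORRENTS, dport=80)))
    print("reordered,  encrypted BT :", verdict(REORDERED, packet(ENCRYPTED_STREAM)))
    print("port list,  encrypted BT :", verdict(PORT_ALLOWLIST, packet(ENCRYPTED_STREAM)))
```

Running it shows three things a practitioner would want to confirm before trusting either approach. First, the posted order accepts the plaintext handshake outright, and simply moving the `-m string` rules above the two interface ACCEPTs (in the saved file, or with `iptables -I FORWARD 1 ...` on a live box) makes the same rules fire. Second, the bare `"torrent"` signature in the copied list also drops a forwarded web request whose URL happens to contain that word, so the broad strings over-block. Third, a peer stream with no plaintext markers sails past every string rule, which is why the answer's egress allow-list on ports 80 and 443 catches traffic the signature rules cannot, at the cost of breaking every other outbound protocol for the VPN clients.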