configure iptables to block all (as much as possible) bittorrent traffic

Problem :

good day all

This is my current iptables setup

# Generated by iptables-save v1.4.7 on Wed Apr 9 13:50:31 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -p tcp -m tcp --dport 5252 -m comment --comment "SSH_Secure Input" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "SSH Input" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m comment --comment "HTTP Input" -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m comment --comment "HTTPS Input" -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
-A FORWARD -m string --string "BitTorrent" --algo bm --to 65535 -j LOGDROP
-A FORWARD -m string --string "BitTorrent protocol" --algo bm --to 65535 -j LOGDROP
-A FORWARD -m string --string "peer_id=" --algo bm --to 65535 -j LOGDROP
-A FORWARD -m string --string ".torrent" --algo bm --to 65535 -j LOGDROP
-A FORWARD -m string --string "announce.php?passkey=" --algo bm --to 65535 -j LOGDROP
-A FORWARD -m string --string "torrent" --algo bm --to 65535 -j LOGDROP
-A FORWARD -m string --string "announce" --algo bm --to 65535 -j LOGDROP
-A FORWARD -m string --string "info_hash" --algo bm --to 65535 -j LOGDROP
-A FORWARD -m string --string "get_peers" --algo bm --to 65535 -j LOGDROP
-A FORWARD -m string --string "announce_peer" --algo bm --to 65535 -j LOGDROP
-A FORWARD -m string --string "find_node" --algo bm --to 65535 -j LOGDROP
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -m comment --comment "HTTPS Input" -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LOGDROP -j LOG --log-prefix "LOGDROP "
-A LOGDROP -j DROP
COMMIT
# Completed on Wed Apr 9 13:50:31 2014
# Generated by iptables-save v1.4.7 on Wed Apr 9 13:50:31 2014
*nat
:PREROUTING ACCEPT [2121:189137]
:POSTROUTING ACCEPT [18:1030]
:OUTPUT ACCEPT [18:1030]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Apr 9 13:50:31 2014

I have a CentOS 6 server running OpenVPN.

Reason for wanting to do this: I have clients connecting, and since they do a lot of downloading and never disconnect from the VPN when it is not needed, I get a lot of bandwidth usage, which thus stacks up into a hefty bill.

Where the iptables rules start with "-A FORWARD -m string" and all the "log/logdrops", I got these rules from a website (of which there are many websites referring to exactly the same rules for blocking torrent traffic); the only problem is that it doesn't block any traffic.

I connected to the VPN, I started up a few torrents and they didn't slow down in downloading; it was as if I wasn't connected to the VPN...

Please help

Solution :

It's a different approach, but I successfully 'protected' my home network from P2P (and other stuff) by allowing only 2 remote ports (TCP 443 + 80) and using OpenDNS FamilyShield DNS (208.67.222.123, 208.67.220.123), which blocks a lot of websites, so I have a local DNS resolver/cache (dnsmasq) set up in my home network where I can add exceptions.

With IPSET.

apt-get install ipset

Include these rules in the header of your iptables script:

# Block bittorrent (6881-6889 58251-58252,58687,6969)
# Block other P2P (1337,2760,4662,4672,8104)
# etc., etc. (any port you want to block)

# variables
ipset=/sbin/ipset
iptables=/sbin/iptables
pathlst=/path_to/portslist.txt # your port list, one port (or range) per line

# (re)create the port set and fill it from the list
$ipset -F
$ipset -N -! blockp2p bitmap:port range 0-65535
for ports in $(cat "$pathlst"); do
    $ipset -A blockp2p "$ports"
done

# block rule (for TCP/UDP and for source or destination port)
for srcdst in src dst; do
    $iptables -t mangle -A PREROUTING -m set --match-set blockp2p $srcdst -j DROP
    $iptables -A INPUT -m set --match-set blockp2p $srcdst -j DROP
    $iptables -A FORWARD -m set --match-set blockp2p $srcdst -j DROP
done

Example content of portslist.txt:

1337
2760
4662
4672
8104
6969
6881
6882
6883
6884
6885
6886
6887
6888
6889
58251
58252
58687

PD: If you want to see the rule in action, you have to add rules to record the port blocks in syslog or nflog.

PD: Since torrent applications rotate ports, you can check which ports they are using with TCPView and include them in the block list. For example: ports 59018-59019 are not included in the image above (but BitTorrent is unable to start the download).

source: blockports
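The ipset approach above, written out as an added example rather than the answer's own script: the set is filled from a validated port list, the log-and-drop lives in its own chain, and that chain is inserted at position 1 of FORWARD and INPUT, because iptables evaluates rules in order and blanket rules such as the questioner's "-A FORWARD -o eth0 -j ACCEPT" otherwise match before any string or port rule appended after them. The chain name P2PBLOCK, the log rate limit and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the post's script): ipset port block in its own chain,
# inserted at position 1 so blanket "-A FORWARD -o eth0 -j ACCEPT" rules
# cannot match first. DRY_RUN=1 prints commands instead of running them.
IPSET=${IPSET:-/sbin/ipset}
IPTABLES=${IPTABLES:-/sbin/iptables}
SETNAME=blockp2p
CHAIN=P2PBLOCK   # chain name chosen for this example

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Accept "N" or "N-M" with 1 <= N <= M <= 65535; reject anything else.
valid_port_spec() {
    case "$1" in
        ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;
    esac
    lo=${1%-*}; hi=${1#*-}
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Load a port list (one port or range per line, '#' comments allowed) into
# the set. Only this set is flushed, unlike a global "ipset -F".
load_ports() {
    run "$IPSET" create -exist "$SETNAME" bitmap:port range 1-65535
    run "$IPSET" flush "$SETNAME"
    while IFS= read -r line || [ -n "$line" ]; do
        spec=$(printf '%s' "${line%%#*}" | tr -d ' \t')
        if [ -z "$spec" ]; then continue; fi
        if valid_port_spec "$spec"; then
            run "$IPSET" add -exist "$SETNAME" "$spec"
        else
            echo "skipping invalid port spec: $line" >&2
        fi
    done < "$1"
}

# Rate-limited LOG then DROP, TCP/UDP, port as source or destination.
install_rules() {
    run "$IPTABLES" -N "$CHAIN" 2>/dev/null || run "$IPTABLES" -F "$CHAIN"
    for dir in src dst; do
        run "$IPTABLES" -A "$CHAIN" -m set --match-set "$SETNAME" "$dir" \
            -m limit --limit 5/min -j LOG --log-prefix "P2PBLOCK "
        run "$IPTABLES" -A "$CHAIN" -m set --match-set "$SETNAME" "$dir" -j DROP
    done
    for chain in FORWARD INPUT; do      # -I ... 1: ahead of every ACCEPT
        run "$IPTABLES" -I "$chain" 1 -j "$CHAIN"
    done
}

if [ $# -gt 0 ]; then load_ports "$1"; install_rules; fi
```

Clients that move to a port outside the list still get through, so the P2PBLOCK log lines and the port list need periodic review as the second PD above describes.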
