Nowadays, iptables supports so-called Layer 7 filtering (matching on packet payload contents), which makes things significantly easier and more effective when it comes to blocking torrents with the help of iptables, or just filtering those packets and logging them.
I'll assume that you have a (CentOS) Linux router. In that case you will be using the FORWARD chain in iptables to control which services/ports can pass through the router and which cannot.
So, let’s put this in the forward chain:
iptables -A FORWARD -m string --string "BitTorrent" --algo bm --to 65535 -j DROP
iptables -A FORWARD -m string --string "BitTorrent protocol" --algo bm --to 65535 -j DROP
iptables -A FORWARD -m string --string "peer_id=" --algo bm --to 65535 -j DROP
iptables -A FORWARD -m string --string ".torrent" --algo bm --to 65535 -j DROP
iptables -A FORWARD -m string --string "announce.php?passkey=" --algo bm --to 65535 -j DROP
iptables -A FORWARD -m string --string "torrent" --algo bm --to 65535 -j DROP
iptables -A FORWARD -m string --string "announce" --algo bm --to 65535 -j DROP
iptables -A FORWARD -m string --string "info_hash" --algo bm --to 65535 -j DROP
The point here is that you can't really block random P2P traffic once it's established, but you can block the announcement packets, rendering all P2P protocols unusable. In other words, you block the establishment of P2P communication. That is the trick to blocking torrents.
One last word. As usual, I recommend logging when you do things like this; otherwise you'll never know why your packets are being dropped in some random situation. In the example above, I used the DROP action as the destination of the announcement packets. In a practical setup I'd create a dedicated chain and send the packets there. That chain would first let through the IP addresses that I want to allow P2P communication for, and finally log and drop everything else at the end.
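As an added example (not code from the original article), here is what that dedicated chain could look like as a small script: matching FORWARD packets jump to a chain that lets whitelisted sources through, logs the rest at a limited rate, and then drops. The chain name P2P_BLOCK, the sample addresses and the dry-run default via IPT are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the article's own code. IPT defaults to a dry run that
# only prints the commands; run as root on the gateway with IPT=iptables to
# apply them. Chain name and addresses below are assumptions.
IPT="${IPT:-echo iptables}"

# Sources allowed to use P2P (constructed sample addresses)
ALLOW_P2P="${ALLOW_P2P:-192.168.0.10 192.168.0.11}"

# Announce/handshake strings from the article, one per line. The shorter
# strings subsume the longer ones ("torrent" already matches ".torrent",
# "announce" matches "announce.php?passkey="), so five rules are enough.
match_strings() {
  printf '%s\n' 'BitTorrent' 'peer_id=' 'info_hash' 'announce' 'torrent'
}

build_p2p_chain() {
  $IPT -N P2P_BLOCK
  # Whitelisted sources leave the chain and continue normal FORWARD processing
  for ip in $ALLOW_P2P; do
    $IPT -A P2P_BLOCK -s "$ip" -j RETURN
  done
  # Rate-limited log line so a dropped packet can be explained later
  $IPT -A P2P_BLOCK -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix "P2P-DROP: " --log-level 4
  $IPT -A P2P_BLOCK -j DROP
  # Hand every payload match from FORWARD to the chain (-m string, as in the article)
  match_strings | while IFS= read -r s; do
    $IPT -A FORWARD -m string --string "$s" --algo bm --to 65535 -j P2P_BLOCK
  done
}

build_p2p_chain
```

Because the string rules are appended to FORWARD, place them before any broad ACCEPT rule in that chain, or they will never be reached.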
Nope, doesn't work; the only way is:
iptables -I FORWARD -p tcp -m multiport --dports 1024:65535 -m iprange --src-range 192.168.0.1-192.168.0.100 -j DROP
iptables -I FORWARD -p udp -m multiport --dports 1024:65535 -m iprange --src-range 192.168.0.1-192.168.0.100 -j DROP
Tested on my CentOS 6.7 x64.
It does work for most of it (at least it did when the article was written). Naturally, your box actually has to be the gateway for this to work (not a client), and the idea behind it is to catch and drop the .torrent propagation. Maybe it would be worth logging some traffic and seeing if the protocol has changed/updated lately, since this article is not new. I'll do that one of these days and update the article if I find anything.
Your way, you're blocking all traffic above port 1024. That's not very effective (what if I put my torrent to work on port 443?).
Another hint: you do need the string module with iptables for this to work.
Simply wish to say your article is astounding. The clarity in your post is just nice and I can assume you are an expert on this subject. Well, with your permission let me grab your feed to keep updated with forthcoming posts. Thanks a million and please keep up the rewarding work.
Hi there! I just wish to give an enormous thumbs up for the nice information you have here on this post. I will probably be coming back to your weblog for more soon.
Great web site you have here. It's hard to find quality writing like yours nowadays. I truly appreciate people like you! Take care!!
Thanks for the support, it does mean a lot. Have a happy New Year and you take care too!