
List:       netfilter
Subject:    Re: Bittorrent blocking
From:       Michael Rash <mbr () cipherdyne ! org>
Date:       2013-02-21 2:58:46
Message-ID: 20130221025846.GA26649 () cipherdyne ! org

On Feb 20, 2013, Humberto Juc? wrote:

> Hi,
> 
> I usually set a policy "default drop" - It's what I prefer.
> Keeping the range of high ports (UDP) closed, many P2P clients will crash.
> 
> There are alternatives like "l7filter" or "opendpi-netfilter for nDPI"
> but the processing cost can be quite high in larger networks.
> Particularly, it is something that I avoid doing.
> https://github.com/ewildgoose/ndpi-netfilter
> 
> The snort can help too. You can use a signature like this (local.rules):
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"RST P2P BitTorrent
> transfer"; flow:to_server; content:"|13|BitTorrent protocol";
> depth:20; metadata:policy security-ips drop;
> classtype:policy-violation; sid:1000000; rev:4; resp:rst_all;)
> 
> In this example i set flexresp reaction, but the result is more
> efficient in "inline mode".

If you go the snort rule route, fwsnort can translate this to (after
removing the metadata keyword - need to update that):

-A FWSNORT_FORWARD -p tcp -m tcp -m string --hex-string "|13426974546f7272656e742070726f746f636f6c|" --algo bm --to 84 -m comment --comment "sid:1000000; msg:RST P2P BitTorrent transfer; classtype:policy-violation; rev:4; FWS:1.6.3;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] REJ SID1000000 "

-A FWSNORT_FORWARD -p tcp -m tcp -m string --hex-string "|13426974546f7272656e742070726f746f636f6c|" --algo bm --to 84 -j REJECT --reject-with tcp-reset

The above rule is generated with the fwsnort --ipt-reject option if you
really want iptables to reset the connection.

--Mike


> 2013/2/20 Dmitry Korzhevin <dmitry.korzhevin@stidia.com>:
> > Hello,
> >
> > Guys, I understand that this is a too frequent question, and I've already made
> > a solid investigation in google, but.. maybe you already have good iptables
> > rules to block such type of traffic (Bittorrent), or maybe you can give
> > advice.
> >
> > For now I use snort with bittorrent-related detection rules, but it seems it is
> > not the best solution.
> >
> >
> > Best Regards,
> > Dmitry
> >
> > ---
> > Dmitry KORZHEVIN
> > System Administrator
> > STIDIA S.A. - Luxembourg
> >
> > e: dmitry.korzhevin@stidia.com
> > m: +38 093 874 5453
> > w: http://www.stidia.com
> >
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
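As an added illustration of the translation Mike describes (this is a standalone sketch written for this page, not fwsnort's own code), the script below converts the snort content pattern into the iptables --hex-string form, derives --to from the snort depth, and then models the kernel string match against two constructed packets to show which one the REJECT rule would hit. The HEADER_OFFSET of 64 is an assumption chosen only to reproduce the "--to 84" in the output above, not fwsnort's actual formula; the IP/TCP framing and both payloads are constructed sample data.

```python
import re

# The snort rule quoted in this thread (content and depth are what matter here).
SNORT_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"RST P2P BitTorrent transfer"; flow:to_server; '
    'content:"|13|BitTorrent protocol"; depth:20; '
    'classtype:policy-violation; sid:1000000; rev:4; resp:rst_all;)'
)

# Assumption: the kernel string match scans from the start of the IP header,
# so the iptables --to must exceed the snort payload depth. 64 is chosen here
# only to reproduce the "--to 84" shown in the thread; it is not fwsnort's formula.
HEADER_OFFSET = 64


def snort_content_to_bytes(content):
    """Turn a snort content pattern into raw bytes.

    Text between a pair of '|' characters is hex (e.g. |13|); everything
    else is literal ASCII: '|13|BitTorrent protocol' -> b'\\x13BitTorrent protocol'.
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def parse_rule_options(rule):
    """Parse the 'key:value;' options inside the parentheses of a snort rule."""
    body = re.search(r"\((.*)\)\s*$", rule).group(1)
    opts = {}
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        opts[key.strip()] = value.strip().strip('"') if value else True
    return opts


def to_iptables_reject(rule, chain="FWSNORT_FORWARD"):
    """Emit the iptables string-match + REJECT rule for a snort content rule."""
    opts = parse_rule_options(rule)
    pattern = snort_content_to_bytes(opts["content"])
    to = int(opts["depth"]) + HEADER_OFFSET
    return (
        f'-A {chain} -p tcp -m tcp -m string --hex-string "|{pattern.hex()}|" '
        f"--algo bm --to {to} -j REJECT --reject-with tcp-reset"
    )


def string_match(packet, pattern, to):
    """Model xt_string semantics: the pattern must lie entirely within
    the first `to` bytes of the packet (scanning starts at the IP header)."""
    return pattern in packet[:to]


def build_tcp_packet(payload):
    """Constructed minimal IPv4 + TCP framing: 20-byte headers, no options.
    Only the header lengths matter for the offset arithmetic shown here."""
    ip_header = bytes([0x45]) + bytes(19)   # version 4, IHL 5, rest zeroed
    tcp_header = bytes(20)
    return ip_header + tcp_header + payload


# Constructed sample payloads: a BitTorrent handshake and an HTTP request.
BT_HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8) + b"H" * 20 + b"P" * 20
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"


if __name__ == "__main__":
    print(to_iptables_reject(SNORT_RULE))
    pat = snort_content_to_bytes(parse_rule_options(SNORT_RULE)["content"])
    for name, payload in (("bittorrent", BT_HANDSHAKE), ("http", HTTP_REQUEST)):
        hit = string_match(build_tcp_packet(payload), pat, 84)
        print(f"{name}: {'REJECT' if hit else 'pass'}")
```

The third check in the matcher (a --to of 50) is the caveat worth remembering: the string match only counts a hit if the whole pattern falls inside the scanned window, so a --to set too tight against larger IP or TCP option headers silently stops the rule from firing rather than producing an error.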