Linux Netfilter discussions
From: Michael Rash <mbr@cipherdyne.org>
To: netfilter@vger.kernel.org
Subject: Re: Bittorrent blocking
Date: Wed, 20 Feb 2013 21:58:46 -0500
Message-ID: <20130221025846.GA26649@cipherdyne.org>
In-Reply-To: <CACuyg2506HY+FudxuN4yaPKrOdetJ6M6ejv-bdL87916gtZgiQ@mail.gmail.com>

On Feb 20, 2013, Humberto Jucá wrote:

> Hi,
> 
> I usually set a "default drop" policy - it's what I prefer.
> Keeping the range of high (UDP) ports closed, many P2P clients will crash.
> 
> There are alternatives like "l7filter" or "opendpi-netfilter for nDPI",
> but the processing cost can be quite high in larger networks.
> In particular, it is something that I avoid doing.
> https://github.com/ewildgoose/ndpi-netfilter
> 
> Snort can help too. You can use a signature like this (local.rules):
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"RST P2P BitTorrent transfer"; flow:to_server; content:"|13|BitTorrent protocol"; depth:20; metadata:policy security-ips drop; classtype:policy-violation; sid:1000000; rev:4; resp:rst_all;)
> 
> In this example I set a flexresp reaction, but the result is more
> efficient in "inline mode".

If you go the snort rule route, fwsnort can translate this to (after
removing the metadata keyword - need to update that):

-A FWSNORT_FORWARD -p tcp -m tcp -m string --hex-string "|13426974546f7272656e742070726f746f636f6c|" --algo bm --to 84 -m comment --comment "sid:1000000; msg:RST P2P BitTorrent transfer; classtype:policy-violation; rev:4; FWS:1.6.3;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] REJ SID1000000 "

-A FWSNORT_FORWARD -p tcp -m tcp -m string --hex-string "|13426974546f7272656e742070726f746f636f6c|" --algo bm --to 84 -j REJECT --reject-with tcp-reset

The above rule is generated with the fwsnort --ipt-reject option if you
really want iptables to reset the connection.

--Mike


> 2013/2/20 Dmitry Korzhevin <dmitry.korzhevin@stidia.com>:
> > Hello,
> >
> > Guys, I understand that this is a too-frequent question, and I've already made
> > a solid investigation in Google, but... maybe you already have good iptables
> > rules to block such a type of traffic (BitTorrent), or maybe you can give
> > advice.
> >
> > For now I use Snort with BitTorrent-related detection rules, but it seems it is
> > not the best solution.
> >
> >
> > Best Regards,
> > Dmitry
> >
> > ---
> > Dmitry KORZHEVIN
> > System Administrator
> > STIDIA S.A. - Luxembourg
> >
> > e: dmitry.korzhevin@stidia.com
> > m: +38 093 874 5453
> > w: http://www.stidia.com
> >
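The translation step Michael describes above, as an added example: this is my own illustration, not fwsnort's code and not anything posted in the thread. It decodes the Snort content syntax (literal text with |hex| escapes) into the `--hex-string` form, reads the rule's options, and emits the LOG and REJECT pair in the shape of the quoted fwsnort output. Two things are assumptions rather than facts from the page: the 64-byte header allowance added to the Snort depth (chosen because it reproduces the `--to 84` shown for `depth:20`; fwsnort's own arithmetic is not on the page), and the simplified model of the string match used at the end, which only shows why the depth has to be padded when offsets are counted from the IP header instead of the TCP payload.

```python
"""Added example (not fwsnort's code, not from the thread): how a Snort
content match becomes the iptables string-match rule pair quoted above."""

# Sample input, constructed here: the thread's Snort rule with the metadata
# keyword already removed, as Michael suggests.
SNORT_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"RST P2P BitTorrent '
    'transfer"; flow:to_server; content:"|13|BitTorrent protocol"; '
    'depth:20; classtype:policy-violation; sid:1000000; rev:4; resp:rst_all;)'
)

# Assumption: Snort's depth counts from the start of the TCP payload, while
# xt_string offsets count from the start of the IP header, so the depth has to
# be padded by a header allowance. 64 reproduces the "--to 84" in the quoted
# output for depth:20; it is NOT taken from fwsnort's source.
HEADER_ALLOWANCE = 64


def snort_content_to_bytes(content: str) -> bytes:
    """Decode Snort content syntax: text outside |...| is literal, text inside
    is hex bytes, e.g. '|13|BitTorrent protocol' -> b'\\x13BitTorrent protocol'."""
    if content.count("|") % 2:
        raise ValueError("unbalanced '|' in content: %r" % content)
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        # odd-numbered chunks sit between a pair of '|' and are hex
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def iptables_hex_string(content: str) -> str:
    """Render the pattern in the |hex| form that -m string --hex-string takes."""
    return "|" + snort_content_to_bytes(content).hex() + "|"


def parse_snort_options(rule: str) -> dict:
    """Split the (...) option body into key -> value (simplified: assumes no ';'
    inside quoted values, which holds for this rule)."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = {}
    for opt in body.split(";"):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return opts


def snort_to_iptables(rule: str, chain: str = "FWSNORT_FORWARD",
                      fws_version: str = "1.6.3") -> tuple:
    """Return (log_rule, reject_rule) in the shape of the quoted fwsnort output:
    a LOG rule carrying the Snort metadata as a comment, then the REJECT."""
    o = parse_snort_options(rule)
    to = int(o["depth"]) + HEADER_ALLOWANCE
    match = (f'-A {chain} -p tcp -m tcp -m string --hex-string '
             f'"{iptables_hex_string(o["content"])}" --algo bm --to {to}')
    comment = (f'sid:{o["sid"]}; msg:{o["msg"]}; classtype:{o["classtype"]}; '
               f'rev:{o["rev"]}; FWS:{fws_version};')
    log_rule = (f'{match} -m comment --comment "{comment}" -j LOG '
                f'--log-ip-options --log-tcp-options '
                f'--log-prefix "[1] REJ SID{o["sid"]} "')
    reject_rule = f"{match} -j REJECT --reject-with tcp-reset"
    return log_rule, reject_rule


def string_match(packet: bytes, pattern: bytes, to: int, frm: int = 0) -> bool:
    """Simplified model (assumption) of xt_string: the pattern must lie entirely
    inside packet[frm:to], with offsets measured from the IP header."""
    return pattern in packet[frm:to]


def sample_packet(payload: bytes) -> bytes:
    """Constructed packet: 20-byte IPv4 header (version/IHL only) + 20-byte TCP
    header (data offset only) + payload. Not a valid packet; enough for offsets."""
    ip_header = b"\x45" + bytes(19)
    tcp_header = bytes(12) + b"\x50" + bytes(7)
    return ip_header + tcp_header + payload


if __name__ == "__main__":
    for r in snort_to_iptables(SNORT_RULE):
        print(r)
```

Running the file prints the two rules; feeding them to iptables (or iptables-restore) is left to the reader, since the chain `FWSNORT_FORWARD` has to exist first and fwsnort normally creates it. The `string_match` model is there to make the offset point concrete: a handshake sitting after 40 bytes of headers is found with `--to 84` but missed with `--to 20`, which is why the Snort depth cannot be copied into `--to` unchanged.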

Thread overview: 3+ messages
     [not found] <51249E58.1080307@stidia.com>
2013-02-20 11:22 ` Bittorrent blocking Humberto Jucá
2013-02-21  2:58   ` Michael Rash [this message]
2013-02-20 17:45 ` Andrew Beverley