Linux Netfilter discussions
* How to restrict torrent download  ?
@ 2012-02-16 10:39 J. Bakshi
  2012-02-16 10:55 ` Rob Sterenborg (lists)
  0 siblings, 1 reply; 19+ messages in thread
From: J. Bakshi @ 2012-02-16 10:39 UTC (permalink / raw)
  To: netfilter

Hello list,

What is the technique to prevent torrent download with iptables?

I have found these old links


http://www.dslreports.com/forum/r22229964-Help-blocking-torrents
http://www.cyberciti.biz/tips/linux-iptables-open-bittorrent-tcp-ports-6881-to-6889.html
http://www.adminsehow.com/2011/04/block-bittorrent-traffic-on-your-linux-firewall-using-iptables/

Any latest configuration to block torrents ?

Thanks


* Re: How to restrict torrent download  ?
  2012-02-16 10:39 How to restrict torrent download ? J. Bakshi
@ 2012-02-16 10:55 ` Rob Sterenborg (lists)
  2012-02-16 11:03   ` Azfar Hashmi
  0 siblings, 1 reply; 19+ messages in thread
From: Rob Sterenborg (lists) @ 2012-02-16 10:55 UTC (permalink / raw)
  To: netfilter

On Thu, 2012-02-16 at 16:09 +0530, J. Bakshi wrote:
> Hello list,
> 
> What is the technique to prevent torrent download with iptables?
> 
> I have found these old links
> 
> 
> http://www.dslreports.com/forum/r22229964-Help-blocking-torrents
> http://www.cyberciti.biz/tips/linux-iptables-open-bittorrent-tcp-ports-6881-to-6889.html
> http://www.adminsehow.com/2011/04/block-bittorrent-traffic-on-your-linux-firewall-using-iptables/
> 
> Any latest configuration to block torrents ?

This might help too:

http://l7-filter.sourceforge.net/HOWTO
http://l7-filter.sourceforge.net/protocols


--
Rob




* Re: How to restrict torrent download  ?
  2012-02-16 10:55 ` Rob Sterenborg (lists)
@ 2012-02-16 11:03   ` Azfar Hashmi
       [not found]     ` <20120216171502.78212a3e@shiva.selfip.org>
  0 siblings, 1 reply; 19+ messages in thread
From: Azfar Hashmi @ 2012-02-16 11:03 UTC (permalink / raw)
  To: Rob Sterenborg (lists); +Cc: netfilter

I use xtables to restrict p2p bandwidth.

On 2/16/2012 3:55 PM, Rob Sterenborg (lists) wrote:
> On Thu, 2012-02-16 at 16:09 +0530, J. Bakshi wrote:
>> Hello list,
>>
>> What is the technique to prevent torrent download with iptables?
>>
>> I have found these old links
>>
>>
>> http://www.dslreports.com/forum/r22229964-Help-blocking-torrents
>> http://www.cyberciti.biz/tips/linux-iptables-open-bittorrent-tcp-ports-6881-to-6889.html
>> http://www.adminsehow.com/2011/04/block-bittorrent-traffic-on-your-linux-firewall-using-iptables/
>>
>> Any latest configuration to block torrents ?
> This might help too:
>
> http://l7-filter.sourceforge.net/HOWTO
> http://l7-filter.sourceforge.net/protocols
>
>
> --
> Rob

* Re: How to restrict torrent download  ?
       [not found]       ` <20120216171909.3a3cd4c1@shiva.selfip.org>
@ 2012-02-16 12:01         ` Rob Sterenborg (lists)
  2012-02-16 16:07           ` Azfar Hashmi
                             ` (2 more replies)
  0 siblings, 3 replies; 19+ messages in thread
From: Rob Sterenborg (lists) @ 2012-02-16 12:01 UTC (permalink / raw)
  To: netfilter

On Thu, 2012-02-16 at 17:19 +0530, J. Bakshi wrote:
> 
> Ok, there is xtables-addons-common in my debian box.
> Could you please share your config to block p2p bandwidth ?

I think

# man xtables-addons, Section ipp2p
and/or
# iptables -m ipp2p --help

will help you.

You have to specify at least one ipp2p protocol to match:

$ipt -A FORWARD -m ipp2p --bit [...etc...]


--
Rob




* Re: How to restrict torrent download  ?
  2012-02-16 12:01         ` Rob Sterenborg (lists)
@ 2012-02-16 16:07           ` Azfar Hashmi
  2012-02-16 16:35             ` Tom Eastep
  2012-02-16 17:03           ` Andrew Beverley
       [not found]           ` <20120217171338.037087c5@shiva.selfip.org>
  2 siblings, 1 reply; 19+ messages in thread
From: Azfar Hashmi @ 2012-02-16 16:07 UTC (permalink / raw)
  To: Rob Sterenborg (lists); +Cc: netfilter

Hi,

I use shorewall as iptables frontend hence my configurations are totally
different.

On 2/16/2012 5:01 PM, Rob Sterenborg (lists) wrote:
> On Thu, 2012-02-16 at 17:19 +0530, J. Bakshi wrote:
>> Ok, there is xtables-addons-common in my debian box.
>> Could you please share your config to block p2p bandwidth ?
> I think
>
> # man xtables-addons, Section ipp2p
> and/or
> # iptables -m ipp2p --help
>
> will help you.
>
> You have to specify at least one ipp2p protocol to match:
>
> $ipt -A FORWARD -m ipp2p --bit [...etc...]
>
>
> --
> Rob

* Re: How to restrict torrent download  ?
  2012-02-16 16:07           ` Azfar Hashmi
@ 2012-02-16 16:35             ` Tom Eastep
  0 siblings, 0 replies; 19+ messages in thread
From: Tom Eastep @ 2012-02-16 16:35 UTC (permalink / raw)
  To: Azfar Hashmi; +Cc: Rob Sterenborg (lists), netfilter

On 2/16/12 8:07 AM, Azfar Hashmi wrote:
> Hi,
>
> I use shorewall as iptables frontend hence my configurations are totally
> different.
>
Then please read http://www.shorewall.net/IPP2P.html

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



* Re: How to restrict torrent download  ?
  2012-02-16 12:01         ` Rob Sterenborg (lists)
  2012-02-16 16:07           ` Azfar Hashmi
@ 2012-02-16 17:03           ` Andrew Beverley
  2012-02-16 18:00             ` Rob Sterenborg (Lists)
                               ` (2 more replies)
       [not found]           ` <20120217171338.037087c5@shiva.selfip.org>
  2 siblings, 3 replies; 19+ messages in thread
From: Andrew Beverley @ 2012-02-16 17:03 UTC (permalink / raw)
  To: Rob Sterenborg (lists), J. Bakshi; +Cc: netfilter

On Thu, 2012-02-16 at 13:01 +0100, Rob Sterenborg (lists) wrote:
> I think
> 
> # man xtables-addons, Section ipp2p

I believe that ipp2p is no longer maintained; their website recommends
openDPI instead. I've never tried it myself, but it looks promising.

Personally I use the rather brutal technique of looking for several
connections to high port numbers from a single client. I dare say there
are false positives, but it works for me.

The details for that are here:

http://andybev.com/index.php/Fair_traffic_shaping_an_ADSL_line_for_a_local_network_using_Linux

Andy




* Re: How to restrict torrent download  ?
  2012-02-16 17:03           ` Andrew Beverley
@ 2012-02-16 18:00             ` Rob Sterenborg (Lists)
  2012-02-16 18:33               ` Andrew Beverley
  2012-02-16 18:28             ` Lloyd Standish
  2012-02-16 20:01             ` J Webster
  2 siblings, 1 reply; 19+ messages in thread
From: Rob Sterenborg (Lists) @ 2012-02-16 18:00 UTC (permalink / raw)
  To: netfilter

On Thu, 2012-02-16 at 17:03 +0000, Andrew Beverley wrote:
> On Thu, 2012-02-16 at 13:01 +0100, Rob Sterenborg (lists) wrote:
> > I think
> > 
> > # man xtables-addons, Section ipp2p
> 
> I believe that ipp2p is no longer maintained; their website recommends
> openDPI instead. I've never tried it myself, but it looks promising.
> 
> Personally I use the rather brutal technique of looking for several
> connections to high port numbers from a single client. I dare say there
> are false positives, but it works for me.
> 
> The details for that are here:
> 
> http://andybev.com/index.php/Fair_traffic_shaping_an_ADSL_line_for_a_local_network_using_Linux

Yes, I read it too.
However, I wasn't referring to the ipp2p project that is no longer
maintained. I was referring to how to use the ipp2p match that comes
with xtables-addons, and that is what man xtables-addons is writing
about. (Correct me if I'm wrong..)


--
Rob




* Re: How to restrict torrent download  ?
  2012-02-16 17:03           ` Andrew Beverley
  2012-02-16 18:00             ` Rob Sterenborg (Lists)
@ 2012-02-16 18:28             ` Lloyd Standish
  2012-02-17 18:20               ` Andrew Beverley
  2012-02-16 20:01             ` J Webster
  2 siblings, 1 reply; 19+ messages in thread
From: Lloyd Standish @ 2012-02-16 18:28 UTC (permalink / raw)
  To: Rob Sterenborg (lists), J. Bakshi, Andrew Beverley; +Cc: netfilter

On Thu, 16 Feb 2012 11:03:04 -0600, Andrew Beverley <andy@andybev.com> wrote:

> Personally I use the rather brutal technique of looking for several
> connections to high port numbers from a single client. I dare say there
> are false positives, but it works for me.
> The details for that are here:
> http://andybev.com/index.php/Fair_traffic_shaping_an_ADSL_line_for_a_local_network_using_Linux
> Andy
>

Andy, your setup looks very good.  I am interested in using a similar system to limit bittorrent.  However, I cannot use rate-limiting, since each user (LAN host) is already rate-limited in his or her router, and the rates of each user vary somewhat.  It's possible to move the rate-limiting from the radios to the router, but I want to avoid maintaining a class and filters for each user.

To clarify, all users of our small ISP (including me) are members of a wireless LAN.  We have radios in our houses which connect us to the ISP's radio located on a distant radio tower.  The radios in our homes do rate-limiting.  The wireless signal from these home radios is transmitted via a wireless bridge to a single Linux router about 40 miles away.  I administer that router.  It has several small uplinks, and the router code does load-balancing over them.  Effectively, all this is equivalent to a simple LAN directly connected to a netfilter load-balancing router.

It seems to me that instead of rate-limiting in order to control bittorrent, I could instead simply prioritize via the QOS marker.  Any traffic detected as bittorrent would get the lowest priority.  Do you think this would give satisfactory results?

Regards,
-- 
Lloyd


* Re: How to restrict torrent download  ?
  2012-02-16 18:00             ` Rob Sterenborg (Lists)
@ 2012-02-16 18:33               ` Andrew Beverley
       [not found]                 ` <20120217102230.1b35b535@shiva.selfip.org>
  0 siblings, 1 reply; 19+ messages in thread
From: Andrew Beverley @ 2012-02-16 18:33 UTC (permalink / raw)
  To: Rob Sterenborg (Lists); +Cc: netfilter

On Thu, 2012-02-16 at 19:00 +0100, Rob Sterenborg (Lists) wrote:
> On Thu, 2012-02-16 at 17:03 +0000, Andrew Beverley wrote:
> > On Thu, 2012-02-16 at 13:01 +0100, Rob Sterenborg (lists) wrote:
> > > I think
> > > 
> > > # man xtables-addons, Section ipp2p
> > 
> > I believe that ipp2p is no longer maintained; their website recommends
> > openDPI instead. I've never tried it myself, but it looks promising.
> > 
> Yes, I read it too.
> However, I wasn't referring to the ipp2p project that is no longer
> maintained. I was referring to how to use the ipp2p match that comes
> with xtables-addons, and that is what man xtables-addons is writing
> about. (Correct me if I'm wrong..)

Fair point: you will at least get a version that's maintained. However,
I don't think the module is updated regularly for changes (or additions)
to protocols. It's a constant battle keeping up with current
definitions, as they change all the time, hence the reason I just used
connlimit instead.

Andy




* Re: How to restrict torrent download  ?
  2012-02-16 17:03           ` Andrew Beverley
  2012-02-16 18:00             ` Rob Sterenborg (Lists)
  2012-02-16 18:28             ` Lloyd Standish
@ 2012-02-16 20:01             ` J Webster
  2012-02-17 18:27               ` Andrew Beverley
  2 siblings, 1 reply; 19+ messages in thread
From: J Webster @ 2012-02-16 20:01 UTC (permalink / raw)
  To: netfilter

Will this work on CentOS 5?
How important are the kernel and iptables versions to implement it?

On 02/16/2012 05:03 PM, Andrew Beverley wrote:
> On Thu, 2012-02-16 at 13:01 +0100, Rob Sterenborg (lists) wrote:
>> I think
>>
>> # man xtables-addons, Section ipp2p
> I believe that ipp2p is no longer maintained; their website recommends
> openDPI instead. I've never tried it myself, but it looks promising.
>
> Personally I use the rather brutal technique of looking for several
> connections to high port numbers from a single client. I dare say there
> are false positives, but it works for me.
>
> The details for that are here:
>
> http://andybev.com/index.php/Fair_traffic_shaping_an_ADSL_line_for_a_local_network_using_Linux
>
> Andy

* Re: How to restrict torrent download  ?
       [not found]                 ` <20120217102230.1b35b535@shiva.selfip.org>
@ 2012-02-17  7:22                   ` Andrew Beverley
  0 siblings, 0 replies; 19+ messages in thread
From: Andrew Beverley @ 2012-02-17  7:22 UTC (permalink / raw)
  To: J. Bakshi; +Cc: Rob Sterenborg (Lists), netfilter

On Fri, 2012-02-17 at 10:22 +0530, J. Bakshi wrote:
> So within an office environment what should be the value of connlimit for clients ?
> The clients must be allowed to open multiple websites to do their development work.
> What is the value which still allow to do their jobs and still block torrent ?

You keep the port number above 1024, as per the details on the website.

Please note: I don't use this to *block* torrents, just traffic shape
them accordingly. It's generally not recommended to block, because
people will just find other ways around it.

Andy




* Re: How to restrict torrent download  ?
       [not found]           ` <20120217171338.037087c5@shiva.selfip.org>
@ 2012-02-17 11:53             ` Rob Sterenborg (lists)
       [not found]               ` <20120218210630.3bdd7683@shiva.selfip.org>
  0 siblings, 1 reply; 19+ messages in thread
From: Rob Sterenborg (lists) @ 2012-02-17 11:53 UTC (permalink / raw)
  To: netfilter

On Fri, 2012-02-17 at 17:13 +0530, J. Bakshi wrote:
> I have installed xtables-addons-common in debian squeeze box.
> Then tried to execute
> 
> #iptables -A FORWARD -m ipp2p --bit -j DROP
> 
> and it throws error
> 
> ``````````````
> iptables: No chain/target/match by that name.
> ```````````
> 
> Could anyone suggest what is wrong where ?

Does xt_ipp2p.ko exist?

# locate xt_ipp2p|grep modules
/lib/modules/2.6.39.1/extra/xt_ipp2p.ko


If it does: what does lsmod say?

# lsmod|grep "^xt_ipp2p"
xt_ipp2p                5611  0 


--
Rob




* Re: How to restrict torrent download  ?
  2012-02-16 18:28             ` Lloyd Standish
@ 2012-02-17 18:20               ` Andrew Beverley
  2012-02-17 20:31                 ` Lloyd Standish
  0 siblings, 1 reply; 19+ messages in thread
From: Andrew Beverley @ 2012-02-17 18:20 UTC (permalink / raw)
  To: Lloyd Standish; +Cc: Rob Sterenborg (lists), J. Bakshi, netfilter

On Thu, 2012-02-16 at 12:28 -0600, Lloyd Standish wrote:
> Andy, your setup looks very good.  I am interested in using a similar
> system to limit bittorrent.  However, I cannot use rate-limiting, since
> each user (LAN host) is already rate-limited in his or her router, and
> the rates of each user vary somewhat.  It's possible to move the
> rate-limiting from the radios to the router, but I want to avoid
> maintaining a class and filters for each user.
> 
> To clarify, all users of our small ISP (including me) are members of a
> wireless LAN.  We have radios in our houses which connect us to the
> ISP's radio located on a distant radio tower.  The radios in our homes
> do rate-limiting.  The wireless signal from these home radios is
> transmitted via a wireless bridge to a single Linux router about 40
> miles away.  I administer that router.  It has several small uplinks,
> and the router code does load-balancing over them.  Effectively, all
> this is equivalent to a simple LAN directly connected to a netfilter
> load-balancing router.
> 
> It seems to me that instead of rate-limiting in order to control
> bittorrent, I could instead simply prioritize via the QOS marker.  Any
> traffic detected as bittorrent would get the lowest priority.  Do you
> think this would give satisfactory results?

Interesting use-case. There's 2 different aspects to this:

1. Using PRIO to prioritise. I don't see why that wouldn't work, using 1
class for bittorrent and 1 class for everything else. In general though,
it's recommended to use something slightly less brutal. I've had very
good results doing similar things with HTB. The bonus is that you get a
lot more flexibility.

2. Doing the prioritisation elsewhere to the rate limiting. This doesn't
work, as you can only prioritise when you have too much traffic,
otherwise all the packets just pass straight through. So, if you were to
do this, you'd have to force a queue at your router, probably by
rate-limiting (maybe with HTB as above). This is the same as when you
traffic shape inbound traffic - you have to rate-limit to a slower speed
than the uplink to force a queue. I'm struggling to get my head around
this properly, so am not sure whether that could also work somehow with
rate-limiting at the user's radio.

Andy




* Re: How to restrict torrent download  ?
  2012-02-16 20:01             ` J Webster
@ 2012-02-17 18:27               ` Andrew Beverley
  0 siblings, 0 replies; 19+ messages in thread
From: Andrew Beverley @ 2012-02-17 18:27 UTC (permalink / raw)
  To: J Webster; +Cc: netfilter

On Thu, 2012-02-16 at 20:01 +0000, J Webster wrote:
> > Personally I use the rather brutal technique of looking for several
> > connections to high port numbers from a single client. I dare say there
> > are false positives, but it works for me.
> >
> > The details for that are here:
> >
> > http://andybev.com/index.php/Fair_traffic_shaping_an_ADSL_line_for_a_local_network_using_Linux

[Top-posting fixed]

> Will this work on CentOS 5?
>

No, according to this post:

http://lists.centos.org/pipermail/centos/2008-June/059656.html

> How important are the kernel and iptables versions to implement it?
> 

You'll need connlimit and ipset. Connlimit became part of the stable
kernel in 2.6.23 (thanks Jan). I can't remember whether ipset has made
it into the stable kernel yet, but it certainly won't be in the kernel
of CentOS 5 (unless it's available as a separate package).

Andy




* Re: How to restrict torrent download  ?
  2012-02-17 18:20               ` Andrew Beverley
@ 2012-02-17 20:31                 ` Lloyd Standish
  2012-02-17 20:46                   ` Andrew Beverley
  0 siblings, 1 reply; 19+ messages in thread
From: Lloyd Standish @ 2012-02-17 20:31 UTC (permalink / raw)
  To: Andrew Beverley; +Cc: Rob Sterenborg (lists), J. Bakshi, netfilter

On Fri, 17 Feb 2012 12:20:16 -0600, Andrew Beverley <andy@andybev.com> wrote:

> 2. Doing the prioritisation elsewhere to the rate limiting. This doesn't
> work, as you can only prioritise when you have too much traffic,
> otherwise all the packets just pass straight through. So, if you were to
> do this, you'd have to force a queue at your router, probably by
> rate-limiting (maybe with HTB as above). This is the same as when you
> traffic shape inbound traffic - you have to rate-limit to a slower speed
> than the uplink to force a queue. I'm struggling to get my head around
> this properly, so am not sure whether that could also work somehow with
> rate-limiting at the user's radio.

Hi Andy,

I may be wrong, but I think prioritization at the load-balancing router will work, even though there is rate-limiting at the users' radios.  I'll call the load-balancing Linux router the "central router," to distinguish it from the routers in each user's radio.

The central router gets traffic from, say, 75 users and distributes it over the 5 uplinks.  I'm using connmark to mark the NEW packets from the LAN at random (with statistics module in probability mode).

(As an aside, this gives great load-balancing but breaks sessions.  That's because sites such as yahoo.com can't cope with a constantly-changing IP.  I'd rather use a load-balancing method that uses route-caching, such as that given by "ip route add default ... nexthop via ... nexthop via...", but that has resulted in mysteriously breaking connections.  I think I'll have to post here for help on that, in a separate post of course.)

So the central router establishes lots of simultaneous connections balanced over its 5 uplinks.  Each uplink is only 600 kbit, limited to maximum 500 kbit by an HTB qdisc on each uplink, to avoid queuing at the ISP.  Even though each individual user is rate-limited, the combined egress traffic can easily exceed the uplink bandwidth, and would start getting queued in the central router.

With the PRIO qdisc, if bittorrent traffic is put in the lowest priority band, bittorrent upload packets would only be dequeued when there are no packets waiting in the 1st and 2nd PRIO bands.  If all traffic except bittorrent is in 1st and 2nd bands, it seems to me that no bittorrent would get out if there is any other kind of traffic waiting (queued).

As far as bittorrent download goes, I understand that bittorrent will not allow a user to download (much) more than he or she uploads.  So I think it should not be necessary to prioritize the incoming traffic.  In fact I am using only a policing qdisc on ingress (again, to avoid queuing at the ISP.)

Does this plan sound reasonable to you, or am I overlooking or misunderstanding something?

Regards,
Lloyd


* Re: How to restrict torrent download  ?
  2012-02-17 20:31                 ` Lloyd Standish
@ 2012-02-17 20:46                   ` Andrew Beverley
  0 siblings, 0 replies; 19+ messages in thread
From: Andrew Beverley @ 2012-02-17 20:46 UTC (permalink / raw)
  To: Lloyd Standish; +Cc: Rob Sterenborg (lists), J. Bakshi, netfilter

On Fri, 2012-02-17 at 14:31 -0600, Lloyd Standish wrote:
> On Fri, 17 Feb 2012 12:20:16 -0600, Andrew Beverley <andy@andybev.com> wrote:
> 
> > 2. Doing the prioritisation elsewhere to the rate limiting. This doesn't
> > work, as you can only prioritise when you have too much traffic,
> > otherwise all the packets just pass straight through.

> I may be wrong, but I think prioritization at the load-balancing router
> will work, even though there is rate-limiting at the users' radios. 

[...]

> So the central router establishes lots of simultaneous connections
> balanced over its 5 uplinks.  Each uplink is only 600 kbit, limited to
> maximum 500 kbit by an HTB qdisc on each uplink, to avoid queuing at
> the ISP.  Even though each individual user is rate-limited, the
> combined egress traffic can easily exceed the uplink bandwidth, and
> would start getting queued in the central router.

Yes, that will work, because you've got a queue at the user's radio and
in the main router. My point was that prioritisation will only work if
you're also doing some sort of shaping/policing.

> As far as bittorrent download goes, I understand that bittorrent will
> not allow a user to download (much) more than he or she uploads.

That's not something I've seen, but my use of bittorrents is pretty
minimal so I wouldn't like to say for certain.

> In fact I am using only a policing qdisc on ingress.
> Does this plan
> sound reasonable to you, or am I overlooking or misunderstanding
> something?

Sounds reasonable, yes. Personally I've always done both egress and
ingress (as egress on the LAN), but that's not based on any experience
that only doing egress does not work.

Andy
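
The approach discussed in this subthread (connlimit on ports above 1024, ipset, and HTB shaping rather than blocking), as an added example that is not Andrew Beverley's configuration or anything posted to the list. The interface, LAN range, connection threshold, set name, mark value and class rates are assumptions; only the port boundary and the 500 kbit uplink ceiling come from the thread.

```shell
#!/bin/sh
# Added example, not a configuration posted to the list.
# From the thread: count connections to ports above 1024 per client
# (connlimit), remember those clients (ipset), shape instead of block, and cap
# the uplink at 500 kbit so the queue forms on this router.
# Assumed: everything else (interface, LAN range, threshold, names, rates).

WAN_IF="${WAN_IF:-eth0}"              # assumed uplink interface
LAN_NET="${LAN_NET:-192.168.0.0/24}"  # assumed client range
CONN_MAX="${CONN_MAX:-10}"            # assumed: high-port connections tolerated per client
SET_NAME="${SET_NAME:-bulk_hosts}"    # assumed ipset name
SET_TTL="${SET_TTL:-600}"             # assumed: seconds a client stays flagged
MARK="${MARK:-20}"                    # assumed fwmark for flagged traffic
UPLINK_KBIT="${UPLINK_KBIT:-500}"     # ceiling quoted in the thread
BULK_KBIT="${BULK_KBIT:-50}"          # assumed guaranteed share for flagged traffic

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

validate_params() {
    for v in "$CONN_MAX" "$SET_TTL" "$MARK" "$UPLINK_KBIT" "$BULK_KBIT"; do
        is_uint "$v" || { echo "not a number: '$v'" >&2; return 1; }
    done
    # The low-priority class must leave room for everything else.
    [ "$BULK_KBIT" -lt "$UPLINK_KBIT" ] || {
        echo "BULK_KBIT must be below UPLINK_KBIT" >&2; return 1; }
}

# Print the ruleset; nothing is changed on the system by this function.
emit_rules() {
    validate_params || return 1
    normal_kbit=$((UPLINK_KBIT - BULK_KBIT))
    cat <<EOF
# 1. Clients with more than $CONN_MAX TCP connections to ports above 1024 are
#    remembered for $SET_TTL seconds. connlimit only counts connections that
#    reach this rule, so ordinary web traffic on low ports is not counted.
ipset create $SET_NAME hash:ip timeout $SET_TTL
iptables -t mangle -A FORWARD -o $WAN_IF -s $LAN_NET -p tcp --syn --dport 1025:65535 -m connlimit --connlimit-above $CONN_MAX --connlimit-mask 32 -j SET --add-set $SET_NAME src
# 2. High-port traffic from remembered clients is marked, not dropped.
iptables -t mangle -A FORWARD -o $WAN_IF -s $LAN_NET -p tcp --dport 1025:65535 -m set --match-set $SET_NAME src -j MARK --set-mark $MARK
# 3. HTB caps the uplink so packets queue here; marked traffic gets the
#    lowest priority but may borrow up to the ceiling when the link is idle.
tc qdisc add dev $WAN_IF root handle 1: htb default 10
tc class add dev $WAN_IF parent 1: classid 1:1 htb rate ${UPLINK_KBIT}kbit
tc class add dev $WAN_IF parent 1:1 classid 1:10 htb rate ${normal_kbit}kbit ceil ${UPLINK_KBIT}kbit prio 0
tc class add dev $WAN_IF parent 1:1 classid 1:20 htb rate ${BULK_KBIT}kbit ceil ${UPLINK_KBIT}kbit prio 7
tc filter add dev $WAN_IF parent 1: protocol ip prio 1 handle $MARK fw flowid 1:20
EOF
}

case "${1:-}" in
    --apply) emit_rules | sh -e ;;  # needs root, ipset and the connlimit match
    *)       emit_rules ;;          # default: dry run, print only
esac
```

This covers egress on the uplink and TCP only; the false positives mentioned in the thread still apply to any client that legitimately holds many high-port connections.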




* Re: How to restrict torrent download  ?
       [not found]               ` <20120218210630.3bdd7683@shiva.selfip.org>
@ 2012-02-22  5:58                 ` Rob Sterenborg (Lists)
       [not found]                 ` <20120224103913.4bd282ff@shiva.selfip.org>
  1 sibling, 0 replies; 19+ messages in thread
From: Rob Sterenborg (Lists) @ 2012-02-22  5:58 UTC (permalink / raw)
  To: J. Bakshi; +Cc: Netfilter

On Sat, 2012-02-18 at 21:06 +0530, J. Bakshi wrote:
> On Fri, 17 Feb 2012 12:53:28 +0100
> "Rob Sterenborg (lists)" <lists@sterenborg.info> wrote:
> 
> > On Fri, 2012-02-17 at 17:13 +0530, J. Bakshi wrote:
> > > I have installed xtables-addons-common in debian squeeze box.
> > > Then tried to execute
> > > 
> > > #iptables -A FORWARD -m ipp2p --bit -j DROP
> > > 
> > > and it throws error
> > > 
> > > ``````````````
> > > iptables: No chain/target/match by that name.
> > > ```````````
> > > 
> > > Could anyone suggest what is wrong where ?
> > 
> > Does xt_ipp2p.ko exist?
> > 
> > # locate xt_ipp2p|grep modules
> > /lib/modules/2.6.39.1/extra/xt_ipp2p.ko
> > 
> > 
> > If it does: what does lsmod say?
> > 
> > # lsmod|grep "^xt_ipp2p"
> > xt_ipp2p                5611  0 
> > 
> 
> I have /lib/xtables/libxt_ipp2p.so
> 
> but
> 
> # lsmod|grep "ipp2p" gives nothing !!!

That means the ipp2p module is not loaded so you likely can't use the
ipp2p match. Execute 'modprobe ipp2p' and try again.


--
Rob




* Re: How to restrict torrent download  ?
       [not found]                 ` <20120224103913.4bd282ff@shiva.selfip.org>
@ 2012-02-24  5:59                   ` Rob Sterenborg (Lists)
  0 siblings, 0 replies; 19+ messages in thread
From: Rob Sterenborg (Lists) @ 2012-02-24  5:59 UTC (permalink / raw)
  To: J. Bakshi; +Cc: netfilter

On Fri, 2012-02-24 at 10:39 +0530, J. Bakshi wrote:
> On Sat, 18 Feb 2012 21:06:30 +0530
> "J. Bakshi" <joydeep@infoservices.in> wrote:
> 
> > On Fri, 17 Feb 2012 12:53:28 +0100
> > "Rob Sterenborg (lists)" <lists@sterenborg.info> wrote:
> > 
> > > On Fri, 2012-02-17 at 17:13 +0530, J. Bakshi wrote:
> > > > I have installed xtables-addons-common in debian squeeze box.
> > > > Then tried to execute
> > > > 
> > > > #iptables -A FORWARD -m ipp2p --bit -j DROP
> > > > 
> > > > and it throws error
> > > > 
> > > > ``````````````
> > > > iptables: No chain/target/match by that name.
> > > > ```````````
> > > > 
> > > > Could anyone suggest what is wrong where ?
> > > 
> > > Does xt_ipp2p.ko exist?
> > > 
> > > # locate xt_ipp2p|grep modules
> > > /lib/modules/2.6.39.1/extra/xt_ipp2p.ko
> > > 
> > > 
> > > If it does: what does lsmod say?
> > > 
> > > # lsmod|grep "^xt_ipp2p"
> > > xt_ipp2p                5611  0 
> > > 
> > 
> > I have /lib/xtables/libxt_ipp2p.so
> > 
> > but
> > 
> > # lsmod|grep "ipp2p" gives nothing !!!
> 
> Any clue please ?

I already did in a previous post:

> That means the ipp2p module is not loaded so you likely can't use
> the ipp2p match. Execute 'modprobe ipp2p' and try again.


--
Rob
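
The checks walked through in this subthread (userspace extension present, kernel module file present, module loaded), gathered into one script as an added example that is not from any of the posters. The paths default to the ones quoted in the thread and can be overridden; the function names and state labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: narrow down "iptables: No chain/target/match by that name"
# for "-m ipp2p" by checking each piece separately. That message is returned
# by the kernel; a missing userspace extension fails earlier, while iptables
# is still parsing the command line.

XT_LIBDIR="${XT_LIBDIR:-/lib/xtables}"         # where libxt_ipp2p.so was found in the thread
MOD_ROOT="${MOD_ROOT:-/lib/modules}"           # parent of the per-kernel module trees
PROC_MODULES="${PROC_MODULES:-/proc/modules}"  # what lsmod reads

# 1. Userspace extension that lets iptables parse "-m ipp2p".
has_userspace_ext() { [ -f "$1/libxt_ipp2p.so" ]; }

# 2. Kernel module built for one specific kernel release ($2).
find_kmod() { find "$1/$2" -name 'xt_ipp2p.ko*' 2>/dev/null | head -n 1; }

# 3. Module currently loaded (same test as: lsmod | grep "^xt_ipp2p").
is_loaded() { grep -q '^xt_ipp2p ' "$1" 2>/dev/null; }

# Args: xtables lib dir, modules root, kernel release, modules list file.
diagnose() {
    if ! has_userspace_ext "$1"; then echo "no-userspace-ext"; return 0; fi
    if is_loaded "$4"; then echo "ok"; return 0; fi
    if [ -n "$(find_kmod "$2" "$3")" ]; then echo "module-not-loaded"; return 0; fi
    echo "module-not-built"
}

advice() {
    case "$1" in
        ok)                echo "xt_ipp2p is loaded; the ipp2p match should be accepted" ;;
        module-not-loaded) echo "module file exists but is not loaded: modprobe xt_ipp2p" ;;
        module-not-built)  echo "libxt_ipp2p.so is present but there is no xt_ipp2p.ko for this kernel: build or install the xtables-addons kernel modules for it" ;;
        no-userspace-ext)  echo "libxt_ipp2p.so not found: install the xtables-addons userspace extensions" ;;
    esac
}

# Read-only check of the running system.
state=$(diagnose "$XT_LIBDIR" "$MOD_ROOT" "$(uname -r)" "$PROC_MODULES")
printf '%s: %s\n' "$state" "$(advice "$state")"
```

The kernel release matters: a module built under /lib/modules for one release is not found when a different kernel is running, which is why `find_kmod` takes the release as an argument.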


