Updating Iptables to block torrent traffic

April 28, 2014 20.8k views
Hi guys, I am running a VPN server but need to block illegal torrent downloads. The VPN plugin is provided by safesrv.net. I have had updated iptables prepared, but I am interested in feedback from anyone who has experience with this. Our updated iptables are below:

iptables -I INPUT -p udp --dport 1024:1193 -j DROP
iptables -I INPUT -p udp --dport 1195:1644 -j DROP
iptables -I INPUT -p udp --dport 1647:65534 -j ACCEPT
## Allowing all needed ports for OpenVPN L2TP PPTP and RADIUS
iptables -I OUTPUT -p udp --dport 1812 -j ACCEPT
iptables -I OUTPUT -p udp --dport 1813 -j ACCEPT
iptables -I OUTPUT -p udp --dport 1701 -j ACCEPT
iptables -I OUTPUT -p udp --dport 4500 -j ACCEPT
iptables -I OUTPUT -p udp --dport 500 -j ACCEPT
iptables -I OUTPUT -p udp --dport 443 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 1723 -j ACCEPT
## Drop torrents
iptables -A OUTPUT -p tcp --dport 6881:6889 -j DROP
iptables -A OUTPUT -p udp --dport 1024:65534 -j DROP
## Set more radius (alt) ports
iptables -I OUTPUT -p udp --dport 1645 -j ACCEPT
iptables -I OUTPUT -p udp --dport 1646 -j ACCEPT
## Try torrent name filters
iptables -A FORWARD -m string --algo bm --string "BitTorrent" -j DROP
## Trying forward
iptables -A FORWARD -p tcp --dport 6881:6889 -j DROP
iptables -A FORWARD -p udp --dport 1024:65534 -j DROP
###### Found on web
iptables -N LOGDROP > /dev/null 2> /dev/null
iptables -F LOGDROP
iptables -A LOGDROP -j DROP
#Torrent
iptables -D FORWARD -m string --algo bm --string "BitTorrent" -j LOGDROP
iptables -D FORWARD -m string --algo bm --string "BitTorrent protocol" -j LOGDROP
iptables -D FORWARD -m string --algo bm --string "peer_id=" -j LOGDROP
iptables -D FORWARD -m string --algo bm --string ".torrent" -j LOGDROP
iptables -D FORWARD -m string --algo bm --string "announce.php?passkey=" -j LOGDROP
iptables -D FORWARD -m string --algo bm --string "torrent" -j LOGDROP
iptables -D FORWARD -m string --algo bm --string "announce" -j LOGDROP
iptables -D FORWARD -m string --algo bm --string "info_hash" -j LOGDROP
# DHT keyword
iptables -A FORWARD -m string --string "get_peers" --algo bm -j DROP
iptables -A FORWARD -m string --string "announce_peer" --algo bm -j LOGDROP
iptables -A FORWARD -m string --string "find_node" --algo bm -j LOGDROP
## Modified debian commands
iptables -A FORWARD -p udp -m string --algo bm --string "BitTorrent" -j DROP
iptables -A FORWARD -p udp -m string --algo bm --string "BitTorrent protocol" -j DROP
iptables -A FORWARD -p udp -m string --algo bm --string "peer_id=" -j DROP
iptables -A FORWARD -p udp -m string --algo bm --string ".torrent" -j DROP
iptables -A FORWARD -p udp -m string --algo bm --string "announce.php?passkey=" -j DROP
iptables -A FORWARD -p udp -m string --algo bm --string "torrent" -j DROP
iptables -A FORWARD -p udp -m string --algo bm --string "announce" -j DROP
iptables -A FORWARD -p udp -m string --algo bm --string "info_hash" -j DROP
iptables -A FORWARD -p udp -m string --algo bm --string "tracker" -j DROP
iptables -A INPUT -p udp -m string --algo bm --string "BitTorrent" -j DROP
iptables -A INPUT -p udp -m string --algo bm --string "BitTorrent protocol" -j DROP
iptables -A INPUT -p udp -m string --algo bm --string "peer_id=" -j DROP
iptables -A INPUT -p udp -m string --algo bm --string ".torrent" -j DROP
iptables -A INPUT -p udp -m string --algo bm --string "announce.php?passkey=" -j DROP
iptables -A INPUT -p udp -m string --algo bm --string "torrent" -j DROP
iptables -A INPUT -p udp -m string --algo bm --string "announce" -j DROP
iptables -A INPUT -p udp -m string --algo bm --string "info_hash" -j DROP
iptables -A INPUT -p udp -m string --algo bm --string "tracker" -j DROP
iptables -I INPUT -p udp -m string --algo bm --string "BitTorrent" -j DROP
iptables -I INPUT -p udp -m string --algo bm --string "BitTorrent protocol" -j DROP
iptables -I INPUT -p udp -m string --algo bm --string "peer_id=" -j DROP
iptables -I INPUT -p udp -m string --algo bm --string ".torrent" -j DROP
iptables -I INPUT -p udp -m string --algo bm --string "announce.php?passkey=" -j DROP
iptables -I INPUT -p udp -m string --algo bm --string "torrent" -j DROP
iptables -I INPUT -p udp -m string --algo bm --string "announce" -j DROP
iptables -I INPUT -p udp -m string --algo bm --string "info_hash" -j DROP
iptables -I INPUT -p udp -m string --algo bm --string "tracker" -j DROP
iptables -D INPUT -p udp -m string --algo bm --string "BitTorrent" -j DROP
iptables -D INPUT -p udp -m string --algo bm --string "BitTorrent protocol" -j DROP
iptables -D INPUT -p udp -m string --algo bm --string "peer_id=" -j DROP
iptables -D INPUT -p udp -m string --algo bm --string ".torrent" -j DROP
iptables -D INPUT -p udp -m string --algo bm --string "announce.php?passkey=" -j DROP
iptables -D INPUT -p udp -m string --algo bm --string "torrent" -j DROP
iptables -D INPUT -p udp -m string --algo bm --string "announce" -j DROP
iptables -D INPUT -p udp -m string --algo bm --string "info_hash" -j DROP
iptables -D INPUT -p udp -m string --algo bm --string "tracker" -j DROP
iptables -I OUTPUT -p udp -m string --algo bm --string "BitTorrent" -j DROP
iptables -I OUTPUT -p udp -m string --algo bm --string "BitTorrent protocol" -j DROP
iptables -I OUTPUT -p udp -m string --algo bm --string "peer_id=" -j DROP
iptables -I OUTPUT -p udp -m string --algo bm --string ".torrent" -j DROP
iptables -I OUTPUT -p udp -m string --algo bm --string "announce.php?passkey=" -j DROP
iptables -I OUTPUT -p udp -m string --algo bm --string "torrent" -j DROP
iptables -I OUTPUT -p udp -m string --algo bm --string "announce" -j DROP
iptables -I OUTPUT -p udp -m string --algo bm --string "info_hash" -j DROP
iptables -I OUTPUT -p udp -m string --algo bm --string "tracker" -j DROP
## Delete
iptables -D INPUT -m string --algo bm --string "BitTorrent" -j DROP
iptables -D INPUT -m string --algo bm --string "BitTorrent protocol" -j DROP
iptables -D INPUT -m string --algo bm --string "peer_id=" -j DROP
iptables -D INPUT -m string --algo bm --string ".torrent" -j DROP
iptables -D INPUT -m string --algo bm --string "announce.php?passkey=" -j DROP
iptables -D INPUT -m string --algo bm --string "torrent" -j DROP
iptables -D INPUT -m string --algo bm --string "announce" -j DROP
iptables -D INPUT -m string --algo bm --string "info_hash" -j DROP
iptables -D INPUT -m string --algo bm --string "tracker" -j DROP
iptables -D OUTPUT -m string --algo bm --string "BitTorrent" -j DROP
iptables -D OUTPUT -m string --algo bm --string "BitTorrent protocol" -j DROP
iptables -D OUTPUT -m string --algo bm --string "peer_id=" -j DROP
iptables -D OUTPUT -m string --algo bm --string ".torrent" -j DROP
iptables -D OUTPUT -m string --algo bm --string "announce.php?passkey=" -j DROP
iptables -D OUTPUT -m string --algo bm --string "torrent" -j DROP
iptables -D OUTPUT -m string --algo bm --string "announce" -j DROP
iptables -D OUTPUT -m string --algo bm --string "info_hash" -j DROP
iptables -D OUTPUT -m string --algo bm --string "tracker" -j DROP
iptables -D FORWARD -m string --algo bm --string "BitTorrent" -j DROP
iptables -D FORWARD -m string --algo bm --string "BitTorrent protocol" -j DROP
iptables -D FORWARD -m string --algo bm --string "peer_id=" -j DROP
iptables -D FORWARD -m string --algo bm --string ".torrent" -j DROP
iptables -D FORWARD -m string --algo bm --string "announce.php?passkey=" -j DROP
iptables -D FORWARD -m string --algo bm --string "torrent" -j DROP
iptables -D FORWARD -m string --algo bm --string "announce" -j DROP
iptables -D FORWARD -m string --algo bm --string "info_hash" -j DROP
iptables -D FORWARD -m string --algo bm --string "tracker" -j DROP
5 Answers
I don't think you can block torrent traffic. You might be able to make it more difficult, even hard, but if you're trying to stop torrent traffic from going through your VPN, torrenting can use any port, so blocking ports doesn't help, and the data can be intercepted, so have fun trying to decrypt it and see what they are downloading to filter it... Believe me, governments have been trying to do it for years. With the internet and trying to censor things there are two options: let everything through or let nothing through.

This is one of the reasons DO is not the best for setting up public proxies and VPNs; anything they download can be linked to you. If it's just for some friends I recommend asking them to stop, but if it's public it's impossible to block torrents and still let other traffic through.
I am using port 80 for my torrent :)

Hi, do you need to block all of INPUT, OUTPUT and FORWARD? Is blocking the FORWARD chain sufficient? How well is it working?

Thanks!
Anson

I'm getting more and more confused about blocking traffic and OpenVPN.
Isn't it so that it doesn't affect any OpenVPN traffic when you place rules in the OUTPUT chain regarding protocols/port numbers?
I mean... the traffic is encapsulated in an encrypted tunnel, and only on arriving at the client, by decrypting it, does it become clear for what application/port the traffic is destined.

Or am I crazy?

My guess would be that rules should be in the FORWARD chain, where eth0 goes on the internet to fetch things.
Or is what arrives at the tun interface transparent for the firewall/iptables?

Tested it and it works when you put them in the FORWARD chain. Tested it over OpenVPN, putting (for testing!) this rule at the top of the chain. All other networks can pass and only traffic coming from the 10.8.1.0/24 network is not getting anything over 443:

-A FORWARD -s 10.8.1.0/24 -p tcp --dport 443 -j DROP
-A FORWARD -i tun+ -j ACCEPT
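Two things in this thread are easy to get wrong by reading rule listings alone: the order in which iptables evaluates a chain (the question mixes `-I`, which inserts at the top, with `-A`, which appends, so the listing order is not the evaluation order), and what a payload match like `-m string --string "BitTorrent"` can actually see on each chain. The following is an added example, not code from the question or from any of the answers: a toy first-match evaluator for the subset of iptables syntax used in this thread (`-A`/`-I`/`-D`, `-i` with the `+` wildcard, `-s`, `-p`, `--dport`, `-m string --algo bm --string`, `-j`). It replays the two FORWARD rules from this answer and one of the question's string rules against constructed packets. The interface names, the 10.8.x.x client addresses, the 203.0.113.10 peer address, the handshake bytes and the XOR "encapsulation" are all constructed assumptions; the XOR only stands in for the tunnel's encryption to show that the outer packet on eth0 does not carry the inner plaintext, and it is not a cipher.

```python
import ipaddress
import shlex
from collections import namedtuple

# Packet as the filter sees it: arrival interface, source IPv4, "tcp"/"udp", destination port, payload bytes.
Packet = namedtuple("Packet", "iface src proto dport payload", defaults=[b""])


def parse_rule(line):
    """Split one iptables command (without the leading 'iptables') into op, chain, matches, target."""
    toks = shlex.split(line)
    op, chain, matches, target, i = toks[0], toks[1], {}, None, 2
    while i < len(toks):
        t, arg = toks[i], toks[i + 1]
        if t == "-i":
            matches["iface"] = arg
        elif t == "-s":
            matches["src"] = ipaddress.ip_network(arg)
        elif t == "-p":
            matches["proto"] = arg
        elif t == "--dport":
            lo, _, hi = arg.partition(":")
            matches["dport"] = (int(lo), int(hi or lo))
        elif t == "--string":
            matches["string"] = arg.encode()
        elif t == "-j":
            target = arg
        elif t not in ("-m", "--algo"):   # module name and search algorithm carry no match data here
            raise ValueError("unsupported token: " + t)
        i += 2
    return op, chain, matches, target


def rule_matches(m, pkt):
    """All criteria of one rule are ANDed, as in netfilter; a trailing '+' in -i is a prefix wildcard."""
    want = m.get("iface", "")
    iface_ok = pkt.iface.startswith(want[:-1]) if want.endswith("+") else pkt.iface == want
    return (("iface" not in m or iface_ok)
            and ("src" not in m or ipaddress.ip_address(pkt.src) in m["src"])
            and ("proto" not in m or pkt.proto == m["proto"])
            and ("dport" not in m or m["dport"][0] <= pkt.dport <= m["dport"][1])
            and ("string" not in m or m["string"] in pkt.payload))


class Firewall:
    def __init__(self, policy="ACCEPT"):
        self.chains = {"INPUT": [], "OUTPUT": [], "FORWARD": []}
        self.policy = policy                    # verdict when nothing in the chain matches

    def apply(self, line):
        op, chain, matches, target = parse_rule(line)
        rules = self.chains[chain]
        if op == "-A":
            rules.append((matches, target))     # append: evaluated after everything already there
        elif op == "-I":
            rules.insert(0, (matches, target))  # insert without a position: becomes rule 1
        elif op == "-D":
            rules.remove((matches, target))     # like iptables, fails unless an identical rule exists

    def verdict(self, chain, pkt):
        """First matching rule decides; otherwise the chain policy applies."""
        for matches, target in self.chains[chain]:
            if rule_matches(matches, pkt):
                return target
        return self.policy


def encapsulate(plain, key=0x5A):
    """Stand-in for the tunnel's encryption (constructed XOR, not a real cipher): enough to show
    that a payload string match on the outer packet never sees the inner bytes."""
    return bytes(b ^ key for b in plain)


HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8)   # constructed start of a BitTorrent peer handshake


def demo():
    fw = Firewall()
    # This answer's rules: the subnet-specific DROP sits above the blanket tun+ ACCEPT.
    fw.apply("-A FORWARD -s 10.8.1.0/24 -p tcp --dport 443 -j DROP")
    fw.apply("-A FORWARD -i tun+ -j ACCEPT")
    # The question's string match, one copy on INPUT and one appended to FORWARD.
    fw.apply('-A INPUT -p udp -m string --algo bm --string "BitTorrent" -j DROP')
    fw.apply('-A FORWARD -m string --algo bm --string "BitTorrent" -j DROP')
    outer = Packet("eth0", "203.0.113.10", "udp", 1194, encapsulate(HANDSHAKE))  # tunnel packet hitting the server
    inner = Packet("tun0", "10.8.1.6", "tcp", 6881, HANDSHAKE)                   # same data after decapsulation
    results = {
        "vpn_client_to_443": fw.verdict("FORWARD", Packet("tun0", "10.8.1.6", "tcp", 443)),
        "other_subnet_to_443": fw.verdict("FORWARD", Packet("tun1", "10.8.2.6", "tcp", 443)),
        "outer_tunnel_packet": fw.verdict("INPUT", outer),       # ciphertext: the string rule cannot match
        "inner_after_tun_accept": fw.verdict("FORWARD", inner),  # tun+ ACCEPT fires before the string rule
    }
    # Re-adding the string rule with -I puts it at the top, where tun traffic actually reaches it.
    fw.apply('-D FORWARD -m string --algo bm --string "BitTorrent" -j DROP')
    fw.apply('-I FORWARD -m string --algo bm --string "BitTorrent" -j DROP')
    results["inner_with_string_rule_first"] = fw.verdict("FORWARD", inner)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

Run as a script it prints one verdict per scenario. The two results worth comparing are `outer_tunnel_packet` (the string rule on INPUT sees only the encapsulated bytes, which is the point made two answers up) and `inner_after_tun_accept` versus `inner_with_string_rule_first` (the same decapsulated packet is accepted or dropped purely depending on whether the string rule sits above or below `-i tun+ -j ACCEPT`). On a real host, `iptables -L FORWARD -n -v --line-numbers` shows the effective order and per-rule counters, which is the quickest way to confirm which rule a flow is actually hitting.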
