Question
Updating Iptables to block torrent traffic
I’m getting more and more confused about blocking traffic and openvpn.
Isn’t it so that it doesn’t affect any openvpn traffic when you place rules in the OUTPUT chain regarding protocols/portnumbers?
I mean… the traffic is encapsulated in an encrypted tunnel and only on arriving at the client by decrypting it becomes clear for what application/port the traffic is destined.
Or am i crazy?
My guess would be that rules should be in the FORWARD chain where eth0 goes on the internet to fetch things.
Or is that what arrives at the tun interface transparent for the firewall/iptables?
Tested it and it works when you put them in the FORWARD chain. Tested it over the openvpn, putting (for testing!) this rule at the top of the chain. All other networks can pass and only traffic coming from the 10.8.1.0/24 network is not getting anything over 443:
-A FORWARD -s 10.8.1.0/24 -p tcp --dport 443 -j DROP
-A FORWARD -i tun+ -j ACCEPT
Here are my rules, change the chain as you need.
iptables -A INPUT -m string --string "BitTorrent" --algo bm -j DROP
iptables -A INPUT -m string --string "BitTorrent protocol" --algo bm -j DROP
iptables -A INPUT -m string --string "peer_id=" --algo bm -j DROP
iptables -A INPUT -m string --string ".torrent" --algo bm -j DROP
iptables -A INPUT -m string --string "announce.php?passkey=" --algo bm -j DROP
iptables -A INPUT -m string --string "torrent" --algo bm -j DROP
iptables -A INPUT -m string --string "announce" --algo bm -j DROP
iptables -A INPUT -m string --string "info_hash" --algo bm -j DROP
iptables -A INPUT -m string --string "tracker" --algo bm -j DROP
iptables -A INPUT -m string --string "get_peers" --algo bm -j DROP
iptables -A INPUT -m string --string "announce_peer" --algo bm -j DROP
iptables -A INPUT -m string --string "find_node" --algo bm -j DROP
@hammer354 Sorry for my illiteracy in this area, but I thought the data between client and vpn server is encrypted. How can iptables read the string “BitTorrent”?
I personally do have a native openVPN set up on a VPS. It got suspended (due to DMCA violation) soon after my pal torrented movies using his Samsung mobile.
I did copy paste your rules to my iptables (thanks here), but it seems it is not dropping torrent trackers.
HELP! PLEASE!
The data between client and VPN server is encrypted, but the data between server and server is not always encrypted. However, it is very hard to fully block the BitTorrent protocol. Maybe you can try to access a URL that contains the above strings, and see whether the connection is blocked or not.
@hammer354 your reply is very much appreciated.
I am puzzled in that even though I use a freshly downloaded utorrent app, it still works fine with your set of stringent iptables rules. Even downloading an xyz.torrent file via browser from a torrent website went through the iptables rules without any problem.
Am I missing something here?
Kindly share some guidance, please.
EDIT: just realised most torrent websites use https. Is that the reason your set of rules is not blocking the seeds from downloading?
If you are browsing a website using https, it is not possible to block the connection, unless the URL contains the string. But in this case you are just downloading a torrent file, which is not the BitTorrent protocol; the BitTorrent protocol is when BitTorrent software starts a download task from the torrent file.
@hammer354 Thanks again for your reply. Really appreciated.
In a typical user scenario, the user browses a torrent website (presumably https), chooses one torrent file or magnet, clicks ‘download’, then the bittorrent/utorrent software pops up and starts downloading.
Can the above iptables rules be effective in this user journey?
Thanks in advance for your guidance.
@aussie The above iptables rules may be effective when the bittorrent software starts downloading.
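As an added illustration (not code from anyone in this thread), the Python below emulates what the `-m string --algo bm` rules posted above actually do, a plain byte-substring search over each packet's payload, and runs it over constructed sample payloads: a peer-wire handshake, a DHT get_peers query, a plain-HTTP tracker announce, an unrelated HTTP request, and a TLS record. It shows why the rules fire on cleartext BitTorrent traffic, why they cannot see anything inside https or the VPN tunnel (as discussed in the replies above), and why broad strings such as "tracker" also drop unrelated traffic.

```python
# Patterns copied from the rule set posted in this thread. iptables -m string
# with --algo bm is a case-sensitive byte-substring search over the packet payload.
TORRENT_PATTERNS = [
    b"BitTorrent", b"BitTorrent protocol", b"peer_id=", b".torrent",
    b"announce.php?passkey=", b"torrent", b"announce", b"info_hash",
    b"tracker", b"get_peers", b"announce_peer", b"find_node",
]


def matching_patterns(payload: bytes, patterns=TORRENT_PATTERNS) -> list:
    """Return the patterns a chain of -m string DROP rules would match in this payload.
    The kernel only ever sees raw packet bytes, so ciphertext never matches."""
    return [p.decode() for p in patterns if p in payload]


def would_drop(payload: bytes) -> bool:
    """True if at least one rule in the chain would fire on this packet."""
    return bool(matching_patterns(payload))


# Constructed sample payloads (hand-written, not captured traffic).
SAMPLES = {
    # Peer-wire handshake: length byte 0x13, then the protocol string, reserved bytes,
    # a 20-byte info hash and a 20-byte peer id.
    "peer_handshake": (b"\x13BitTorrent protocol" + b"\x00" * 8
                       + b"\xaa" * 20 + b"-UT0000-" + b"x" * 12),
    # Bencoded mainline-DHT get_peers query carried over UDP.
    "dht_get_peers": (b"d1:ad2:id20:" + b"a" * 20 + b"9:info_hash20:" + b"b" * 20
                      + b"e1:q9:get_peers1:t2:aa1:y1:qe"),
    # Plain-HTTP tracker announce, readable because it is not TLS.
    "http_announce": (b"GET /announce?info_hash=%12%34&peer_id=-UT0000-abcdef HTTP/1.1\r\n"
                      b"Host: tracker.example\r\n\r\n"),
    # Unrelated HTTP request whose path contains 'tracker': a false positive.
    "issue_tracker": (b"GET /projects/foo/tracker/issues/42 HTTP/1.1\r\n"
                      b"Host: www.example.com\r\n\r\n"),
    # TLS application-data record: header plus opaque ciphertext, nothing to match.
    "tls_record": b"\x17\x03\x03\x00\x20" + bytes(range(32)),
}


def classify_samples() -> dict:
    """Map each sample name to the list of rule strings that would drop it."""
    return {name: matching_patterns(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in classify_samples().items():
        print(f"{name:15s} drop={bool(hits)!s:5s} matched={hits}")
```

Running it shows the TLS record passing untouched while the unrelated issue-tracker request is dropped, which is the trade-off the thread runs into with such broad strings.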