Expert opinion on iptables/torrents

Hello all,

I want to deny any torrents passing through my Linux box that are NOT encrypted. My ISP is doing packet inspection and gives warnings.

I'd like to allow torrents when client sets encryption.

Any thoughts?

iptables can do lots of fun things with sources, destinations, routes, types, and to a limited extent stateful things like simple detection of some protocols but I don't think it's good for this depth of packet content reading. It's just a firewall in the end.


At level7 perhaps?
If I block via l7 all non-standard ports >1024 (i.e. allow only 80, 53, 22 etc.), I read somewhere that l7 will not stop encrypted torrents... is that true? I'm guessing it makes sense, since it cannot really peek into them to match a pattern?

I use iptables daily and know a lot of tricks, but this packet inspection is a real fuss.

I'll make another thread now about PayPal/iptables, which is also giving me a headache... perhaps someone knows...

I really like that there are people here that I might actually talk to about networking and Linux and stuff... sometimes I feel like I'm alone... not even Google can give me the answers I seek.

:b:

l7 is a do-anything add-on for iptables which connects iptables to user-mode software. It's this software which must do the packet analysis.

It's possible but difficult; BitTorrent is (intentionally) hard to tell apart from ordinary traffic. In response to throttling and censorship, it has become even more so.

That is what I had to do eventually. (You don't need l7 to block ports. Plain iptables can do that easily.) It cannot block all torrents but many. It was a sad moment, a final admission of defeat, that I couldn't simply let my customers have what they wanted at all times. :frowning:
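The port-based lockdown described in the replies above (allow only a short list of well-known destination ports, and let the layer7 match drop whatever plaintext BitTorrent handshakes it can still recognize), written out as an added example that is not from anyone in the thread. Interface name, LAN subnet and the exact port list are assumptions; the script emits an iptables-restore file for review rather than applying rules blind.

```shell
#!/bin/sh
# Added example (not from the original thread): generate a FORWARD-chain policy
# that only lets LAN hosts open connections to a few well-known ports, with a
# layer7 bittorrent match in front of it. Interface and subnet are assumed.

LAN_IF="${LAN_IF:-eth1}"             # assumed LAN-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed LAN subnet
ALLOWED_TCP="22 53 80 443"           # the ports named in the thread, plus 443
ALLOWED_UDP="53 123"                 # DNS and NTP over UDP

# Emit the rule set as iptables-restore text so it can be diffed and reviewed
# (or piped to iptables-restore with --apply) instead of being applied blind.
build_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':TORRENT_FILTER - [0:0]'
    # Replies to connections that were already accepted pass regardless of port.
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A FORWARD -i $LAN_IF -s $LAN_NET -j TORRENT_FILTER"
    # The layer7 match (needs the l7-filter kernel/iptables patches, otherwise
    # iptables-restore rejects this line) only recognizes plaintext BitTorrent
    # handshakes; sessions using MSE/PE encryption do not match and fall through.
    printf '%s\n' '-A TORRENT_FILTER -m layer7 --l7proto bittorrent -j DROP'
    for p in $ALLOWED_TCP; do
        printf '%s\n' "-A TORRENT_FILTER -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $ALLOWED_UDP; do
        printf '%s\n' "-A TORRENT_FILTER -p udp --dport $p -j ACCEPT"
    done
    # Everything else from the LAN, including every port above 1024, is dropped.
    # Caveat: an encrypted torrent client configured to use port 443 still passes.
    printf '%s\n' '-A TORRENT_FILTER -j DROP'
    printf '%s\n' 'COMMIT'
}

# Self-check helper: how many ACCEPT rules a destination port gets.
rule_count_for_port() {
    build_rules | grep -c -- "--dport $1 "
}

if [ "${1:-}" = "--apply" ]; then
    build_rules | iptables-restore
else
    build_rules
fi
```

Run it without arguments to print the policy; run it as root with `--apply` to load it. Because the default FORWARD policy is DROP, anything you forgot to whitelist (mail, IMAP, game ports) stops working immediately, so review the generated file before applying it.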

Yes, very difficult. It probably negotiates over https, which customers obviously need to work unimpeded; which once connected can carry whatever it wants without letting you see the contents. This is also how tor hides itself.

You could also try traffic control, speed limiting instead of or in addition to block/don't block. Prioritize any obviously recognizable traffic.

I can, and I do that already... it's just that throughput isn't what's bugging me. The ISP is bugging me: they inspected some packet and they saw Movie.name.warez.torrent.bla.avi... and they want it resolved or they'll unplug me, so that's my main concern.
I had the firewall open on the network from 00:00 to 08:00, and users could use whatever, but now I have to lock down even those hours and, as you said, give up and surrender :confused: