
Thread: How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

  1. #21
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

    Blocking torrents is not easy as basically the torrent clients are designed to evade such attempts on your part.

    You have been given some good advice in your thread; I would point you at this thread.

    http://serverfault.com/questions/270...-p2p-protocols

    I believe the best solution is to use a proxy server for web access, i.e. something like squid.

    So, if you are on a low budget, configure a hardware firewall (which is nothing but an inexpensive box with two network cards) and install a firewall-specific distro + squid.

    You would then configure the firewall to allow as much internal traffic as you wish, but restrict outbound traffic to http and https (ports 80 and 443) which would be proxied by squid.

    Yes it can still be abused.

    http://www.linuxhomenetworking.com/w...ess_with_Squid

    http://www.linuxjunkies.org/html/Ban...ing-HOWTO.html
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  2. #22
    Join Date
    Jan 2006
    Beans
    63

    Re: How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

    Quote Originally Posted by vhinz View Post
    Block torrents? As simple as managing network bandwidth. Simultaneous downloads, especially of large files (mostly movies) from torrents, can bring the network to its knees.


    Not if you install 10 MBit switches on the client side

    Your core switches should always be a step above your client switches to prevent any single client from "bringing the network to its knees".

  3. #23
    Join Date
    Aug 2008
    Location
    WA
    Beans
    2,186
    Distro
    Ubuntu

    Re: How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

    I have used connection limits to slow torrents to a crawl.

    I had a transparent bridge, and the version of brctl control that it had on the box allowed for setting connection limits, both global and individual. I had a global limit of 100 per internal IP address, and this managed to throttle torrents quite effectively. (I don't think anyone was able to pull over 30k / second.)

    http://www.bandwidtharbitrator.com/m...=article&sid=4

    BTW -- The neteq is a linux based transparent bridge device and it does an excellent job of providing very fine grained control over your network traffic.
    Last edited by iponeverything; January 12th, 2010 at 08:30 AM.

  4. #24
    Join Date
    Jul 2009
    Beans
    571
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

    @iponeverything:

    http://www.bandwidtharbitrator.com/m...=article&sid=4

    Your link above doesn't work.
    It's OK, everything we know will become obsolete at some time.

  5. #25
    Join Date
    Jul 2009
    Beans
    571
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

    Please take a look at my POST #10 here at: http://ubuntuforums.org/showthread.php?t=1576228

    I can't block torrents but I can hamper their speeds.

    It's the simplest way I know! Thanks UbuntuForums and all the good and patient people who helped me out.
    It's OK, everything we know will become obsolete at some time.

  6. #26
    Join Date
    Aug 2008
    Location
    Victoria, BC Canada
    Beans
    1,741

    Re: How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

    Those 2 DNS servers are public and anyone can use them.

    I have them in my other DNS list in BIND9, along with a lot of others around the planet.

  7. #27
    Join Date
    Mar 2007
    Beans
    125

    Re: How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

    Quote Originally Posted by AlexanderDGreat View Post
    Please take a look at my POST #10 here at: http://ubuntuforums.org/showthread.php?t=1576228

    I can't block torrents but I can hamper their speeds.

    It's the simplest way I know! Thanks UbuntuForums and all the good and patient people who helped me out.

    Because bittorrents are very complex and use various ports, the best way to block them is to install squid on your server, allow only the http, https and IMAP ports, and deny all other ports using "http_access deny all".
    Now the torrents should not be able to function any more.
    Love my Ubuntu!

  8. #28
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

    I know this post is old, but I thought I'd pass along a different solution.

    Most torrent traffic occurs on so-called "high" ports, ones numbered from 1024-65535. Ports below this can only be opened by software running (at least initially) with root permissions like SMTP (port 25) and HTTP servers (80). Ordinary users can run software like torrent clients that listen on the high ports.

    At one site I consult to, we've simply blocked all traffic originating on a client computer's high ports from connecting to any remote's high ports like this:

    Code:
    # Reject high-port to high-port traffic leaving 10.10.0.0/16 (negation written as "! -d")
    iptables -A FORWARD -p tcp -s 10.10.0.0/16 --sport 1024:65535 ! -d 10.10.0.0/16 --dport 1024:65535 -j REJECT
    iptables -A FORWARD -p udp -s 10.10.0.0/16 --sport 1024:65535 ! -d 10.10.0.0/16 --dport 1024:65535 -j REJECT

    These allow machines within our network (10.10.0.0/16) to carry out high-port communication with each other, but forbid them from connecting to high ports on remotes.

    These rules will block most torrent traffic and other bandwidth gobblers like streaming radio and gaming. They may also block some legitimate traffic as well. We log all packets that match this rule (by adding two identical rules above these with "-j LOG" instead of "-j REJECT") just in case. Usually the IT department will hear complaints if a legitimate service (like, e.g. GoToMyPC) is blocked.
    Last edited by SeijiSensei; October 8th, 2011 at 02:31 PM.
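
The logging step described in post #28, as an added example that is not part of the original post: a small parser that summarizes the kernel log lines written by the two `-j LOG` rules, so a destination used by several clients (a likely legitimate service) can be told apart from one client fanning out to many peers. The `HIGHPORT: ` prefix (set with `--log-prefix`), the thresholds and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

LOG_PREFIX = "HIGHPORT: "  # assumed value passed to --log-prefix on the LOG rules
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

# Constructed sample lines in the format the iptables LOG target writes.
SAMPLE_LOG = """\
Oct  8 14:02:10 gw sshd[411]: Accepted publickey for admin from 10.10.0.2
Oct  8 14:02:11 gw kernel: HIGHPORT: IN=eth1 OUT=eth0 SRC=10.10.3.7 DST=203.0.113.5 LEN=60 TTL=63 PROTO=TCP SPT=51413 DPT=6881 SYN
Oct  8 14:02:11 gw kernel: HIGHPORT: IN=eth1 OUT=eth0 SRC=10.10.3.7 DST=198.51.100.20 LEN=60 TTL=63 PROTO=TCP SPT=51414 DPT=51413 SYN
Oct  8 14:02:12 gw kernel: HIGHPORT: IN=eth1 OUT=eth0 SRC=10.10.3.7 DST=192.0.2.77 LEN=95 TTL=63 PROTO=UDP SPT=51413 DPT=40000 LEN=75
Oct  8 14:05:40 gw kernel: HIGHPORT: IN=eth1 OUT=eth0 SRC=10.10.1.15 DST=198.51.100.200 LEN=60 TTL=63 PROTO=TCP SPT=40211 DPT=8200 SYN
Oct  8 14:07:02 gw kernel: HIGHPORT: IN=eth1 OUT=eth0 SRC=10.10.2.9 DST=198.51.100.200 LEN=60 TTL=63 PROTO=TCP SPT=38877 DPT=8200 SYN
"""

def parse_line(line):
    """Return (src, dst, proto, dport) for a logged packet, or None for any other line."""
    if LOG_PREFIX not in line:
        return None
    fields = dict(FIELD_RE.findall(line.split(LOG_PREFIX, 1)[1]))
    if not {"SRC", "DST", "PROTO", "SPT", "DPT"} <= fields.keys():
        return None
    return fields["SRC"], fields["DST"], fields["PROTO"], int(fields["DPT"])

def summarize(text, min_clients=2, fanout=3):
    """Split the matches into shared remote services and high-fan-out clients.

    shared: remote (dst, proto, dport) hit by at least min_clients internal hosts,
            worth checking as a legitimate service before users complain.
    fanned: internal hosts that tried at least fanout distinct remote endpoints,
            the pattern a peer-to-peer client produces.
    """
    clients_per_service = defaultdict(set)
    peers_per_client = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        clients_per_service[(dst, proto, dport)].add(src)
        peers_per_client[src].add((dst, dport))
    shared = sorted(k for k, v in clients_per_service.items() if len(v) >= min_clients)
    fanned = sorted(c for c, p in peers_per_client.items() if len(p) >= fanout)
    return shared, fanned

if __name__ == "__main__":
    shared, fanned = summarize(SAMPLE_LOG)
    print("review as possible legitimate services:", shared)
    print("clients with peer-to-peer-like fan-out:", fanned)
```
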

  9. #29
    Join Date
    Nov 2011
    Beans
    10

    Re: How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

    Quote Originally Posted by SeijiSensei View Post
    I know this post is old, but I thought I'd pass along a different solution.

    Most torrent traffic occurs on so-called "high" ports, ones numbered from 1024-65535. Ports below this can only be opened by software running (at least initially) with root permissions like SMTP (port 25) and HTTP servers (80). Ordinary users can run software like torrent clients that listen on the high ports.

    At one site I consult to, we've simply blocked all traffic originating on a client computer's high ports from connecting to any remote's high ports like this:

    Code:
    # Reject high-port to high-port traffic leaving 10.10.0.0/16 (negation written as "! -d")
    iptables -A FORWARD -p tcp -s 10.10.0.0/16 --sport 1024:65535 ! -d 10.10.0.0/16 --dport 1024:65535 -j REJECT
    iptables -A FORWARD -p udp -s 10.10.0.0/16 --sport 1024:65535 ! -d 10.10.0.0/16 --dport 1024:65535 -j REJECT

    These allow machines within our network (10.10.0.0/16) to carry out high-port communication with each other, but forbid them from connecting to high ports on remotes.

    These rules will block most torrent traffic and other bandwidth gobblers like streaming radio and gaming. They may also block some legitimate traffic as well. We log all packets that match this rule (by adding two identical rules above these with "-j LOG" instead of "-j REJECT") just in case. Usually the IT department will hear complaints if a legitimate service (like, e.g. GoToMyPC) is blocked.

    Hi SeijiSensei

    I am having a similar problem but am new to Linux. Where would I put the code you recommend?

  10. #30
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

    Quote Originally Posted by adtf01 View Post
    Hi SeijiSensei

    I am having a similar problem but am new to Linux. Where would I put the code you recommend?

    You will have to learn iptables for those commands to work.

    http://bodhizazen.net/Tutorials/iptables
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface
