
Thread: How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

  1. #1
    Join Date
    Jul 2009
    Beans
    571
    Distro
    Ubuntu 10.04 Lucid Lynx

    How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

    Hi, I've been all around the net and can't find a "simple" answer on how to block our LAN users from downloading torrents. Is it really that difficult?

    Here's our setup:

    Internet ---> Router ---> eth0
    _____
    |eth0|
    |eth1|---> Switch ---> Workstations
    |____|
    Karmic Koala Server

    1. The Server's Configs:

    sudo gedit /etc/network/interfaces

    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet static
    address 192.168.1.50
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.254
    dns-nameservers 192.168.1.254

    auto eth1
    iface eth1 inet static
    address 192.168.0.51
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    #gateway
    dns-nameservers 192.168.1.254

    2. sudo gedit /etc/squid/squid.conf

    http_port 3128 transparent
    acl goodsites dstdomain .google.com .yahoo.com .cnn.com
    http_access allow goodsites

    3. sudo gedit /etc/rc.local (to start Firewall rules on bootup)

    sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

    sudo iptables --table nat --append POSTROUTING --jump MASQUERADE --source 192.168.0.0/24

    sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

    4. Server NOT a DHCP Server

    5. No other iptables rules are configured, just the above ones.

    Before, in a 1 NIC setup, I blocked Workstations' MAC addresses in the Router + Squid Proxy Server (Not Transparent). It worked, but some Online Java Apps didn't work and users couldn't send/receive email, so I abandoned the method.

    Now, I installed transparent Squid Proxy with 2 NIC cards, it works, but workstations can still download torrents! I know Squid doesn't block ports, right? So the answer must lie in Iptables Firewall? I basically use Squid just to deny access to Facebook, Friendster, or other "unproductive sites".

    Can you pls. help me with how to block torrent downloading by using a Firewall? Or is there another "simple" way? Am I on the right path?
    PS I've heard that it's better just to allow regular ports (80, 22, 465, etc...) and then block all the rest; this way, you can prevent unnecessary ports. Is this the answer, and if so, how do I do it? Thanks.

    PPS I'm not an Iptables/Firewall expert, so can you pls. explain it in a bit more detail if that's the case.

    PPPS I'm also aware of just telling our users NOT to download torrents, but I just want to prohibit it entirely.

    PPPPS I know I will be the most "uncool" employee in our office.

    Thanks for reading.
    Last edited by AlexanderDGreat; January 6th, 2010 at 04:37 PM.
    It's OK, everything we know will become obsolete at some time.

  2. #2
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

    There is no simple sure fire way to do this. I've heard that some ISPs spend a lot on fancy routers that can filter packets dependent on content but even that isn't foolproof because most torrent clients support encryption to prevent packet snooping.

    Torrents can be run on any port. Peer-to-peer traffic can be between any ports. Even if you leave open only certain known ports, competent users can find ways around this.

    You can take some steps to mitigate the effects though. You can set up limits on open connections, which torrents tend to use voraciously. You could also set quotas on transfer so that people cannot use more than you set (suitable for normal work usage). You could probably set up some logging to track people who have high use and/or large numbers of open connections. 100+ connections open to high port numbers is somewhat telling. Most other apps will only have a few connections open at once.

    Some routers have QoS functions built in that allow you to prioritize traffic based on source/destination ports. That's no guarantee but it can help stop it from affecting more important traffic.
    Last edited by BkkBonanza; January 5th, 2010 at 04:54 PM.
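    The "100+ connections open to high port numbers" indicator above can be checked on the gateway itself, since the box already does the NAT and therefore tracks every workstation connection. The script below is an added example, not code from the thread: it reads `conntrack -L` output (package `conntrack` on Ubuntu), counts established TCP connections per LAN source whose remote port is above 1024, and reports sources at or above a threshold. The sample data it ships with is constructed, not captured, and the addresses in it are documentation ranges.

```shell
#!/bin/sh
# Added example (not from the thread): flag LAN hosts with an unusual number of
# established TCP connections to high ports, using `conntrack -L` output.

# Constructed sample in `conntrack -L` line format: 192.168.0.23 holds 120 peer
# connections to high ports (torrent-like), 192.168.0.10 has four web
# connections and 192.168.0.11 one SSH session.
sample_conntrack() {
    awk 'BEGIN {
        for (i = 1; i <= 120; i++)
            printf "tcp 6 431999 ESTABLISHED src=192.168.0.23 dst=203.0.113.%d sport=%d dport=%d src=203.0.113.%d dst=192.168.1.50 sport=%d dport=%d [ASSURED] use=1\n",
                i % 200 + 1, 40000 + i, 6881 + i % 100, i % 200 + 1, 6881 + i % 100, 40000 + i
        for (i = 1; i <= 4; i++)
            printf "tcp 6 431999 ESTABLISHED src=192.168.0.10 dst=198.51.100.%d sport=%d dport=80 src=198.51.100.%d dst=192.168.1.50 sport=80 dport=%d [ASSURED] use=1\n",
                i, 50000 + i, i, 50000 + i
        printf "tcp 6 431999 ESTABLISHED src=192.168.0.11 dst=198.51.100.9 sport=50500 dport=22 src=198.51.100.9 dst=192.168.1.50 sport=22 dport=50500 [ASSURED] use=1\n"
    }'
}

# Count, per LAN source address, the established TCP connections whose remote
# port is above 1024. The first src=/dport= pair on a conntrack line is the
# original direction (workstation -> peer), which is the one we want.
# Prints "src count" for every source at or above the threshold (default 100).
high_port_conns() {
    awk -v thr="${1:-100}" '
        $1 == "tcp" && $4 == "ESTABLISHED" {
            src = ""; dport = ""
            for (f = 5; f <= NF; f++) {
                if (src == "" && $f ~ /^src=/)     src = substr($f, 5)
                if (dport == "" && $f ~ /^dport=/) dport = substr($f, 7)
            }
            if (src != "" && dport + 0 > 1024) count[src]++
        }
        END { for (s in count) if (count[s] >= thr) printf "%s %d\n", s, count[s] }'
}

# On the gateway (needs root):  conntrack -L 2>/dev/null | high_port_conns 100
# Against the constructed sample: sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_conntrack | high_port_conns 100
fi
```

    Run it from cron every few minutes and append the output to a log, and you get the usage tracking suggested above without touching the firewall rules. Web browsers and mail clients end up on ports 80, 443, 25 and so on, which the filter ignores, so a normal workstation produces no line at all; a host with dozens of established connections to high ports is worth a look.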

  3. #3
    Join Date
    Jul 2009
    Beans
    571
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

    @BkkBonanza thanks for replying.

    You can set up limits on open connections, which torrents tend to use voraciously. You could also set quotas on transfer so that people cannot use more than you set (suitable for normal work usage). You could probably set up some logging to track people who have high use and/or large numbers of open connections. 100+ connections open to high port numbers is somewhat telling.
    So can you point me to the right direction how to achieve these? Thanks for the help.

    Are there any other suggestions?
    It's OK, everything we know will become obsolete at some time.

  4. #4
    Join Date
    Aug 2008
    Location
    Victoria, BC Canada
    Beans
    1,741

    Re: How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

    Good luck trying to block torrents. By design they are made to evade being blocked. Most protocols are using strong encryption, making it impossible for an ISP who is snooping to see what is in the packet.

    In Canada P2P is legal thanks to a friendly Judge who gave it back after taxing CDs, DVDs etc. heavily. So it's legal to share iTunes, not that I do that, but it's legal.

    I have over 1000 CDs so what do I care.

    So here is the deal, want to block anything, someone will find a way around it.

  5. #5
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

    I would start with checking what functions your router has. If that isn't useful then you can use iptables to manually set up connection limits. You would have to make sure it integrates with whatever you already have in place.

    The relevant module is "connlimit" and it prevents more than some number being open under given circumstances. So you would want to configure a limit on outgoing connections in the "high port" range for any given source ip address. I don't have a specific command for this as I haven't had to solve the problem.

    My initial googling turned up this as a starting point, (for use on a gateway/firewall doing forwarding using 192.168.1.34 as an example IP),

    iptables -A FORWARD -p tcp --syn -s 192.168.1.34 ! --dport 80 -m connlimit --connlimit-above 5 -j DROP

    You may want to change this as follows,

    - you would need to use a script to add rules for each src ip address
    - instead of --dport !80 you may want a different range
    - you may want to allow more than 5 concurrent connections
    - you may want to log as well as drop the packets so you can see who is repeatedly hitting limits

    Another google turned up some info on the quotas module, so you may add something to above like,

    iptables -A FORWARD -p tcp -s 192.168.1.34 ! --dport 80 -m quota --quota 1024000 -j ACCEPT
    iptables -A FORWARD -p tcp -s 192.168.1.34 ! --dport 80 -j DROP

    This will allow about 1MB through under these conditions but after that limit will drop the packets.

    Edit: Also found info on iplimit module - better for your use as it tracks the src ip automatically. Similar to above but no need for src ip,

    iptables -A FORWARD -p tcp --syn ! --dport 80 -m iplimit --iplimit-above 5 -j DROP


    Here is a rather old page with this last info and other useful info,

    http://linuxgazette.net/108/odonovan.html

    Hope this all helps.
    Last edited by BkkBonanza; January 6th, 2010 at 07:23 AM. Reason: added iplimit info
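    The four tweaks listed in the post (a script for per-source rules, a wider port range, a higher limit, logging before dropping) fit in one short generator. The script below is an added example, not the poster's commands or any project's code; it assumes the two-NIC gateway from the first post (LAN on eth1, 192.168.0.0/24) and every number in it is an illustrative default. Two facts it relies on: `connlimit` is the successor of the old `iplimit` match and counts per source address by default (`--connlimit-mask 32`), so a single rule covers every workstation; `quota`, by contrast, is one global byte counter per rule, so a per-host budget genuinely needs one rule pair per host, which is what the loop produces.

```shell
#!/bin/sh
# Added example (not the poster's or any project's code): generate, and with
# --apply install, a per-host connection cap plus a per-host byte quota for LAN
# TCP traffic that is not headed to the ports staff normally use.
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
MAX_CONN="${MAX_CONN:-30}"               # concurrent "other" connections per host
QUOTA_BYTES="${QUOTA_BYTES:-104857600}"  # 100 MiB of "other" traffic per host

gen_rules() {
    # Only TCP from the LAN that is not headed to the services staff are
    # expected to use; extend the port list for anything else you run.
    expected="-m multiport ! --dports 22,25,80,110,143,443,465,587,993,995"

    # Chain P2PLIMIT: a per-source cap on concurrent outbound connections.
    # connlimit counts per source address (mask 32 is the IPv4 default), so one
    # rule covers every workstation; log a rate-limited sample before dropping.
    printf 'iptables -N P2PLIMIT 2>/dev/null || iptables -F P2PLIMIT\n'
    printf 'iptables -A FORWARD -i %s -s %s -p tcp --syn %s -j P2PLIMIT\n' "$LAN_IF" "$LAN_NET" "$expected"
    printf 'iptables -A P2PLIMIT -m connlimit --connlimit-above %s --connlimit-mask 32 -m limit --limit 6/min -j LOG --log-prefix "P2PLIMIT: "\n' "$MAX_CONN"
    printf 'iptables -A P2PLIMIT -m connlimit --connlimit-above %s --connlimit-mask 32 -j DROP\n' "$MAX_CONN"

    # Chain P2PQUOTA: a byte budget on the same traffic class. quota is one
    # global counter per rule, so each host needs its own set of rules.
    printf 'iptables -N P2PQUOTA 2>/dev/null || iptables -F P2PQUOTA\n'
    printf 'iptables -A FORWARD -i %s -s %s -p tcp %s -j P2PQUOTA\n' "$LAN_IF" "$LAN_NET" "$expected"
    for host in "$@"; do
        printf 'iptables -A P2PQUOTA -s %s -m quota --quota %s -j RETURN\n' "$host" "$QUOTA_BYTES"
        printf 'iptables -A P2PQUOTA -s %s -m limit --limit 1/min -j LOG --log-prefix "P2PQUOTA: "\n' "$host"
        printf 'iptables -A P2PQUOTA -s %s -j DROP\n' "$host"
    done
}

# Print the rules to review them, or run them on the gateway (needs root):
#   sh thisscript.sh 192.168.0.10 192.168.0.11
#   sh thisscript.sh --apply 192.168.0.10 192.168.0.11
if [ "${1:-}" = "--apply" ]; then
    shift
    gen_rules "$@" | sh -e
else
    gen_rules "$@"
fi
```

    Reloading the chains resets every quota counter, so re-running `--apply` from a daily cron entry turns the byte budget into a per-day budget. The `LOG` entries land in the kernel log (`dmesg`, `/var/log/kern.log` on Ubuntu) with the source address, which is the "who keeps hitting the limit" record the post asks for. Note that these rules only cap how much a workstation can do on non-standard ports; traffic to port 443 is deliberately exempt, so they are a brake rather than a block.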

  6. #6
    Join Date
    Jan 2010
    Location
    Southern California
    Beans
    5
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

    Blocking certain traffic (Torrent - in this case) on the Router is your best bet. If this a home network, I would suggest picking up a Linksys WRT54GL and flash it w/ DD-WRT. DD-WRT does a good job blocking P2P traffic.

  7. #7
    Join Date
    Oct 2005
    Location
    Lab, Slovakia
    Beans
    10,798

    Re: How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

    Hmm, bandwidth limiting using Squid and bucket filters is one way to control things. Hopefully most of your users are not computer savvy. If however you have 500 computer scientists or engineers on staff, then about the only thing you can do is keep the staff internet connection separated from the mail server using VLANs or such.
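    The "bucket filters" mentioned here are Squid's delay pools, a token-bucket shaper configured in squid.conf. The script below is an added example, not the poster's configuration: it prints a class 2 pool (one aggregate bucket for the LAN plus one bucket per client address) and, with `--install`, appends it to squid.conf, checks that the file still parses and reloads Squid. It assumes the LAN is 192.168.0.0/24, that Squid was built with delay pools (Ubuntu's package is), and the script name `delay_pool.sh` in the comment header is just a placeholder; the rates are illustrative.

```shell
#!/bin/sh
# Added example (not the poster's configuration): a Squid delay pool fragment
# plus the steps to install it safely on the transparent proxy above.
LAN_NET="${LAN_NET:-192.168.0.0/24}"
AGG_BPS="${AGG_BPS:-512000}"        # whole-LAN ceiling, bytes/second
HOST_BPS="${HOST_BPS:-64000}"       # sustained rate per workstation, bytes/second
HOST_BURST="${HOST_BURST:-256000}"  # bucket size: bytes a host may burst before HOST_BPS bites
SQUID_CONF="${SQUID_CONF:-/etc/squid/squid.conf}"

# Class 2 pool: one aggregate bucket for the LAN and one bucket per client IP.
# delay_parameters takes restore/max pairs in bytes: a bucket refills at
# "restore" bytes per second and never holds more than "max" bytes.
squid_delay_pool_conf() {
    cat <<EOF
# --- per-host bandwidth cap (added by delay_pool.sh) ---
acl localnet src $LAN_NET
delay_pools 1
delay_class 1 2
delay_parameters 1 $AGG_BPS/$AGG_BPS $HOST_BPS/$HOST_BURST
delay_initial_bucket_level 50
delay_access 1 allow localnet
delay_access 1 deny all
EOF
}

# Append the fragment, check the whole file parses, then reload without
# dropping client connections; put the backup back if the parse fails.
install_delay_pool() {
    cp "$SQUID_CONF" "$SQUID_CONF.bak" || return 1
    squid_delay_pool_conf >> "$SQUID_CONF"
    if squid -k parse; then
        squid -k reconfigure
    else
        echo "squid.conf failed to parse; restoring backup" >&2
        cp "$SQUID_CONF.bak" "$SQUID_CONF"
        return 1
    fi
}

# Print the fragment to review it, or install it (needs root):
#   sh delay_pool.sh            sh delay_pool.sh --install
if [ "${1:-}" = "--install" ]; then install_delay_pool; else squid_delay_pool_conf; fi
```

    Keep in mind what this reaches: a delay pool shapes only traffic that actually passes through Squid, which in the setup from the first post is the port 80 traffic the REDIRECT rule sends to it. Peer connections on other ports never touch the proxy, so this caps large web downloads per workstation and keeps one user from saturating the line, but it is not a torrent block.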

  8. #8
    Join Date
    Jul 2009
    Beans
    571
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

    @vegan -
    So here is the deal, want to block anything, someone will find a way around it.
    Well, our users aren't that tech-savvy "yet" I guess so no harm in trying.

    @BkkBonanza - Appreciate all those searches for me, mate. You're a kind fellow, God bless you. I will put those things in action.

    @hardev -
    I would suggest picking up a Linksys WRT54GL and flash it w/ DD-WRT. DD-WRT does a good job blocking P2P traffic.
    Thanks for your help, although if I can do it first by software, I'll try it, if not, I'll try to use that Linksys hardware. Yes we're only SOHO.

    @HermanAB -
    Hmm, bandwidth limiting using Squid and bucket filters is one way to control things.
    can you show me how to do this?

    Thank you vegan, BkkBonanza, hardev, HermanAB for the answers!
    It's OK, everything we know will become obsolete at some time.

  9. #9
    Join Date
    Jun 2007
    Location
    Michigan, USA
    Beans
    465

    Re: How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

    I would suggest taking a look at something like OpenDNS.com. Perhaps there's a way to integrate the services with your current setup, but you can pick and choose which content types to block, including things like malware, adware, adult content, p2p traffic, and phishing. I use it on my network to block adware/phishing and it's wonderful.

    http://www.opendns.com
    Ubuntu 14.04 Server
    -Linode 1GB
    Ubuntu Mate 16.04 Laptop
    -Toshiba Satellite A505-6005, Intel i3, 4.00 GB ram

  10. #10
    Join Date
    Jul 2009
    Beans
    571
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?

    @Thirtysixway - Hi, thanks for the idea.

    I would suggest taking a look at something like OpenDNS.com. Perhaps there's a way to integrate the services with your current setup, but you can pick and choose which content types to block, including things like malware, adware, adult content, p2p traffic, and phishing. I use it on my network to block adware/phishing and it's wonderful.
    Can Google DNS (8.8.8.8 or 8.8.4.4) also do this? Is OpenDNS free? I'm a little out of cash right now, Christmas season just passed.
    It's OK, everything we know will become obsolete at some time.

