How Do You Block Torrents By Using Squid Or Firewall? Is There A Better Way?
Hi, I've been all around the net and can't find a "simple" answer on how to block our LAN users from downloading torrents. Is it really that difficult?
Here's our setup:
Internet ---> Router ---> eth0
_____
|eth0|
|eth1|---> Switch ---> Workstations
|____|
Karmic Koala Server
1. The Server's Configs:
sudo gedit /etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.1.50
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.254
dns-nameservers 192.168.1.254
auto eth1
iface eth1 inet static
address 192.168.0.51
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
#gateway
dns-nameservers 192.168.1.254
2. sudo gedit /etc/squid/squid.conf
http_port 3128 transparent
acl goodsites dstdomain .google.com .yahoo.com .cnn.com
http_access allow goodsites
3. sudo gedit /etc/rc.local (to start Firewall rules on bootup)
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
sudo iptables --table nat --append POSTROUTING --jump MASQUERADE --source 192.168.0.0/24
sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
4. Server NOT a DHCP Server
5. No other iptables rules are configured, just the above ones.
Before, in a 1-NIC setup, I blocked the workstations' MAC addresses in the router and used a Squid proxy server (not transparent). It worked, but some online Java apps didn't work and users couldn't send/receive email, so I abandoned the method.
Now I've installed a transparent Squid proxy with 2 NIC cards. It works, but workstations can still download torrents! I know Squid doesn't block ports, right? So the answer must lie in the iptables firewall? I basically use Squid just to deny access to Facebook, Friendster, and other "unproductive sites".
Can you please help me block torrent downloading by using a firewall? Or is there another "simple" way? Am I on the right path?
PS I've heard that it's better just to allow regular ports (80, 22, 465, etc.) and then block all the rest; this way you can prevent unnecessary ports. Is this the answer? If so, how do I do it? Thanks.
PPS I'm not an iptables/firewall expert, so can you please explain it in a bit more detail if that's the case.
PPPS I'm also aware of just telling our users NOT to download torrents, but I just want to prohibit it entirely.
PPPPS I know I will be the most "uncool" employee in our office.
Thanks for reading.
Last edited by AlexanderDGreat; January 6th, 2010 at 04:37 PM.
It's OK, everything we know will become obsolete at some time.
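The "allow the regular ports, drop the rest" approach from the PS, written out as an added example (not code from the original post or from any reply): a default-deny FORWARD policy for the two-NIC gateway above, with the LAN on eth1 (192.168.0.0/24) and the WAN on eth0. The allowed port list is an assumption; the script prints the rules so they can be reviewed, and applies them only when run with the `apply` argument.

```shell
#!/bin/sh
# Added example, not the poster's config: default-deny forwarding for the
# eth0/eth1 gateway in the post. Only listed service ports are forwarded from
# the LAN; everything else (including the random high TCP/UDP ports that
# BitTorrent peers and DHT use) is logged and dropped. Interface names match
# the post; the port list is an assumption and should be adjusted to your needs.
LAN_IF=eth1
WAN_IF=eth0
LAN_NET=192.168.0.0/24
ALLOWED_TCP="22 25 80 110 143 443 465 587 993 995"   # ssh, mail, web

# Emit the iptables commands instead of running them, so they can be read
# (and checked) before touching the live gateway.
build_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # replies belonging to connections that were already allowed
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # DNS to the router (UDP and TCP)
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT"
    # Note: with the PREROUTING REDIRECT from the post, LAN port-80 traffic goes
    # to the local Squid via INPUT, not FORWARD; 80 is kept here for completeness.
    for port in $ALLOWED_TCP; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport $port -j ACCEPT"
    done
    # log (rate-limited) and then drop everything else, so blocked traffic
    # shows up in syslog and you can see what the policy is catching
    echo "iptables -A FORWARD -i $LAN_IF -m limit --limit 5/min -j LOG --log-prefix \"FWD-DROP: \""
    echo "iptables -A FORWARD -i $LAN_IF -j DROP"
}

# Number of commands that would be generated; a quick sanity check.
rule_count() {
    build_rules | wc -l | tr -d ' '
}

apply_rules() {
    build_rules | sh -e   # must be run as root on the gateway
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Put `apply_rules` (or the printed commands) in /etc/rc.local after the existing MASQUERADE and REDIRECT lines; this only limits the ports that can be forwarded, so a client configured to tunnel over 443 still gets through, which is why the LOG rule is worth keeping an eye on.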