I block games and similar services in a workplace setting with iptables by denying communication between the clients' high ports (>1023) and remote high ports:
Code:
# TCP from LAN high ports to remote high ports: refuse (client gets a reset/unreachable)
/sbin/iptables -A FORWARD -s 192.168.1.0/24 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -j REJECT
# Same for UDP
/sbin/iptables -A FORWARD -s 192.168.1.0/24 -p udp -m udp --sport 1024:65535 --dport 1024:65535 -j REJECT
This keeps the router from forwarding any traffic on the LAN (192.168.1.0/24) to remote high ports. Since these are the only ports to which ordinary users can bind services (ports < 1024 are limited to root), that's where torrents and games tend to accumulate.
You may need to exempt some specific ports. If you have people using things like PC Anywhere or other Citrix-based services on port 1494, add a line like this before the ones above:
Code:
/sbin/iptables -A FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1494 -j ACCEPT
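The rule set above as one script, added here as an example and not the poster's own code: it emits the exemption ACCEPT rules ahead of the two high-port REJECT rules (iptables stops at the first matching rule, so an exemption appended after the REJECTs never fires), refuses to load a mis-ordered set, and by default only prints the iptables commands. LAN, IPT and EXEMPT_TCP are assumed variable names; setting IPT=/sbin/iptables applies the rules for real.

```shell
#!/bin/sh
# Build the FORWARD rules in first-match order and sanity-check them before loading.
LAN="${LAN:-192.168.1.0/24}"          # assumed: the workstation subnet
IPT="${IPT:-echo /sbin/iptables}"      # dry run by default; IPT=/sbin/iptables to apply
EXEMPT_TCP="${EXEMPT_TCP:-1494}"       # TCP ports to let through (1494 = Citrix ICA)

# Print the rules, one per line, in the order they must be loaded.
rules() {
  for p in $EXEMPT_TCP; do
    echo "-A FORWARD -s $LAN -p tcp -m tcp --dport $p -j ACCEPT"
  done
  echo "-A FORWARD -s $LAN -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -j REJECT"
  echo "-A FORWARD -s $LAN -p udp -m udp --sport 1024:65535 --dport 1024:65535 -j REJECT"
}

# Read rules on stdin; succeed only if no ACCEPT exemption follows a REJECT.
check_order() {
  awk 'BEGIN { bad = 0 }
       /-j REJECT/ { seen = 1 }
       /-j ACCEPT/ && seen { bad = 1 }
       END { exit bad }'
}

# Load the rules (or echo them in dry-run mode) after the ordering check passes.
apply_rules() {
  rules | check_order || { echo "exemption after REJECT; refusing to load" >&2; return 1; }
  rules | while read -r r; do
    $IPT $r    # intentionally unquoted so the rule splits into arguments
  done
}

apply_rules
```

Check the live result afterwards with `iptables -L FORWARD -n -v --line-numbers`: the ACCEPT lines must carry lower numbers than the two REJECT lines.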