Need an iptables rule to disable BitTorrent

I am running an sshd proxy server.

To prevent users from accessing infringing materials, I need an iptables rule to disable BitTorrent.

Does any iptables expert have some advice?

Thanks.

19 Replies

From this page, it looks like BitTorrent uses TCP ports 6881 through 6999 by default, with 6969 for outbound connections to trackers. However, these defaults are easily changeable by the user, so the best you can do with iptables is make it a little bit inconvenient to use BitTorrent.

You can look at filtering based on packet contents, which can sometimes detect signatures in non-encrypted sessions, but encryption is becoming more common and you won't be able to stop that. (See also this page).

So, if you absolutely must stop all BitTorrent traffic using iptables:

```shell
# Drops every packet on eth0 in both directions; OUTPUT takes -o, not -i
iptables -I INPUT -i eth0 -j DROP
iptables -I OUTPUT -o eth0 -j DROP
```

This may catch some false positives. -rt (if you actually try that, will be your friend)

I'd caution that you can't block BitTorrent with port blocks alone. You probably won't even make it inconvenient by blocking the "default" ports.

Most BitTorrent clients these days use random ports and UPnP to map them, the traditional default ports are rather uncommon. Trackers also have no restriction on what ports they use, so many use port 80 or whatever else they feel like using.

If you want to block BitTorrent, you'll need to resort to IPP2P (now OpenDPI) or l7-filter. Those won't be able to completely block BitTorrent (especially if it's using encrypted UDP), but it'll do a damned sight better than port blocks, which are useless.

> @Guspaz:
>
> I'd caution that you can't block BitTorrent with port blocks alone. You probably won't even make it inconvenient by blocking the "default" ports.
>
> Most BitTorrent clients these days use random ports and UPnP to map them, the traditional default ports are rather uncommon. Trackers also have no restriction on what ports they use, so many use port 80 or whatever else they feel like using.
>
> If you want to block BitTorrent, you'll need to resort to IPP2P (now OpenDPI) or l7-filter. Those won't be able to completely block BitTorrent (especially if it's using encrypted UDP), but it'll do a damned sight better than port blocks, which are useless.

I have tried to install IPP2P on my Linode, which runs Ubuntu 10.4, but failed. It needs the kernel to be recompiled, but I can't find the kernel version that Linode uses.

> @hoopycat:
>
> So, if you absolutely must stop all BitTorrent traffic using iptables:
>
> ```shell
> iptables -I INPUT -i eth0 -j DROP
> iptables -I OUTPUT -o eth0 -j DROP
> ```

I lol'd.

> @bjl:
>
> > @hoopycat:
> >
> > So, if you absolutely must stop all BitTorrent traffic using iptables:
> >
> > ```shell
> > iptables -I INPUT -i eth0 -j DROP
> > iptables -I OUTPUT -o eth0 -j DROP
> > ```
>
> I lol'd.

Does this stop all input and output traffic?

> @jeffkyjin:
>
> Does this stop all input and output traffic?

Yes, but only on eth0.

> @vonskippy:
>
> > @jeffkyjin:
> >
> > Does this stop all input and output traffic?
>
> Yes, but only on eth0.

I need a function to stop BitTorrent traffic only and keep other traffic.

Thanks.

> @jeffkyjin:
>
> I need a function to stop BitTorrent traffic only and keep other traffic.

As already explained in some of the posts above, the nature of BitTorrent traffic makes blocking it using port filtering impossible.

This reply's a bit late, but I just got this up and running myself and figured I'd share in case anyone else is interested:

This is the recipe I use for setting up ipp2p filtering to drop all BitTorrent and eDonkey traffic originating from our servers. The servers are running Ubuntu 10.04 with stock kernel 2.6.32.16-linode28.

Note that it does not seem to stop encrypted BitTorrent traffic, but something's better than nothing.

```shell
## Install the standard build tools ##
apt-get install build-essential

## For Linode - download the kernel & generate headers ##
cd /usr/src
wget http://linode.com/src/$(uname -r).tar.bz2
tar xjvf $(uname -r).tar.bz2
ln -sf $(uname -r) linux
cd linux
make prepare

## Install xtables addons ##
apt-get install xtables-addons-common
apt-get install module-assistant
module-assistant auto-install xtables-addons-source
depmod -a

## Add rejection rules to iptables ##
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -m ipp2p --edk -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m ipp2p --bit -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m mark --mark 1 -j CONNMARK --save-mark
iptables -A FORWARD -m mark --mark 1 -j REJECT

## At this point, iptables-save it into our firewall file ##
## "pre-up iptables-restore < /etc/iptables.rules" is applied to eth0 ##
## in our /etc/network/interfaces file ##
iptables-save > /etc/iptables.rules
```
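As an added example (not code from any poster in this thread, and not ipp2p itself), here is a small Python classifier that applies the kind of payload signatures ipp2p's `--bit` match relies on, the plaintext peer handshake and the HTTP tracker announce, to constructed sample payloads; the obfuscated sample shows why the recipe above misses encrypted clients. All sample bytes and names are constructed for illustration.

```python
import re

# Constructed sample payloads (not captured traffic), one per case a
# payload-signature matcher has to deal with.
SAMPLES = {
    # Plaintext peer handshake: <19><"BitTorrent protocol"><8 reserved><info_hash><peer_id>
    "plain_handshake": b"\x13BitTorrent protocol" + b"\x00" * 8
                       + bytes(range(20)) + b"-UT2210-" + b"\x00" * 12,
    # Tracker announce over HTTP; ports are irrelevant, this could be port 80
    "tracker_announce": b"GET /announce?info_hash=%AA%BB&peer_id=-UT2210-abc"
                        b"&port=51413&uploaded=0 HTTP/1.1\r\n"
                        b"Host: tracker.example\r\n\r\n",
    # Ordinary web request that must not be flagged
    "http_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    # MSE/PE-obfuscated stream: a Diffie-Hellman public key followed by RC4
    # ciphertext looks like noise, so no fixed string survives to match on.
    "encrypted_handshake": bytes((i * 131 + 17) % 256 for i in range(96)),
}

HANDSHAKE = b"\x13BitTorrent protocol"
ANNOUNCE = re.compile(rb"^GET [^ ]*/announce\?[^ ]*info_hash=", re.S)


def classify(payload: bytes) -> str:
    """Return the signature a DPI matcher would fire on, or 'unknown'.

    The equivalent iptables rule for the first case would be
    -m string --algo bm --string "BitTorrent protocol"; it has the same
    blind spot for encrypted streams.
    """
    if payload.startswith(HANDSHAKE):
        return "bittorrent-peer"
    if ANNOUNCE.match(payload):
        return "bittorrent-tracker"
    return "unknown"


def scan(samples=SAMPLES) -> dict:
    """Classify every sample; the encrypted one comes back 'unknown'."""
    return {name: classify(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:20s} -> {verdict}")
```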

> @sliph:
>
> Note that it does not seem to stop encrypted BitTorrent traffic, but something's better than nothing.

That could be a problem, since last I checked all decent BitTorrent clients use encryption by default.

> That could be a problem, since last I checked all decent BitTorrent clients use encryption by default.

Most of them support it, but not all of them enable it by default. For example, uTorrent - which is my favoritest client - doesn't ( http://www.utorrent.com/faq/features#faq1 ). And apparently, ipp2p can detect BitComet's encryption (or so it claims on http://www.ipp2p.org/news_en.html )…

I'm not sure if uTorrent enables encryption by default on outgoing connections, but it does enable it on incoming connections by default. In fact, as far as I know, there is no way to disable support for incoming encrypted connections.

If you're running a proxy, there are no incoming connections.

> @sliph:
>
> If you're running a proxy, there are no incoming connections.

… Then how are you doing anything?

Heh, well if you want to be pedantic, the proxy server allows incoming connections on a specific port to allow clients to connect. However, once connected, proxied clients cannot themselves accept incoming connections - they are only allowed to establish outgoing connections. Thus the issue of accepting incoming encrypted torrent connections never comes up.

Now theoretically, I guess you could allow UPnP to open ports and listen for incoming connections on your proxy server, but that's just asking for trouble.

again.

I am running an SSH proxy and a PPTP/L2TP VPN.

I still have not fixed this problem on my servers.

I have tried l7-filter, but it failed with some errors. I posted it here: http://forum.linode.com/viewtopic.php?t=8115

> @sliph:
>
> This reply's a bit late, but I just got this up and running myself and figured I'd share in case anyone else is interested:
>
> This is the recipe I use for setting up ipp2p filtering to drop all BitTorrent and eDonkey traffic originating from our servers. The servers are running Ubuntu 10.04 with stock kernel 2.6.32.16-linode28.
>
> Note that it does not seem to stop encrypted BitTorrent traffic, but something's better than nothing.
>
> ```shell
> ## Install the standard build tools ##
> apt-get install build-essential
>
> ## For Linode - download the kernel & generate headers ##
> cd /usr/src
> wget http://linode.com/src/$(uname -r).tar.bz2
> tar xjvf $(uname -r).tar.bz2
> ln -sf $(uname -r) linux
> cd linux
> make prepare
>
> ## Install xtables addons ##
> apt-get install xtables-addons-common
> apt-get install module-assistant
> module-assistant auto-install xtables-addons-source
> depmod -a
>
> ## Add rejection rules to iptables ##
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A PREROUTING -m ipp2p --edk -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -m ipp2p --bit -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -m mark --mark 1 -j CONNMARK --save-mark
> iptables -A FORWARD -m mark --mark 1 -j REJECT
>
> ## At this point, iptables-save it into our firewall file ##
> ## "pre-up iptables-restore < /etc/iptables.rules" is applied to eth0 ##
> ## in our /etc/network/interfaces file ##
> iptables-save > /etc/iptables.rules
> ```

Your method works. Thank you.

Wouldn't iptables be fairly successful in this if he'd only enable ports for the services that he needs?

For example, if he only uses HTTP and SSH, he could drop all traffic not coming from port 80 or 22.

I doubt all BitTorrent traffic would use either of those two.

Some would still get through. There will be some clients listening on port 80 and 22. Trying to block P2P is pure folly; the best you can hope to do is throw up some roadblocks to make it annoying.
