- 08-10-2004 #1Just Joined!
- Join Date
- Apr 2004
- Posts
- 6
iptables firewall to block p2p traffic using ipp2p help pls
Hello,
I'm trying to get rid of kazaa and bittorrent traffic going through my box, and am having a crazy time trying to fix iptables.
I've downloaded and compiled this : http://rnvs.informatik.uni-leipzig.d.../index_en.html
Which is a p2p matching module for iptables ( ipp2p ).
I'm trying to set some basic rules:
iptables -F
iptables -A FORWARD -p tcp -m ipp2p --bit -j DROP
iptables -A FORWARD -p tcp -m ipp2p --kazaa -j DROP
iptables -A FORWARD -p tcp -m ipp2p --dc -j DROP
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
The traffic however, still gets through. Even stranger, if I flush with iptables -F the nat still works?! Shouldn't it stop working?
Confused.
Help appreciated.
Alex
- 08-10-2004 #2Just Joined!
- Join Date
- Jul 2004
- Location
- UK
- Posts
- 77
Rather than using FORWARD try INPUT for your DROP rules.
Armage
- 08-10-2004 #3Just Joined!
- Join Date
- Apr 2004
- Posts
- 6
Shouldn't the NAT stop working though if I issue an:
iptables -F
- 08-10-2004 #4Just Joined!
- Join Date
- Jul 2004
- Location
- UK
- Posts
- 77
The NAT is in a different table. Hence iptables -t. This may be why the flush doesn't clear the NAT.
Hope this helps. Post back how you get on.
Armage
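The point made in the reply above, that a plain iptables -F only clears the filter table, shown as an added example that is not part of the thread. It parses an iptables-save style dump; the dump is constructed from the first post's rules, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: the first post's rules, grouped by table the way
# `iptables-save` prints them (one "*table" header per table).
SAMPLE_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m ipp2p --bit -j DROP
-A FORWARD -p tcp -m ipp2p --kazaa -j DROP
-A FORWARD -p tcp -m ipp2p --dc -j DROP
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

# Print "<table> <rule count>" for every table in a dump read from stdin.
rules_per_table() {
    awk '
        /^\*/  { table = substr($0, 2); order[++n] = table; count[table] = 0; next }
        /^-A / { count[table]++ }
        END    { for (i = 1; i <= n; i++) print order[i], count[order[i]] }
    '
}

# Emulate `iptables -t <table> -F` on a dump: remove that table's rules only.
# With no argument the table is "filter", matching a plain `iptables -F`.
simulate_flush() {
    awk -v target="${1:-filter}" '
        /^\*/ { table = substr($0, 2) }
        /^-A / && table == target { next }
        { print }
    '
}

# Name the tables that still hold rules after a plain `iptables -F`.
survivors_after_plain_flush() {
    simulate_flush filter | rules_per_table | awk '$2 > 0 { print $1 }'
}

echo "rules per table:"
printf '%s\n' "$SAMPLE_DUMP" | rules_per_table
echo "still loaded after a plain iptables -F:"
printf '%s\n' "$SAMPLE_DUMP" | survivors_after_plain_flush
```

On a live box the same functions can read `iptables-save` output run as root; each table they list needs its own `iptables -t <table> -F` to be cleared.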
- 08-10-2004 #5Just Joined!
- Join Date
- Apr 2004
- Posts
- 6
Ahh crap I see..thanks.
iptables -t nat -L
shows a separate list.
At which step should I insert the drop rules in this case? In which table also? I've changed the rules above to the INPUT chain as you suggest, and still to no avail.
- 08-10-2004 #6Just Joined!
- Join Date
- Jul 2004
- Location
- UK
- Posts
- 77
These rules look like they are allowing established connections access through the firewall. I would test turning them off too.
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
The drops are ok where they are.
Armage
- 08-10-2004 #7Just Joined!
- Join Date
- Apr 2004
- Posts
- 6
Well after a slew of trial and error I have found where the calls are to be placed. Removing any of these results in p2p traffic going through.
iptables -F
iptables -A INPUT -p tcp -m ipp2p --ipp2p -j DROP
iptables -A FORWARD -p tcp -m ipp2p --ipp2p -j DROP
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -m ipp2p --ipp2p -j DROP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- 06-22-2005 #8Just Joined!
- Join Date
- Jun 2005
- Posts
- 5
An alternative approach would be to use "ROPE" (http://www.lowth.com/rope) and/or Ftwall (http://www.lowth.com/p2pwall/ftwall).
- 04-23-2008 #9Just Joined!
- Join Date
- Apr 2008
- Posts
- 1
- 11-27-2008 #10Just Joined!
- Join Date
- Nov 2008
- Posts
- 2
Hello Alex,
I have a question; the link mentioned in your post is inaccessible,
but the question is, how have you installed your ipp2p to work correctly? I have followed several tutorials, I can reach the help file via 'iptables -m ipp2p -h', but when I try any other iptables command with ipp2p in it, I get the error 'segmentation fault'. Do you have any idea how that's possible, or where did you get your info on installing it?
Kind Regards




