On Tuesday, 8 June 2004 21:15, Walter Wickersham wrote:
> Greetings, I've searched, found ftwall, and some other commercial
> solutions, but am wondering if anyone on this list has any solutions using
> a linux firewall to block p2p traffic, more specifically Kazaa.
>

Hi,

I've integrated ipp2p (http://rnvs.informatik.uni-leipzig.de/ipp2p/index_en.html) in my shorewall firewall (http://www.shorewall.net/) setup:

in /etc/shorewall/start (create the file if not there)

#######
# ipp2p
#######
# Note: -I prepends to FORWARD, so the LOG rule inserted second ends up
# in front of the DROP rule inserted first (log, then drop).
echo -n " starting ipp2p "

# ipp2p for appleJuice
echo -n "(appleJuice) "
/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --apple -j DROP
/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --apple -j LOG --log-level 6 \
    --log-prefix "ipp2p: appleJuice-traffic "

# ipp2p for dc
echo -n "(DC) "
/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --dc -j DROP
/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --dc -j LOG --log-level 6 \
    --log-prefix "ipp2p: dc-traffic "

# ipp2p for gnutella
echo -n "(gnutella) "
/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --gnu -j DROP
/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --gnu -j LOG --log-level 6 \
    --log-prefix "ipp2p: gnutella-traffic "

# ipp2p for eDonkey
echo -n "(eDonkey) "
/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --edk -j DROP
/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --edk -j LOG --log-level 6 \
    --log-prefix "ipp2p: eDonkey-traffic "

# ipp2p for kazaa
echo -n "(kazaa) "
/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --kazaa -j DROP
/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --kazaa -j LOG --log-level 6 \
    --log-prefix "ipp2p: kazaa-traffic "

# ipp2p for BitTorrent (allowed ;)
# (the continuation line is commented out as well: a backslash at the end of
# a comment does not continue it, so an uncommented --log-prefix line would be
# run as a command of its own)
echo -n "(BitTorrent) "
#/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --bit -j DROP
#/usr/sbin/iptables -I FORWARD -p tcp -m ipp2p --bit -j LOG --log-level 6 \
#    --log-prefix "ipp2p: BitTorrent-traffic "

echo ""
echo " ipp2p started"

and in /etc/shorewall/modules

# ipp2p (p2p Traffic)
loadmodule ipp2p

works like a charm ;))

I don't use the connmark stuff at the moment, because I have not found the time to recompile my kernel.

hope this helps
Toni

> Walter Wickersham

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
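The same log-then-drop rule set as an added example (not code from Toni's post, nor from the ipp2p or Shorewall projects): the rules are built in a dedicated chain with -A, so the LOG/DROP order is explicit and re-running the script flushes and rebuilds the chain instead of stacking duplicate -I rules in FORWARD. It assumes the ipp2p match flags the post uses (--apple, --dc, --gnu, --edk, --kazaa); the chain name ipp2p_block, the IPTABLES and CHAIN variables and the apply/show arguments are the example's own inventions. Like the post it matches TCP only. With IPTABLES=echo it prints the rules instead of applying them, which lets the order be checked without root.

```shell
#!/bin/sh
# Added example: ipp2p LOG+DROP rules in their own chain.
# Assumptions (not from the original post): chain name ipp2p_block,
# the IPTABLES/CHAIN variables and the "apply"/"show" arguments.
# IPTABLES=echo prints the rules instead of applying them.

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
CHAIN="${CHAIN:-ipp2p_block}"

# "flag:label" pairs: the ipp2p match option and the label for the log prefix.
# BitTorrent (--bit), which the post allows, is simply left out of the list.
BLOCKED_P2P="apple:appleJuice dc:dc gnu:gnutella edk:eDonkey kazaa:kazaa"

# Append LOG then DROP for one protocol. With -A in our own chain the order
# is explicit; the original script relied on -I prepending the LOG rule in
# front of the DROP rule it had just inserted.
ipp2p_rules_for() {
    flag="$1"
    label="$2"
    "$IPTABLES" -A "$CHAIN" -p tcp -m ipp2p "--$flag" -j LOG --log-level 6 \
        --log-prefix "ipp2p: ${label}-traffic "
    "$IPTABLES" -A "$CHAIN" -p tcp -m ipp2p "--$flag" -j DROP
}

# (Re)create the chain and hook it into FORWARD. Flushing an existing chain
# and deleting any old jump first keeps a second run from duplicating rules.
ipp2p_setup() {
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || "$IPTABLES" -F "$CHAIN"
    for entry in $BLOCKED_P2P; do
        ipp2p_rules_for "${entry%%:*}" "${entry#*:}"
    done
    "$IPTABLES" -D FORWARD -p tcp -j "$CHAIN" 2>/dev/null
    "$IPTABLES" -I FORWARD -p tcp -j "$CHAIN"
}

# Usage: "sh ipp2p-rules.sh apply" installs the rules (needs root),
#        "sh ipp2p-rules.sh show" only prints them.
case "${1:-}" in
    apply) ipp2p_setup ;;
    show)  IPTABLES=echo ipp2p_setup ;;
esac
```

Dropping "show" into /etc/shorewall/start would replace the block of echo/iptables lines above with a single call to ipp2p_setup; the per-protocol list is then the only thing to edit when a protocol is added or, like BitTorrent here, deliberately allowed.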