Hi, I usually set a policy "default drop" - it's what I prefer. If you keep the range of high (UDP) ports closed, many P2P clients will crash. There are alternatives like "l7filter" or "opendpi-netfilter for nDPI", but the processing cost can be quite high in larger networks. In particular, it is something that I avoid doing.

https://github.com/ewildgoose/ndpi-netfilter

Snort can help too. You can use a signature like this (local.rules):

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"RST P2P BitTorrent transfer"; flow:to_server; content:"|13|BitTorrent protocol"; depth:20; metadata:policy security-ips drop; classtype:policy-violation; sid:1000000; rev:4; resp:rst_all;)

In this example I set a flexresp reaction, but the result is more efficient in "inline mode".

2013/2/20 Dmitry Korzhevin <dmitry.korzhevin@xxxxxxxxxx>:
> Hello,
>
> Guys, I understand that this is a too frequent question, and I have already made a
> solid investigation in Google, but... maybe you already have good iptables
> rules to block such type of traffic (BitTorrent), or maybe you can give
> advice.
>
> For now I use Snort with BitTorrent-related detection rules, but it seems it is
> not the best solution.
>
>
> Best Regards,
> Dmitry
>
> ---
> Dmitry KORZHEVIN
> System Administrator
> STIDIA S.A. - Luxembourg
>
> e: dmitry.korzhevin@xxxxxxxxxx
> m: +38 093 874 5453
> w: http://www.stidia.com
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
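The following is an added example, not part of the thread above and not code from Snort or the netfilter project. It emulates, in Python, what the quoted signature actually matches: the header part (`$HOME_NET` -> `$EXTERNAL_NET`, with `$EXTERNAL_NET` taken as `!$HOME_NET`), `flow:to_server`, and `content:"|13|BitTorrent protocol"; depth:20`. It then parses the plaintext BitTorrent peer-wire handshake that the content match keys on and runs the rule over a handful of constructed TCP payloads. The `HOME_NET` value (192.168.1.0/24), the addresses, the info_hash, the peer_id and the stand-in for an encrypted handshake are all assumptions made for the example.

```python
"""Emulation of the Snort signature quoted in the reply above, applied to
constructed TCP payloads. Added example; not part of the original thread."""

import hashlib
import ipaddress

BT_PSTR = b"BitTorrent protocol"
BT_PREFIX = bytes([len(BT_PSTR)]) + BT_PSTR          # b"\x13BitTorrent protocol": pstrlen (19) + pstr
SNORT_DEPTH = 20                                     # depth:20 from the rule
HOME_NET = ipaddress.ip_network("192.168.1.0/24")    # assumed value for Snort's $HOME_NET


def snort_content_match(payload, content=BT_PREFIX, depth=SNORT_DEPTH):
    """Snort 'content' with 'depth': the pattern must lie entirely within the
    first `depth` bytes of the payload. With a 20-byte pattern and depth:20
    this only matches a handshake that starts at offset 0."""
    return content in payload[:depth]


def parse_handshake(payload):
    """Parse the BitTorrent peer-wire handshake:
    <pstrlen=19><"BitTorrent protocol"><reserved:8><info_hash:20><peer_id:20>.
    Returns None when the payload is not a complete plaintext handshake."""
    if len(payload) < 68 or payload[:20] != BT_PREFIX:
        return None
    reserved = payload[20:28]
    return {
        "info_hash": payload[28:48].hex(),
        "peer_id": payload[48:68],
        # Reserved-bit flags commonly advertised by clients (BEP 10 / BEP 5)
        "extension_protocol": bool(reserved[5] & 0x10),
        "dht": bool(reserved[7] & 0x01),
    }


def rule_fires(flow):
    """Emulate the header and options of the quoted rule:
    alert tcp $HOME_NET any -> $EXTERNAL_NET any (flow:to_server; content:...; depth:20;)
    $EXTERNAL_NET is treated as !$HOME_NET, Snort's usual default."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    if src not in HOME_NET or dst in HOME_NET:
        return False
    if not flow["to_server"]:        # flow:to_server -> only the connecting side's packets
        return False
    return snort_content_match(flow["payload"])


def matching_flows(flows):
    """Return the names of the constructed flows the rule would act on."""
    return [f["name"] for f in flows if rule_fires(f)]


# --- constructed sample traffic (not captured data) ---
INFO_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
PEER_ID = b"-TR2940-" + b"k3m9x2q1v7bz"            # Azureus-style peer id, 20 bytes
RESERVED = bytes([0, 0, 0, 0, 0, 0x10, 0, 0x01])   # extension-protocol and DHT bits set
HANDSHAKE = BT_PREFIX + RESERVED + INFO_HASH + PEER_ID   # 68 bytes
# Stand-in for an MSE/PE (protocol encryption) handshake: the plaintext string
# never appears on the wire, so the content match cannot see it.
ENCRYPTED = b"".join(hashlib.sha1(bytes([i])).digest() for i in range(5))

SAMPLE_FLOWS = [
    {"name": "outbound handshake", "src": "192.168.1.10", "dst": "203.0.113.5",
     "to_server": True, "payload": HANDSHAKE},
    {"name": "inbound peer handshake", "src": "203.0.113.5", "dst": "192.168.1.10",
     "to_server": True, "payload": HANDSHAKE},
    {"name": "our reply to inbound peer", "src": "192.168.1.10", "dst": "203.0.113.5",
     "to_server": False, "payload": HANDSHAKE},
    {"name": "plain http", "src": "192.168.1.10", "dst": "203.0.113.5",
     "to_server": True, "payload": b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"},
    {"name": "encrypted (MSE) handshake", "src": "192.168.1.10", "dst": "203.0.113.5",
     "to_server": True, "payload": ENCRYPTED},
    {"name": "handshake shifted by 4 bytes", "src": "192.168.1.10", "dst": "203.0.113.5",
     "to_server": True, "payload": b"\x00\x00\x00\x00" + HANDSHAKE},
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f['name']:30s} -> {'DROP' if rule_fires(f) else 'pass'}")
    print(parse_handshake(HANDSHAKE))
```

Two things the run makes visible that the rule text alone does not: because of `flow:to_server` and the `$HOME_NET -> $EXTERNAL_NET` direction, only connections initiated from inside are caught, so an external peer connecting to a local client (and the local client's own handshake back to it) passes; and the plaintext `BitTorrent protocol` string is absent from MSE-encrypted connections and from uTP/DHT traffic, which is UDP and therefore outside a `tcp` rule altogether, which is why the reply above pairs the signature with closing the high UDP ports.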