On Feb 20, 2013, Humberto Juc? wrote:
> Hi,
>
> I usually set a policy "default drop" - it's what I prefer.
> Keeping the range of high ports (UDP) closed, many P2P clients will crash.
>
> There are alternatives like "l7filter" or "opendpi-netfilter for nDPI",
> but the processing cost can be quite high in larger networks.
> Particularly, it is something that I avoid doing.
> https://github.com/ewildgoose/ndpi-netfilter
>
> Snort can help too. You can use a signature like this (local.rules):
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"RST P2P BitTorrent
> transfer"; flow:to_server; content:"|13|BitTorrent protocol";
> depth:20; metadata:policy security-ips drop;
> classtype:policy-violation; sid:1000000; rev:4; resp:rst_all;)
>
> In this example I set a flexresp reaction, but the result is more
> efficient in "inline mode".

If you go the snort rule route, fwsnort can translate this to (after
removing the metadata keyword - need to update that):

-A FWSNORT_FORWARD -p tcp -m tcp -m string --hex-string "|13426974546f7272656e742070726f746f636f6c|" --algo bm --to 84 -m comment --comment "sid:1000000; msg:RST P2P BitTorrent transfer; classtype:policy-violation; rev:4; FWS:1.6.3;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] REJ SID1000000 "
-A FWSNORT_FORWARD -p tcp -m tcp -m string --hex-string "|13426974546f7272656e742070726f746f636f6c|" --algo bm --to 84 -j REJECT --reject-with tcp-reset

The above rule is generated with the fwsnort --ipt-reject option if you
really want iptables to reset the connection.

--Mike

> 2013/2/20 Dmitry Korzhevin <dmitry.korzhevin@xxxxxxxxxx>:
> > Hello,
> >
> > Guys, I understand that this is a too frequent question, and I've already made
> > a solid investigation in google, but... maybe you already have good iptables
> > rules to block such type of traffic (Bittorrent), or maybe you can give
> > advice.
> >
> > For now I use snort with bittorrent-related detection rules, but it seems it is
> > not the best solution.
> >
> > Best Regards,
> > Dmitry
> >
> > ---
> > Dmitry KORZHEVIN
> > System Administrator
> > STIDIA S.A. - Luxembourg
> >
> > e: dmitry.korzhevin@xxxxxxxxxx
> > m: +38 093 874 5453
> > w: http://www.stidia.com
> >
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
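The translation Mike shows, from the Snort `content:"|13|BitTorrent protocol"` keyword to the iptables `-m string --hex-string "|1342...6c|"` match, is the step most worth checking by hand before loading such a rule. The script below is an added example written for this thread; it is not fwsnort's code nor anything posted by the participants. It converts Snort's mixed `|hex|`/text content syntax into the pure `|hex|` form iptables expects, decodes an existing `--hex-string` back to bytes so a rule already in a ruleset can be audited, and assembles a LOG plus REJECT rule pair in the same shape as the fwsnort output above. The function names, the fixed `--to` offset (passed in as a parameter, 84 as in the thread) and the sample values are all assumptions; the rule strings are for review, the script does not call iptables. Note that a string match of this kind only sees the cleartext handshake bytes, so it is a cheap policy control rather than a complete one.

```python
import re
import shlex

# Constructed sample: the content keyword from the Snort rule in the thread.
SNORT_CONTENT = "|13|BitTorrent protocol"


def snort_content_to_bytes(content: str) -> bytes:
    """Convert a Snort content string with |hex| escapes into raw bytes.

    Snort writes binary bytes between pipes as hex pairs ("|13|") and
    everything outside the pipes as literal text.
    """
    parts = content.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content: %r" % content)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:          # text segment
            out += part.encode("latin-1")
        else:                   # hex segment, spaces between pairs allowed
            out += bytes.fromhex(part.replace(" ", ""))
    return bytes(out)


def to_iptables_hex_string(data: bytes) -> str:
    """Render bytes in the |hex| form accepted by iptables -m string --hex-string."""
    return "|" + data.hex() + "|"


def from_iptables_hex_string(hexstr: str) -> bytes:
    """Decode an iptables --hex-string back to bytes, for auditing existing rules."""
    m = re.fullmatch(r"\|([0-9a-fA-F]+)\|", hexstr.strip())
    if not m or len(m.group(1)) % 2:
        raise ValueError("not a pure |hex| string: %r" % hexstr)
    return bytes.fromhex(m.group(1))


def build_rules(chain, content, sid, msg, classtype, rev, to_offset, log_prefix):
    """Build a LOG rule and a REJECT rule (as iptables argument strings).

    Mirrors the shape of the fwsnort output in the thread: both rules share
    the same string match; the first logs, the second sends a TCP reset.
    to_offset is the --to value (hypothetical parameter; 84 in the thread).
    """
    hexstr = to_iptables_hex_string(snort_content_to_bytes(content))
    match = ["-A", chain, "-p", "tcp", "-m", "tcp", "-m", "string",
             "--hex-string", hexstr, "--algo", "bm", "--to", str(to_offset)]
    comment = f"sid:{sid}; msg:{msg}; classtype:{classtype}; rev:{rev};"
    log_rule = match + ["-m", "comment", "--comment", comment,
                        "-j", "LOG", "--log-ip-options", "--log-tcp-options",
                        "--log-prefix", log_prefix]
    reject_rule = match + ["-j", "REJECT", "--reject-with", "tcp-reset"]
    # shlex.join quotes each argument so the lines can be pasted into a shell.
    return [shlex.join(log_rule), shlex.join(reject_rule)]


if __name__ == "__main__":
    # Round-trip check: encode the Snort content, then decode the result.
    hexstr = to_iptables_hex_string(snort_content_to_bytes(SNORT_CONTENT))
    print("iptables hex-string:", hexstr)
    print("decodes to:", from_iptables_hex_string(hexstr))
    for rule in build_rules("FWSNORT_FORWARD", SNORT_CONTENT, 1000000,
                            "RST P2P BitTorrent transfer", "policy-violation",
                            4, 84, "[1] REJ SID1000000 "):
        print(rule)
```

Run it and compare the printed hex-string with the one in the fwsnort rule above; the bytes must be identical or the iptables rule silently matches nothing.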