
Blocking p2p

  • 22-05-2003 2:35pm
    #1
    Registered Users Posts: 14,148 ✭✭✭✭


    Hey guys,

    I'm trying to block p2p sites (specifically KaZaA). AFAIK, the server connection comes via port 24, whilst downloads/uploads are created via port 1214.


    I'm using iptables, and any attempts to block this port seem to mean squat :confused:

    I've tried INPUT, FORWARD, OUTPUT and blocking both tcp & udp traffic to and from this port.

    I've added the above rules to both the relevant internal and external interfaces.

    Any thoughts?


Comments

  • Closed Accounts Posts: 6,143 ✭✭✭spongebob


    block it on the router, have ya a cisco

    use the access-list command

    deny ip any any eq 24

    or

    deny tcp any any eq 24
    deny udp any any eq 24

    if you want to be granular about it.

    keep adding ports as they become an issue.

    M


  • Registered Users Posts: 14,148 ✭✭✭✭Lemming


    so you're saying to block port 24 Muck?


  • Closed Accounts Posts: 6,143 ✭✭✭spongebob


    yep

    port 24 isn't used for anything common

    ftp 20 and 21
    Pc anywhere 20 or 22 I think (fallback)
    telnet 23
    smtp 25

    24 is safe enough...which is why kazaa selected it no doubt because it is in the "well known ports" range

    1214 is not in the "well known ports" list which are 1-1024

    that may be your problem with ipchains/iptables

    M


  • Registered Users Posts: 14,148 ✭✭✭✭Lemming


    Hmmm - ok. I lopped off all INPUT & FORWARD options for tcp & udp for ports 24 & 1214.

    But I think that KaZaA just 'intelligently' went looking at our proxy settings.


    GAHHHHHHHHHHHHHHH

    Time to mess with Squid now!


  • Registered Users Posts: 1,038 ✭✭✭rob1891


    This is kinda interesting (from the downloaders perspective :D) so I searched about a bit on google groups.
    I suggest you read "Building Internet Firewalls" - it comes with
    some quite good answers to your questions.

    Port 80: http, easy thing. Allow web access only through an
    application level proxy server like squid.
    Port 53: dns, same game. Why do local machines need to query
    external name servers? Provide an internal name server that forwards
    all requests
    Port 22: ssh, not that easy, but doable. Provide a bastion host
    where anyone with the need to ssh to external machines gets an
    account. Allow connections to the ssh port only to one special
    group (no problem with netfilter) and make the ssh binary
    set-group-id to that group.

    Basic action, either make the sending host trusted such that no
    forbidden client accesses special ports, or make the traffic trusted
    by forcing it through a proxy server that understands the used
    protocol (socks is not an option, and forcing does not necessarily
    mean transparent proxying).

    There is another suggestion that's pretty cool, though probably a horrible waste of resources: the guy does a grep for kazaa packets and then changes the routing table to blackhole any IPs he finds :eek:
    Hey, it's a hack. But it's mine :=) (not knowing better :( )

    Daemonized ngrep:

    ngrep -l -q -t -d eth0 -i 'kazaa' >> <some log file>

    and added a cron job that parses the log file looking for UDP packets
    that include the string kazaa (caseless) in the first 16 bytes. Rip
    the ip-address and:

    route add -host <host-ip> reject

    or

    ip route add blackhole <host-ip>/32

    in a few words (the script is longer).

    You could look for the strings 'kazaa' and 'super.*server' on TCP
    packets, to catch a few more.

    Rob
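The cron-job half of the hack quoted above, written out as an added example (not code from the thread or from the original poster). It parses the log that `ngrep -l -q -t -d eth0 -i 'kazaa'` appends to, keeps UDP hits with "kazaa" (caseless) in the first 16 bytes of payload, and prints a blackhole route per external peer. The ngrep header layout assumed is `U <date> <time> src:port -> dst:port` with the payload indented on the following line; the log path, the RFC1918 "internal" test and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example: turn an ngrep kazaa log into blackhole routes.
# Reads the file written by:  ngrep -l -q -t -d eth0 -i 'kazaa' >> /var/log/ngrep-kazaa.log
# Assumed header format: "U 2003/05/22 14:35:01.123456 src:port -> dst:port",
# payload on the next line, indented. Log path and sample data are constructed.

# Never blackhole our own side (assumption: the LAN uses RFC1918 space).
is_internal() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Unique external IPs (either end) of UDP packets in log $1 whose payload
# carries 'kazaa' (caseless) within its first 16 bytes, as the post describes.
kazaa_peers() {
    awk '
        /^U / {                     # header line of a UDP hit
            src = $4; dst = $6
            sub(/:[0-9]+$/, "", src); sub(/:[0-9]+$/, "", dst)
            pending = 1; next
        }
        pending {                   # first payload line after that header
            pending = 0
            line = $0; sub(/^[ \t]+/, "", line)
            if (tolower(substr(line, 1, 16)) ~ /kazaa/) { print src; print dst }
        }
    ' "$1" | sort -u | while read -r ip; do
        is_internal "$ip" || echo "$ip"
    done
}

# Route commands for those peers. Printed, not executed: review them, then
# pipe to sh as root (or use "route add -host $ip reject" on older tools).
blackhole_cmds() {
    kazaa_peers "$1" | while read -r ip; do
        echo "ip route add blackhole $ip/32"
    done
}

# Constructed sample log so the parser can be exercised offline.
write_sample_log() {
    cat > "$1" <<'EOF'
U 2003/05/22 14:35:01.123456 81.0.0.5:1214 -> 192.168.1.10:1214
  ..KaZaA..supernode..
U 2003/05/22 14:35:02.000001 192.168.1.10:1214 -> 83.1.2.3:1214
  .kazaa.
U 2003/05/22 14:35:03.000001 192.168.1.10:3000 -> 84.4.4.4:1214
  ......................kazaa appears past byte 16, so this one is skipped
T 2003/05/22 14:35:04.000001 192.168.1.10:1030 -> 85.5.5.5:80 [AP]
  GET /kazaa HTTP/1.0
EOF
}

tmp=$(mktemp); write_sample_log "$tmp"
blackhole_cmds "$tmp"; rm -f "$tmp"
```

On the sample log this prints blackhole routes for 81.0.0.5 and 83.1.2.3 only: the TCP hit is ignored, the third packet fails the 16-byte window, and the LAN address is never routed away. Lemming's objection in the next post still stands: any outside host that sends one UDP packet containing the string gets to edit your routing table, so a real deployment would at least cap the table size and expire entries.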


  • Registered Users Posts: 14,148 ✭✭✭✭Lemming


    Cheers for the feedback lads.

    Whilst googling, I came across veiled and cryptic biblical references to "string" filtering.

    Lo and behold - iptables would appear to have the ability to filter by packet-string-matching.

    Goddamn I love this software. I never get tired of figuring out what it does :D

    So I'm gonna give this a lash and see what happens. I currently don't have access to our Cisco router (a 1700 model) and as intriguing as black-holing IP addresses on the fly is, it does seem like it would be a bit of a resource hog. More so, the fact that an external entity (non-root user) can alter the security boundaries of the network simply by initiating a connection is unsettling to say the least.


  • Closed Accounts Posts: 1,509 ✭✭✭Tiesto


    You're gonna have to do more than blocking ports :cool:
    In KaZaA there is an option "use port 80 for incoming connections".
    Maybe you could ban that port :)


  • Registered Users Posts: 2,393 ✭✭✭Jaden


    Add an ACL to the squid.conf file like this:

    acl kazaa url_regex -i kazaa
    http_access deny kazaa

    It is case sensitive, so watch out.


  • Registered Users Posts: 14,148 ✭✭✭✭Lemming


    Originally posted by Tiesto
    You're gonna have to do more than blocking ports :cool:
    In KaZaA there is an option "use port 80 for incoming connections".
    Maybe you could ban that port :)


    heh ... yeah. I'll block port 80 - and fulfill my life-long ambition of NOT living past the next 5 minutes when the rest of the company comes looking for me .... ;)

    I'm gonna try Jaden's suggestion before I go recompiling iptables and building the string match module (unfortunately, it's not created/installed by default).

    I'll give ye's a shout later to let ye know how it went :)



    UPDATE
    Ok, I implemented Jaden's suggestion on squid and the kazaa site is being blocked.
    Lubbely Jubbely.

    But, the p2p app itself still works.
    Not so Lubbely Jubbely.


  • Registered Users Posts: 443 ✭✭bricks


    And then set up a transparent proxy on the firewall (Squid). Make sure the 'CONNECT' method is disabled and I think this should nobble KaZaA for good. Unless they start trying to get it working through port 445.
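Pulling the thread together, here is the gateway ruleset that Lemming's string-match post and bricks' transparent-proxy post work toward, as an added example (not code from the thread or from any poster). It assumes a Linux box routing a LAN on `eth1` to the Internet on `eth0` with Squid listening on 3128; the interface names, Squid port and rule order are assumptions. The payload match uses the modern `xt_string` syntax (`-m string --algo bm`, with `--icase` on a reasonably recent iptables), not the 2003 patch-o-matic module Lemming had to build. The script prints the commands instead of running them unless `DRY_RUN=0`, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example: block KaZaA on a Linux NAT gateway.
# Assumed layout: LAN on $LAN_IF, Internet on $WAN_IF, Squid on $SQUID_PORT.
# Dry run by default (prints each iptables command); DRY_RUN=0 applies them.

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
SQUID_PORT="${SQUID_PORT:-3128}"

ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Why the OP's rules "meant squat": packets routed on behalf of LAN hosts
# traverse only FORWARD. INPUT and OUTPUT carry the gateway's own traffic, so
# rules there never see a client's KaZaA session. Match the *destination*
# port of the outbound connection; the client's source port is ephemeral.
kazaa_rules() {
    for port in 24 1214; do
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport "$port" -j REJECT --reject-with tcp-reset
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p udp --dport "$port" -j DROP
    done
    # Port rules stop working once the client falls back to port 80 or the
    # proxy, so also drop by payload signature, caseless, as rob's ngrep did.
    # Caveat: matches per packet and on any payload containing the word, so
    # expect false positives on plain web pages that mention KaZaA.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -m string --algo bm --icase --string "kazaa" -j REJECT --reject-with tcp-reset
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p udp -m string --algo bm --icase --string "kazaa" -j DROP
}

# Transparent proxy: LAN port-80 connections are diverted into Squid, where
# the url_regex ACL and the stock "http_access deny CONNECT !SSL_ports" line
# apply to them; KaZaA's "use port 80" traffic is not HTTP and Squid drops it.
# The FORWARD rule is a backstop for anything the REDIRECT did not catch.
proxy_redirect() {
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 80 -j REJECT --reject-with tcp-reset
}

kazaa_rules
proxy_redirect
```

Two checks worth running after applying it for real: `iptables -L FORWARD -v -n` should show the counters on the port-24/1214 rules climbing while a client tries to connect, and Squid's access.log should show the port-80 attempts arriving as proxied requests. If the counters stay at zero, the traffic is not crossing this box on those interfaces, which is exactly the symptom the thread opened with.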

