Gist samuraee/872a0db39fa017dceee0
```sh
#!/bin/sh
# block torrent traffic by iptable/firewall for VPN/Proxy server
# [email protected]

# Delete all existing rules (and user-defined chains, so the LOGGING chain
# below can be re-created when the script is run again)
iptables -F
iptables -X

# Set default chain policies: anything not explicitly allowed below is dropped
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow ALL incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# MultiPorts (Allow incoming SSH, HTTP, and HTTPS)
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

# Allow all custom proxy ports (800-820)
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 800:820 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 800:820 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing SSH
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing HTTPS and HTTP
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# Ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow outbound DNS
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

# Prevent DoS attack
# Note: the multiport ACCEPT above already matches new connections to port 80,
# so as ordered here packets never reach this rate-limited rule.
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

# Log dropped packets (rate-limited so the log cannot be flooded), then drop
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP
```
I don't think that. You can try:

```sh
iptables -I OUTPUT -t filter -p tcp -m string --string "BitTorrent" --algo bm -j REJECT --reject-with tcp-reset
```
How is this blocking torrents?
Yes, you can. With ipset you can massively block the ports that torrent uses.
First of all, blocking ports is not really the solution. You are just making it harder, but not impossible. The right way is to use DPI and block torrent packets, which isn't happening here.
And what do you mean by ipset? Is this related to the Gist here, or can you provide an example?
Thanks
After that, OpenVPN stopped working. How can we do this with OpenVPN support?
DPI generates many false positives and is not a solution for medium or small environments, as it consumes a lot of hardware resources.
It is better to block the well-known torrent ports (like the BitTorrent/P2P TCP/UDP ports 6881-6889, 58251-58252, 58687, 6969, 1337, 2760, 4662, 4672, 8104) using ipset rules in an iptables bash script. For more information, check ipset netfilter: https://ipset.netfilter.org/
You can also use an iptables string rule (example: `-m string --hex-string "|$string|" --algo kmp`) to block anything that evades the ipset rule.
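What the last comment describes, as an added example that is not part of the gist or its comments: an ipset holding the quoted torrent ports, iptables rules that reject traffic to those ports on OUTPUT and FORWARD (the FORWARD chain is what matters for VPN clients whose traffic the server routes), and the string-match fallback for peers on other ports. The set name, the chains used, the REJECT target and the `APPLY` switch are my assumptions; by default the script only prints the commands so they can be reviewed, and `APPLY=1` executes them (root required).

```sh
#!/bin/sh
# Added example: ipset + iptables rules for the torrent ports quoted above.
set -eu

# Port list from the comment; "6881-6889" is a range in ipset syntax.
TORRENT_PORTS="6881-6889 58251-58252 58687 6969 1337 2760 4662 4672 8104"
SET_NAME="torrent_ports"   # assumed name for the ipset

# Print the command unless APPLY=1, in which case execute it.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# bitmap:port covers the whole port space in a fixed-size bitmap, so lookups
# cost the same however many ports or ranges are loaded. -exist makes the
# script safe to re-run.
build_torrent_set() {
    run ipset create "$SET_NAME" bitmap:port range 0-65535 -exist
    for p in $TORRENT_PORTS; do
        run ipset add "$SET_NAME" "$p" -exist
    done
}

# Insert (-I) at the top of the chain so these rules run before any ACCEPT.
# "dst" tells the set match to compare the destination port; both TCP and
# UDP are covered because uTP and DHT run over UDP.
install_torrent_rules() {
    for proto in tcp udp; do
        for chain in OUTPUT FORWARD; do
            run iptables -I "$chain" -p "$proto" -m set --match-set "$SET_NAME" dst -j REJECT
        done
    done
    # Payload fallback for peers listening on non-standard ports: the
    # BitTorrent handshake carries the literal string "BitTorrent protocol".
    for chain in OUTPUT FORWARD; do
        run iptables -I "$chain" -p tcp -m string --algo bm --string "BitTorrent protocol" \
            -j REJECT --reject-with tcp-reset
    done
}

build_torrent_set
install_torrent_rules
```

As the comment above notes, the string match can produce false positives (any TCP payload containing that string is rejected) and, like port blocking, it does not see encrypted peer connections; the ipset rule is the cheap first layer, not a complete block.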