iptable-block-torrent

#!/bin/sh
# block torrent traffic by iptable/firewall for VPN/Proxy server
# [email protected]

# Delete all existing rules
iptables -F

# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow ALL incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# MultiPorts (Allow incoming SSH, HTTP, and HTTPS)
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

# Allow All custom proxy ports
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 800:820 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 800:820 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing SSH
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing HTTPS
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# Ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow outbound DNS
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

# Prevent DoS attack
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

# Log dropped packets
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP

How is this blocking torrents?

I don't think that. You can try:

iptables -I OUTPUT -t filter -p tcp -m string --string "BitTorrent" --algo bm -j REJECT --reject-with tcp-reset

How is this blocking torrents?

yes. You can. with Ipset you can massively block the ports that Torrent uses

First of all blocking ports is not really the solution. You are just making it harder, but not impossible. The right way to use a DPI and block torrent packets, which isn't happening here.

And what do you mean with Ipset? Is this related to the Gist here or can you provide an example?
Thanks

After that Openvpn stopped working. How can we do this with openvpn support?

First of all blocking ports is not really the solution. You are just making it harder, but not impossible. The right way to use a DPI and block torrent packets, which isn't happening here.

And what do you mean with Ipset? Is this related to the Gist here or can you provide an example? Thanks

DPI generates many false positives and is not a solution for medium or small environments as it consumes a lot of hardware resources.
Is better block well-known torrent ports (like a bittorrent/p2p TCP/UDP 6881-6889 58251-58252,58687,6969,1337,2760,4662,4672,8104) using Ipset rules into iptables bash script. For more information check ipset netfilter https://ipset.netfilter.org/
You can also use an iptables string rule (example: -m string --hex-string "|$string|" --algo kmp) to block anything that can evade the Ipset rule.