Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Blocking p2p

  • 22-05-2003 1:35pm
    #1
    Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭


    Hey guys,

    I'm trying to block p2p sites (specifically KaZaA). AFAIK, the server connection comes via port 24. whilst download/uploads are created via port 1214.


    I'm using iptables, and any attempts to block this port seem to mean squat :confused:

    I've tried INPUT, FORWARD, OUTPUT and blocking both tcp & udp traffic to and from this port.

    I've added the above rules to both the relevant internal and external interfaces.

    Any thoughts?


Comments

  • Closed Accounts Posts: 6,143 ✭✭✭spongebob


    block it on the router, have ya a cisco

    use access-table command

    deny ip any any eq 24

    or

    deny tcp any any eq 24
    deny udp any any eq 24

    if you want to be granular about it.

    keep adding ports as they become an issue.

    M


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    so you're saying to block port 24 Muck?


  • Closed Accounts Posts: 6,143 ✭✭✭spongebob


    yep

    port 24 isnt used for anything common

    ftp 20 and 21
    Pc anywhere 20 or 22 I think (fallback)
    telnet 23
    smtp 25

    24 is safe enough...which is why kazaa selected it no doubt because it is in the "well known ports" range

    1214 is not in the "well known ports" list which are 1-1024

    that may be your problem with ipchains/iptables

    M


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Hmmm - ok. I lopped off all INPUT & FORWARD options for tcp & udp for ports 24 & 1214.

    But I think that KaZaA just 'intelligently' went looking at our proxy settings.


    GAHHHHHHHHHHHHHHH

    Time to mess with Squid now!


  • Registered Users, Registered Users 2 Posts: 1,038 ✭✭✭rob1891


    This is kinda interesting (from the downloaders perspective :D) so I searched about a bit on google groups.
    I suggest you read "Building Internet Firewalls" - it comes with
    some quite good answers to your questions.

    Port 80: http, easy thing. Allow web access only through an
    application level proxy server like squid.
    Port 53: dns, same game. Why do local machines need to query
    external name servers? Provide an internal name server that forwards
    all requests
    Port 22: ssh, not that easy, but doable. Provide a bastion host
    where anyone with the need to ssh to external machines gets an
    account. Allow connections to the ssh port only to one special
    group (no problem with netfilter) and make the ssh binary
    set-group-id to that group.

    Basic action, either make the sending host trusted such that no
    forbidden client accesses special ports, or make the taffic trusted
    by forcing it through a proxy server that understands the used
    protocol (socks is not an option, and forcing does not necessarily
    mean transparent proxying).

    There is another suggestion that's pretty cool, though probably a horrible waste of resources, the guys does a grep for kazaa packets and then changes the routing table to blackhole any IPs he finds :eek:
    Hey, it's a hack. But it's mine :=) (not knowing better :( )

    Daemonized ngrep:

    ngrep -l -q -t -d eth0 -i 'kazaa' >> <some log file>

    and added a cron job that parses the log file looking for UDP packets
    that include the string kazaa (caseless) in the first 16 bytes. Rip
    the ip-address and:

    route add -host <host-ip> reject

    or

    ip route add blackhole <host-ip>/32

    in a few words (the script is longer).

    You could look for the strings 'kazaa' and 'super.*server' on TCP
    packets, to catch a few more.

    Rob


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Cheers for the feedback lads.

    Whilst googling, I came across veild and cryptic byblical references to "string" filtering.

    Lo and behold - iptables would appear to have the ability to filter by packet-string-matching.

    Goddamn I love this software. I never get tired of figuring out what it does :D

    So I'm gonna give this a lash and see what happens. I currently don't have access to our Cisco router (a 1700 model) and as intruiging as black-holing ip addresses on the fly is, it does seem like it would be a bit of a resource hog. More so, the fact that an external entity non-root user) can alter the security boundaries of the network simply by initiating a connection is unsettling to say the least.


  • Closed Accounts Posts: 1,509 ✭✭✭Tiesto


    ur gonna have to do more than blocking ports :cool:
    in kazaa there is an option " use port 80 for incoming connections"
    maybe u cud ban that port :)


  • Registered Users, Registered Users 2 Posts: 2,393 ✭✭✭Jaden


    Add an ACL to the squid.conf file like this:

    acl kazaa url_regex -i kazaa
    http_access deny kazaa

    It is case sensitive, so watch out.


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Originally posted by Tiesto
    ur gonna have to do more than blocking ports :cool:
    in kazaa there is an option " use port 80 for incoming connections"
    maybe u cud ban that port :)


    heh ... yeah. I'll block port 80 - and fulfill my life-long ambition of NOT living past the next 5 minutes when the rest of the company comes looking for me .... ;)

    I'm gonna try Jaden's suggestion before I go recompiling iptables and building the string match module (unfortunately, it's not created/installed bty default)

    I'll give ye's a shout later to let ye know how it went :)



    UPDATE
    Ok, I implemented Jaden's suggestion on squid and the kazaa site is being blocked.
    Lubbely Jubbely.

    But, the p2p app itself still works.
    Not so Lubbely Jubbely.


  • Registered Users, Registered Users 2 Posts: 443 ✭✭bricks


    And then setup a transparent proxy on the firewall (Squid). Make sure the 'CONNECT' method is disabled and I think this should noble Kazza for good. Unless they start trying to get it working through port 445.


  • Advertisement
Advertisement