OpenWrt Forum Archive

Topic: How to block bittorrent traffic? QOS

The content of this topic has been archived on 23 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all,

I've been trying to block any P2P traffic on our WiFi networks, because we're a public space.

Using IPP2P I could successfully disable any eDonkey communication - regardless of the port being used.

But IPP2P is not successful in blocking bittorrent traffic :( ...

Do you know of a way to block bittorrent?

I've been using Google to find that there's a tool named ROPE which is claimed to block any bittorrent traffic.
http://www.lowth.com/rope/BlockingBittorrent

But I've found no information about ROPE being available for OpenWrt.

So - what should I do?

Is there an alternative to successfully block bittorrent traffic?

Thanks and cheers, Max!

I suppose the layer7 iptables module should do the job.

I'm using it for QoS purposes currently and the bittorrent regex plugin works great for me.

http://wiki.openwrt.org/MiniHowtos/QoSH … 8480c06fb3

So, instead of:
iptables -t mangle -A POSTROUTING -o $WAN -m layer7 --l7proto bittorrent -j MARK --set-mark 4

I guess you should use:
iptables -A FORWARD -m layer7 --l7proto bittorrent -j DROP

But really, in addition to downloading illegal material, bittorrent is also commonly used for legal purposes so I'm not sure if dropping all BT traffic is the correct thing to do.

Hi,

I am exactly using

iptables -A FORWARD -m layer7 --l7proto bittorrent -j DROP

to completely shut down bittorrent, but it doesn't seem to be influenced by it at all and keeps downloading and uploading happily. Same thing for limewire/gnutella.

I hope I am not missing anything... The module 'ipt_layer7' is loaded and I get this:

# iptables -L | grep LAYER7
REJECT     all  --  anywhere             anywhere            LAYER7 l7proto gnutella reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            LAYER7 l7proto bittorrent reject-with icmp-port-unreachable

As you can see, I used

iptables blabla REJECT

instead of

iptables blabla DROP

but unfortunately it didn't help either.

Any help is greatly appreciated!

Thanks, R!tman

You will have MUCH better luck with using L7-filters to *THROTTLE* BitTorrent traffic.

If you cut it off entirely, either the smarts in the software, or the user will find ways around your blocks.

If you recognize it and throttle it, you will avoid this back-and-forth.

How about QoS it down to fairly low bandwidth? That works for most people.

Thanks for the tip. I did that and it works very well so far. I used this tutorial.
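The throttling approach recommended above, as an added example that is not part of the thread: the layer7 mark from the earlier reply (`--set-mark 4` in mangle POSTROUTING) is combined with CONNMARK so that every packet of a classified connection keeps the mark, and an HTB tree on the WAN interface gives marked flows a small guaranteed rate and a hard ceiling instead of dropping them. The WAN interface name, the rates and the chain name `bt_classify` are assumptions; `DRY_RUN=1` (or the default `show` argument) prints the rule set instead of applying it, so it can be reviewed off the router.

```shell
#!/bin/sh
# Throttle BitTorrent on an OpenWrt router with the layer7 match (added example, not from the thread).
# Assumptions: iptables with ipt_layer7 and the bittorrent pattern, tc with HTB and SFQ, WAN is eth0.

WAN="${WAN:-eth0}"                  # assumed upstream interface
UPLINK_KBIT="${UPLINK_KBIT:-1000}"  # total upstream rate to shape, kbit/s
BT_KBIT="${BT_KBIT:-64}"            # guaranteed rate for BitTorrent
BT_CEIL_KBIT="${BT_CEIL_KBIT:-128}" # hard cap for BitTorrent even on an idle link
BT_MARK=4                           # fwmark used in the thread's marking rule

# run: execute a command, or print it when DRY_RUN is set (lets the rule set be reviewed without root).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mark_bittorrent: classify outbound connections with layer7 and persist the mark in conntrack.
# layer7 only inspects the first packets of a connection, so CONNMARK --restore-mark carries the
# mark to every later packet; connections already marked skip the (expensive) pattern match.
mark_bittorrent() {
    run iptables -t mangle -N bt_classify 2>/dev/null
    run iptables -t mangle -F bt_classify
    run iptables -t mangle -A bt_classify -j CONNMARK --restore-mark
    run iptables -t mangle -A bt_classify -m mark ! --mark 0 -j RETURN
    run iptables -t mangle -A bt_classify -m layer7 --l7proto bittorrent -j MARK --set-mark "$BT_MARK"
    run iptables -t mangle -A bt_classify -j CONNMARK --save-mark
    run iptables -t mangle -A POSTROUTING -o "$WAN" -j bt_classify
}

# shape_uplink: HTB root with a default class for everything else and a low-priority,
# capped class that the fw filter selects for packets carrying BT_MARK.
shape_uplink() {
    run tc qdisc del dev "$WAN" root 2>/dev/null
    run tc qdisc add dev "$WAN" root handle 1: htb default 10
    run tc class add dev "$WAN" parent 1: classid 1:1 htb rate "${UPLINK_KBIT}kbit"
    run tc class add dev "$WAN" parent 1:1 classid 1:10 htb \
        rate "$((UPLINK_KBIT - BT_KBIT))kbit" ceil "${UPLINK_KBIT}kbit" prio 0
    run tc class add dev "$WAN" parent 1:1 classid 1:20 htb \
        rate "${BT_KBIT}kbit" ceil "${BT_CEIL_KBIT}kbit" prio 7
    run tc qdisc add dev "$WAN" parent 1:20 handle 20: sfq perturb 10
    run tc filter add dev "$WAN" parent 1: protocol ip prio 1 handle "$BT_MARK" fw flowid 1:20
}

case "${1:-show}" in
    apply) mark_bittorrent; shape_uplink ;;
    show)  DRY_RUN=1; mark_bittorrent; shape_uplink ;;
    *)     echo "usage: $0 apply|show" >&2; exit 2 ;;
esac
```

This shapes egress on the WAN side only, i.e. uploads; downloads arrive on the WAN ingress and can only be slowed by attaching an equivalent HTB tree to the LAN-facing interface (or by IMQ/IFB), since the layer7/CONNMARK marking already applies to both directions of the connection. The ceiling is what keeps a determined client from saturating the link; the guaranteed rate is what keeps it from being starved into retrying elsewhere.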

Bittorrent uses dynamic ports from 6881 to 6889. It can also turn to using port 80 if 6881-6889 are all blocked.
Here is bittorrent protocol description and a wonderful tool to block bittorrent and other p2p programs:
http://www.imfirewall.com/en/protocols/bt.htm

But if the torrent clients uses encryption? My understanding of the l7 rule is that it won't catch it.

@gengw2000:
Most (illegal) trackers disallow ports 6881 to 6889, so a lot of BT clients don't run on the standard ports anyway. Also - the program you're linking to is for Windows and not much of a help for OpenWrt :) ...

@Floppe:
You're right, it will only be caught when the protocol is not encrypted.
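Why the layer7 match sees plaintext BitTorrent on any port but nothing once the client enables protocol encryption, as an added example that is not part of the thread: `classify_payload` applies the same kind of signatures a layer7 pattern uses (the BEP 3 peer handshake, HTTP tracker requests, a BEP 5 DHT query) to the first bytes of a payload. The signatures are written from the protocol specifications, not copied from l7-protocols' `bittorrent.pat`, and the four sample payloads are constructed for this example; the "encrypted" one stands in for the start of an MSE/PE handshake, which begins with a Diffie-Hellman public key and random padding.

```shell
#!/bin/sh
# Payload classification in the style of a layer7 match (added example, not from the thread).
# classify_payload reads a TCP/UDP payload on stdin and prints "bittorrent" or "unknown".

classify_payload() {
    # First 64 bytes as one lowercase hex string, so binary bytes can be matched portably.
    hex=$(head -c 64 | od -An -v -tx1 | tr -d ' \n')
    case "$hex" in
        # "\x13BitTorrent protocol": the peer-wire handshake (BEP 3)
        13426974546f7272656e742070726f746f636f6c*) echo bittorrent; return 0 ;;
        # "GET /announce?info_hash=" or "GET /scrape?info_hash=": HTTP tracker requests
        474554202f616e6e6f756e63653f696e666f5f686173683d*) echo bittorrent; return 0 ;;
        474554202f7363726170653f696e666f5f686173683d*)     echo bittorrent; return 0 ;;
        # "d1:ad2:id20:": bencoded start of a DHT query (BEP 5)
        64313a6164323a696432303a*) echo bittorrent; return 0 ;;
    esac
    echo unknown
    return 1
}

# Constructed samples (not captures): handshake, tracker announce, DHT ping, and the start of an
# MSE/PE encrypted handshake. The announce advertises listening port 51413, outside 6881-6889.
plain_handshake() {
    printf '\023BitTorrent protocol\000\000\000\000\000\000\000\000'
    printf '%s' 'INFOHASH0123456789AB'   # 20-byte info_hash placeholder
    printf '%s' '-XX0001-PEERID123456'   # 20-byte peer_id placeholder
}
tracker_announce() {
    printf '%s' 'GET /announce?info_hash=%AB%CD%EF&peer_id=-XX0001-PEERID123456&port=51413 HTTP/1.1'
}
dht_ping() {
    printf '%s' 'd1:ad2:id20:ABCDEFGHIJKLMNOPQRSTe1:q4:ping1:t2:aa1:y1:qe'
}
mse_handshake() {
    # Stand-in for the DH public key that opens an MSE/PE handshake: no fixed bytes to match.
    printf '\216\321\047\334\117\002\270\351\135\026\201\244\370\063\105\032\031\211\157\223\300\107\064\177'
}

for sample in plain_handshake tracker_announce dht_ping mse_handshake; do
    printf '%-16s -> %s\n' "$sample" "$($sample | classify_payload)"
done
```

The first three samples are caught regardless of which TCP or UDP port carries them, which is why port lists like 6881-6889 are beside the point. The fourth is not, and a real layer7 pattern fares no better: after the MSE key exchange the handshake and every later message are RC4-encrypted, so there is no fixed byte sequence left in the stream to match. That is the gap the thread's "throttle instead of block" advice is working around.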

Bittorrent can run on any port, not just the ranges provided.  If I remember, the encryption support was added to counter commercial ISPs that were throttling bittorrent connections of their paying customers due to them having oversold their bandwidth.  I doubt you can get around the encryption effectively.  You might be best off throttling everything at a tier only above the known filesharing programs and then elevating QOS for a list of known protocols (web, ntp, ldap, imap, pop, xmpp, legacy IM clients, etc).  It's hacky, but if you have determined abusive bittorrent users, it might be your only choice since the filetraders will kill the usability of the network otherwise.

The discussion might have continued from here.