Firewalling Peer to Peer protocols with Iptables

PeerToPeer applications have become increasingly popular for sharing data, media and other files over the internet. They are designed to allow users to find the files they want on other users' computers, and to download them using a variety of optimised techniques, sometimes without any dependency on central servers.

For a network administrator, PeerToPeer (P2P) traffic generates a number of challenges. For some, the bandwidth consumption needs controlling. Depending on local policies, it may be to limit the network usage or to prioritise it. For some, concerns about the legal ramifications of the downloading of copyright material may drive them towards logging or (in extreme cases) blocking the protocols altogether.

If a Linux firewall is to enforce these policies effectively, it must be able to identify the P2P traffic with a high degree of certainty. Sadly, simple rules (such as port-number matching) will not work for many of the existing protocols, and more complex mechanisms have to be employed. One or two P2P applications are designed to be difficult to identify, or to make use of multiple (sometimes encrypted) protocols in order to bypass firewalling restrictions.

The P2PWall project is focused on providing information and open source software to enable P2P protocols to be identified using a Linux firewall and the Netfilter/Iptables infrastructure. The project currently provides mechanisms for identifying (and blocking) the following protocols:

  • Fast-track (used by Kazaa and its clones).
  • BitTorrent
  • WinMX
  • Gnutella.
  • OpenNAP

There are three GPL software packages provided by P2PWall:

  • cutter - a command-line tool for cutting TCP/IP connections running over the firewall.
  • ftwall - a user-space daemon that allows Iptables to identify the Fast-track protocol (Kazaa et al).
  • ftwall2 - an enhanced version of ftwall that can also identify WinMX and OpenNAP.
  • rope - an Iptables match module that allows packet matching rules to be developed quickly using a simple scripting language. Supplied with this module are scripts for: blocking BitTorrent, blocking Gnutella and blocking large HTTP downloads.

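To illustrate why port-number matching is not enough and what a payload-based identification step looks like, here is an added example (not code from P2PWall or any of its packages). It assumes the standard BitTorrent peer-wire handshake layout (a length byte of 19 followed by the string "BitTorrent protocol") and uses constructed sample payloads; a rope script or user-space daemon would apply a check of this kind to the first bytes of a connection rather than to the port alone.

```python
# Added example: classify the first bytes of a TCP stream as BitTorrent or not,
# and contrast that with a naive destination-port rule.

# Standard BitTorrent handshake (assumed layout, not taken from this page):
# <pstrlen=19><"BitTorrent protocol"><8 reserved bytes><20-byte info_hash><20-byte peer_id>
BT_PSTR = b"BitTorrent protocol"
BT_HANDSHAKE_LEN = 1 + len(BT_PSTR) + 8 + 20 + 20  # 68 bytes in total


def is_bittorrent_handshake(payload: bytes) -> bool:
    """True if the stream starts with a BitTorrent handshake prefix."""
    if len(payload) < 1 + len(BT_PSTR):
        return False
    return payload[0] == len(BT_PSTR) and payload[1:1 + len(BT_PSTR)] == BT_PSTR


def classify(dst_port: int, payload: bytes) -> dict:
    """Compare a port-range rule with payload inspection for one connection."""
    return {
        # The classic BitTorrent listening range; clients can use any port.
        "port_rule": 6881 <= dst_port <= 6889,
        "payload_rule": is_bittorrent_handshake(payload),
    }


# Constructed sample: a BitTorrent handshake sent to port 80 (looks like web traffic by port).
SAMPLE_HANDSHAKE = (
    bytes([len(BT_PSTR)]) + BT_PSTR + b"\x00" * 8
    + b"\x11" * 20                      # placeholder info_hash
    + b"-XX0001-" + b"0" * 12           # placeholder peer_id
)
assert len(SAMPLE_HANDSHAKE) == BT_HANDSHAKE_LEN

# Constructed sample: an ordinary HTTP request sent to port 6881.
SAMPLE_HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"


if __name__ == "__main__":
    print("handshake on port 80:", classify(80, SAMPLE_HANDSHAKE))
    print("HTTP on port 6881:   ", classify(6881, SAMPLE_HTTP))
```

The port rule misses the handshake on port 80 and wrongly flags the HTTP request on port 6881, while the payload check gets both right; this is the kind of certainty the text says a firewall needs before it logs, shapes or blocks a flow.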
The following authors of this page have not agreed to the WlugWikiLicense. As such copyright to all content on this page is retained by the original authors.
  • ChrisLowth