iptable p2p

meisw's blog

Trackbacks

发表评论

日志分类

日志归档

搜索文章

最新评论

博客信息

友情链接

Below is my iptables rules set. This works like a charm. I have created a https transparent intercept proxy and send all traffic through that proxy server.

Using this iptables rules, I can control the network.

2086, 2087, 2095 ports are open because we use WHM cpanel and cpanel web mail.

8080 for additional web server.

192.168.2.0 is the local network.

IPTables rule:

#Generated by iptables-save v1.4.8 on Tue Mar 10 15:03:01 2015

*nat

:PREROUTING ACCEPT [470:38063]

:POSTROUTING ACCEPT [9:651]

:OUTPUT ACCEPT [1456:91962]

-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.1:3128

-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.2.1:3127

-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127

-A POSTROUTING -o eth0 -j MASQUERADE

-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE

COMMIT

# Completed on Tue Mar 10 15:03:01 2015

# Generated by iptables-save v1.4.8 on Tue Mar 10 15:03:01 2015

*filter

:INPUT ACCEPT [2106:729397]

:FORWARD ACCEPT [94:13475]

:OUTPUT ACCEPT [3252:998944]

-A INPUT -p tcp -m tcp --dport 3127 -j ACCEPT

-A FORWARD -m string --string "BitTorrent" --algo bm --to 65535 -j DROP

-A FORWARD -m string --string "BitTorrent protocol" --algo bm --to 65535 -j DROP

-A FORWARD -m string --string "peer_id=" --algo bm --to 65535 -j DROP

-A FORWARD -m string --string ".torrent" --algo bm --to 65535 -j DROP

-A FORWARD -m string --string "announce.php?passkey=" --algo bm --to 65535 -j DROP

-A FORWARD -m string --string "torrent" --algo bm --to 65535 -j DROP

-A FORWARD -m string --string "announce" --algo bm --to 65535 -j DROP

-A FORWARD -m string --string "info_hash" --algo bm --to 65535 -j DROP

-A FORWARD -m string --string "get_peers" --algo bm --to 65535 -j DROP

-A FORWARD -m string --string "announce_peer" --algo bm --to 65535 -j DROP

-A FORWARD -m string --string "find_node" --algo bm --to 65535 -j DROP

-A FORWARD -s 192.168.2.0/24 -p tcp -m tcp --sport 1024:65535 --dport 8080 -j ACCEPT

-A FORWARD -s 192.168.2.0/24 -p tcp -m tcp --sport 1024:65535 --dport 2086 -j ACCEPT

-A FORWARD -s 192.168.2.0/24 -p tcp -m tcp --sport 1024:65535 --dport 2087 -j ACCEPT

-A FORWARD -s 192.168.2.0/24 -p tcp -m tcp --sport 1024:65535 --dport 2095 -j ACCEPT

-A FORWARD -s 192.168.2.0/24 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -j REJECT --reject-with icmp-port-unreachable

-A FORWARD -s 192.168.2.0/24 -p udp -m udp --sport 1024:65535 --dport 1024:65535 -j REJECT --reject-with icmp-port-unreachable

COMMIT

# Completed on Tue Mar 10 15:03:01 2015

---------------------------------------------------

iptables -t mangle -I OUTPUT -p tcp -m ipp2p --ares --soul --winmx --apple --dc -j DROP

iptables -t mangle -I OUTPUT -m ipp2p --edk --kazaa --bit --gnu -j DROP

iptables -t mangle -I INPUT -m ipp2p --edk --kazaa --bit --gnu -j DROP

iptables -t mangle -I INPUT -p tcp -m ipp2p --ares --soul --winmx --apple --dc -j DROP

iptables -t mangle -L INPUT -nvx --line-numbers

curl -Lk https://mirrors.dwhd.org/kernel-ml-aufs/kernel-ml-auf.repo >/etc/yum.repos.d/kernel-ml-aufs.repo

yum -y remove kernel-headers

yum install gcc gcc-c++ make automake unzip zip xz kernel-devel iptables-devel perl-Text-CSV_XS -y

curl -Lk https://sourceforge.net/projects/xtables-addons/files/Xtables-addons/2.11/xtables-addons-2.11.tar.xz|xz -d|tar x -C /usr/src/ && \

cd /usr/src/xtables-addons-2.11/

./configure && \

make -j `awk '/processor/{a++}END{print a}' /proc/cpuinfo` && make install

-----------

wget http://mirrors.dwhd.org/Kernel/v4.x/linux-4.2.tar.xz

tar xf linux-4.2.tar.xz -C /usr/src/

cd /usr/src/linux-4.2/

cp /boot/config-`uname -r` .config

sh -c 'yes "" | make oldconfig'

make -j `awk '/processor/{a++}END{print a}' /proc/cpuinfo` bzImage

make -j `awk '/processor/{a++}END{print a}' /proc/cpuinfo` modules

make -j `awk '/processor/{a++}END{print a}' /proc/cpuinfo` modules_install

make install

sed -ri 's/(default=).*/\10/' /boot/grub/grub.conf

reboot

安装ipp2p扩展

yum install -y http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm

yum clean all && yum makecache

yum install gcc gcc-c++ make automake unzip zip xz kernel-devel iptables-devel perl-Text-CSV_XS -y

wget http://sourceforge.net/projects/xtables-addons/files/Xtables-addons/xtables-addons-2.10.tar.xz

tar xf xtables-addons-2.10.tar.xz

cd xtables-addons-2.10/

./configure

make -j `awk '/processor/{a++}END{print a}' /proc/cpuinfo` && make install && cd geoip/

./xt_geoip_dl

./xt_geoip_build GeoIPv6.csv

./xt_geoip_build GeoIPCountryWhois.csv

mkdir -p /usr/share/xt_geoip/

cp -a BE LE /usr/share/xt_geoip/

来看看ipp2p的用法格式

iptables -m ipp2p --help | sed -n -e '/ipp2p/,//p'

ipp2p v0.10 match options:

--edk [tcp,udp] All known eDonkey/eMule/Overnet packets

--dc [tcp] All known Direct Connect packets

--kazaa [tcp,udp] All known KaZaA packets

--gnu [tcp,udp] All known Gnutella packets

--bit [tcp,udp] All known BitTorrent packets

--apple [tcp] All known AppleJuice packets

--winmx [tcp] All known WinMX

--soul [tcp] All known SoulSeek

--ares [tcp] All known Ares

EXPERIMENTAL protocols:

--mute [tcp] All known Mute packets

--waste [tcp] All known Waste packets

--xdcc [tcp] All known XDCC packets (only xdcc login)

ipp2p扩展的具体用法演示

##下面的是封IPv4出本机的P2P

iptables -t mangle -I OUTPUT -p tcp -m ipp2p --ares --soul --winmx --apple --dc -j DROP

iptables -t mangle -I OUTPUT -m ipp2p --edk --kazaa --bit --gnu -j DROP

##下面是封进入本机的P2P

iptables -t mangle -I INPUT -m ipp2p --edk --kazaa --bit --gnu -j DROP

iptables -t mangle -I INPUT -p tcp -m ipp2p --ares --soul --winmx --apple --dc -j DROP

iptables -t mangle -L INPUT -nvx --line-numbers

http://www.52codes.net/article/1088.html

« 2025年05月 »