Block P2P traffic on a Linksys router WRT54G with Tomato firmware

Question

I'm running a small wireless network (6 to 10 users) on a Linksys WRT54G with Tomato firmware sharing an Internet connection. I don't want the users to download files with BitTorrent (mainly used) and other P2P apps.

I've also found some solutions about lowering P2P traffic priority using QoS. I really need to ban P2P traffic.

Does anyone know how to setup some rules to deny that kind of traffic?

I've tried to setup an Access Restriction Rule:

Screenshot

However it's not working at all.

score 3 · Answer 1 · answered Feb 15 '10 at 15:15

3

Generally it's not possible. Any bittorrent client can be set up to use any port. Almost any bittorrent client can be set up to encrypt bittorrent traffic, this way it gets harder to detect it. You might still succeed with a default DENY policy, allowing only legit traffic (like HTTP and HTTPS - connections to ports 80,443), but that's another story.

answered Feb 15 '10 at 15:15

geek

9,746
3
21
16

I'd generally agree with this - a determined user can get around almost anything (I directed all my traffic over DNS while at uni to get around a block)... But techniques mentioned in other answers will certainly deter casual users, or in fact anyone without a significant determination to do it. You probably don't have many of them on a 12 user network – Jon Story Sep 26 '14 at 22:40

score 3 · Answer 2 · answered Jan 16 '11 at 23:59

The best way I could come up with until now is a combination of things:

Use the OpenDNS DNS servers and use their p2p category to block access to p2p sites. In Tomato, tick the box "Intercept DNS port (UDP 53)" under Advanced > DHCP / DNS to prevent user from being able to use own DNS servers.
In Tomato, create an Access Restriction rule, set Port / Application to "TCP/UDP, IPP2P: All IPP2P Filters" (this will block unencrypted p2p traffic)
In the HTTP Request field I entered some common bittorrent/emule keywords used in URLs. This prevents users from downloading .torrent files, connect to trackers that are commenly using addresses like tracker.xxx.com or domain.com/scrape, etc. My list at this moment:

announce
torrent
tracker
scrape
peerates
peerbooter
gruk.org
emule-security.net
server.met

In Tomato, under Administration > Scripts > Firewall I've added a couple iptables rules to prevent any user from opening way too many connections. I've also blocked some commonly used bittorrent ports:

iptables -I FORWARD -p tcp -s 192.168.1.0/24 -m connlimit --connlimit-above 50 -j DROP
iptables -I FORWARD -p ! tcp -s 192.168.1.0/24 -m connlimit --connlimit-above 25 -j DROP

iptables -I FORWARD -p tcp --dport 6881:6999 -j REJECT
iptables -I FORWARD -p udp --dport 6881:6999 -j REJECT

+1 for pointing out "Intercept DNS port (UDP 53)" – jao Aug 18 '12 at 19:37 — jao, Aug 18 '12 at 19:37

score 2 · Accepted Answer · answered Nov 18 '09 at 15:50

One way to do this in an indirect way is by using OpenDNS.

Set the DNS server in your router settings to the OpenDNS servers (208.67.222.222 and 208.67.220.220)
Create an account on the OpenDNS web site (that's free), and follow the instructions on their web site how to configure it
Then in your account settings choose a custom filtering level and select to block "P2P/File sharing". If you want you can block other categories, I'd definitely block "Phishing", and depending on your needs you can add specific sites as exceptions or to be blocked.

It is an indirect way of achiving your goal and probably not what you were originally looking for, but it will work and has a number of additional advantages (e.g. blocking some other web sites you probably want to block).

This will just block access to the websites that P2P software and torrent files are available. It won't do anything to stop actual P2P traffic. — paradroid, Oct 05 '10 at 07:36

score 1 · Answer 4 · answered Nov 18 '11 at 08:37

A dedicated user can bypass any restrictions, but you can make it difficult. First, you can disable plug n play for port forwarding and only forward the ports you want through, however however if it was me and i was dedicated to get through, I would just set my file sharing to use port 80 or 443 and this would just totally F you up. You cannot block those ports and it would be even worse hell 4 everyone.

Another way you can go is allow plug n play, look in the log and see what ports they connect with then set up qos on those ports allow them some bandwidth but set it the lowest priority and highest for other traffic, that way when someone uses the internet they get priority and the file sharer will have some some file sharing, but not hog the bandwidth. They will be less motivated to bypass your restrictions. Also enable ipp2p and layer7 for their sharing this is for qos for sharing applications. Some people use this to block p2p but it has some negatives as well effecting regular traffic and p2p has ways of getting around this as well.

The problem with banning access is that if they encrypt their sharing, filtering has little effect. A user with a little knowledge can set up an encrypted vpn and there is no way to block it or limit it in any way. Once this happens no keyword banning, no filtering and no port blocking will work, no blocking keyword searches either. The traffic is all encrypted, secure and private. As an example of how effective this is, China has the most advanced and effective internet restrictions in the world set up by the government and people use vpns to get around them.

Another fair way to go is to divide up the band width and only allow each user a set amount.

This is a big issue for the big service providers as well.

There is no perfect solution.

Best luck with your network

score 1 · Answer 5 · edited Aug 17 '11 at 08:56

1

For blocking P2P, look into Tomato's Access Restriction. It will help you block applications by ports and you can even filter by data contained in the HTTP request. You can even block things like Active X and Java applets.

enter image description here

edited Aug 17 '11 at 08:56

Gaff

18,569
15
57
68

answered Nov 10 '09 at 16:08

John T

163,373
27
341
348

That's what I've done so far, but it's not working at all ! I've made the following Access Restriction : --------------------------------- Schedule: All Day, Everyday Type: Normal Access Restriction Applies To: All Computers/Devices Port / Application : TCP/UDP - Src or Dst - 6881-6999 IPP2P (disabled) - Layer 7 (disabled) -------------------------------------- I'm not sure about the protocol and I've found that port range on a website ... – Kami Nov 10 '09 at 16:21
Remember, there is more than one p2p application, that is just Bittorrent. You can find ports used by other apps here: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers . Leaving the setting on TCP & UDP will be fine. – John T Nov 10 '09 at 16:41

score 0 · Answer 6 · answered Oct 05 '10 at 07:03

As others explain, you will most probably not be able to prevent P2P traffic. But you can just forbid it, explaining to the users (1) why you want to ban P2P and that (2) you can monitor what's going on, and may lock down offenders (if e.g. each user has it's own IP)...

More generally, this seems to be the kind of problem that's better solved with education than technology...

Block P2P traffic on a Linksys router WRT54G with Tomato firmware

6 Answers6