
HOWTO BLOCK P2P TRAFFIC

(Thursday, 14 December 2006) - Contributed by wawan bahtiar - Last Updated (Tuesday, 19 December 2006)

The title is in English, but the discussion is written in Indonesian, for the following reasons:
1. It is easy to follow for beginner Linux users.
2. It is easier to understand in Indonesian.

- Background
This tutorial came about because of the many requests from masterpop3 readers (:D ..hehe, the Linux celebrity) asking how to block p2p traffic. Most of the requests came from internet café (warnet) owners/operators, network operators and network admins who do not want their network disrupted by p2p programs/traffic from a single user, which can degrade the traffic of the whole network.

- Introduction
After googling here and there I finally found the keyword for the solution above: the 'layer7' iptables module, from here on called L7-filter. L7-filter is a module for Linux Netfilter (iptables) that identifies packets by their application-layer data. Traffic classified this way can be Kazaa, HTTP, Jabber, Citrix, BitTorrent, FTP, Gnutella, eDonkey, eMule, LimeWire, etc., and it is recognised regardless of source/destination port. This makes it a perfect complement to matching on IP address, port number, and so on.

- Features of L7-filter
* Patches for Linux 2.4 and 2.6
* Support for TCP, UDP and ICMP over IPv4
* Uses Netfilter's connection tracking of FTP, IRC, etc
* Examines data across multiple packets
* Number of packets examined tunable on the fly through /proc
* Number of bytes examined tunable at module load time
* Distinguishes between new connections (those still being tested) and old unidentified connections
* Gives access to both Netfilter and QoS (rate limiting) features
* With the Netfilter "helper" match, you can distinguish between parent and child connections (e.g. ftp command/data)

- Objectives
I implement L7-filter with the following objectives:
1. how to block p2p traffic with iptables
2. limiting p2p bandwidth with QoS (such as cbq/htb)
Note: not every user will want to be restricted by L7-filter, so it comes back to your decision as the person in charge of the network. If you want what I described above, let's continue with our project.

- Installation
Time to tear our Linux PC apart. First prepare the tools. What is needed:
1. kernel 2.6 or 2.4 source, downloaded from kernel.org
2. iptables source from netfilter.org
3. the l7-filter kernel patch package (netfilter-layer7-vX.Y.tar.gz)
4. the protocol definitions package (l7-protocols-YYYY-MM-DD.tar.gz)

- Kernel Patch
In this test I used kernel 2.6.18 on Fedora 6. The steps are as follows:
1. download kernel 2.6.18 from kernel.org (kernel.org publishes a .sign file next to each tarball; verify it before you build, since this tree becomes your running kernel)
root# mkdir /download
root# cd /download
root# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.18.tar.bz2
root# tar xjf linux-2.6.18.tar.bz2 -C /usr/src/
root# ln -s /usr/src/linux-2.6.18 /usr/src/linux
2. download the kernel version of l7-filter
root# cd /download
root# wget http://optusnet.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.7.tar.gz
root# tar xzf netfilter-layer7-v2.7.tar.gz
http://aa.cakralintas.net.id - masterpop3 :: Linux Documents Powered by Mambo Generated: 4 October, 2007, 20:54

3. Patch the kernel with the Layer7 patch
root# cd /usr/src/linux
root# patch -p1 < /download/netfilter-layer7-v2.7/kernel-2.6.18-layer7-2.7.patch
patching file include/linux/netfilter_ipv4/ip_conntrack.h
patching file include/linux/netfilter_ipv4/ipt_layer7.h
patching file net/ipv4/netfilter/Kconfig
patching file net/ipv4/netfilter/Makefile
patching file net/ipv4/netfilter/ip_conntrack_core.c
patching file net/ipv4/netfilter/ip_conntrack_standalone.c
patching file net/ipv4/netfilter/ipt_layer7.c
patching file net/ipv4/netfilter/regexp/regexp.c
patching file net/ipv4/netfilter/regexp/regexp.h
patching file net/ipv4/netfilter/regexp/regmagic.h
patching file net/ipv4/netfilter/regexp/regsub.c
4. Time to compile and install the kernel
root# make menuconfig
* "Prompt for development and/or incomplete code/drivers" (under "Code maturity level options")
* "Network packet filtering" (Networking -> Networking support -> Networking Options)
* "Netfilter Xtables support" (Network packet filtering -> Core Netfilter Configuration)
* "Connection tracking" (... -> Network packet filtering -> IP: Netfilter Configuration -> Connection tracking)
* "Connection tracking flow accounting" and "IP tables support" (on the same screen)
* And finally, "Layer 7 match support"
* You are then free to choose which of these to build as modules and which to build into the kernel (built-in)

Warning: some users have reported kernel crashes when using SMP with l7-filter, while others report that their SMP systems run normally. If you have a multi-CPU machine, test it first before using it on a production server.
root# make
root# make modules_install install

- Iptables Patch
Download the iptables source from netfilter.org. The patched iptables is built against the patched kernel source tree (passed as KERNEL_DIR below), so you must have compiled and installed the kernel before this step.
root# cd /download
root# wget http://netfilter.org/projects/iptables/files/iptables-1.3.5.tar.bz2
root# tar xjf iptables-1.3.5.tar.bz2
root# cd iptables-1.3.5
root# patch -p1 < /download/netfilter-layer7-v2.7/iptables-layer7-2.7.patch
patching file extensions/.layer7-test
patching file extensions/libipt_layer7.c
patching file extensions/libipt_layer7.man
root# chmod +x extensions/.layer7-test
Before running 'make', check and adjust the iptables install PREFIX directories in the 'Makefile':
root# vi Makefile
PREFIX:=/usr
LIBDIR:=/lib
BINDIR:=/sbin
MANDIR:=/usr/share/man
INCDIR:=$(PREFIX)/include
root# make KERNEL_DIR=/usr/src/linux
root# make install KERNEL_DIR=/usr/src/linux
Note that with PREFIX=/usr this overwrites the distribution's packaged iptables; a later package update will silently replace it with a binary that has no layer7 extension, so either pin the package or install under a separate prefix and adjust PATH.

- Protocol Definitions (Pattern Files)
Time to install the protocol definition files for the layer7-filter module. Download the protocol definitions:
root# cd /download
root# wget http://optusnet.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2006-12-12.tar.gz
root# tar xzf l7-protocols-2006-12-12.tar.gz
root# cd l7-protocols-2006-12-12
root# make install
mkdir -p /etc/l7-protocols
cp -R * /etc/l7-protocols
The 'make install' above only copies the protocol pattern files to the /etc/l7-protocols directory. Once everything is installed, reboot your Linux PC. After the reboot, a quick check is that iptables -m layer7 --help lists the --l7proto option and that /etc/l7-protocols contains the .pat files; if either is missing, the rules in the next sections will not load.

- Setting up iptables to block p2p
The official site's advice is actually not to block at all. Why? I'll just quote them:
========================================
Blocking
Don't. Here's why:
* l7-filter matching isn't foolproof: there may be both false positives (one protocol can look like another) and false negatives (applications can do obscure things that we didn't count on). Patterns that are known to regularly generate false positives are marked "overmatching" on the protocols page, but others may also do so occasionally.
* Almost every type of Internet traffic has legitimate uses. For instance, P2P protocols, while widely used to violate copyright, are also an efficient way to distribute open source software and legally free music.
* Programs can respond to being blocked by port-hopping, switching between TCP and UDP, opening a new connection for every trivial operation, using encryption, or employing other evasion tactics. Trying to block such protocols has consequences on two levels:
1. In the case of port/protocol-hopping, you make it harder for yourself to identify protocols that already act this way.
2. You encourage programmers to include these "features" in new programs, making it harder for everyone in the future. For example: In early 2006, Bittorrent started moving towards end-to-end encryption because many networks were either blocking it or severely restricting its bandwidth.
* l7-filter patterns are not generally designed with blocking in mind. We consider a protocol to be well identified if the identification is useful for controlling its bandwidth. This means, for instance, that for P2P applications, we do not focus on catching connections that are not downloads.
* Blocking with l7-filter provides no security, since any reasonably determined person can easily circumvent it. Instead of dropping packets you don't like, we recommend using Linux QoS to restrict their bandwidth usage. See the next section.
If you insist on using l7-filter to drop packets, make sure you have investigated other options first, such as the features of your HTTP proxy (useful for worms).
========================================
But since you insist on blocking p2p traffic anyway, let's continue our project.

- How to set up iptables to block p2p traffic
We intercept the traffic in the mangle table's PREROUTING chain. Two things to keep in mind when reading these rules: the layer7 match only fires once it has seen enough application payload on a connection (see "Examines data across multiple packets" in the feature list), so the first packets of every flow get through before the DROP takes effect; and mangle PREROUTING sees every packet arriving on any interface, including the replies to connections the gateway itself opened, so add -s or -i restrictions if you only mean to police the LAN.
iptables -t mangle -A PREROUTING -m layer7 --l7proto 100bao -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto applejuice -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto ares -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto bittorrent -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto directconnect -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto edonkey -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto fasttrack -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto freenet -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto gnucleuslan -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto gnutella -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto goboogy -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto hotline -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto imesh -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto kugoo -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto mute -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto napster -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto openft -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto poco -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto soribada -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto soulseek -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto tesla -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto thecircle -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto xunlei -j DROP
eMule p2p is covered by the edonkey proto. Kazaa p2p is covered by the fasttrack proto. LimeWire p2p is covered by the gnutella proto.

If you also want to block DAP (Download Accelerator Plus):
iptables -t mangle -A PREROUTING -m layer7 --l7proto http-dap -j DROP
Block Fresh Download:
iptables -t mangle -A PREROUTING -m layer7 --l7proto http-freshdownload -j DROP
Block the AudioGalaxy p2p:
iptables -t mangle -A PREROUTING -m layer7 --l7proto audiogalaxy -j DROP

And if you want to block RPM files (the package files of RedHat/FC and SuSE):
iptables -t mangle -A PREROUTING -m layer7 --l7proto rpm -j DROP
(in mangle PREROUTING this rule also matches the reply packets of the gateway's own package downloads, so yum/up2date on the gateway itself will break unless you restrict it with -s or -i.)
Also block malware-type traffic:
iptables -t mangle -A PREROUTING -m layer7 --l7proto code_red -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto nimda -j DROP
For the full list see the protocol definitions: http://l7-filter.sourceforge.net/protocols

- Viewing statistics of the p2p block rules
Type:
root# watch iptables -t mangle -L -v
(adding -n avoids the reverse DNS lookups that can make the listing stall, and -x prints exact packet/byte counters instead of rounded ones)
Every 2.0s: iptables -t mangle -L -v    Thu Dec 14 21:29:46 2006

Chain PREROUTING (policy ACCEPT 83 packets, 5657 bytes)
 pkts bytes target prot opt in  out source   destination
    0     0 DROP   all  --  any any anywhere anywhere  LAYER7 l7proto 100bao
   10  8091 DROP   all  --  any any anywhere anywhere  LAYER7 l7proto fasttrack
   48 12091 DROP   all  --  any any anywhere anywhere  LAYER7 l7proto gnutella
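The counters above are the only evidence that a pattern is doing anything, so it is worth turning them into a report. The script below is an added example, not part of the original tutorial or of l7-filter: it reads an iptables -v -n -x listing (the -n and -x flags are assumptions about how you run the listing; the sample listing embedded in it is constructed to mirror the output above, not captured) and prints the layer7 rules busiest first, plus the rules that have matched nothing.

```sh
#!/bin/sh
# Added example (not from the original page): summarise which layer7 rules
# are actually firing, from the output of
#   iptables -t mangle -L PREROUTING -v -n -x
# -n skips DNS lookups, -x prints exact counters. SAMPLE below is constructed
# to mirror the listing in the text; it is not captured output.

SAMPLE='Chain PREROUTING (policy ACCEPT 83 packets, 5657 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto 100bao
      10       8091 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto fasttrack
      48      12091 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto gnutella'

# l7_hits: read a -v -n -x listing on stdin and print one line per layer7
# rule as "<proto> <pkts> <bytes> <target>", busiest (most bytes) first.
l7_hits() {
    awk '/LAYER7 l7proto/ {
        proto = "?"
        for (i = 1; i <= NF; i++) if ($i == "l7proto") proto = $(i + 1)
        printf "%s %s %s %s\n", proto, $1, $2, $3
    }' | sort -k3,3nr
}

# l7_silent: names of layer7 rules that have matched nothing. After you have
# deliberately generated traffic for a protocol, a rule that is still listed
# here means the pattern did not recognise it (port-hopping, encryption, or a
# client the pattern was not written for), so the DROP is not doing what the
# rule name suggests.
l7_silent() {
    l7_hits | awk '$2 == 0 { print $1 }'
}

# Run stand-alone with "report" to see the result for the constructed sample;
# on a real gateway, pipe the live listing into l7_hits instead.
if [ "${1:-}" = "report" ]; then
    printf '%s\n' "$SAMPLE" | l7_hits
    echo "silent:"
    printf '%s\n' "$SAMPLE" | l7_silent
fi
```

A rule that keeps hitting is not proof that it hits the right thing: the quoted warning about overmatching still applies, and only a LOG rule placed before the DROP (with a rate limit) tells you which source hosts and flows the pattern is actually catching.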

- Limiting p2p traffic bandwidth
To limit the bandwidth of p2p traffic, combine L7-filter with QoS (cbq or htb) by mangling the packets with a MARK rule instead of dropping them. Example:
iptables -t mangle -A PREROUTING -m layer7 --l7proto edonkey -j MARK --set-mark 0x3
Then put it in your cbq or htb configuration with the parameter MARK=3.
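The tutorial shows one MARK rule and leaves the htb side to "your cbq or htb file". The script below is an added example, not the page's rule set and not l7-filter's own code; it covers both the blocking section and this bandwidth-limiting section in one place, with a block mode and a limit mode. The interface names, the LAN prefix, the rates, the mark value 3 and the chain names are assumptions, as is the choice to put the DROP rules in the filter table's FORWARD chain scoped to the LAN (so the gateway's own traffic is untouched) rather than in mangle PREROUTING as above. The limit mode saves the mark into the connection with CONNMARK so the regex only has to match once per flow, then builds an HTB tree with a small class for marked packets, selected by a tc "fw" filter on the mark. Set DRY_RUN=1 to print the commands instead of running them.

```sh
#!/bin/sh
# Added example (not the page's rule set): a small gateway script that either
# blocks identified P2P flows from the LAN or marks them and shapes them with
# HTB. Interface names, the LAN prefix, rates, the mark value and the chain
# names are assumptions; adjust them for your network. Running it for real
# needs root, the layer7-patched kernel and iptables, and /etc/l7-protocols.

LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-eth0}"
P2P_MARK="${P2P_MARK:-3}"
P2P_PROTOS="${P2P_PROTOS:-bittorrent edonkey fasttrack gnutella ares directconnect}"

# run: print the command when DRY_RUN=1, execute it otherwise.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# block_p2p: DROP P2P flows from the LAN. The rules live in their own chain
# in filter/FORWARD, scoped to LAN_NET, so the gateway's own connections are
# never affected. Each protocol is logged (rate-limited) before it is dropped
# so false positives can be spotted in the kernel log. Because layer7 needs
# several payload packets before it matches, the start of every flow always
# gets through: this is traffic control, not a security boundary.
block_p2p() {
    run iptables -N P2P_BLOCK
    for proto in $P2P_PROTOS; do
        run iptables -A P2P_BLOCK -m layer7 --l7proto "$proto" \
            -m limit --limit 6/min -j LOG --log-prefix "l7drop-$proto:"
        run iptables -A P2P_BLOCK -m layer7 --l7proto "$proto" -j DROP
    done
    run iptables -A FORWARD -s "$LAN_NET" -j P2P_BLOCK
}

# mark_p2p: the MARK variant of the page's rule. The mark is saved into the
# connection with CONNMARK and restored on every later packet of that
# connection, so the regex only has to match once per flow and the tc filter
# below sees the mark in both directions.
mark_p2p() {
    run iptables -t mangle -N P2P_CLASSIFY
    run iptables -t mangle -A P2P_CLASSIFY -j CONNMARK --restore-mark
    run iptables -t mangle -A P2P_CLASSIFY -m mark --mark "$P2P_MARK" -j RETURN
    for proto in $P2P_PROTOS; do
        run iptables -t mangle -A P2P_CLASSIFY -m layer7 --l7proto "$proto" \
            -j MARK --set-mark "$P2P_MARK"
    done
    run iptables -t mangle -A P2P_CLASSIFY -m mark --mark "$P2P_MARK" -j CONNMARK --save-mark
    run iptables -t mangle -A PREROUTING -j P2P_CLASSIFY
}

# shape_p2p DEV LINK_KBIT P2P_KBIT P2P_CEIL_KBIT: HTB on the egress of DEV.
# Marked packets go to class 1:30 (guaranteed P2P_KBIT, never more than
# P2P_CEIL_KBIT); everything else lands in the default class 1:10, which
# keeps the rest of the link. On WAN_IF this shapes the LAN's uploads; run it
# on the LAN-side interface as well to shape downloads.
shape_p2p() {
    dev="$1"; link_kbit="$2"; p2p_kbit="$3"; p2p_ceil_kbit="$4"
    rest_kbit=$((link_kbit - p2p_kbit))
    run tc qdisc add dev "$dev" root handle 1: htb default 10
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "${link_kbit}kbit"
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb \
        rate "${rest_kbit}kbit" ceil "${link_kbit}kbit"
    run tc class add dev "$dev" parent 1:1 classid 1:30 htb \
        rate "${p2p_kbit}kbit" ceil "${p2p_ceil_kbit}kbit"
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 \
        handle "$P2P_MARK" fw flowid 1:30
}

# Run once; to re-run, flush/delete the chains and the root qdisc first.
case "${1:-}" in
    block) block_p2p ;;
    limit) mark_p2p; shape_p2p "$WAN_IF" 1024 64 128 ;;
    *) echo "usage: $0 block|limit   (DRY_RUN=1 only prints the commands)" >&2 ;;
esac
```

The limit mode is the one the l7-filter authors recommend in the quoted text: a marked flow still works, just slowly, so there is no incentive for users to switch to an encrypted or port-hopping client that the patterns would then miss entirely. The mark value in the iptables rule and the "handle" in the tc filter must agree, which is why both read P2P_MARK.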

- FAQ
Q: Where do I ask about this, because I still don't understand?
A: Just throw it at forum.linux.or.id (hehe...:D)

- Thanks to:
* The original source: http://l7-filter.sourceforge.net/
* And the great people behind it.
* Duddi Assaduddin, who helped edit this document.
* Fajar (Putra Belmondo-Lampung), who gave me this problem.
* Ahmad Imron, who has not yet written a tutorial like this...hehehe :D

- Credits
The original coders were Justin Levandoski, Ethan Sommer, and Matthew Strait, with support from Sebastian Celis, Andy Exley and Lillie Kittredge. The primary maintainers are now Ethan Sommer and Matthew Strait. Thanks also to: * Anonymous (3) ($) * Antid0t (bug reporting) * Mike Auty (bug reporting) * Amin Azez a.k.a. Sam (kernel update) * Josh Ballard (patterns) * bartman007 ($) * Sebastien Bechet (patterns) * Laurens Blankers (patterns, bug reporting) * Gabriel Borkowski (bug reporting) * Franck Bouffard (patterns, bug reporting) * Alain Dellon Brito (incompatibility reporting) * Dez Cadena (documentation) * Matteo Croce (patterns) * Vincent Deffontaines (translation) * Ankit Desai (patterns) * Ben Efros (patterns) * Brandon Enright (patterns) * Fabien (bug reporting) * Deti Fliegl (bug fixing) * Eicke Friedrich (IPP2P) * David Varela Garrido (bug reporting) * Joerg Hoh (Netfilter 2.4 backport) * Kegan Holtzhausen (forward porting) * Jan Judec (patterns) * Michael Leong (patterns) * David Maciejak (typo reporting) * Krzysztof Maciejewski (patterns) * Clayton Macleod (patterns) * Mike Mestnik (bug reporting) * Richard Moore (patterns) * Michael Moyse (doc bug reporting) * Stefano Papaleo (translation) * Trevor Paskett (patterns) * fuzz_bunny/Paul (bug reporting) * Carlo Perassi (bug reporting) * Tomas Potok (translation) * Art Reisman (bandwidtharbitrator) * Filip Sneppe (kernel feature) * Goli SriSairam (patterns) * Falstaf/Magnus Ternstrm ($) * Aaron Thomas (bug reporting) * Myles Uyema (patterns) * VeNoMouS (patterns) * Daniel Weatherford (patterns) * Beat Weisskopf (patterns, metadata) * lonely wolf (translation) * wsgtrsys (patterns) * Anyone I've forgotten!
