How to block P2P traffic

Judulnya versi English, tapi pembahasannya menggunakan bahasa Indonesia dengan tujuan sebagai berikut :

1. Mudah dipahami oleh linux user pemula

2. Mudah dimengerti jika menggunakan bahasa Indonesia

• Latar Belakang

Pembuatan tutorial ini dilatarbelakangi karena banyaknya permintaan dari penggemar masterpop3 ( 😀 ..huehue artis linux ), mengenai bagaimana cara memblok traffic p2p.  Permintaan kebanyakan berasal dari pemilik/pengelola warnet, operator jaringan, admin jaringan , yang menginginkan di jaringan mereka tidak terganggu oleh program/traffic p2p yang diakibatkan oleh salah satu usernya yang bisa mengganggu traffic seluruh networknya.

• Pendahuluan

Setelah googling sana sini akhirnya dapet kaca kunci untuk solusi di atas yaitu menggunakan 'layer7' module iptables, selanjutnya kita L7-filter.
L7-filter adalah module untuk Linux Netfilter (iptables) yang mengidentifikasi paket yang berada di application layer data (lapisan data aplikasi). Paket data yang masuk dalam layer ini bisa berupa Kazza, HTTP, Jabber, Citrik, Bittorent, FTP, Gnutella, eDonkey, eMule, Limewire, dll, tanpa memperhatikan source/destination port. Ini bisa menjadi pelengkap yang sempurna yang bisa digabungkan dengan kesesuaian IP address , port number, dll.

• Feature L7-filter

* Patches for Linux 2.4 and 2.6
* Support for TCP, UDP and ICMP over IPv4
* Uses Netfilter's connection tracking of FTP, IRC, etc
* Examines data across multiple packets
* Number of packets examined tunable on the fly through /proc
* Number of bytes examined tunable at module load time
* Distinguishes between new connections (those still being tested) and old unidentified connections
* Gives access to both Netfilter and QoS (rate limiting) features
* With the Netfilter "helper" match, you can distinguish between parent and child connections (e.g. ftp command/data)
 

• Tujuan

Implementasi L7-filter saya buat dengan tujuan sebagai berikut :
1. cara memblok traffic p2p dengan iptables
2. membatasi penggunaan traffic p2p dengan QoS (seperti cbq/htb)

Catatan: tidak semua user yang ingin dibatasi oleh penggunaan L7-filter ini, jadi kembali kepada keputusan anda sebagai pemegang kekuasaan jaringan. Jika menginginkan seperti tujuan yang saya sebutkan, mari kita lanjutkan projek kita.

• Installasi

Saatnya kita obrak-abrik PC Linux kita. Pertama siapkan peralatan.
Peralatan yang dibutuhkan adalah :
1. source kernel 2.6 atau kernel 2.4 download dari kernel.org
2. source iptables dari netfilter.org
3. paket patch l7-filter kernel version (netfilter-layer7-vX.Y.tar.gz)
4. paket file Protocol definitions  (l7-protocols-YYYY-MM-DD.tar.gz)

• Kernel Patch

Dalam ujicoba ini saya menggunakan kernel 2.6.18 di fedora-6. langkah-langkahnya sebagai berikut :

1. download kernel 2.6.18 dari kernel.org
root# mkdir /download
root# cd /download
root# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.18.tar.bz2
root# tar xjf linux-2.6.18.tar.bz2 -C /usr/src/
root# ln -s /usr/src/linux-2.6.18 /usr/src/linux

2. download l7-filter kernel version 
root# cd /download
root# wget http://optusnet.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.7.tar.gz
root# tar xzf netfilter-layer7-v2.7.tar.gz

3. Patch kernel dengan Layer7 patch 
root# cd /usr/src/linux
root# patch -p1 < /download/netfilter-layer7-v2.7/kernel-2.6.18-layer7-2.7.patch
patching file include/linux/netfilter_ipv4/ip_conntrack.h
patching file include/linux/netfilter_ipv4/ipt_layer7.h
patching file net/ipv4/netfilter/Kconfig
patching file net/ipv4/netfilter/Makefile
patching file net/ipv4/netfilter/ip_conntrack_core.c
patching file net/ipv4/netfilter/ip_conntrack_standalone.c
patching file net/ipv4/netfilter/ipt_layer7.c
patching file net/ipv4/netfilter/regexp/regexp.c
patching file net/ipv4/netfilter/regexp/regexp.h
patching file net/ipv4/netfilter/regexp/regmagic.h
patching file net/ipv4/netfilter/regexp/regsub.c

4. Saatnya Kompile dan Install Kernel

root# make menuconfig

* "Prompt for development and/or incomplete code/drivers" (under "Code maturity level options")
* "Network packet filtering" (Networking ? Networking support ? Networking Options)
* "Netfilter Xtables support" (Network packet filtering ? Core Netfilter Configuration)
* "Connection tracking" (… ? Network packet filtering ? IP: Netfilter Configuration ? Connection tracking)
* "Connection tracking flow accounting" and "IP tables support" (on the same screen)
* And finally, "Layer 7 match support"
* Selanjutnya anda diberi kekuasaan untuk memilih mana yang diaktifkan sebagai module dan mana yang dimasukan dalam kernel (built-in)

Perhatian:
Beberapa user melaporkan terjadinya kernel crash ketika menggunakan SMP dengan l7-filter. Dan ada juga yang melaporkan SMP System mereka berjalan normal.
Jika anda punya Multi-CPU Machine, sebaiknya di test dulu sebelum digunakan di server produktif.

root# make
root# make modules_install install

• Iptables Patch
  

Download source iptables dari netfilter.org

Root# cd /download
Root# wget http://netfilter.org/projects/iptables/files/iptables-1.3.5.tar.bz2
Root# tar xjf iptables-1.3.5.tar.bz2
Root# cd iptables-1.3.5
Root# patch -p1 < /download/netfilter-layer7-v2.7/iptables-layer7-2.7.patch
patching file extensions/.layer7-test
patching file extensions/libipt_layer7.c
patching file extensions/libipt_layer7.man

root# chmod +x extensions/.layer7-test

Sebelum melakukan perintah ‘make’ , pastikan anda sudah memeriksa dan menyesuaikan PREFIX dir installasi iptables di file ‘Makefile’.

Root# vi Makefile

PREFIX:=/usr
LIBDIR:=/lib
BINDIR:=/sbin
MANDIR:=/usr/share/man
INCDIR:=$(PREFIX)/include

root# make KERNEL_DIR=/usr/src/linux
root# make install KERNEL_DIR=/usr/src/linux

Untuk melakukan patch iptables , anda harus sudah mengkompile dan menginstall kernel source.

• Protocol Definitions (Pattern Files)

Saatnya memasang file protocol definisi untuk layer7-filter module.

Download file Protocol definitions 

Root# cd /download
Root# wget http://optusnet.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2006-12-12.tar.gz
Root# tar xzf l7-protocols-2006-12-12.tar.gz
Root# cd l7-protocols-2006-12-12
Root# make install
  mkdir -p /etc/l7-protocols
  cp -R * /etc/l7-protocols

‘make install’ di atas hanya mengkopi file paket protocol ke dir /etc/l7-protocols 

Setelah semuanya sudah terinstall , reboot PC Linux anda.

• Setting iptables blok p2p

Himbauan dari situs resminya sih katanya disarankan jangan di blok, kita tanya kenapa ?
Saya Quote aja yah :

========================================
Blocking
Don't. Here's why:
* l7-filter matching isn't foolproof: there may be both false positives (one protocol can look like another) and false negatives (applications can do obscure things that we didn't count on). Patterns that are known to regularly generate false positives are marked "overmatching" on the protocols page, but others may also do so occasionally.
* Almost every type of Internet traffic has legitimate uses. For instance, P2P protocols, while widely used to violate copyright, are also an efficient way to distribute open source software and legally free music.
* Programs can respond to being blocked by port-hopping, switching between TCP and UDP, opening a new connection for every trivial operation, using encryption, or employing other evasion tactics. Trying to block such protocols has consequences on two levels:
1. In the case of port/protocol-hopping, you make it harder for yourself to identify protocols that already act this way.
2. You encourage programmers to include these "features" in new programs, making it harder for everyone in the future. For example: In early 2006, Bittorrent started moving towards end-to-end encryption because many networks were either blocking it or severely restricting its bandwidth.
* l7-filter patterns are not generally designed with blocking in mind. We consider a protocol to be well identified if the identification is useful for controlling its bandwidth. This means, for instance, that for P2P applications, we do not focus on catching connections that are not downloads.
* Blocking with l7-filter provides no security, since any reasonably determined person can easily circumvent it.
Instead of dropping packets you don't like, we recommend using Linux QoS to restrict their bandwidth usage. See the next section. If you insist on using l7-filter to drop packets, make sure you have investigated other options first, such as the features of your HTTP proxy (useful for worms).
========================================

Tapi karena anda bersikeras ngotot supaya traffic p2p di blok saja, mari kita lanjutkan projek kita.

• Cara Setting Iptables untuk Blok traffic p2p

Caranya kita cegat lewat table mangle di chain PREROUTING .

iptables -t mangle -A PREROUTING -m layer7 –l7proto 100bao –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto applejuice –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto ares –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto bittorrent –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto directconnect –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto edonkey –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto fasttrack –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto freenet –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto gnucleuslan –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto gnutella –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto goboogy –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto hotline –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto imesh –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto kugoo –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto mute –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto napster –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto openft –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto poco –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto soribada –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto soulseek –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto tesla –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto thecircle –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto xunlei –j DROP

Emule p2p termasuk ke dalam proto edonkey.
Kazaa p2p termasuk ke dalam proto fasttrack
LimeWire p2p termasuk ke dalam proto gnutella

Jika DAP (Download Accelerator Plus) ingin di blok juga :

iptables -t mangle -A PREROUTING -m layer7 –l7proto http-dap –j DROP

Blok Fresh Download :

iptables -t mangle -A PREROUTING -m layer7 –l7proto http-freshdownload –j DROP

Blok p2p AudioGalaxy :

iptables -t mangle -A PREROUTING -m layer7 –l7proto audiogalaxy –j DROP

Dan Jika anda ingin memblok file RPM (File paketnya Redhat/FC, Suse) :

iptables -t mangle -A PREROUTING -m layer7 –l7proto rpm –j DROP

Blok juga traffic sebangsa Malware :

iptables -t mangle -A PREROUTING -m layer7 –l7proto code_red –j DROP
iptables -t mangle -A PREROUTING -m layer7 –l7proto nimda –j DROP

Selengkapnya lihat di file protocol definition :
http://l7-filter.sourceforge.net/protocols

• Melihat statistik rule blok p2p

Ketik : root# watch iptables -t mangle -L -v

Every 2.0s: iptables -t mangle -L -v                                                     Thu Dec 14 21:29:46 2006

Chain PREROUTING (policy ACCEPT 83 packets, 5657 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  —  any    any     anywhere             anywhere            LAYER7 l7proto 100bao
   10  8091 DROP       all  —  any    any     anywhere             anywhere            LAYER7 l7proto fasttrack
   48 12091 DROP       all  —  any    any     anywhere             anywhere            LAYER7 l7proto gnutella

• Pembatasan Bandwidth traffic p2p

Untuk membatasi bandwidth traffic p2p bisa digabung dengan QoS cbq atau htb , dengan cara di mangling (Rule MARK).

Contoh :

iptables -t mangle -A PREROUTING -m layer7 –l7proto edonkey -j MARK –set-mark 0x3

Selanjutnya pasang di file cbq atau htb dengan parameter MARK=3.

• FAQ :

Q : Kemana saya bertanya mengenai hal ini, karena saya masih belum mengerti ?
A : Lempar aja ke forum.linux.or.id   (huehue…:D)

• Terimakasih to :

Tutorial versi English — http://l7-filter.sourceforge.net/
Beserta orang-orang hebat di dalamnya.

• Credits

The original coders were Justin Levandoski, Ethan Sommer, and Matthew Strait, with support from Sebastian Celis, Andy Exley and Lillie Kittredge.
The primary maintainers are now Ethan Sommer and Matthew Strait.
Thanks also to: The great team Layer7
{mosimage}