How to block P2P traffic
The title is in English, but the discussion is written in Indonesian, for the following reasons:
1. Easy for beginner Linux users to follow
2. Easier to understand when written in Indonesian
- Background
This tutorial was written because of the many requests from fans of masterpop3 ( 😀 ..hehe, the Linux celebrity ) about how to block p2p traffic. Most of the requests come from internet cafe (warnet) owners/managers, network operators and network admins who do not want their networks disrupted by p2p programs/traffic from a single user that can disturb the traffic of the whole network.
- Introduction
After googling here and there I finally found the keyword for the solution above: the 'layer7' iptables module, referred to from here on as L7-filter.
L7-filter is a module for Linux Netfilter (iptables) that identifies packets based on their application layer data. Protocols identified at this layer include Kazaa, HTTP, Jabber, Citrix, BitTorrent, FTP, Gnutella, eDonkey, eMule, LimeWire, etc., regardless of source/destination port. This makes it a perfect complement that can be combined with matches on IP address, port number, etc.
- Feature L7-filter
* Patches for Linux 2.4 and 2.6
* Support for TCP, UDP and ICMP over IPv4
* Uses Netfilter's connection tracking of FTP, IRC, etc
* Examines data across multiple packets
* Number of packets examined tunable on the fly through /proc
* Number of bytes examined tunable at module load time
* Distinguishes between new connections (those still being tested) and old unidentified connections
* Gives access to both Netfilter and QoS (rate limiting) features
* With the Netfilter "helper" match, you can distinguish between parent and child connections (e.g. ftp command/data)
- Objectives
I implemented L7-filter with the following objectives:
1. blocking p2p traffic with iptables
2. limiting p2p traffic with QoS (such as cbq/htb)
Note: not every user wants to be restricted by L7-filter, so the decision is yours as the one who holds authority over the network. If you want what I described above, let's continue our project.
- Installation
Time to take our Linux PC apart. First prepare the tools.
The tools needed are:
1. kernel 2.6 or kernel 2.4 source, downloaded from kernel.org
2. iptables source from netfilter.org
3. the l7-filter kernel patch package (netfilter-layer7-vX.Y.tar.gz)
4. the Protocol definitions package (l7-protocols-YYYY-MM-DD.tar.gz)
- Kernel Patch
In this test I used kernel 2.6.18 on Fedora 6. The steps are as follows:
1. download kernel 2.6.18 from kernel.org
root# mkdir /download
root# cd /download
root# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.18.tar.bz2
root# tar xjf linux-2.6.18.tar.bz2 -C /usr/src/
root# ln -s /usr/src/linux-2.6.18 /usr/src/linux
2. download the l7-filter kernel version
root# cd /download
root# wget http://optusnet.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.7.tar.gz
root# tar xzf netfilter-layer7-v2.7.tar.gz
3. Patch the kernel with the Layer7 patch
root# cd /usr/src/linux
root# patch -p1 < /download/netfilter-layer7-v2.7/kernel-2.6.18-layer7-2.7.patch
patching file include/linux/netfilter_ipv4/ip_conntrack.h
patching file include/linux/netfilter_ipv4/ipt_layer7.h
patching file net/ipv4/netfilter/Kconfig
patching file net/ipv4/netfilter/Makefile
patching file net/ipv4/netfilter/ip_conntrack_core.c
patching file net/ipv4/netfilter/ip_conntrack_standalone.c
patching file net/ipv4/netfilter/ipt_layer7.c
patching file net/ipv4/netfilter/regexp/regexp.c
patching file net/ipv4/netfilter/regexp/regexp.h
patching file net/ipv4/netfilter/regexp/regmagic.h
patching file net/ipv4/netfilter/regexp/regsub.c
4. Time to compile and install the kernel
root# make menuconfig
* "Prompt for development and/or incomplete code/drivers" (under "Code maturity level options")
* "Network packet filtering" (Networking -> Networking support -> Networking Options)
* "Netfilter Xtables support" (Network packet filtering -> Core Netfilter Configuration)
* "Connection tracking" (... -> Network packet filtering -> IP: Netfilter Configuration -> Connection tracking)
* "Connection tracking flow accounting" and "IP tables support" (on the same screen)
* And finally, "Layer 7 match support"
* After that you are free to choose which options to enable as modules and which to compile into the kernel (built-in)
Warning:
Some users have reported kernel crashes when using SMP with l7-filter, while others report that their SMP systems run normally.
If you have a multi-CPU machine, test it first before using it on a production server.
root# make
root# make modules_install install
- Iptables Patch
Download the iptables source from netfilter.org
root# cd /download
root# wget http://netfilter.org/projects/iptables/files/iptables-1.3.5.tar.bz2
root# tar xjf iptables-1.3.5.tar.bz2
root# cd iptables-1.3.5
root# patch -p1 < /download/netfilter-layer7-v2.7/iptables-layer7-2.7.patch
patching file extensions/.layer7-test
patching file extensions/libipt_layer7.c
patching file extensions/libipt_layer7.man
root# chmod +x extensions/.layer7-test
Before running 'make', make sure you have checked and adjusted the installation PREFIX directories for iptables in the 'Makefile'.
root# vi Makefile
PREFIX:=/usr
LIBDIR:=/lib
BINDIR:=/sbin
MANDIR:=/usr/share/man
INCDIR:=$(PREFIX)/include
root# make KERNEL_DIR=/usr/src/linux
root# make install KERNEL_DIR=/usr/src/linux
To patch iptables, the kernel source must already be compiled and installed (see the previous section).
- Protocol Definitions (Pattern Files)
Time to install the protocol definition files for the layer7-filter module.
Download the Protocol definitions file
root# cd /download
root# wget http://optusnet.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2006-12-12.tar.gz
root# tar xzf l7-protocols-2006-12-12.tar.gz
root# cd l7-protocols-2006-12-12
root# make install
mkdir -p /etc/l7-protocols
cp -R * /etc/l7-protocols
The 'make install' above only copies the protocol pattern files into the /etc/l7-protocols directory.
Once everything is installed, reboot your Linux PC.
- Setting up iptables to block p2p
The advice from the official site is actually not to block at all. Why? Let's ask.
I'll just quote it:
========================================
Blocking
Don't. Here's why:
* l7-filter matching isn't foolproof: there may be both false positives (one protocol can look like another) and false negatives (applications can do obscure things that we didn't count on). Patterns that are known to regularly generate false positives are marked "overmatching" on the protocols page, but others may also do so occasionally.
* Almost every type of Internet traffic has legitimate uses. For instance, P2P protocols, while widely used to violate copyright, are also an efficient way to distribute open source software and legally free music.
* Programs can respond to being blocked by port-hopping, switching between TCP and UDP, opening a new connection for every trivial operation, using encryption, or employing other evasion tactics. Trying to block such protocols has consequences on two levels:
1. In the case of port/protocol-hopping, you make it harder for yourself to identify protocols that already act this way.
2. You encourage programmers to include these "features" in new programs, making it harder for everyone in the future. For example: In early 2006, Bittorrent started moving towards end-to-end encryption because many networks were either blocking it or severely restricting its bandwidth.
* l7-filter patterns are not generally designed with blocking in mind. We consider a protocol to be well identified if the identification is useful for controlling its bandwidth. This means, for instance, that for P2P applications, we do not focus on catching connections that are not downloads.
* Blocking with l7-filter provides no security, since any reasonably determined person can easily circumvent it.
Instead of dropping packets you don't like, we recommend using Linux QoS to restrict their bandwidth usage. See the next section. If you insist on using l7-filter to drop packets, make sure you have investigated other options first, such as the features of your HTTP proxy (useful for worms).
========================================
But since you insist that p2p traffic must be blocked anyway, let's continue our project.
- How to set up iptables to block p2p traffic
We intercept the traffic in the mangle table, in the PREROUTING chain.
iptables -t mangle -A PREROUTING -m layer7 --l7proto 100bao -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto applejuice -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto ares -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto bittorrent -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto directconnect -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto edonkey -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto fasttrack -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto freenet -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto gnucleuslan -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto gnutella -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto goboogy -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto hotline -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto imesh -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto kugoo -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto mute -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto napster -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto openft -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto poco -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto soribada -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto soulseek -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto tesla -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto thecircle -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto xunlei -j DROP
eMule p2p is covered by the edonkey protocol.
Kazaa p2p is covered by the fasttrack protocol.
LimeWire p2p is covered by the gnutella protocol.
If you also want to block DAP (Download Accelerator Plus):
iptables -t mangle -A PREROUTING -m layer7 --l7proto http-dap -j DROP
Block Fresh Download:
iptables -t mangle -A PREROUTING -m layer7 --l7proto http-freshdownload -j DROP
Block AudioGalaxy p2p:
iptables -t mangle -A PREROUTING -m layer7 --l7proto audiogalaxy -j DROP
And if you want to block RPM files (the package format of Redhat/FC, Suse):
iptables -t mangle -A PREROUTING -m layer7 --l7proto rpm -j DROP
Also block malware-type traffic:
iptables -t mangle -A PREROUTING -m layer7 --l7proto code_red -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto nimda -j DROP
For the complete list, see the protocol definition files:
http://l7-filter.sourceforge.net/protocols
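As an added example (not from this tutorial or from the l7-filter project), here is a small POSIX shell helper that builds the blocking rules above from a list of protocol names and refuses any name that has no pattern file, since one unknown --l7proto name makes the whole rule load fail and leaves the network unfiltered. It assumes the /etc/l7-protocols directory from the install step (overridable through L7_PATDIR) and a hypothetical chain name L7BLOCK, and it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the tutorial or of l7-filter.
# Builds the p2p blocking rules from a list of protocol names, but only for
# names that have a <name>.pat file under the l7-protocols directory: iptables
# aborts the whole load when one --l7proto name has no pattern file, so a typo
# such as "bittorent" would otherwise leave the network unfiltered.
# Rules are printed, not applied: review them, then pipe the output to sh.

# Directory populated by "make install" of l7-protocols (patterns live in
# subdirectories such as protocols/ and malware/, so it is searched recursively).
L7_PATDIR=${L7_PATDIR:-/etc/l7-protocols}

# l7_proto_known NAME -> succeeds if NAME.pat exists anywhere under $L7_PATDIR
l7_proto_known() {
    find "$L7_PATDIR" -type f -name "$1.pat" 2>/dev/null | grep -q .
}

# l7_block_rules NAME... -> prints the rules; returns the number of names skipped.
# Rules go into a dedicated chain (hypothetical name L7BLOCK) that PREROUTING
# jumps to, so the set can be flushed and rebuilt without touching other rules.
l7_block_rules() {
    skipped=0
    echo "iptables -t mangle -N L7BLOCK 2>/dev/null || iptables -t mangle -F L7BLOCK"
    for proto in "$@"; do
        case $proto in
            *[!A-Za-z0-9_-]*|"")
                # only pattern-file-like names; anything else is a typo or injection
                echo "skip: invalid protocol name '$proto'" >&2
                skipped=$((skipped + 1)); continue ;;
        esac
        if l7_proto_known "$proto"; then
            echo "iptables -t mangle -A L7BLOCK -m layer7 --l7proto $proto -j DROP"
        else
            echo "skip: no pattern file $proto.pat under $L7_PATDIR" >&2
            skipped=$((skipped + 1))
        fi
    done
    # (re)attach the chain once at the top of PREROUTING, where the tutorial's rules sit
    echo "iptables -t mangle -D PREROUTING -j L7BLOCK 2>/dev/null"
    echo "iptables -t mangle -I PREROUTING -j L7BLOCK"
    return $skipped
}

# Stand-alone use: ./l7block.sh bittorrent edonkey gnutella fasttrack | sh
if [ $# -gt 0 ]; then
    l7_block_rules "$@"
fi
```

A non-zero exit status means at least one name was skipped, so check it before piping the output to sh.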
- Viewing statistics for the p2p blocking rules
Type: root# watch iptables -t mangle -L -v
Every 2.0s: iptables -t mangle -L -v    Thu Dec 14 21:29:46 2006
Chain PREROUTING (policy ACCEPT 83 packets, 5657 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere LAYER7 l7proto 100bao
10 8091 DROP all -- any any anywhere anywhere LAYER7 l7proto fasttrack
48 12091 DROP all -- any any anywhere anywhere LAYER7 l7proto gnutella
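As an added example (not from this tutorial or from l7-filter), a shell/awk filter that turns that counter listing into a per-protocol summary, so you can see at a glance which blocking rules actually match and how much traffic they drop. The listing below is a constructed sample in the same column layout as the tutorial's output; for a real listing use iptables -t mangle -L -v -x -n (-x for exact counters, -n to skip DNS lookups).

```shell
#!/bin/sh
# Added example, not part of the tutorial or of l7-filter: summarise which
# layer7 DROP rules are actually matching, from the counter listing that
# "watch iptables -t mangle -L -v" shows. Use -x so counters are exact numbers
# (without it iptables abbreviates large counters as 12K, 3M, ...) and -n to
# skip DNS lookups:   iptables -t mangle -L -v -x -n | l7_drop_summary

# Constructed sample listing in the same column layout as the tutorial's output.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 83 packets, 5657 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto 100bao
      10       8091 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto fasttrack
      48      12091 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto gnutella
     120      96000 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto edonkey MARK set 0x3
       7        420 DROP       all  --  *      *       10.0.0.99            0.0.0.0/0'

# l7_drop_summary  (reads the listing on stdin)
# Prints "proto packets bytes" for every DROP rule that carries an l7proto match,
# largest byte count first, followed by a TOTAL line. Plain DROP rules and the
# MARK rules used for QoS are ignored.
l7_drop_summary() {
    awk '
        $3 == "DROP" {
            proto = ""
            for (i = 4; i <= NF; i++)
                if ($i == "l7proto") { proto = $(i + 1); break }
            if (proto != "") {
                pkts[proto] += $1; bytes[proto] += $2
                tp += $1; tb += $2
            }
        }
        END {
            sorter = "sort -k3,3nr"
            for (p in pkts) printf "%s %d %d\n", p, pkts[p], bytes[p] | sorter
            close(sorter)
            printf "TOTAL %d %d\n", tp, tb
        }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LISTING" | l7_drop_summary
```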
- Limiting p2p traffic bandwidth
To limit the bandwidth of p2p traffic, combine L7-filter with QoS (cbq or htb) by mangling the packets with a MARK rule instead of dropping them.
Example:
iptables -t mangle -A PREROUTING -m layer7 --l7proto edonkey -j MARK --set-mark 0x3
Then configure it in the cbq or htb file with the parameter MARK=3.
- FAQ:
Q: Where can I ask about this, since I still don't understand?
A: Just throw it at forum.linux.or.id (hehe...:D)
- Thanks to:
The English version of the tutorial: http://l7-filter.sourceforge.net/
and the great people behind it.
- Credits
The original coders were Justin Levandoski, Ethan Sommer, and Matthew Strait, with support from Sebastian Celis, Andy Exley and Lillie Kittredge.
The primary maintainers are now Ethan Sommer and Matthew Strait.
Thanks also to: The great team Layer7