Filtering P2P network traffic with ipp2p
Posted by rak on Wed 14 Nov 2007 at 12:10
Large and medium size corporate institutional networks suffer now a days from "smart" users who try to get their latest Movie/soft/Music/TVShow downloaded in their office.
Beside the moral/legal dispute these activities present the network admins with some troubles. To begin with a considerable downgrade in the network performance, and the need to comply with local policy and legal restrictions, and of course the admins needs to have full band with for they own downloads.
ipp2p is a reasonable stable product, I 've use it for 2 years in a large network 4 class C networks in an university environment. Users were use to abuse the network for personal downloads, and after chasing and punishing them for some time we chose to block the traffic once and for all.
ipp2p works by recognizing patterns in the payload of packages, thus allowing the admin, to restrict, prioritize or even block, as we did, the traffic.
It has 2 components a kernel module ipt_ipp2p.o (for v2.4.x) or ipt_ipp2p.ko (for 2.6.x) and an iptables module libipt_ipp2p.so, both must be compiled from source package downloaded from the ipp2p site. (There are no packages for debian stable, testing or unstable.)
There are some thing you must take into consideration, when compiling this program under Debian since, there are some requirements involved..
The headers package for your kernel must be installed, and so must the source code of the kernel and the iptables package. (It should be able to compile with the iptables-dev package but I haven't tried that so far.)
apt-get intall linux-kernel-header apt-get install linux-source-(kernel version) apt-get source iptables
(Remember to add a source repository to your /etc/apt/source.list if you've not already got them present.)
For the kernel there is not much trouble if you are running the standard debian kernel. If you are not doing so, you will need to ensure that the headers are accessible to the Makefile. You can either make a symlink to the kernel source directory or edit the Makefile, with your favourite editor, I'll use joe, go to line 6 and set the appropriate path for it.
ln -s (path_to_iptables_source)/iptables-18.104.22.168debian1/iptables /usr/src/iptables-1.3.6
For the kernel
ln -s /usr/src/linux-source-(you_kernel_version) /usr/src/linux
With these links in place you should be able to compile the ipp2p without trouble, well almost.
The first time I install this package it took some work, the second was almost impossible. As I later discovered googling around to have the Makefile working you need to change line 67 from this:
ld -shared -o libipt_ipp2p.so libipt_ipp2p.o
$(CC) -shared -o libipt_ipp2p.so libipt_ipp2p.o
Yes it is almost the same line no I dont know why, but it works..
Now you only have to install the kernel module and the iptables lib in the corresponding way.
cp libipt_ipp2p.so /lib/iptables
iptables -m ipp2p --help
This should retune lots of info about ipp2p and and example ending line as follows:
iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01 iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP
For your kernel
insmod ipt_ipp2p.o insmod ipt_ipp2p.ko [ depending on version ] depmod -a
You can test the module by running:
lsmod | grep ipp2p
This should return:
ipt_ipp2p 6592 6 x_tables 12676 7 xt_mac,ipt_ipp2p,xt_tcpudp,ip_tables,ipt_owner,ipt_REJECT,ipt_LOG
Or something similar, depending on your kernel configuration, what matter is that the ipt_ipp2p module is present.
So now you are set to go, the only thing left is setting up your firewall rules a simple drop everything rule would be like this:
iptables -A FORWARD -m ipp2p --bit -j DROP
Taken from the README example, more complex rules may be necessary according the firewall setup.
An admin friendly rule would be like:
iptables -I FORWARD -d admin_ip -m ipp2p --ipp2p -j ACCEPT
but if your co workers find out you will be in trouble ;)