Filtering P2P network traffic with ipp2p

Posted by rak on Wed 14 Nov 2007 at 12:10

Large and medium-sized corporate and institutional networks nowadays suffer from "smart" users who try to download their latest movie, software, music or TV show at the office.

Besides the moral/legal dispute, these activities present the network admins with some trouble: to begin with, a considerable downgrade in network performance, then the need to comply with local policy and legal restrictions, and of course the admins need the full bandwidth for their own downloads.

ipp2p is a reasonably stable product; I've used it for 2 years in a large network (4 class C networks) in a university environment. Users were used to abusing the network for personal downloads, and after chasing and punishing them for some time we chose to block the traffic once and for all.

ipp2p works by recognizing patterns in the payload of packets, thus allowing the admin to restrict, prioritize or even block, as we did, the traffic.

It has 2 components: a kernel module, ipt_ipp2p.o (for 2.4.x) or ipt_ipp2p.ko (for 2.6.x), and an iptables module, libipt_ipp2p.so. Both must be compiled from the source package downloaded from the ipp2p site. (There are no packages for Debian stable, testing or unstable.)

There are some things you must take into consideration when compiling this program under Debian, since there are some requirements involved.

The headers package for your kernel must be installed, and so must the source code of the kernel and the iptables package. (It should be able to compile with the iptables-dev package, but I haven't tried that so far.)

apt-get install linux-kernel-header
apt-get install linux-source-(kernel version)
apt-get source iptables

(Remember to add a source repository to your /etc/apt/sources.list if you've not already got one present.)

For the kernel there is not much trouble if you are running the standard Debian kernel. If you are not, you will need to ensure that the headers are accessible to the Makefile. You can either make a symlink to the kernel source directory, or edit the Makefile with your favourite editor (I'll use joe): go to line 6 and set the appropriate path there.

For iptables

ln -s (path_to_iptables_source)/iptables-1.3.6.0debian1/iptables /usr/src/iptables-1.3.6

For the kernel

ln -s /usr/src/linux-source-(you_kernel_version) /usr/src/linux

With these links in place you should be able to compile ipp2p without trouble. Well, almost.

The first time I installed this package it took some work; the second time it was almost impossible. As I later discovered by googling around, to get the Makefile working you need to change line 67 from this:

ld -shared -o libipt_ipp2p.so libipt_ipp2p.o

to this:

$(CC) -shared -o libipt_ipp2p.so libipt_ipp2p.o

Yes, it is almost the same line. No, I don't know why, but it works.

Now you only have to install the kernel module and the iptables library in the corresponding places.

For iptables

cp libipt_ipp2p.so /lib/iptables

Test iptables

iptables -m ipp2p --help

This should return lots of info about ipp2p, ending with example lines as follows:

 iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01
 iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP
 iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP

For your kernel

insmod ipt_ipp2p.o 
insmod ipt_ipp2p.ko  [ depending on version ]
depmod -a

You can test the module by running:

lsmod | grep ipp2p

This should return:

ipt_ipp2p               6592  6 
x_tables               12676  7  xt_mac,ipt_ipp2p,xt_tcpudp,ip_tables,ipt_owner,ipt_REJECT,ipt_LOG

Or something similar, depending on your kernel configuration; what matters is that the ipt_ipp2p module is present.
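The whole preparation as one script, added here as an example (it is not code from the ipp2p project or from this article's author): it creates the two symlinks, applies the Makefile change with sed instead of by hand, and after installation checks that both the iptables library and the kernel module are in place. The source paths are assumptions built from the versions mentioned on this page (kernel 2.6.18, iptables 1.3.6, ipp2p 0.8.2); override them with the environment variables if yours differ.

```shell
#!/bin/sh
# Prepare and verify an ipp2p build on Debian, following the article's steps.
# Added example, not from the ipp2p project. Paths below are assumptions.
set -eu

KSRC="${KSRC:-/usr/src/linux-source-2.6.18}"                    # assumed kernel source dir
IPTSRC="${IPTSRC:-/usr/src/iptables-1.3.6.0debian1/iptables}"   # assumed iptables source dir
IPP2P_DIR="${IPP2P_DIR:-/usr/src/ipp2p-0.8.2}"                  # assumed unpacked ipp2p tree

# Create the two symlinks the Makefile expects, only if they are not there yet
link_sources() {
    [ -e /usr/src/linux ] || ln -s "$KSRC" /usr/src/linux
    [ -e /usr/src/iptables-1.3.6 ] || ln -s "$IPTSRC" /usr/src/iptables-1.3.6
}

# Replace the bare 'ld' link line (line 67 in the article) with $(CC).
# Works on a copy so an interrupted sed never leaves a truncated Makefile,
# and returns non-zero if the expected line was not found and replaced.
patch_makefile() {
    mk="$1"
    tmp="$mk.tmp"
    sed 's/^ld -shared -o libipt_ipp2p\.so libipt_ipp2p\.o[[:space:]]*$/$(CC) -shared -o libipt_ipp2p.so libipt_ipp2p.o/' "$mk" > "$tmp"
    mv "$tmp" "$mk"
    grep -q '^\$(CC) -shared -o libipt_ipp2p\.so' "$mk"
}

# Post-install check: userspace library answers and the kernel module is loaded
verify_install() {
    iptables -m ipp2p --help >/dev/null 2>&1 \
        || { echo "iptables cannot load the ipp2p match (libipt_ipp2p.so missing?)" >&2; return 1; }
    lsmod | grep -q '^ipt_ipp2p' \
        || { echo "ipt_ipp2p kernel module is not loaded" >&2; return 1; }
    echo "ipp2p userspace and kernel parts present"
}

case "${1:-}" in
    prepare) link_sources && patch_makefile "$IPP2P_DIR/Makefile" ;;
    verify)  verify_install ;;
    *)       echo "usage: $0 prepare|verify" >&2 ;;
esac
```

Run `prepare` before `make` and `verify` after copying the library and loading the module; `verify` is the scripted form of the two manual checks above (`iptables -m ipp2p --help` and `lsmod | grep ipp2p`).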

So now you are set to go; the only thing left is setting up your firewall rules. A simple drop-everything rule would be like this:

iptables -A FORWARD -m ipp2p --bit -j DROP

Taken from the README example; more complex rules may be necessary according to the firewall setup.

An admin-friendly rule would be like:

iptables  -I FORWARD -d admin_ip -m ipp2p --ipp2p -j ACCEPT

but if your co-workers find out, you will be in trouble ;)
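The two rules above combined into a small ruleset, as an added example (not the ipp2p README's rules nor the author's): a dedicated chain holds the admin exception, a rate-limited LOG rule and the DROP, and FORWARD gets a single hook that sends everything the --ipp2p match recognizes into that chain. Because dropped connections are logged, the script also includes a helper that counts dropped connections per source address from syslog, which answers the usual follow-up question of which host is doing the downloading. The chain name, the admin address and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Drop P2P traffic as in the article's FORWARD rules, using a dedicated chain,
# an optional admin bypass and a rate-limited LOG rule for identification.
# Added example; chain name, admin IP and the sample log are constructed.
set -eu

IPTABLES="${IPTABLES:-iptables}"
CHAIN="P2P_FILTER"   # assumed chain name

# Print the rules instead of running them so they can be reviewed first.
# The first argument, if given, is an admin IP that is exempted.
p2p_rules() {
    admin_ip="${1:-}"
    echo "$IPTABLES -N $CHAIN"
    if [ -n "$admin_ip" ]; then
        # RETURN rather than ACCEPT: the admin's traffic goes back to FORWARD
        # and stays subject to whatever other rules follow there.
        echo "$IPTABLES -A $CHAIN -d $admin_ip -j RETURN"
    fi
    # Rate-limited log so one busy downloader cannot flood syslog
    echo "$IPTABLES -A $CHAIN -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"ipp2p-drop: \""
    echo "$IPTABLES -A $CHAIN -j DROP"
    # Single hook in FORWARD; --ipp2p matches every protocol ipp2p knows about
    echo "$IPTABLES -A FORWARD -m ipp2p --ipp2p -j $CHAIN"
}

# Apply the generated rules (needs root and a working ipp2p match)
apply_p2p_rules() {
    p2p_rules "${1:-}" | sh -e
}

# Count dropped connections per source address from syslog lines carrying
# the prefix above. Reads the log on stdin and prints "SRC count", busiest first.
top_p2p_sources() {
    grep 'ipp2p-drop: ' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Constructed sample syslog lines (not captured from a real firewall)
SAMPLE_LOG='Nov 14 12:10:01 fw kernel: ipp2p-drop: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.9 PROTO=TCP SPT=51413 DPT=6881
Nov 14 12:10:05 fw kernel: ipp2p-drop: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=198.51.100.7 PROTO=TCP SPT=51414 DPT=6881
Nov 14 12:10:09 fw kernel: ipp2p-drop: IN=eth1 OUT=eth0 SRC=10.1.2.77 DST=198.51.100.8 PROTO=UDP SPT=4662 DPT=4672
Nov 14 12:11:00 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.9 DST=203.0.113.1 PROTO=TCP SPT=1234 DPT=80'

case "${1:-}" in
    show)  p2p_rules "${2:-}" ;;                 # ./p2p.sh show [admin_ip]
    apply) apply_p2p_rules "${2:-}" ;;           # ./p2p.sh apply [admin_ip]
    top)   top_p2p_sources ;;                    # grep ipp2p-drop /var/log/syslog | ./p2p.sh top
    *)     printf '%s\n' "$SAMPLE_LOG" | top_p2p_sources ;;
esac
```

With no arguments the script summarizes the constructed sample, which shows 10.1.2.3 with two dropped connections ahead of 10.1.2.77 with one; the line without the prefix is ignored. The LOG rule is what turns a blind DROP into something you can act on, and the limit keeps a single host from filling the log.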

Enjoy,

Posted by Anonymous (88.2.xx.xx) on Wed 14 Nov 2007 at 13:08
Thanks, cool ;-)

[ Parent | Reply to this comment ]

Posted by Anonymous (132.79.xx.xx) on Wed 14 Nov 2007 at 15:00
I have got ipp2p to install on a MEPIS system, but I had to use an older version of the kernel as the MEPIS 7 beta 6 kernel (2.6.22.12) will not work. I found by googling that ipp2p has problems with the 2.6.22.x version.

It also looks like the ipp2p project is not being maintained so I don't think the .22 version will get supported.

What are your thoughts?

thanks

[ Parent | Reply to this comment ]

Posted by Anonymous (203.144.xx.xx) on Sat 17 Nov 2007 at 09:58
and modification of Makefile:

supply: ld -shared -o libipt_ipp2p.so libipt_ipp2p.o
by: $(CC) -shared -o libipt_ipp2p.so libipt_ipp2p.o

[ Parent | Reply to this comment ]

Posted by Anonymous (80.53.xx.xx) on Wed 14 Nov 2007 at 15:26
Try l7-filter (http://l7-filter.sourceforge.net/). It's compatible with the newest kernels and has more protocols rules than ipp2p.

[ Parent | Reply to this comment ]

Posted by rak (164.73.xx.xx) on Wed 14 Nov 2007 at 16:05
I'll check it to see how it works, thx for the input.

Cya

[ Parent | Reply to this comment ]

Posted by kayo (194.150.xx.xx) on Thu 15 Nov 2007 at 06:19
Not working for me:
# iptables -A FORWARD -m ipp2p --bit -j DROP
iptables: Invalid argument

[ Parent | Reply to this comment ]

Posted by Anonymous (132.79.xx.xx) on Thu 15 Nov 2007 at 13:06
kayo,

Did you try this command to test the install?

iptables -m ipp2p --help

If you have it configured correctly you should get some ipp2p output.

[ Parent | Reply to this comment ]

Posted by kayo (194.150.xx.xx) on Thu 15 Nov 2007 at 13:25
Yes, I tried this test and everything is OK.

[ Parent | Reply to this comment ]

Posted by kayo (194.150.xx.xx) on Fri 16 Nov 2007 at 06:23
Test passed but still with error as above

[ Parent | Reply to this comment ]

Posted by Anonymous (122.167.xx.xx) on Thu 15 Nov 2007 at 08:53
This is good, but what if the user used:
SSL
SSH port forwarding
BitTorrent header encryption

I guess it won't work, nevertheless article is still useful.

Cheers,

[ Parent | Reply to this comment ]

Posted by rak (190.64.xx.xx) on Thu 15 Nov 2007 at 11:53
I haven't tested it, but from what I know the block wouldn't work. Though that would need more than the average user. In any case the traffic meter mrtg would show that there is a P2P program running in your network, and with ipfm, iptraf and nmap it would be easy to find out which IP/MAC is offending. Then with an iptables rule of the type iptables -I FORWARD -m mac --mac-source "offending MAC" -j DROP you can block that machine, unless the user changes the NIC; not really simple, but he could.

[ Parent | Reply to this comment ]

Posted by Anonymous (83.4.xx.xx) on Sat 17 Nov 2007 at 19:11
I wouldn't advise blocking traffic with modules like ipp2p or layer7; they produce some amount of false positives / false negatives, so they are not 100% reliable. These modules were developed with stats / QoS in mind.

[ Parent | Reply to this comment ]

Posted by schorpp (91.89.xx.xx) on Wed 5 Dec 2007 at 17:57
I would second that. This is trivial nonsense, useless against upcoming secure P2P apps, and will lead to unacceptable false positive drops, and (against the reasoning of the article's creator) RIAA/MPAA will take it as ammunition for their lawyers to harden their charges against systems administrators accused of so-called "content rights violation" who refuse to install such stuff. Tracking and catching "offending" network users for such reasons is not the systems administrator's task, because it is neither a technical nor an IT-security task. If RIAA/MPAA want us to do so, then they must pay us and the internet industry for such work for them, as usual in business and civil law. I cannot be held responsible for what users do with their crap content or what they've got in mind.
Never try to solve social problems with technology. This has always failed in history.

[ Parent | Reply to this comment ]

Posted by Anonymous (200.40.xx.xx) on Thu 27 Dec 2007 at 18:47
Well, here the problem isn't copyright law and RIAA/MPAA hounds; the problem is more basic: there are 3 or 4 SOBs who are sucking all the bandwidth out of the network to download movies/games/software/porn and not letting people work. So as you can't oblige them not to do it, for other reasons, I'm compelled to find other solutions.
This was the best I could come up with for now. Any better idea is always welcome.

[ Parent | Reply to this comment ]

Posted by Anonymous (160.114.xx.xx) on Thu 27 Dec 2007 at 10:26
iptables -m ipp2p --help
this test is OK!

This problem:

iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables: Invalid argument

and
kernel: ip_tables: ipp2p match: invalid size 16 != 8

[ Parent | Reply to this comment ]

Posted by rak (200.40.xx.xx) on Thu 27 Dec 2007 at 18:50
Ermmm, maybe there was something wrong in the kernel module compile; I guess so much for your second comment. Try to compile it again and see if any error message pops up. Or what happens when you run lsmod | grep ipp2p? Post that output for more help.

[ Parent | Reply to this comment ]

Posted by Anonymous (81.19.xx.xx) on Fri 11 Jan 2008 at 08:55
Hi,
I'm in the same situation (the command line error and messages log record are the same).
Both the ipp2p compilation and the ipp2p kernel module loading performed without error. Trying lsmod I obtained:

[root@srv ~]# lsmod | grep ipp2p
ipt_ipp2p 16128 0
x_tables 29257 7

Any idea?
Thanks
Andrew

[ Parent | Reply to this comment ]

Posted by Anonymous (87.11.xx.xx) on Sun 10 Feb 2008 at 21:37
Same errors here:

# iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables: Invalid argument

from /var/log/syslog:
kernel: ip_tables: ipp2p match: invalid size 16 != 8

# uname -r
2.6.18-6-amd64

[ Parent | Reply to this comment ]

Posted by Anonymous (89.140.xx.xx) on Thu 14 Feb 2008 at 12:40

[ Parent | Reply to this comment ]

Posted by Anonymous (202.162.xx.xx) on Tue 12 Feb 2008 at 05:51
I have an error:

Router:/usr/src/ipp2p-0.8.2# make
make -C /usr/src/linux SUBDIRS=/usr/src/ipp2p-0.8.2 modules
make[1]: Entering directory `/usr/src/linux-source-2.6.18'

WARNING: Symbol version dump /usr/src/linux-source-2.6.18/Module.symvers
is missing; modules will have no dependencies and modversions.

Building modules, stage 2.
MODPOST
/bin/sh: scripts/mod/modpost: No such file or directory
make[2]: *** [__modpost] Error 127
make[1]: *** [modules] Error 2
make[1]: Leaving directory `/usr/src/linux-source-2.6.18'
make: *** [ipt_ipp2p.ko] Error 2

Why? Please help me!

[ Parent | Reply to this comment ]

Posted by rak (190.64.xx.xx) on Mon 18 Feb 2008 at 01:38
You seem to have a missing "symvers" module; try to add it to your kernel config. If you are using a Debian standard kernel and you have this problem, then there was probably an error while you installed the kernel, or you deleted some modules after install; try reinstalling the kernel.

[ Parent | Reply to this comment ]

Posted by Anonymous (200.84.xx.xx) on Thu 13 Mar 2008 at 14:11
do you have build-essential and linux-headers-`uname -r` installed?

aptitude install build-essential linux-headers-$(uname -r)

[ Parent | Reply to this comment ]

Posted by jorgeisaac (165.98.xx.xx) on Fri 9 May 2008 at 16:45
Hello all,

Good article! Thanks.

I faced some problem in order to be able to block the p2p traffic.

Here are my additional tasks:

apt-get install libncurses5
apt-get install libncurses5-dev
apt-get install gcc-3.3

make CC=gcc-3.3 menuconfig && make CC=gcc-3.3 prepare \
&& make CC=gcc-3.3 modules_prepare

Jorge Isaac Davila Lopez
Nicaragua Open Source
+505 430 5462
davila@nicaraguaopensource.com

[ Parent | Reply to this comment ]

Posted by Anonymous (85.235.xx.xx) on Wed 8 Oct 2008 at 22:00
On my Debian 4.0r3 i486 kernel I had to install this as well:
apt-get install linux-headers-2.6.18-6-486

insmod ipt_ipp2p.ko (kernel 2.6.x)
insmod ipt_ipp2p.o (kernel 2.4.x)

[ Parent | Reply to this comment ]

Posted by Anonymous (194.206.xx.xx) on Tue 10 Feb 2009 at 15:36
It seems not to work, not enough information ... grrr

[ Parent | Reply to this comment ]

Posted by rak (190.134.xx.xx) on Tue 10 Feb 2009 at 21:44
Hmmm, don't you get any error message back, like "can't load kernel modules", or do you have some other type of error?

[ Parent | Reply to this comment ]

Posted by justanotheruser (2a01:0xx:0xx:0xxx:0xxx:0xxx:xx) on Wed 26 Aug 2009 at 19:59
The ipp2p module (including fixes) is bundled with Xtables-addons.

[ Parent | Reply to this comment ]

Posted by Anonymous (41.100.xx.xx) on Fri 11 Jun 2010 at 00:43
What if I want to block only downloading or uploading traffic, is this possible?

[ Parent | Reply to this comment ]

Posted by rak (164.73.xx.xx) on Fri 11 Jun 2010 at 13:32
You can block incoming or outgoing connections, but I'm not sure you can block uploading or downloading, since to upload or download you first need to establish a connection. You could try to block incoming connections and allow outgoing connections, but that will trash P2P program performance, or won't do a thing, depending on the firewall-avoiding capability of the software you're using.
For a long time IPP2P has received no maintenance, and it is officially out of support. Plus the most common P2P programs have proven capable of avoiding it.
I would recommend using Layer7 (L7), http://l7-filter.sourceforge.net, which seems to be working really fine. I'm working on a how-to to install it under Lenny, but it is still cooking and will take some time.

Sincerely
Carlos

[ Parent | Reply to this comment ]

Posted by Anonymous (116.71.xx.xx) on Tue 31 Aug 2010 at 10:58
Have you managed to prep the installation?

[ Parent | Reply to this comment ]
