IPTABLES 是一个用户空间应用程序,它允许系统管理员配置 Linux 内核防火墙(以各种 Netfilter 模块的形式实现)提供的表及其存储的链和规则。.
设置 IPtables 规则
要使用 IPTABLES 阻止 BitTorrent 流量,您可以编辑 /etc/sysconfig/iptables(CentOS 7)并添加以下内容:
vim /etc/sysconfig/iptables.首先,你需要在第一条规则的正上方添加该链。
:RH-Firewall-1-INPUT - [0:0]
然后在 COMMIT 行上方添加以下内容。.
# Torrent ALGO Strings using Boyer-Moore
-A RH-Firewall-1-INPUT -m string --algo bm --string "BitTorrent" -j DROP
-A RH-Firewall-1-INPUT -m string --algo bm --string "BitTorrent protocol" -j DROP
-A RH-Firewall-1-INPUT -m string --algo bm --string "peer_id=" -j DROP
-A RH-Firewall-1-INPUT -m string --algo bm --string ".torrent" -j DROP
-A RH-Firewall-1-INPUT -m string --algo bm --string "announce.php?passkey=" -j DROP
-A RH-Firewall-1-INPUT -m string --algo bm --string "torrent" -j DROP
-A RH-Firewall-1-INPUT -m string --algo bm --string "announce" -j DROP
-A RH-Firewall-1-INPUT -m string --algo bm --string "info_hash" -j DROP
-A RH-Firewall-1-INPUT -m string --algo bm --string "/default.ida?" -j DROP
-A RH-Firewall-1-INPUT -m string --algo bm --string ".exe?/c+dir" -j DROP
-A RH-Firewall-1-INPUT -m string --algo bm --string ".exe?/c_tftp" -j DROP
# Torrent Keys
-A RH-Firewall-1-INPUT -m string --string "peer_id" --algo kmp -j DROP
-A RH-Firewall-1-INPUT -m string --string "BitTorrent" --algo kmp -j DROP
-A RH-Firewall-1-INPUT -m string --string "BitTorrent protocol" --algo kmp -j DROP
-A RH-Firewall-1-INPUT -m string --string "bittorrent-announce" --algo kmp -j DROP
-A RH-Firewall-1-INPUT -m string --string "announce.php?passkey=" --algo kmp -j DROP
# Distributed Hash Table (DHT) Keywords
-A RH-Firewall-1-INPUT -m string --string "find_node" --algo kmp -j DROP
-A RH-Firewall-1-INPUT -m string --string "info_hash" --algo kmp -j DROP
-A RH-Firewall-1-INPUT -m string --string "get_peers" --algo kmp -j DROP
-A RH-Firewall-1-INPUT -m string --string "announce" --algo kmp -j DROP
-A RH-Firewall-1-INPUT -m string --string "announce_peers" --algo kmp -j DROP
重启iptables
/etc/init.d/iptables restart查看 IPtables/验证规则
iptables -L示例输出
Chain RH-Firewall-1-INPUT (0 references)
target prot opt source destination
DROP all -- anywhere anywhere STRING match "BitTorrent" ALGO name bm TO 65535
DROP all -- anywhere anywhere STRING match "BitTorrent protocol" ALGO name bm TO 65535
DROP all -- anywhere anywhere STRING match "peer_id=" ALGO name bm TO 65535
DROP all -- anywhere anywhere STRING match ".torrent" ALGO name bm TO 65535
DROP all -- anywhere anywhere STRING match "announce.php?passkey=" ALGO name bm TO 65535
DROP all -- anywhere anywhere STRING match "torrent" ALGO name bm TO 65535
DROP all -- anywhere anywhere STRING match "announce" ALGO name bm TO 65535
DROP all -- anywhere anywhere STRING match "info_hash" ALGO name bm TO 65535
DROP all -- anywhere anywhere STRING match "/default.ida?" ALGO name bm TO 65535
DROP all -- anywhere anywhere STRING match ".exe?/c+dir" ALGO name bm TO 65535
DROP all -- anywhere anywhere STRING match ".exe?/c_tftp" ALGO name bm TO 65535
DROP all -- anywhere anywhere STRING match "peer_id" ALGO name kmp TO 65535
DROP all -- anywhere anywhere STRING match "BitTorrent" ALGO name kmp TO 65535
DROP all -- anywhere anywhere STRING match "BitTorrent protocol" ALGO name kmp TO 65535
DROP all -- anywhere anywhere STRING match "bittorrent-announce" ALGO name kmp TO 65535
DROP all -- anywhere anywhere STRING match "announce.php?passkey=" ALGO name kmp TO 65535
DROP all -- anywhere anywhere STRING match "find_node" ALGO name kmp TO 65535
DROP all -- anywhere anywhere STRING match "info_hash" ALGO name kmp TO 65535
DROP all -- anywhere anywhere STRING match "get_peers" ALGO name kmp TO 65535
DROP all -- anywhere anywhere STRING match "announce" ALGO name kmp TO 65535
DROP all -- anywhere anywhere STRING match "announce_peers" ALGO name kmp TO 65535
