Solved

List based IP blocking

Posted on 2004-09-16
557 Views
Last Modified: 2013-11-15
Right guys, I've got Smoothwall as our router here. For those not in the know, Smoothwall (V2 Express) is a Linux distro stripped down and armed to the teeth with firewall applications and router software...

It's very good at the moment but we've just had a warning from our ISP that the RIAA caught somebody on our network downloading something over bittorrent...

So my plan is, because I use bittorrent for downloading ISOs for Linux, that instead of just blocking the port, I just block all govt/riaa/other people... So that they cannot do their evil scans on our network.

I have a list (from peerguardian) which I should be able to beat into any format containing all the IPs I want to block... I just need to know how I'm going to do this in Smoothwall...


Just some more info about smoothwall...
Uses kernel 2.4.27
Does not have compiling functions like Make

Over to you...
Question by:OliWarner

16 Comments
LVL 40

Expert Comment

by:jlevie
ID: 12079751
Your ISP or the RIAA is running something that looks at the network data and identifies packets that are part of a peer-to-peer transaction. Neither they nor the "govt/riaa/other people" did any "evil scans" on your machines. So this isn't something that you can "fix" with an iptables rule set.

The warning that "the RIAA caught somebody on our network downloading something over bittorrent" most likely means that your network traffic showed that somebody was observed downloading copyrighted material. Typically the RIAA will indicate in their warning exactly what they saw being downloaded. If they don't provide that information we disregard the warning, but if they cite a specific download that is protected we take action against the individual that did the download.

LVL 16

Author Comment

by:OliWarner
ID: 12080123
They can't in the UK... to foreigners all they can do is report network abuse to the ISP...

FYI, "evil scans" (perhaps not my best wording ever) do exist... The way they collect information is not by accessing and scanning your traffic directly but by connecting to a P2P node and asking for the share lists from the node. Their PC then accesses your P2P software as if it were any other user, and requests the file. The file is confirmed manually. They then ask/order your ISP to hand over logs for the timeframe where the network abuse took place. Then if you're in the US they decide whether or not to sue you.

The whole method relies on their RIAA PC connecting to your p2p client. If their IPs are banned they cannot gather the evidence or even a list from it.


So yes, there are already Windows versions of software that will block IPs, and I know setting up an IP table would work... I'm just not sure what I'm doing =) as you may have guessed...
LVL 40

Expert Comment

by:jlevie
ID: 12080376
>  They cant in the UK... to foreigners all they can do is report network abuse to the ISP

The RIAA (Recording Industry Association of America) is a US organization and doesn't (as far as I know) have the same protection under law in the UK as it does in the US (the DMCA law).

> The whole method relies on their RIAA PC connecting to your p2p client

Nope. They can tell if someone has downloaded copyrighted material by sniffing the network traffic at or in the network path to a suspected or known source site in the US. And in fact that is commonly done by the RIAA and allowed for by the DMCA in the US.

They could connect to a foreign P2P client site and note what that machine is offering, but if the laws of that nation don't provide the same protection as the DMCA in the US there'd be nothing that they could do other than to send harassing notices.
LVL 2

Accepted Solution

by:
montasirma earned 500 total points
ID: 12080418
You have one of 2 options.

Either add all the IPs you got in the hosts file (/etc/hosts) on all computers and let them point to an internal IP or localhost (127.0.0.1).

Or try installing something like squid-proxy (http://www.squid-cache.org)
LVL 13

Expert Comment

by:kenfcamp
ID: 12084479
You do have options.

P2P has its usefulness and I do understand both sides of the issue.

The problem you have is the RIAA has identified somebody on your network as downloading protected material.
Assuming it wasn't you, and to put a good foot forward (should you need the ability to show action) I would block access to the port bittorrent uses along with access to all associated IPs (should you have access to a mirror list).

Once that's done, you can simply add a rule to allow your machine (IP) access while denying access to the rest of the network.
LVL 16

Author Comment

by:OliWarner
ID: 12084710
But for reasons that the terms and conditions would not allow me to say, I want to be able to use bittorrent, from any machine for any torrent...

I just don't want anybody I don't want viewing my network at all, least of all scanning any p2p software that somebody here might be running, regardless of its use.

I have a protowall list of IPs to block, updated all the time, which currently stands at over 70 million IPs that have to be denied access.


If nothing else, could somebody at least tell me how to use iptables? I'll try and get this thing blocking manually if I have to...
LVL 13

Expert Comment

by:kenfcamp
ID: 12084826
Hmm,

Well sorry, but if commenting would violate TOS of EE then that's where I'm going to leave it.

Good Luck
LVL 16

Author Comment

by:OliWarner
ID: 12084938
No, I typed up a long comment before realising that if the admins want to be really anal they could interpret it in a negative light, so I scrubbed that post and started afresh, just saying what I did.

The network here is about freedom to allow people to do what they like. Just like the connection your ISP offers you. It doesn't block all the ports off that it deems not necessary. I just want to block a list of IPs from intruding on our network...
Can you help me?
LVL 13

Expert Comment

by:kenfcamp
ID: 12085145
> The network here is about freedom to allow people to do what they like

That's commendable, however someone on your network has shown they can not be trusted to do what is right.
If this is the network of a private org. then the business can and probably will be held accountable if they ignore the ISP warning and allow further infringement.
(Don't forget about the grandmother who had to pay 20k because her granddaughter downloaded MP3s)

Our network and services follow the same principle, however our clients/users know that freedom has responsibilities attached to it.

If your users can't be trusted then facilitating them to further infringe on another's rights "IS NOT" the answer.

I do not agree with the RIAA and I do believe that "IF" I buy a song I should be able to use it where I like for my own purposes, but this is not the solution.
LVL 16

Author Comment

by:OliWarner
ID: 12085283
om(f)g... I'm really not trying to get into any copyright battle here... I'm not trying to pirate anything...
And because of the T&C I don't feel it's appropriate to say what my opinions on copyrights are, but that's not what I'm asking...

We're not in the same country as the RIAA, they have no legal power here - but they can ask the ISP to be evil to us, which they might do if our users here keep on using P2P... I've told everybody about it and told them that they should only use p2p for legal purposes.

Another problem with what you're suggesting is that P2P networks are always changing... I'd rather keep on top of the bad IPs than blocking each and every p2p network and allowing it to certain IPs...


I'm asking you, everybody on here, for some method, preferably using something like iptables, by which I can block a large list of IPs?
Please no more alternative suggestions, just answers....
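The method asked for in the post above (and again in the earlier request to be shown how to use iptables), as an added example that is not from this thread, from Smoothwall or from PeerGuardian: a POSIX sh script that converts a PeerGuardian-style range list into the smallest set of CIDR blocks covering each range and prints the iptables commands that fill a dedicated chain with one DROP rule per block. The assumed list format is one range per line as "Description:first-last" (plain "first-last" also works, and lines starting with # are skipped); the chain name BLOCKLIST and the sample list are constructed for the example. The script only prints commands, so the output can be reviewed and counted before anything is loaded into the kernel.

```sh
#!/bin/sh
# Added example: PeerGuardian-style range list -> iptables DROP rules.
# Assumed input format: "Description:first-last", one range per line.

# ip2int 192.0.2.1 -> 3221225985 (dotted quad to 32-bit integer)
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip 3221225985 -> 192.0.2.1
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range_to_cidr FIRST LAST -> minimal list of CIDR blocks covering every
# address from FIRST to LAST inclusive, one block per line.
range_to_cidr() {
    s=$(ip2int "$1")
    e=$(ip2int "$2")
    while [ "$s" -le "$e" ]; do
        # Start at /32 and widen the prefix while the block stays aligned
        # on s and its last address does not run past e.
        bits=32
        while [ "$bits" -gt 0 ]; do
            size=$(( 1 << (33 - bits) ))      # size of the next wider block
            if [ $(( s % size )) -ne 0 ] || [ $(( s + size - 1 )) -gt "$e" ]; then
                break
            fi
            bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$s")/$bits"
        s=$(( s + (1 << (32 - bits)) ))
    done
}

# emit_rules CHAIN < listfile -> one "iptables -A CHAIN -s block -j DROP"
# line per CIDR block. Comment lines, blank lines and CRLF endings are tolerated.
emit_rules() {
    chain=$1
    cr=$(printf '\r')
    while IFS= read -r line; do
        line=${line%"$cr"}
        case "$line" in ''|'#'*) continue ;; esac
        range=${line##*:}                 # drop the "Description:" prefix
        first=${range%-*}
        last=${range#*-}
        for cidr in $(range_to_cidr "$first" "$last"); do
            echo "iptables -A $chain -s $cidr -j DROP"
        done
    done
}

# Constructed sample list (documentation ranges, not a real blocklist).
SAMPLE_LIST='# constructed sample
Example range A:192.0.2.0-192.0.2.127
Example range B:198.51.100.10-198.51.100.13
Example range C:203.0.113.255-203.0.113.255'

# Demonstration: the chain, its rules, and the jumps that make a gateway
# consult it for traffic addressed to itself (INPUT) and routed through it (FORWARD).
echo "iptables -N BLOCKLIST"
printf '%s\n' "$SAMPLE_LIST" | emit_rules BLOCKLIST
echo "iptables -I INPUT -j BLOCKLIST"
echo "iptables -I FORWARD -j BLOCKLIST"
```

Two practical points follow from how iptables works: a chain is checked rule by rule, so a list of the size mentioned in this thread becomes a very long chain even after ranges are collapsed into CIDR blocks (count the output with `... | emit_rules BLOCKLIST | wc -l` before loading it), and rules added this way are gone after a reboot unless the same commands are re-run from a startup script.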
LVL 13

Expert Comment

by:kenfcamp
ID: 12085536
>  I'm not trying to pirate anything..

I never implied that you had (or were trying to). I'm sure your intentions are legitimate.

However that's not saying that the person who stumbles upon this question/answer isn't looking for the same solution for a less than favorable purpose.

> We're not in the same country as the RIAA, they have no legal power here

Maybe not, but it's still about piracy. For that reason you may find that you won't get exactly what you're looking for.
LVL 16

Author Comment

by:OliWarner
ID: 12085684
It's not about copyright, it's not about allowing people to download things... I a) don't want the likes of the RIAA on my network, period, and b) can't be bothered with the hassle of finding another ISP if a user's action gets our current one annoyed...

I don't care how favourable or unfavourable it may seem to you, I'm just interested in getting results.


IP blocking is the only scalable, cross-network solution for this problem... So answer my question and get your points, or don't... Just stop giving me grief about how my intentions look... I tell you, if I blocked all the p2p, there would be a lot more angry people emailing me tomorrow asking why they cannot download the latest kernels or do legit file searching... Which are two things that lots of users on the network do...
LVL 40

Expert Comment

by:jlevie
ID: 12085761
I can't say for certain what the RIAA does to identify machines offering or downloading materials protected by DMCA, but I know how I'd go about it. I'd simply get accounts at a number of ISPs and participate in the various p2p networks, taking note of the IPs that are offering material that I'm interested in. And, when attached to a broadband network (DSL, Cable) I'd simply sniff the traffic that's in my machine's collision domain. With some IPs identified it is simply a matter of watching what those machines do.

Because of the legal issues scanning a network for p2p nodes is "right out". Legally that would be seen as an illegal search and any information I discovered would be inadmissible ("fruit of the poisoned tree" rule). If I only work with information gathered in a legal manner (see above) I have the basis for a court order allowing me to do data collection at ISP's or NOC's.

And, because I need to do this covertly I'm not going to run a "detection" node for any significant period of time. A few days at any given place is probably sufficient, then I'll drop that account and create a new one elsewhere.

The end result of all of this is that you can never tell whether any p2p node that you might talk to is an RIAA "detection node" or if that node is in the collision domain of a "detection node". So attempting to use any sort of IP blocking will be useless. Yeah, you might block a known sensor, but you'd have no way to tell if another system anywhere in the network path is running a sniffer looking for p2p traffic.

> I just dont want anybody I dont want viewing my network at all

So enable a firewall for the network that blocks all inbound connections except for those you specifically offer to the Internet (e.g., DNS, mail, web, etc).
LVL 40

Expert Comment

by:jlevie
ID: 12085806
> I'm asking you, everybody on here, for some method, preferably using something like iptables, by which I can block a large list of IPs?

No, I'm pretty sure that you'll run out of kernel resources before you even get the list built.
LVL 3

Expert Comment

by:thunder_moose
ID: 12136492
I don't really think it would help. Bittorrent relies on a "tracker", a machine that helps all the peers connect, to get its files shared.

Trackers usually display lists of the IPs currently downloading/uploading. They could easily have seen that an IP that falls within your company's range has downloaded copyrighted material from the tracker itself. And since the tracker is outside your network, blocking their IPs would have no effect. Though it probably is better to have them blocked anyway.

Or at least, that's how I understand it.
LVL 16

Author Comment

by:OliWarner
ID: 12136883
Evidence needs a successful download off the suspect...