Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Inconsistent BitTorrent Filtering with nDPI #184

Closed
houmie opened this issue Jan 2, 2024 · 4 comments
Closed

Inconsistent BitTorrent Filtering with nDPI #184

houmie opened this issue Jan 2, 2024 · 4 comments
Labels
bug

Comments

@houmie
Copy link

houmie commented Jan 2, 2024

Describe the bug

In Short: The BitTorrent filter functions correctly only when opening a Torrent magnet file and initiating the download. However, there is a workaround. By switching the network to one without nDPI, starting the torrent download, and then reverting to the network with nDPI, nDPI can no longer recognize the torrent traffic. This issue could be related to my iptables setup, but I cannot identify any mistakes.

This describes how I have configured iptables to filter BitTorrent for Wireguard users.
The Wireguard VPN (wg interface) operates over the FORWARD chain.

# Generated by iptables-save v1.8.9 (nf_tables) on Sat Dec 30 11:05:43 2023
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [13:3404]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 57060 -j ACCEPT
-A INPUT -s 172.16.96.0/21 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 275 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -m ndpi --proto bittorrent -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -o wg0 -j ACCEPT
-A FORWARD -i wg0 -o eth0 -j ACCEPT
COMMIT
# Completed on Sat Dec 30 11:05:43 2023
# Generated by iptables-save v1.8.9 (nf_tables) on Sat Dec 30 11:05:43 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:288]
:POSTROUTING ACCEPT [1:288]
-A POSTROUTING -s 172.16.96.0/21 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Dec 30 11:05:43 2023

Expected behavior

In all circumstances the bittorrent packets should be blocked.

nDPI Environment (please complete the following information):

  • OS name: Debian
  • OS version: 12
  • Architecture: amd64
  • nDPI version or commit hash: 36d25ac
  • nDPI compilation flags used: ./autogen.sh --with-only-libndpi
@houmie houmie added the bug label Jan 2, 2024
@vel21ripn
Copy link
Owner

We cannot detect encrypted bittorrent protocol traffic.
My version has DHT decoding, which allows you to get additional information about likely bittorrent connections, but this still does not guarantee detection of all bittorrent traffic.

@houmie
Copy link
Author

houmie commented Jan 7, 2024
edited
Loading

Thank you for the information. Could you please clarify if the DHT decoding feature is automatically enabled when I use your project, or do I need to activate it by setting a specific flag during the compilation process?

@vel21ripn
Copy link
Owner

No special settings required.

@houmie
Copy link
Author

houmie commented Jan 9, 2024

Thank you for confirming. Based on this, I plan to modify the iptables settings from:

-A FORWARD -m ndpi --proto bittorrent -j REJECT

to:

-A FORWARD -m ndpi --proto bittorrent -j DROP

My understanding is that using REJECT might not be ideal in this scenario, as it informs the torrent client that the packet was rejected, potentially prompting it to resend. Conversely, DROP simply discards the packet without notifying the torrent client, potentially slowing down or fully blocking the transfer without encouraging repeated attempts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@houmie @vel21ripn