> That's pretty clever, though a transparent squid proxy is a bit more than I'd put on most of my vpn hosts due to ram requirements. [..] you could even go so far as replacing all images with ones saying "No Torrenting".

That sounds very good.

You may drop connections to common tcp and ports of public and private trackers. If you need more than that, you have to implement level 7 filtering via iptables.
> What is the best way to implement that? IPTABLES or CSF one?

The easiest solution is to only allow outgoing connections to specific ports. The short list I use is as such:
- 22 - ssh default
- 80 - http
- 443 - https
Add more depending on your usage scenario. If you need FTP, you can allow 21 & turn on ftp conntrack to allow the second connection through. Basically, don't allow anything you can't protocol analyze on nonstandard ports.
The harder, but in my opinion more hilarious, way of doing it is to tarpit everything else. Use connmark & QoS to tag any connections that are not these three and put them in a shared bucket going maybe 50KBps across all connections and all users. Check out the lartc guide for how to set up HTB to rate limit. Users will quickly get the idea that your service is not good for bittorrent.
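Both variants from the post above, the port whitelist and the connmark plus HTB tarpit, as one added script. This is example code written for this page, not something the poster shared; it assumes VPN clients arrive on tun0, the upstream link is eth0, and a 100mbit uplink, all of which are placeholders you set through the variables at the top. The DNS rule is not on the poster's list but is added because clients need a resolver.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: VPN clients on tun0,
# upstream link eth0, 100mbit uplink. Set DRY_RUN=1 to print the commands
# instead of executing them.

VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"
ALLOWED_TCP="${ALLOWED_TCP:-22,80,443}"     # the post's short list
TARPIT_RATE="${TARPIT_RATE:-400kbit}"       # ~50 KB/s, shared by every marked flow
UPLINK_RATE="${UPLINK_RATE:-100mbit}"       # assumed link speed; HTB needs a root rate

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Variant 1: forward only the allowed ports from the VPN, drop the rest.
# Replies, and helper-tracked connections such as FTP data once
# nf_conntrack_ftp is loaded and 21 is added to ALLOWED_TCP, come back
# through the ESTABLISHED,RELATED rule.
whitelist_rules() {
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # DNS is not on the post's list, but clients need a resolver to reach anything
  run iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
  run iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -p tcp -m multiport --dports "$ALLOWED_TCP" \
      -m conntrack --ctstate NEW -j ACCEPT
  # Keep a rate-limited sample of what is dropped; useful when a client asks why
  run iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "VPN-DROP: "
  run iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -j DROP
}

# Variant 2: let everything through, but mark connections that are not on
# the list (mark 2) and pin them to a tiny HTB class on both interfaces.
tarpit_rules() {
  run iptables -t mangle -A FORWARD -j CONNMARK --restore-mark
  run iptables -t mangle -A FORWARD -m mark ! --mark 0 -j ACCEPT   # already classified
  run iptables -t mangle -A FORWARD -i "$VPN_IF" -p tcp -m multiport --dports "$ALLOWED_TCP" -j MARK --set-mark 1
  run iptables -t mangle -A FORWARD -i "$VPN_IF" -p udp --dport 53 -j MARK --set-mark 1
  run iptables -t mangle -A FORWARD -i "$VPN_IF" -m mark --mark 0 -j MARK --set-mark 2
  run iptables -t mangle -A FORWARD -j CONNMARK --save-mark
  for dev in "$WAN_IF" "$VPN_IF"; do
    run tc qdisc add dev "$dev" root handle 1: htb default 10
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$UPLINK_RATE"
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "$UPLINK_RATE" prio 0
    run tc class add dev "$dev" parent 1:1 classid 1:20 htb rate "$TARPIT_RATE" ceil "$TARPIT_RATE" prio 7
    # fw classifier: packets carrying mark 2 land in the shared tarpit class
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 handle 2 fw flowid 1:20
  done
}

case "${1:-}" in
  whitelist) whitelist_rules ;;
  tarpit)    tarpit_rules ;;
  *) echo "usage: $0 whitelist|tarpit   (DRY_RUN=1 prints instead of applying)" >&2 ;;
esac
```

Run `DRY_RUN=1 sh script.sh tarpit` first to read the generated commands; the connmark restore/save pair means only the first packet of each connection is classified, and the reply direction is squeezed as well because the same filter is installed on both interfaces.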
> I can tell them not to download torrents, but when they keep downloading torrents my VPS can automatically be suspended.

Just tell your friends that you see them downloading that pr0n, and GTFO.
Or you can do something more sinister: for example, when the bittorrent connections are connected you could cause it to flip all websites upside down.
This would still apply to your scenario since you have full control over their connections while on VPN; you could even go so far as replacing all images with ones saying "No Torrenting".
> Same question for EartVPN, how do I implement L7-filter with VPN?

> I am interested to know how to use Squid Proxy as the main protection.

That's pretty clever, though a transparent squid proxy is a bit more than I'd put on most of my vpn hosts due to ram requirements.
I think the problem becomes detecting torrenting; most, if not all, modern clients at least try to use encrypted connections, which you pretty much have to allow because SSL is used to secure a lot of applications. From the L7 filter page, matching for bittorrent is fickle at best; it won't positively ID all bt connections and time to classification is bad.
Honestly, I would handle this with 4 tools:
- QoS - known accepted traffic is prioritized above all others. A single user or group of users cannot be allowed to hose the entire service under any circumstance.
- Accountability - Keep traffic logs for quantity of data transferred, samplings of the number of active connections from conntrack, when a high number of concurrents include a sample of the connection list from conntrack, login ip connected from, login time, associated NAT or public ip if more than one available, logout time, and anything else you find appropriate. Require communication with clients be retained through a unified, searchable system including automated mailers, helpdesk tickets, and staff email, tagged by client.
This changes a technical solution into a social engineering solution. It takes significantly more maintenance effort to do this, as opposed to implementing a few firewall rules, but it's a lot more flexible for your users and provides a much higher quality service.
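The conntrack sampling and logging the post above describes, as an added script that is not the poster's own; it assumes clients get addresses in 10.8.0.0/24 and logs to /var/log/vpn-concurrency.log, both placeholders, and the conntrack lines in SAMPLE are constructed for the offline check. It counts distinct remote peers per client rather than raw connections, since many peers with one connection each is the shape a swarm leaves in the table while a browser keeps a handful of peers.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: clients in 10.8.0.0/24 and a
# log at /var/log/vpn-concurrency.log; SAMPLE is constructed test data.

VPN_PREFIX="${VPN_PREFIX:-10.8.0.}"
PEER_LIMIT="${PEER_LIMIT:-5}"
LOGFILE="${LOGFILE:-/var/log/vpn-concurrency.log}"

# Reads `conntrack -L` output on stdin and prints "client peers" for each
# client whose number of distinct remote addresses reaches the limit. Only
# the original-direction tuple (first src=/dst= on the line) is used, so the
# NATed reply tuple does not double count.
busy_clients() {
  awk -v prefix="$1" -v limit="$2" '
    {
      src = ""; dst = ""
      for (i = 1; i <= NF; i++) {
        if (src == "" && $i ~ /^src=/) src = substr($i, 5)
        if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
      }
      if (src == "" || index(src, prefix) != 1) next
      key = src "|" dst
      if (!(key in seen)) { seen[key] = 1; peers[src]++ }
    }
    END { for (s in peers) if (peers[s] >= limit) print s, peers[s] }
  ' | sort
}

# One sample: appends a timestamp, the flagged clients and their raw
# conntrack entries to the log, so a later complaint can be matched to data.
sample_once() {
  snapshot=$(conntrack -L 2>/dev/null) || return 0
  flagged=$(printf '%s\n' "$snapshot" | busy_clients "$VPN_PREFIX" "$PEER_LIMIT")
  [ -n "$flagged" ] || return 0
  {
    echo "=== $(date -u +%Y-%m-%dT%H:%M:%SZ) clients with >= $PEER_LIMIT peers"
    echo "$flagged"
    echo "$flagged" | while read -r client _; do
      printf '%s\n' "$snapshot" | grep -F "src=$client "
    done
  } >> "$LOGFILE"
}

# Constructed sample in `conntrack -L` format: 10.8.0.2 talks to six peers
# (one of them twice), 10.8.0.3 to two, and the last line is not a VPN client.
SAMPLE='tcp      6 431999 ESTABLISHED src=10.8.0.2 dst=198.51.100.10 sport=51234 dport=6881 src=198.51.100.10 dst=203.0.113.5 sport=6881 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.8.0.2 dst=198.51.100.11 sport=51235 dport=6881 src=198.51.100.11 dst=203.0.113.5 sport=6881 dport=51235 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.8.0.2 dst=198.51.100.12 sport=51236 dport=51413 src=198.51.100.12 dst=203.0.113.5 sport=51413 dport=51236 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.8.0.2 dst=198.51.100.13 sport=51237 dport=6881 src=198.51.100.13 dst=203.0.113.5 sport=6881 dport=51237 [ASSURED] mark=0 use=1
udp      17 29 src=10.8.0.2 dst=198.51.100.14 sport=51238 dport=6881 src=198.51.100.14 dst=203.0.113.5 sport=6881 dport=51238 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.8.0.2 dst=198.51.100.15 sport=51239 dport=6881 src=198.51.100.15 dst=203.0.113.5 sport=6881 dport=51239 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.8.0.2 dst=198.51.100.10 sport=51240 dport=6881 src=198.51.100.10 dst=203.0.113.5 sport=6881 dport=51240 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.8.0.3 dst=198.51.100.20 sport=40000 dport=443 src=198.51.100.20 dst=203.0.113.5 sport=443 dport=40000 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.8.0.3 dst=198.51.100.21 sport=40001 dport=443 src=198.51.100.21 dst=203.0.113.5 sport=443 dport=40001 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.9 dst=198.51.100.30 sport=40002 dport=443 src=198.51.100.30 dst=203.0.113.5 sport=443 dport=40002 [ASSURED] mark=0 use=1'

# `sh script.sh sample` takes one live sample; with no argument it only runs
# the offline check against SAMPLE and prints "10.8.0.2 6".
if [ "${1:-}" = sample ]; then
  sample_once
else
  printf '%s\n' "$SAMPLE" | busy_clients "$VPN_PREFIX" "$PEER_LIMIT"
fi
```

Run `sample_once` from cron every few minutes; the log then holds, per sample, who was over the limit and the exact conntrack entries behind that number, which is the evidence the accountability point above asks you to keep before you talk to the client.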
> Same question for EartVPN, how do I implement L7-filter with VPN?

This is quite simple. L7-Filter is an addon to iptables. Add iptables rules to your tun0 device. Done.
Any clear guide on this?
What is the best way to implement that? IPTABLES or CSF one? Is it also possible to use Squid for this?
I am interested to know how to use Squid Proxy as the main protection. How do you do that?