Key Pages: [ Rope Home Page | Basics (tutorial) | Language Reference | Download ]

How To Control Bittorrent Traffic Using A Linux Firewall

Blocking Bittorrent with Linux is now possible with the aid of IpTables and Rope.

Bittorrent clients include: the original "BitTorrent", ABC, Azureus, BitManager, eDonkey2000, Rufus, BitComet, BitLord, BitSpirit, BitTornedo, Burst!, G3 Torrent, Shareza, TorrentStorm, XBT Client, Bits on wheels, Tomato Torrent, ctorrent, Qtorrent and rtorrent. For description of some of these clients, see: or

Depending on your local policies, you may need to identify the network traffic used when people download bittorrent movies, TV episodes, and album tracks etc - either to restrict it, block it or enhance it by applying QoS or other rules. Linux, IpTables and Rope provide all the building blocks you need to enforce your company's policy on Bittorrent downloads.

The Bittorrent protocol can be identified (to apply QoS policies, throttle or log the traffic or block it entirely) easily using Linux, IpTables, the scriptable Rope match module and the bittorrent.rope script. Once Rope has been installed in the Linux kernel, the script can be used to identify the bittorrent protocol by inspecting the TCP/IP packets, identifying two distinct packet types based on the data they contain.

The IpTables rule needed to deploy this logic into a Linux firewall is as follows (or some local variation of it)...

iptables -A FORWARD -p tcp -m rope --script bittorrent -j DROP

Refer to the Rope home page for information on downloading, installing the module and deploying the script.

How The Protocol Is Recognised

A typical protocol setup packet looks like this (there's a binary dump of this in the file bittorrent.pkt1.bin).

0x0000   4500 006c 40b4 4000 8006 4506 c0a8 0066   E..l@.@...E....f
0x0010   c41e efa4 0729 1ae2 b65b 7e40 bc89 e335   .....)...[~@...5
0x0020   5019 ffff cf93 0000 1342 6974 546f 7272   P........BitTorr
0x0030   656e 7420 7072 6f74 6f63 6f6c 0000 0000   ent.protocol....
0x0040   0000 0000 9f42 6ffd f801 3595 2350 0ed8   .....Bo...5.#P..
0x0050   7aae aae8 5c54 8c45 2d41 5a32 3230 302d   z...\T.E-AZ2200-
0x0060   7a59 5044 324e 644f 5852 784e             zYPD2NdOXRxN

The bittorrent.rope script identifies this packet by verifying the following..

  • The data starts with the hex character 0x13
  • Then comes the string "BitTorrent protocol"
  • Then 8 null characters
  • Then 20 characters we dont check
  • Then 20 "printable" (non-space) characters
  • Then the end of the packet.

The second packet type is used to initiate downloads and looks like this. (there's a dump of this one in bittorrent.pkt2.bin).

0x0000   4500 011e 5aa4 4000 8006 fd67 c0a8 0066   E...Z.@....g...f
0x0010   43a9 9d16 0821 1f92 d3ec 1a63 2d74 9795   C....!.....c-t..
0x0020   5018 ffff 94f3 0000 4745 5420 2f73 6372   P.......GET./scr
0x0030   6170 653f 696e 666f 5f68 6173 683d 2539   ape?info_hash=%9
0x0040   4642 6f25 4644 2546 3825 3031 3525 3935   FBo%FD%F8%015%95
0x0050   2532 3350 2530 4525 4438 7a25 4145 2541   %23P%0E%D8z%AE%A
0x0060   4125 4538 2535 4354 2538 4345 2048 5454   A%E8%5CT%8CE.HTT
0x0070   502f 312e 310d 0a55 7365 722d 4167 656e   P/1.1..User-Agen
0x0080   743a 2041 7a75 7265 7573 2032 2e32 2e30   t:.Azureus.2.2.0
0x0090   2e30 0d0a 4163 6365 7074 2d45 6e63 6f64   .0..Accept-Encod
0x00a0   696e 673a 2067 7a69 700d 0a48 6f73 743a   ing:.gzip..Host:
0x00b0   2074 7261 6e73 616d 7269 742e 6e65 743a
0x00c0   3830 3832 0d0a 4163 6365 7074 3a20 7465   8082..Accept:.te
0x00d0   7874 2f68 746d 6c2c 2069 6d61 6765 2f67   xt/html,.image/g
0x00e0   6966 2c20 696d 6167 652f 6a70 6567 2c20   if,.image/jpeg,.
0x00f0   2a3b 2071 3d2e 322c 202a 2f2a 3b20 713d   *;.q=.2,.*/*;.q=
0x0100   2e32 0d0a 436f 6e6e 6563 7469 6f6e 3a20   .2..Connection:.
0x0110   6b65 6570 2d61 6c69 7665 0d0a 0d0a        keep-alive....

The script identifies this packet using the following criteria..

  • The data starts with "GET /" followed by "scrape" or "announce".
  • Next comes the string "?info_hash=".
  • The end of the first text line in the packet contains "HTTP/1.1"
  • The string "Accept-Encoding: gzip" is found later in the packet
  • The packet ends with the string "\r\n\r\n".
  • All characters in the data payload are "ASCII" ones (as defined by isascii).

Downloading The Files

Click on these links..

Scroll to Top