If you are responsible for a network with many “nomadic” users, e.g. students, you will notice that quite often they “forget” to shut down their BitTorrent clients.

Port filters only get you so far, since the clients can be told to use any port, so I wanted to try out the “string” match included in recent kernels (2.6.14 and later).

You’ll need iptables 1.3.4, which is not yet in Debian, but you can grab some temporary packages from my debian directory.

The filter rule I tested was

iptables -I OUTPUT -j DROP -m string --string "BitTorrent protocol" --algo bm --from 0 --to 100

(I don’t know whether --algo bm (Boyer-Moore) or --algo kmp (Knuth-Morris-Pratt) is faster, or how much of a performance hit this will be on your router; Boyer-Moore is generally the quicker of the two for a pattern this long. The --from parameter could be increased to skip the IP and TCP headers, since the offsets count from the start of the IP header: 40 bytes without TCP options, and --to 100 still leaves room for the handshake string, which starts at the second byte of the TCP payload. Two caveats: OUTPUT only sees packets the router itself generates, so for the traffic you forward for your users the same rule belongs in the FORWARD chain; and the match is a plain byte comparison of each packet, so it only catches the unencrypted peer handshake.)
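To see where the handshake string actually lands inside a packet, and therefore which --from/--to window catches it, here is an added Python sketch (mine, not from this post and not from iptables) that builds a constructed IPv4/TCP packet carrying a BitTorrent peer handshake and emulates the string match's window as the iptables man page documents it: bytes --from up to --to minus one are scanned, counted from the start of the IP header, and the whole string must fit inside that window. The addresses, ports, info hash and peer id are dummies, and the function names are my own.

```python
import struct

# The string the rule searches for: the "pstr" field of the BitTorrent peer
# handshake, which is preceded on the wire by a one-byte length (19).
BT_STRING = b"BitTorrent protocol"


def bt_handshake(info_hash=b"\x11" * 20, peer_id=b"-PY0001-" + b"\x22" * 12):
    """First message on a BitTorrent peer connection (68 bytes):
    <pstrlen><pstr><8 reserved bytes><info_hash><peer_id>.
    info_hash and peer_id are constructed sample values."""
    return bytes([len(BT_STRING)]) + BT_STRING + b"\x00" * 8 + info_hash + peer_id


def ipv4_tcp_packet(payload, tcp_options=b""):
    """Constructed IPv4+TCP packet around `payload`.  Addresses, ports and
    checksums are dummies; only the header lengths matter for the offsets."""
    tcp_options += b"\x00" * (-len(tcp_options) % 4)   # pad options to 32-bit words
    tcp_hlen = 20 + len(tcp_options)
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          51413, 6881,                 # src / dst port (dummy)
                          1, 1,                        # seq / ack (dummy)
                          (tcp_hlen // 4) << 4, 0x18,  # data offset, flags PSH|ACK
                          65535, 0, 0) + tcp_options   # window, checksum, urgent
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + tcp_hlen + len(payload),  # v4, IHL 5, total length
                         0, 0, 64, 6, 0,               # id, flags/frag, ttl, proto TCP, csum
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip_hdr + tcp_hdr + payload


def string_match(packet, string, from_offset=0, to_offset=None):
    """Emulation of `-m string --string S --from F --to T` as the man page
    describes it: bytes F .. T-1 of the packet (counted from the start of the
    IP header) are scanned and the whole string must fit inside that window.
    `to` defaults to the packet length, as in iptables."""
    if to_offset is None:
        to_offset = len(packet)
    return packet[from_offset:to_offset].find(string) != -1


def string_offset(packet, string):
    """Offset at which the string starts in the packet, or -1."""
    return packet.find(string)


if __name__ == "__main__":
    plain = ipv4_tcp_packet(bt_handshake())            # 20-byte IP + 20-byte TCP header
    # TCP timestamp option (NOP NOP kind=8 len=10 + 8 bytes) makes a 32-byte TCP header
    with_ts = ipv4_tcp_packet(bt_handshake(), b"\x01\x01\x08\x0a" + b"\x00" * 8)
    for name, pkt in (("no options", plain), ("timestamp option", with_ts)):
        print(name, "string at offset", string_offset(pkt, BT_STRING),
              "| --from 0 --to 100:", string_match(pkt, BT_STRING, 0, 100),
              "| --from 40 --to 100:", string_match(pkt, BT_STRING, 40, 100),
              "| --from 0 --to 40:", string_match(pkt, BT_STRING, 0, 40))
```

Without TCP options the string sits at packet offset 41, with a 12-byte timestamp option at 53; --from 0 --to 100 and --from 40 --to 100 catch both, while a window that ends at 40 (headers only) or starts past the first byte of the string misses it. Raise --from only as far as the smallest header you expect to see, since TCP options move the payload.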

Note that you might want to put ACCEPT rules for high-volume “usually good” ports in front of it, like port 80 (www), ssh (22) or mail (25, 465, 110, 995, 143, 993), so the string search does not have to run over that traffic. Be careful with “state ESTABLISHED”, too: the handshake string is sent over an already established TCP connection, not in the packets that open it, so a rule like -m state --state ESTABLISHED,RELATED -j ACCEPT placed before the string match would accept every BitTorrent packet before it is ever looked at. The string match has to come before any such rule!