
BitTorrent blocklist at the router level

Posted: Tue Jan 04, 2011 10:03 pm
by Marlon89
It seems like most members of this community are interested in exploring methods for blocking BitTorrent traffic, but I have an idea for something a little different. My goal will be to implement a BitTorrent "blocklist" at the router level to block malicious IP addresses, but allow BitTorrent traffic from all other IP addresses. I use this one, which contains roughly a quarter million entries, if I remember correctly. I would like to implement this list in a firewall filter triggered by my BitTorrent client's port, though I am open to suggestions on this.

I did several searches with these criteria, but to no avail. Since I am relatively new to Mikrotik, I'd appreciate the input and criticism of the community's more seasoned users. Any direction on this will help.

Thanks!

Re: BitTorrent blocklist at the router level

Posted: Tue Jan 04, 2011 10:19 pm
by fewi
An address list with 250,000 entries would probably slow your router to a crawl. Just importing it (including on reboots) will slow the router to a crawl for several minutes. It would only be possible on models with quite a lot of RAM. You would have to very carefully construct the filter rule set to hit that rule as little as possible.

Re: BitTorrent blocklist at the router level

Posted: Tue Jan 04, 2011 10:23 pm
by fewi
Additionally, the list would probably have to update at least weekly. You cannot process that right on the router, since the scripting language cannot process files larger than 4k. Even if the file containing the IP addresses were so simple as to contain only one IP per line, on average a single IP would be 2*4 + 3 + 1 bytes in text format, so you couldn't store more than 331 addresses in that file.

Re: BitTorrent blocklist at the router level

Posted: Tue Jan 04, 2011 10:27 pm
by Marlon89
That was my concern. I assume then that this sort of implementation is just not practical.

Re: BitTorrent blocklist at the router level

Posted: Tue Jan 04, 2011 10:30 pm
by fewi
Sorry to be posting in bursts. Kinda preoccupied today.

That all said, you'd have to externally generate scripts in the following format. It assumes an address list of 'bad-hosts' that is used to block traffic on tcp/10000 to host 192.168.1.100 - replace that with your torrent port and torrent host.
/ip firewall address-list
# clear only the old bad-hosts entries; a bare "remove [find]" would wipe every address list on the router
remove [find list=bad-hosts]
add list=bad-hosts address=1.1.1.1
add list=bad-hosts address=2.2.2.2
Your external script would produce that as output and apply it to the router - upload it manually as a .rsc file and /import it, or run equivalent commands via the API, or copy/paste it in bits. Then the firewall filter rules would look something like this:
/ip firewall filter
# accept already-tracked traffic first, so the address-list lookup below only runs for new connections
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
# new connections to the torrent port from a listed host are dropped; everything else to that port is accepted
add chain=forward dst-address=192.168.1.100 protocol=tcp dst-port=10000 src-address-list=bad-hosts action=drop
add chain=forward dst-address=192.168.1.100 protocol=tcp dst-port=10000 action=accept
# note: this only covers connections that listed hosts open to the client; connections the client opens to a listed host would need a rule matching dst-address-list=bad-hosts
Again, I don't think that will scale well.
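The external generator fewi describes in this post and in the 4k-limit post above, written out as an added example (this is not code from the thread or from MikroTik). It assumes the blocklist is a plain-text file in the P2P "name:start-end" format (one IPv4 range per line, comments starting with #), that the address list is called bad-hosts as in fewi's script, and that output files are named bad-hosts-N.rsc; the sample list inside it is constructed for the example. It merges overlapping and adjacent ranges into CIDR blocks (so the router searches fewer entries per new connection), clears only the bad-hosts list rather than every address list, and can split the output into scripts that fit under a byte limit for pasting in bits.

```python
"""Turn a P2P-format IP blocklist into RouterOS address-list import scripts.

Added example, not code from the thread. Assumptions: the input is in the
P2P "name:start-end" format, the router list is called bad-hosts, and the
output files are named bad-hosts-N.rsc.
"""
import ipaddress
import sys
from typing import List, Tuple

# Constructed sample input; the real list would be downloaded separately.
SAMPLE_BLOCKLIST = """\
# comment lines and blank lines are ignored

Example Corp:203.0.113.0-203.0.113.255
Example Corp:203.0.113.128-203.0.113.255
Bogon range:198.51.100.10-198.51.100.20
Adjacent block:198.51.100.21-198.51.100.30
Reversed:192.0.2.9-192.0.2.8
Malformed line without a range
Bad addresses:999.1.1.1-1.1.1.1
"""

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_p2p(text: str) -> List[Range]:
    """Extract (start, end) address pairs; skip lines that cannot be parsed."""
    ranges: List[Range] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The description may itself contain ':', so split on the last one.
        _, sep, span = line.rpartition(":")
        start_s, dash, end_s = span.partition("-")
        if not sep or not dash:
            continue
        try:
            start = ipaddress.IPv4Address(start_s.strip())
            end = ipaddress.IPv4Address(end_s.strip())
        except ipaddress.AddressValueError:
            continue  # e.g. an octet above 255
        if end < start:
            start, end = end, start
        ranges.append((start, end))
    return ranges


def to_networks(ranges: List[Range]) -> List[ipaddress.IPv4Network]:
    """Convert ranges to CIDR blocks and merge overlapping or adjacent ones.

    Fewer, larger entries mean a smaller import script and a smaller
    address list for the router to search on every new connection.
    """
    nets: List[ipaddress.IPv4Network] = []
    for start, end in ranges:
        nets.extend(ipaddress.summarize_address_range(start, end))
    return list(ipaddress.collapse_addresses(nets))


def address_arg(net: ipaddress.IPv4Network) -> str:
    """RouterOS takes a bare address for one host and a.b.c.d/n for a block."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def chunk_rsc(nets, list_name: str = "bad-hosts", max_bytes: int = 4096) -> List[str]:
    """Render .rsc scripts of at most max_bytes each.

    Only the first chunk clears the old list, and it clears only that list
    (a bare 'remove [find]' would wipe every address list on the router).
    """
    header = "/ip firewall address-list\n"
    chunks: List[str] = []
    current = header + f"remove [find list={list_name}]\n"
    for net in nets:
        line = f"add list={list_name} address={address_arg(net)}\n"
        if len(current) + len(line) > max_bytes:
            chunks.append(current)
            current = header
        current += line
    chunks.append(current)
    return chunks


def render_rsc(nets, list_name: str = "bad-hosts") -> str:
    """One script for uploading and /import-ing (no size limit applied)."""
    return "".join(chunk_rsc(nets, list_name, max_bytes=sys.maxsize))


if __name__ == "__main__":
    # usage: python blocklist2rsc.py blocklist.txt   -> writes bad-hosts-N.rsc
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BLOCKLIST
    for n, chunk in enumerate(chunk_rsc(to_networks(parse_p2p(text))), 1):
        with open(f"bad-hosts-{n}.rsc", "w") as fh:
            fh.write(chunk)
        print(f"wrote bad-hosts-{n}.rsc ({len(chunk)} bytes)")
```

Run it off the router, as fewi says, then upload the generated files and /import them in order so that the chunk carrying the remove command runs first. On the sample input the two Example Corp lines collapse into one /24 and the two adjacent ranges into six aligned blocks, and the malformed and out-of-range lines are dropped instead of aborting the whole import.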