At our institution we have connected 300+ computers to different LANs with Internet access, including office LANs and an Internet laboratory for students. We want to control torrents or any P2P protocols. Our previous solution was Kerio WinRoute 6.5.x, which satisfied most of our needs.
The problem is, we have migrated to Ubuntu 8.04 LTS using the Webmin platform.
Port-based P2P blocking is hardly a 100% solution. What you might want to consider is called L7 filtering (Layer 7 filtering). Basically, Linux has an implementation that does regex-based matching on all packets to decide what's good and what's bad.
http://l7-filter.sourceforge.net/
This can help you block all sorts of stuff, including skype.
http://l7-filter.sourceforge.net/protocols
Please note: regex matching to inspect and filter packets is resource intensive, making any system a lot more vulnerable to DDoS attacks; the preferred method would be to target the protocol within iptables.
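To make concrete what "regex matching on the payload" means, here is an added example (my own illustration, not code from the answer above or from the l7-filter project): a tiny payload classifier in the style of an l7-filter pattern file, run over constructed sample packets. The signatures are simplified approximations I wrote for this example, not l7-filter's real patterns, and the payloads are hand-made, not captured traffic. It shows the two points the answer makes: the port is irrelevant (a BitTorrent handshake on tcp/443 is still caught), and every packet costs one regex pass per signature. It also shows the limit the later answers raise: an obfuscated/encrypted stream has no fixed prefix and sails through.

```python
import hashlib
import re
from typing import Optional, Tuple

# Payload signatures in the style of l7-filter pattern files. These are my
# own simplified approximations written for this example, NOT the project's
# real patterns. They key on the first bytes of a connection, which is also
# where l7-filter concentrates its matching.
SIGNATURES = {
    "bittorrent-handshake": re.compile(rb"^\x13BitTorrent protocol"),
    "bittorrent-tracker":   re.compile(rb"^GET /(announce|scrape)\?info_hash=", re.I),
    "bittorrent-dht":       re.compile(rb"^d1:ad2:id20:"),
}


def classify(payload: bytes) -> Optional[str]:
    """Run every signature over the payload; return the first match or None.

    Payload-only, like l7-filter: the port the bytes arrived on is never
    consulted. The cost is one regex pass per signature per packet, which is
    the resource-intensiveness the answer warns about.
    """
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return name
    return None


def verdict(port: int, payload: bytes) -> Tuple[str, Optional[str]]:
    """Return ("DROP", protocol) for recognised P2P payloads, else ("ACCEPT", None)."""
    proto = classify(payload)
    return ("DROP", proto) if proto else ("ACCEPT", None)


# Constructed sample payloads (hand-made for this example, not captured).
INFO_HASH = hashlib.sha1(b"example.iso").digest()           # 20 bytes
PEER_ID = b"-XX0001-" + b"0" * 12                           # 20 bytes
HANDSHAKE = b"\x13BitTorrent protocol" + b"\x00" * 8 + INFO_HASH + PEER_ID
TRACKER = (b"GET /announce?info_hash=%00%11%22&peer_id=" + PEER_ID +
           b"&port=6881 HTTP/1.1\r\nHost: tracker.example\r\n\r\n")
DHT_PING = b"d1:ad2:id20:" + INFO_HASH + b"e1:q4:ping1:t2:aa1:y1:qe"   # UDP in reality
PLAIN_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# An MSE/PE-obfuscated BitTorrent stream has no fixed plaintext prefix; a
# hash digest stands in for its random-looking first bytes.
ENCRYPTED = hashlib.sha256(b"constructed obfuscated stream").digest() * 3

SAMPLE_FLOWS = [
    (6881, HANDSHAKE),   # classic BitTorrent port
    (443, HANDSHAKE),    # same protocol hiding on the HTTPS port
    (80, TRACKER),       # tracker announce over plain HTTP
    (6881, DHT_PING),    # DHT query
    (80, PLAIN_HTTP),    # ordinary web request
    (443, ENCRYPTED),    # obfuscated: nothing for a regex to grab
]

if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        action, proto = verdict(port, payload)
        print(f"port {port:<5} {action:6} {proto or '-'}")
```

Running it drops the first four flows regardless of port and accepts the last two; the accepted encrypted stream is the gap that no amount of regex tuning closes, which is why the answers below turn to port allowlists, QoS and social measures.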
The only proper technical solution is to have all traffic going through a proxy that will decrypt SSL traffic on the fly and then apply layer 7 filtering on the passing traffic.
Such products are pretty expensive as there is usually a big team of engineers behind them updating the rules needed to classify the packets.
You can help yourself somewhat with iptables modules such as the before-mentioned ipp2p or l7-filter, but they will not catch encrypted traffic. In any case, technology is very rarely the solution for social problems, and misuse of corporate/public/whatever networks for P2P is a social problem. Try talking to your users, get your organization to create appropriate policies and enforce them with sanctions. This in my experience works much better than a constant technology arms race with your users.
There is a module named IPP2P that can detect & block P2P protocols: http://www.ipp2p.org/
The simple solution is to block all outgoing ports except the ones you want to allow.
Alternatively, you can find a list of the ports likely to be used for common P2P applications and block those. BitTorrent tends to only allow a very limited amount of downloading if you are not also uploading, so you should also make sure that you don't accept any incoming connections.
You might find it useful to set up some sort of IP accounting on your router based on the TCP port used, and then find out which port is the most heavily used. IPTraf is a useful tool for checking this.
I should warn you that you'll never stop everything; people are ingenious and will find a way around any restriction you put in place. Most firewalls will stop the casual user though, which may be enough.
You can't block P2P completely -- unless you only allow the "good" TCP ports 80, 443, 22... And even that is usually enough for the computer-minded types who have VPNs and similar things.
BitTorrent and most P2P nowadays is quite evasive. Instead of blocking traffic, use QoS rules to starve clients that are using a large amount of bandwidth, or slowly throttle P2P traffic to zero over time. It won't block the protocol, but it will deter P2P users because it's so slow that it's not worth doing.
Remember not all torrent traffic is bad, some of it good! :-)
Use these iptables forwarding rules to drop BitTorrent seeding and peer discovery. They worked for me.
Rules in action, hit counter incrementing nicely.
Popular SSL tunneling programs like Ultrasurf can let users bypass your firewalls easily. To block encrypted BitTorrent traffic you would need a specialized UTM device that can inspect and block encrypted tunnels going over HTTP(S). I know of only one that is able to do that, Astaro, but there should be more.
You can use ipp2p, as mentioned earlier. It's not going to block things completely, however. Ideally, you should be firewalling every port you don't specifically use, and using ipp2p. Not a perfect solution, but the best you're likely to get.
You cannot use straight port blocking. There are a few alternatives. Layer7 filter is slow, unreliable, and to my knowledge no longer maintained.
IPP2P is OK but was superseded by OpenDPI, which has now been discontinued by its sponsor ipoque (who sell PACE, a commercial equivalent). nDPI appears to be the logical conclusion of this little path: http://www.ntop.org/products/ndpi/
Easiest, and fairly effective, is an extension of David Pashley's suggestion. Block all ports and only allow what you need, and extend this by proxying those services you need, e.g. with a web proxy, and perhaps an internal mail server which is allowed port 25, but clients only talk to the internal server. In this way you can have clients which need no open ports on the firewall at all. This should work but can start to fall to bits if you need to use any complex and/or badly written apps that need direct access.
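Two of the answers above describe the same policy at different strengths: David Pashley's answer (block all outgoing ports except an allowlist, accept no incoming connections, and use per-port IP accounting to see what is actually busy) and this last answer's extension (clients get no direct egress at all; only an internal web proxy and mail relay may talk out). The added example below is my own illustration, not code from either answerer, and models both policies over constructed per-connection records of the kind IPTraf or iptables byte counters would summarise. The LAN prefix, proxy host and mail host addresses are assumptions chosen for the example. It shows the accounting step (which port carries the most bytes), then evaluates each record against the two policies, including the blind spot of the plain allowlist that the other answers warn about: a peer that simply listens on tcp/443 is accepted, whereas the proxy-only design drops it because the client host has no egress at all.

```python
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple

LAN_PREFIX = "10.0.0."      # hypothetical office LAN (assumption for the example)
PROXY_HOST = "10.0.0.2"     # hypothetical internal web proxy (assumption)
MAIL_HOST = "10.0.0.3"      # hypothetical internal mail relay (assumption)

# Constructed per-connection records (not real traffic): source, destination,
# destination port and bytes, as an IPTraf-style summary would report them.
FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443,   "bytes": 1_200},
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 80,    "bytes": 5_000},
    {"src": "10.0.0.5", "dst": "192.0.2.1",    "dport": 25,    "bytes": 3_000},
    {"src": "10.0.0.7", "dst": "198.51.100.20", "dport": 6881,  "bytes": 80_000_000},
    {"src": "10.0.0.7", "dst": "198.51.100.21", "dport": 51413, "bytes": 20_000_000},
    {"src": "10.0.0.9", "dst": "198.51.100.22", "dport": 443,   "bytes": 30_000_000},  # peer on 443
    {"src": "198.51.100.30", "dst": "10.0.0.7", "dport": 6881,  "bytes": 10_000_000},  # inbound peer
]

ALLOWED_PORTS = {22, 80, 443}                       # plain allowlist policy
PROXY_POLICY = {PROXY_HOST: {80, 443}, MAIL_HOST: {25}}   # proxy-only policy


def bytes_per_port(flows) -> Dict[int, int]:
    """Per-destination-port byte accounting, the step IPTraf is suggested for."""
    totals: Dict[int, int] = defaultdict(int)
    for f in flows:
        totals[f["dport"]] += f["bytes"]
    return dict(totals)


def busiest_ports(flows, n: int = 3) -> List[Tuple[int, int]]:
    """Top-n ports by bytes; the first entry is the one worth investigating."""
    return sorted(bytes_per_port(flows).items(), key=lambda kv: kv[1], reverse=True)[:n]


def is_inbound(flow) -> bool:
    return not flow["src"].startswith(LAN_PREFIX)


def port_allowlist_verdict(flow, allowed: Set[int]) -> str:
    """Allowlist policy: no new inbound connections; outbound only to allowed ports."""
    if is_inbound(flow):
        return "DROP"
    return "ACCEPT" if flow["dport"] in allowed else "DROP"


def proxy_only_verdict(flow, host_ports: Dict[str, Set[int]]) -> str:
    """Proxy-only policy: no inbound; only listed hosts have egress, each to its own ports.
    Ordinary clients are not listed, so every direct connection from them is dropped."""
    if is_inbound(flow):
        return "DROP"
    return "ACCEPT" if flow["dport"] in host_ports.get(flow["src"], set()) else "DROP"


def dropped_bytes(flows, verdict_fn: Callable[[dict], str]) -> int:
    """Bytes a policy would have refused, to compare how much each one actually cuts."""
    return sum(f["bytes"] for f in flows if verdict_fn(f) == "DROP")


if __name__ == "__main__":
    print("busiest ports:", busiest_ports(FLOWS))
    for f in FLOWS:
        a = port_allowlist_verdict(f, ALLOWED_PORTS)
        p = proxy_only_verdict(f, PROXY_POLICY)
        print(f"{f['src']:>14} -> {f['dst']:<14}:{f['dport']:<5} allowlist={a:6} proxy-only={p}")
    print("dropped by allowlist :", dropped_bytes(FLOWS, lambda f: port_allowlist_verdict(f, ALLOWED_PORTS)))
    print("dropped by proxy-only:", dropped_bytes(FLOWS, lambda f: proxy_only_verdict(f, PROXY_POLICY)))
```

The accounting puts tcp/6881 at the top, which is the cue to block it; the allowlist then refuses the 6881 and 51413 peers and the inbound connection but still lets the 30 MB peer on tcp/443 through, while the proxy-only policy refuses all of it, since only the proxy and mail hosts have any egress. That is the trade-off the last answer notes: it is the strongest of the port-based options, at the price of breaking any application that needs direct access.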