LinuxQuestions.org > Linux - Newbie

Thread: block gtalk

Old 08-10-2009, 06:51 AM   #1
prayag_pjs
Senior Member
Hi All,

I want to block gtalk completely. I have blocked port no. 5222 and 5223 for gtalk.
Gtalk uses port no. 80 and 443 for communication; now I can't block port 80 and 433 ...
Can anyone let me know how to block gtalk completely? I don't want it to be used even in the gmail browser.


I am using iptables for blocking, and have a transparent proxy (squid).


Regards,

Prayag
 
Old 08-10-2009, 03:28 PM   #2
TB0ne
LQ Guru
 
Quote: Originally Posted by prayag_pjs (post #1)
Sorry, unless you block ports 80/443, you can't block it, without some serious firewall/packet sniffing hardware. It'd be VERY hard to identify which packet was gtalk over port 80, and which wasn't.....
 
Old 08-11-2009, 01:38 AM   #3
prayag_pjs
Senior Member
 
Original Poster
Hi TB0ne,

Thanks for the reply. But do you mean to say iptables has limitations? Can you please explain how gtalk works or communicates?

Regards,

Prayag
 
Old 08-11-2009, 01:46 AM   #4
linuxlover.chaitanya
Senior Member
 
Quote: Originally Posted by TB0ne (post #2)
Hi TB0ne,

Well, this is really a tough job, to block port 80. Is there any external tool that will allow this?
 
Old 08-11-2009, 03:51 AM   #5
centosboy
Senior Member
 
Surely you can block communications to the gtalk server??
Anyway, you can block it in the squid proxy using URL filtering and regexps.

Last edited by centosboy; 08-11-2009 at 03:58 AM.
 
Old 08-11-2009, 06:24 AM   #6
linuxlover.chaitanya
Senior Member
 
That is actually not always possible. If you block the 5222 port and 5223, it will use 80 and 443. If you block the domains, it will use google. If I block the TCP protocol, it will use HTTP.
I have used Wireshark to find this out, and it will scan all the possibilities to connect and will do it.
 
Old 08-11-2009, 10:44 AM   #7
TB0ne
LQ Guru
 
Quote: Originally Posted by prayag_pjs (post #3)
IPtables blocks ports, or redirects them. That's it. If you block the Google Talk client on 5222 and 5223, that works, but if you fire up your web browser (running on port 80, or 443 for https), those go through. IPtables doesn't know what sites you're going to. All the gtalk web piece through gmail is, is a small Java applet on a web page. IPtables can't distinguish that...that's just port 80 traffic, which is allowed.

You can fire up squid, and block the gmail site, but that's only a patch too. Theoretically, you can use any number of other chat clients (pidgin and kopete both support proxy servers, via port 80), and go right out again.

As I said, the only way to REALLY do it, is to get some expensive, real-time packet sniffing stuff, and monitor EVERY PACKET going in and out, and block what you don't want.
 
Old 08-12-2009, 05:04 AM   #8
linuxlover.chaitanya
Senior Member
 
Quote: Originally Posted by TB0ne (post #7)
Hi TB0ne,

In squid there is an option called req_header. It can be used with other attributes like User-Agent, Browser.
But it does not work.
Squid just refuses to recognize the User-Agent. It does if I want to block MSIE, but does not if the same has to be applied to gtalk.

Any ideas on how to make it work?
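As an added illustration of the proxy-side filtering that centosboy (post #5) and linuxlover.chaitanya (post #8) describe, and not configuration from any poster in this thread, these squid.conf ACLs deny Google Talk requests that pass through the proxy by destination domain, URL pattern, User-Agent header and CONNECT port. The host names, URL path and agent string are assumptions for illustration, not values from the thread.

```conf
# Added example (not taken from any post in this thread).
# Put these lines BEFORE the general "http_access allow localnet" rule:
# squid evaluates http_access lines in order and stops at the first match.

# Hosts the desktop client and the Gmail chat gadget talk to.
# These domain names are assumptions for illustration.
acl gtalk_hosts dstdomain talk.google.com talkgadget.google.com

# Long-polling URL used by in-browser Gmail chat (assumed path; confirm
# against your own access.log before relying on it). Only plain-http
# requests are visible to a transparent proxy, so no https pattern here.
acl gtalk_urls url_regex -i ^http://mail\.google\.com/mail/channel/

# The desktop client names itself in User-Agent (assumed string).
# req_header matches any request header by name; "acl name browser REGEX"
# is squid's shorthand for the same check on User-Agent.
acl gtalk_agent req_header User-Agent -i googletalk

# Ports the native client tries first; the OP already drops these in
# iptables, this also refuses CONNECT tunnels to them via the proxy.
acl gtalk_ports port 5222 5223
acl CONNECT method CONNECT

http_access deny gtalk_hosts
http_access deny gtalk_urls
http_access deny gtalk_agent
http_access deny CONNECT gtalk_ports
```

These ACLs act only on requests that actually traverse squid; as TB0ne notes, a client that reaches port 443 directly, or goes out through another proxy, never presents these URLs or headers to it, so keep the iptables rules in place and check access.log for what still gets through.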
 
Old 08-12-2009, 09:28 AM   #9
TB0ne
LQ Guru
 
Quote: Originally Posted by linuxlover.chaitanya (post #8)
No, that doesn't work like that...I don't think you're understanding what I'm saying. Re-read my other posts.

Squid is a proxy server. It can block/allow sites, and IPtables blocks/allows TCP/IP ports. If you allow traffic on port 80 out to Google, then you can load gtalk. The Google site is allowed...neither squid nor iptables can determine which packets of that page load contain web-page data, and which contain java applet data for the chat function.

As I said before, the only way to do it is to use real-time packet sniffing stuff, which is expensive. And again, a lot of chat clients can use a proxy server, and get right out anyway.
 
  


All times are GMT -5. The time now is 06:21 AM.