LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-18-2006, 04:09 AM   #1
branden_burger
Member
 
Registered: Dec 2004
Posts: 66

Rep: Reputation: 15
(Un)simple iptables question


Hello all

Well, this is a common enough question - how to block yahoo messenger, MSN, etc. Well, earlier, the answer used to be - allow through only 'Safe' ports like http, smtp, ftp and such like, drop everything else.

Well, this isn't a complete solution. YMessenger, for one, can use other ports like smtp, nntp, in addition to http - so how on earth do I block it on my gateway?

Especially the usage of port 80! Alright, I can allow through on port 25, only access to my mail server, through 119 only to trusted newsgroups - but what about port 80? Do I need to know all the IPs of yahoo messenger servers to drop connections to them? What do the sysadmins recommend?

Thanks,
branden
 
Old 11-18-2006, 05:40 AM   #2
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Rep: Reputation: 31
For Yahoo, you could drop connections to
Code:
24.71.200.68/32 204.71.202.73/32 204.71.200.0/24 204.71.177.35/32 204.71.202.59/32 204.71.202.58/32 216.115.105.214/32 204.71.201.47/32 204.71.201.48/32 216.115.105.215/32 216.136.172.221/32

& 
.msg.yahoo.com
pager.yahoo.com
update.messenger.yahoo.com
update.pager.yahoo.com
But your simple or UNsimple iptables question is not actually limited to the scope of iptables only. Using Squid for this filtering would be very useful.

Apart from Squid and iptables, you can also use Snort (configured with the iptables inline function) for dropping packets.

But the best suggestion would be domain policies: using domain policies to prevent users from installing such applications. This helps stop streaming media as well.
 
Old 11-18-2006, 12:17 PM   #3
branden_burger
Member
 
Registered: Dec 2004
Posts: 66

Original Poster
Rep: Reputation: 15
As far as my understanding goes, just using squid won't be enough. Ports proxied by Squid must be blocked by a firewall right? Else you can't force users to use the proxy.

And ultimately, you do have to know the IP ranges/FQDNs of servers you have to block - whether you use squid or not.

I haven't tried Snort with iptables though. Domain policies are the hardest to enforce - it's hard to take control of their own computers away from people.

Thanks,
will check out the Snort option.

branden_burger
 
Old 11-19-2006, 03:25 PM   #4
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Rep: Reputation: 31
Quote:
As far as my understanding goes, just using squid won't be enough. Ports proxied by Squid must be blocked by a firewall right?
The highlighted text is absolutely correct as a general approach, but in the context of messengers, why would someone be allowing these ports through Squid if he's supposed to enforce a block? (Btw, we can block ports with Squid as well.)

Quote:
Else you can't force users to use the proxy.
Are there any clients/users which are being given direct access via MASQUERADING or SNATing? Only if this is the case would we require the same Squid rules to be implemented at the firewall level as well. And here your saying holds: "ports proxied/blocked must be blocked by a firewall also."

Quote:
And ultimately, you do have to know the IP ranges/FQDNs of servers you have to block - whether you use squid or not.
Yea, that is true, since our more conventional way of blocking applications via dport isn't really effective these days (most messengers have started falling back on port 80 in case of non-availability of their default ports).

Quote:
Domain policies are the hardest to enforce - it's hard to take control of their own computers away from people.

Are we talking about M$ or SAMBA domain ?
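Pulling the two replies together (the netblock list from post #2 and the point in posts #3/#4 that direct web access has to be blocked at the firewall or the proxy cannot be enforced), here is an added example that is not part of the thread. It assumes a placeholder LAN of 192.168.1.0/24 and a Squid host at 192.168.1.2; neither address comes from the page.

```shell
#!/bin/sh
# Added example, not from the thread: emit the iptables rules the replies
# describe, i.e. drop the Yahoo netblocks listed in post #2 and force LAN
# web traffic through Squid so a port-80 fallback cannot bypass the block.
# Assumed (placeholders, not from the page): LAN 192.168.1.0/24, Squid host
# 192.168.1.2, gateway forwards LAN traffic to the internet.
LAN_NET="192.168.1.0/24"
PROXY_IP="192.168.1.2"

# Netblocks quoted in post #2, CIDR notation.
YAHOO_BLOCKS="24.71.200.68/32 204.71.202.73/32 204.71.200.0/24
204.71.177.35/32 204.71.202.59/32 204.71.202.58/32 216.115.105.214/32
204.71.201.47/32 204.71.201.48/32 216.115.105.215/32 216.136.172.221/32"

# Print the rules rather than applying them, so they can be reviewed
# first and then piped to sh on the gateway. Hostnames (pager.yahoo.com
# etc.) are deliberately not resolved here: their addresses change, which
# is why post #2 also points at Squid for name-based filtering.
gen_rules() {
    echo "iptables -N IM_BLOCK"
    for net in $YAHOO_BLOCKS; do
        # Log before dropping so blocked attempts show up in syslog.
        echo "iptables -A IM_BLOCK -d $net -j LOG --log-prefix 'IM_BLOCK: '"
        echo "iptables -A IM_BLOCK -d $net -j DROP"
    done
    # Apply to traffic forwarded for the LAN and to the gateway's own output.
    echo "iptables -I FORWARD -s $LAN_NET -j IM_BLOCK"
    echo "iptables -I OUTPUT -j IM_BLOCK"

    # Posts #3/#4: blocking by --dport alone fails once the client falls
    # back to port 80, so allow direct 80/443 only from the Squid host and
    # drop (and log) direct attempts from every other LAN address.
    for port in 80 443; do
        echo "iptables -A FORWARD -s $PROXY_IP -p tcp --dport $port -j ACCEPT"
        echo "iptables -A FORWARD -s $LAN_NET -p tcp --dport $port -j LOG --log-prefix 'DIRECT_WEB: '"
        echo "iptables -A FORWARD -s $LAN_NET -p tcp --dport $port -j DROP"
    done
}

# Number of DROP rules emitted: one per netblock plus one per forced port.
count_drops() {
    gen_rules | grep -c ' -j DROP'
}

gen_rules
```

If Squid runs on the gateway itself rather than a separate host, the same effect is obtained by redirecting LAN port-80 traffic to Squid's listening port in the nat table instead of dropping it.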