LinuxQuestions.org
Old 01-28-2006, 04:03 AM   #1
`neo
LQ Newbie
 
Registered: Jan 2006
Location: Romania,Constanta
Posts: 9

Rep: Reputation: 0
How to disable yahoo messenger with iptables


Please can some one help me disable yahoo messenger with the iptables firewall.

Thanks in advance
 
Old 01-28-2006, 07:40 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 377
what do your current iptables rules look like??

the best way to disable yahoo messenger access is to not enable it in the first place... in other words, your iptables rules should start by filtering EVERYTHING and then adding rules allowing ONLY what you want to allow... since you don't want to allow yahoo messenger, you wouldn't add a rule allowing it, and it would be filtered automagically...

also, if you want specific help with this, such as the necessary iptables rules, you want to explain the setup you have... do you want to block access to yahoo messenger from the box you are running on?? or is the box a firewall for a LAN and you wish to block access for the entire LAN, etc?? what have you tried so far??
 
Old 01-31-2006, 06:15 AM   #3
`neo
LQ Newbie
 
Registered: Jan 2006
Location: Romania,Constanta
Posts: 9

Original Poster
Rep: Reputation: 0
Well, I want to block Yahoo Messenger for the entire LAN. I have Red Hat 7 installed on my server and I'm the administrator. The problem is that I haven't installed the server and I don't want to change the whole firewall; I want to make a script that will run at the start of the server. I have tried to block some Yahoo addresses but nothing happens.

Thanks for trying to help me.
 
Old 01-31-2006, 07:52 AM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 377
tell me the names of your internal and external interfaces, as well as the protocol(s) and port numbers yahoo messenger uses, and i'll provide you with a script you can run at boot time to disable yahoo for the LAN...
 
Old 01-31-2006, 10:47 AM   #5
Dmjmusser
Member
 
Registered: Nov 2005
Location: Detroit, Michigan -- USA
Distribution: Fedora Core
Posts: 90

Rep: Reputation: 15
Perhaps you could just block the port that Yahoo messenger runs on by default? I know that with AIM, you can search for available ports to use for the service, and can get around firewall rules sometimes by doing that. I'm not sure you can do that with Yahoo messenger, though.

~Myles
 
Old 02-03-2006, 10:23 AM   #6
`neo
LQ Newbie
 
Registered: Jan 2006
Location: Romania,Constanta
Posts: 9

Original Poster
Rep: Reputation: 0
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --destination-port 5050 -j DROP
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --destination-port 5000 -j DROP
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --destination-port 5001 -j DROP
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --destination-port 5055 -j DROP
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --destination-port 5010 -j DROP
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --destination-port 5150 -j DROP
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --destination-port 8000 -j DROP
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --destination-port 1683 -j DROP
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --destination-port 1644 -j DROP
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --destination-port 1455 -j DROP
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --destination-port 1071 -j DROP
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --destination-port 8001 -j DROP
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --destination-port 1083 -j DROP
iptables -A FORWARD -p tcp --dport 5000:5010 -j DROP
iptables -A FORWARD -d 216.136.233.128 -j DROP
iptables -A FORWARD -d 216.136.226.208 -j DROP
iptables -A FORWARD -d 216.136.233.129 -j DROP
iptables -A FORWARD -d 216.136.175.144 -j DROP
iptables -A FORWARD -d 216.136.227.168 -j DROP
iptables -A FORWARD -d 216.136.225.12 -j DROP
iptables -A FORWARD -d 216.136.224.213 -j DROP
iptables -A FORWARD -d 216.136.175.142 -j DROP
iptables -A FORWARD -d 216.136.175.143 -j DROP
iptables -A FORWARD -d 216.136.233.132 -j DROP
iptables -A FORWARD -d 216.136.224.214 -j DROP
iptables -A FORWARD -d 216.136.225.11 -j DROP
iptables -A FORWARD -d 216.155.193.145 -j DROP
iptables -A FORWARD -d 216.155.193.146 -j DROP
iptables -A FORWARD -d 66.163.181.150 -j DROP
iptables -A FORWARD -d 216.155.193.150 -j DROP
iptables -A FORWARD -d 216.155.194.191 -j DROP

This is all that I have blocked and Yahoo is still on, and I don't know what to block to stop Yahoo.

If you could help me I will be very happy.

If someone knows other IPs or ports to block I will be glad to add them.

Last edited by `neo; 02-03-2006 at 10:25 AM.
 
Old 02-03-2006, 12:08 PM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 377
it's not a very good idea to use the PRE/POSTROUTING chains to do packet filtering... it's best to do it in the FORWARD chain...

having said that, it looks like you already know which ports and stuff to use... the thing is that, from what little i've read (via google), it seems yahoo messenger will attempt to connect using all kinds of ports if it finds that it's not getting through those default ones... if that's true, then it will be quite difficult for you to filter it by using only port numbers...

this leaves you with the destination IP address option, which could be very effective, but i assume yahoo has TONS of IPs and probably changes them often, so you'd be playing cat and mouse forever...

IMHO, the best way to take care of something like this is to use an application-layer proxy... this way no matter which port or IP the packets are using, your linux gateway will know the packets are YAHOO MESSENGER packets and will filter them as you wish...

of course, setting up an application-layer gateway takes more effort than setting up iptables rules, but it is truly a much better option when it comes to filtering specific programs from your network for obvious reasons...

Last edited by win32sux; 02-03-2006 at 12:16 PM.
 
Old 02-03-2006, 12:30 PM   #8
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
Doesn't Yahoo Messenger rely on a messenger server? Go into the config on one of the YM clients and find the server IP and just block that.

Also, win32sux is correct, trying to filter in the PRE/POSTROUTING chains has limited effectiveness. On top of that, I don't like to try and filter in the FORWARD chain either. The most effective way to filter is by using the INPUT chain, after all the best way to stop something bad is at the door, not when it's inside and trying to figure out where to go. Something like:

iptables -I INPUT -s ethX -d www.xxx.yyy.zzz -j DROP

Where ethX is the internal interface with the LAN clients you want to block on it and www.xxx.yyy.zzz is the IP address of the messenger server.

Also note the -I instead of -A.
-I does an Insert, adding the rule to the top of the filter list.
-A does an Append, adding the rule to the bottom of the filter list, possibly below another rule that allows all traffic in making it never used.

Last edited by Darin; 02-03-2006 at 12:35 PM.
 
Old 02-03-2006, 12:38 PM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 377
Quote:
Originally Posted by Darin
Doesn't Yahoo Messenger rely on a messenger server? Go into the config on one of the YM clients and find the server IP and just block that.
except they'd probably have several of these IPs, and most likely change them quite often... no??

Quote:
Also, win32sux is correct, trying to filter in the PRE/POSTROUTING chains has limited effectiveness. On top of that, I don't like to try and filter in the FORWARD chain either. The most effective way to filter is by using the INPUT chain, after all the best way to stop something bad is at the door, not when it's inside and trying to figure out where to go. Something like:

iptables -I INPUT -s ethX -d www.xxx.yyy.zzz -j DROP

Where ethX is the internal interface with the LAN clients you want to block on it and www.xxx.yyy.zzz is the IP address of the messenger server.
the INPUT chain is not used for routing, so your example rule would not work at all (unless the iptables box itself is running the messenger server - and we can probably assume it's NOT)...

the INPUT chain is only used for packets which are destined for the iptables box itself... the FORWARD chain is used for packets which are destined to other boxes...

so an incoming packet will enter either the FORWARD or INPUT chains depending on where it's addressed to... in this case, the packets would not enter through the INPUT chain, so a rule there is out of the question...

BTW: "-s ethX" is not right... "-s" is used for source addresses... to specify incoming interfaces you'd wanna use "-i", like "-i ethX"...

Last edited by win32sux; 02-03-2006 at 12:44 PM.
 
Old 02-03-2006, 01:04 PM   #10
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
Oops, apparently I posted too quickly, excuse me while I pull my foot out of my mouth here...there we go.

OK so I wanted to know and I looked for it, he's correct on the chains, "If we get a packet into the first routing decision that is not destined for the local machine itself, it will be routed through the FORWARD chain. If the packet is, on the other hand, destined for an IP address that the local machine is listening to, we would send the packet through the INPUT chain and to the local machine." - http://iptables-tutorial.frozentux.n...ERSINGOFTABLES

So the INPUT chain is the front door for packets destined for IP addresses the firewall listens on and the FORWARD chain is the front door for packets passing through the firewall.

And yes the -s was a typo, -i interface is correct.

As for the server IP addresses, one would assume that since each client has to have an initial configuration that the server would be in a fixed location on The Internet (aka fixed IP address or URL.)
 
Old 02-03-2006, 01:43 PM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 377
perhaps you could use squid... like, force all the machines on the LAN to use squid and forget about routing... by using squid you could use an ACL to filter based on URL (instead of IP)... this way you eliminate the cat and mouse game of having to keep up with all the different possible IPs yahoo could use... in other words, with squid you could filter any outgoing connections to *.yahoo.com while still being able to make exceptions for some addresses like maybe mail.yahoo.com or www.yahoo.com or whatever... reverse-dns lookups would be done, so that when an attempt to connect directly to an IP is made, like for example 216.136.233.128, the lookup is performed and since the result is cs41.msg.sc5.yahoo.com then the connection is not performed...

just something to think about...
 
Old 02-03-2006, 02:01 PM   #12
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 377
Quote:
Originally Posted by Darin
As for the server IP addresses, one would assume that since each client has to have an initial configuration that the server would be in a fixed location on The Internet (aka fixed IP address or URL.)
yes, it could be one IP address - or it could be a *thousand*... seriously, they probably have tons and tons of messaging servers scattered across the planet... the clients don't all need to connect to one specific server...

application-layer aside, i'd go for what the IPs have in common, which AFAICT is that they reverse-resolve to *.yahoo.com addresses (specifically *.msg.*.yahoo.com)... so by blocking via squid access to those addresses, for example, one would achieve much higher effectiveness than would be possible by trying to use IP addresses...
 
Old 02-03-2006, 02:17 PM   #13
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
From http://www.helpbytes.co.uk/yconnect.php

Ports Yahoo! Messenger uses!

Yahoo! Messenger services use a variety of ports.

Service               Ports
Chat & Messenger      TCP Port 5050: Client Access only
Insider/Room Lists    TCP Port 80: Client Access only
File Transfer         TCP Port 80: Server Access.
                      Your ISP may block this port, as it's used for web hosting.
                      You can change the port in Messenger, Preferences, File Transfer.
Voice Chat            UDP 5000-5010
                      TCP 5000-5001: Client Access
                      If UDP fails, TCP will be used instead, see below.
WebCam                TCP Port 5100: Client Access
Super Webcam          TCP Port 5100: Server Access
P2P Instant Messages  TCP Port 5101: Server Access
                      PMs between Buddies may not use the Yahoo! Server, but this is not a requirement.

I also found some references to other ports and included those, to be:
Code:
#!/bin/bash

# all Yahoo TCP ports: one DROP rule each, inserted at the top of FORWARD
for YM_TCP_PORTS in 5050 5000 5001 5100 5101 23
 do
  iptables -I FORWARD -p tcp --dport $YM_TCP_PORTS -j DROP
 done

# Yahoo UDP ports: the voice-chat range plus 5055 (-j is lowercase)
for YM_UDP_PORTS in "5000:5010" 5055
 do
  iptables -I FORWARD -p udp --dport $YM_UDP_PORTS -j DROP
 done
Assuming you wouldn't be trying to block port 80 traffic.

see also http://www.google.com/search?q=yahoo+messenger+port
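As an added example that is not code from any post in this thread, here is a boot-time script that puts the port blocks from posts #8, #9 and #13 together the way the replies recommend: in the FORWARD chain (not nat PREROUTING or INPUT), matched on the LAN interface with -i (not -s), inserted at the top with -I, and logging each dropped attempt so a client that hops to other ports shows up in the kernel log. The interface name eth1, the LAN range and the port list are assumptions; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: Yahoo Messenger port blocks in the FORWARD chain, with a
# LOG before the DROP.  Interface, LAN range and ports are assumptions.
# Commands are only printed unless APPLY=1 is set in the environment.
IPTABLES="${IPTABLES:-iptables}"
LAN_IF="${LAN_IF:-eth1}"              # assumed internal (LAN) interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # LAN range used in the thread
YM_TCP_PORTS="5050 5000 5001 5100 5101"
YM_UDP_PORTS="5000:5010 5055"

# Print one iptables command per line; nothing is executed here.
ym_rules() {
  for c in YM_BLOCK YM_DROP; do
    echo "$IPTABLES -N $c 2>/dev/null || true"   # create once, then reset
    echo "$IPTABLES -F $c"
  done
  # YM_DROP: log the attempt (prefix is visible in dmesg/syslog), then drop.
  echo "$IPTABLES -A YM_DROP -j LOG --log-prefix 'YM-BLOCK ' --log-level 4"
  echo "$IPTABLES -A YM_DROP -j DROP"
  # YM_BLOCK: one match per known Messenger port, handing off to YM_DROP.
  for p in $YM_TCP_PORTS; do
    echo "$IPTABLES -A YM_BLOCK -p tcp --dport $p -j YM_DROP"
  done
  for p in $YM_UDP_PORTS; do
    echo "$IPTABLES -A YM_BLOCK -p udp --dport $p -j YM_DROP"
  done
  # Hook: only LAN-originated forwarded traffic enters YM_BLOCK, matched on
  # the incoming interface with -i; -I places the jump above any existing
  # FORWARD ACCEPT rule.  The -D first keeps reruns from stacking jumps.
  echo "$IPTABLES -D FORWARD -i $LAN_IF -s $LAN_NET -j YM_BLOCK 2>/dev/null || true"
  echo "$IPTABLES -I FORWARD -i $LAN_IF -s $LAN_NET -j YM_BLOCK"
}

# Number of port-match rules the script would install (self-check).
ym_rule_count() { ym_rules | grep -c -- '--dport'; }

if [ "${APPLY:-0}" = "1" ]; then
  ym_rules | while IFS= read -r cmd; do eval "$cmd"; done
else
  ym_rules   # dry run: show what would be applied
fi
```

Dropped packets appear in the kernel log with the YM-BLOCK prefix, which is where a client retrying on other ports, as post #7 describes, becomes visible.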
 
Old 02-03-2006, 03:00 PM   #14
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 377
yeah, of course you can block those ports with iptables - but then the yahoo messenger has about sixty-thousand other TCP ports it can try, plus about sixty-thousand UDP ports...

IMHO, if you wanna filter yahoo messenger *FOR REAL*, you can't rely on iptables...
 
Old 02-03-2006, 06:08 PM   #15
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
Would blocking port 53 and setting up an internal DNS server that is the master for zone yahoo.com. cover that?
 
  

