ICQ from LAN

dr_sad · 10-11-2005, 12:29 AM

Hello,
I need to allow local users use ICQ. They are not allowed to transfer files. And one more thing... I want to cut banners out. Are there any solutions? Thank You.

fouldsy · 10-18-2005, 05:06 AM

Whole lot of things you could do with requirements like that! First up, look at squid. That allows you to control ports accessible and inaccessible, providing access to ICQ whilst blocking other stuff. Also, using SquidGuard, you could build up lists of ad-serving sites. We're doing that here, but using DansGuardian for more intense content filtering. DansGuardian also has the advantage of allowing you to block MIME types, preventing .exe files from being downloaded for example, though you can also block .mp3, .zip, .rar, etc.

dr_sad · 10-19-2005, 06:16 AM

Ok. I tryed to use nat on cisco, but I could not disallow an opportunity to send/receive files. )o:

Code:

cisco6509-0#sh run | inc nat
 tunnel destination 217.106.13.2
 ip nat outside
 ip nat inside
 ip nat inside
 ip nat inside
ip nat pool icq_pool 192.168.80.210 192.168.80.210 prefix-length 24
ip nat inside source list 105 pool icq_pool overload
ip nat inside source list 7 interface Vlan100 overload
cisco6509-0#sh ip nat transl
Pro Inside global         Inside local          Outside local         Outside global
tcp 192.168.80.210:2134     10.10.6.113:2134      205.188.7.184:5190    205.188.7.184:5190
tcp 192.168.80.210:2289     10.10.6.113:2289      205.188.7.184:5190    205.188.7.184:5190
cisco6509-0#sh run | inc access-list 105
access-list 105 permit tcp 10.10.6.0 0.0.0.255 205.188.0.0 0.0.255.255 eq 5190
access-list 105 permit tcp 10.10.6.0 0.0.0.255 64.12.0.0 0.0.255.255 eq 5190
access-list 105 deny   ip any any
alias exec sh105 sh run | inc access-list 105
cisco6509-0#

So, I've decided to take another approach.

Code:

interface Vlan304
 description STel_LAN_04
 ip address 10.10.6.97 255.255.255.224
 ip access-group 123 out
 ip helper-address 192.168.80.1
 ip nat inside
 ip policy route-map to_proxy
end

cisco6509-0#sh route-map to_proxy
route-map to_proxy, permit, sequence 10
  Match clauses:
    ip address (access-lists): to_proxy
  Set clauses:
    ip next-hop 192.168.80.9
  Policy routing matches: 268 packets, 16616 bytes
cisco6509-0#
cisco6509-0#
cisco6509-0#sh ip access-list to_proxy
Extended IP access list to_proxy
    permit tcp host 10.10.6.109 any eq 5190 (12 matches)
    permit tcp host 10.10.6.116 any eq 5190 (6 matches)
    permit tcp host 10.10.6.113 any eq 5190 (250 matches)
    deny ip any any (359689 matches)
cisco6509-0#

On host 192.168.80.9 (it is a Linux 9.2) i've installed a proxy-server (most recent Squid). But packets from local users have the source addr 10.10.6.113 and the dist address login.icq.com, so my proxy does not process them. I can see them with iptraf, for example, but how can i redirect them to local ip and port of the proxy-server? May be iptables can do it?

P.S. Actually 192.168.80.0/24 - is a global network.