Linux - Newbie
This Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
I want to block gtalk completely. I have blocked port no. 5222 and 5223 for gtalk.
Gtalk uses port no. 80 and 443 for communication, now I can't block port 80 and 443 ...
Can anyone let me know how to block gtalk completely? I don't want it to be used even in the gmail browser.
I am using iptables for blocking, and have a transparent proxy (squid).
Sorry, unless you block ports 80/443, you can't block it without some serious firewall/packet-sniffing hardware. It'd be VERY hard to identify which packet was gtalk over port 80, and which wasn't.....
Hi TBone,
Well, this is really a tough job, to block port 80. Is there any external tool that will allow this?
That is actually not always possible. If you block port 5222 and 5223 it will use 80 and 443. If you block the domains it will use google. If I block the tcp protocol it will use http.
I have used wireshark to find it out, and it will scan all the possibilities to connect and will do it.
Thanks for the reply. But you mean to say iptables has limitations? Can you please explain how gtalk works or communicates?
Regards,
Prayag
IPtables blocks ports, or redirects them. That's it. If you block the Google Talk client on 5222 and 5223, that works, but if you fire up your web browser (running on port 80, or 443 for https), those go through. IPtables doesn't know what sites you're going to. All the gtalk web piece through gmail is, is a small Java applet on a web page. IPtables can't distinguish that...that's just port 80 traffic, which is allowed.
You can fire up squid, and block the gmail site, but that's only a patch too. Theoretically, you can use any number of other chat clients (pidgin and kopete both support proxy servers, via port 80), and go right out again.
As I said, the only way to REALLY do it, is to get some expensive, real-time packet sniffing stuff, and monitor EVERY PACKET going in and out, and block what you don't want.
Hi TBOne,
In squid there is an option called req_header. It can be used with other attributes like User-Agent, Browser.
But it does not work.
Squid just refuses to recognize the User-Agent. It does if I want to block MSIE but does not if same has to be applied to gtalk.
Any ideas on how to make it work?
No, that doesn't work like that...I don't think you're understanding what I'm saying. Re-read my other posts.
Squid is a proxy server. It can block/allow sites, and IPtables blocks/allows TCP/IP ports. If you allow traffic on port 80 out to Google, then you can load gtalk. The Google site is allowed...neither squid nor iptables can determine which packets of that page load contain web-page data, and which contain java applet data for the chat function.
As I said before, the only way to do it is to use real-time packet-sniffing stuff, which is expensive. And again, a lot of chat clients can use a proxy server and get right out anyway.
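As an added example (not configuration from anyone in this thread), here is what the two measures discussed above look like on a gateway: the iptables port blocks for 5222/5223 plus the transparent redirect of port 80 into squid, and the squid ACL fragment combining dstdomain with the req_header User-Agent match. It assumes the box is the LAN gateway with interface eth1 and squid on port 3128; the domain and the User-Agent pattern are assumptions/placeholders to be verified against your own access.log.

```shell
#!/bin/sh
# Added example, not the thread's own configuration. Assumes this host is the
# LAN gateway, the LAN interface is eth1 and a transparent squid listens on
# 3128; the domain and the User-Agent pattern are assumptions/placeholders.
LAN_IF=${LAN_IF:-eth1}
SQUID_PORT=${SQUID_PORT:-3128}
IPT=${IPT:-iptables}   # set IPT=echo for a dry run that only prints the rules

# 1. Block the XMPP ports the thread already blocks (5222 plain, 5223 TLS).
block_gtalk_xmpp() {
    for port in 5222 5223; do
        "$IPT" -A FORWARD -i "$LAN_IF" -p tcp --dport "$port" \
            -j REJECT --reject-with tcp-reset
    done
}

# 2. Send LAN port-80 traffic through squid so its ACLs can see the requests.
redirect_http_to_squid() {
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
}

# 3. Squid ACL fragment: deny by destination domain and by User-Agent header.
#    These lines must come before any "http_access allow" in squid.conf.
write_squid_acl() {
    cat > "$1" <<'EOF'
# assumed Google Talk domain; verify against your own proxy logs
acl gtalk_hosts dstdomain .talk.google.com
# placeholder: replace with the User-Agent string observed in access.log
acl gtalk_agent req_header User-Agent -i ^GTALK-UA-PLACEHOLDER
http_access deny gtalk_hosts
http_access deny gtalk_agent
EOF
}

main() {
    block_gtalk_xmpp
    redirect_http_to_squid
    write_squid_acl /etc/squid/gtalk.conf   # then include it in squid.conf and reload squid
}

# Runs only when invoked as "./gtalk-block.sh apply"; sourcing just defines the functions.
case "${1:-}" in apply) main ;; esac
```

A transparent squid only ever sees the headers of plain HTTP on port 80; what arrives on 443 is TLS, so a req_header ACL has nothing to match there, which is consistent with the User-Agent rule working for MSIE over http but not for gtalk over 443.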