LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 09-16-2005, 03:08 AM   #1
cksoo
LQ Newbie
 
Registered: Sep 2005
Posts: 19

Rep: Reputation: 0
how to block all the IM -- skype, googletalk, msn, yahoo, ICQ


Hi,

May I know how to total block all the IM using Iptables and squid because my company new policy want me to block all the IM. For time being i just able to block yahoo and ICQ using iptables and msn using squid. but I unable to block skype and google talk.

hope some one can help me to solve it or point me the useful link.

thanks.
 
Old 09-16-2005, 04:53 AM   #2
reddazz
LQ Guru
 
Registered: Nov 2003
Location: N. E. England
Distribution: Fedora, CentOS, Debian
Posts: 16,298

Rep: Reputation: 77
I am not a networking guru but I think you need to find out which ports they use and block those ports.
 
Old 09-16-2005, 10:46 AM   #3
craigevil
Senior Member
 
Registered: Apr 2005
Location: OZ
Distribution: Debian Sid/RPIOS
Posts: 4,905
Blog Entries: 29

Rep: Reputation: 537Reputation: 537Reputation: 537Reputation: 537Reputation: 537Reputation: 537
If you can use Guarddog it has separate listings for AIM, YAhoo, MSN, ICQ,IRC, and netmeeting.

Aim uses Destination Port: 5190-5193

YAhoo:
Name: Yahoo! Messenger
Description:
Yahoo! instant messager.
Security Risk: Low
Network Usage:
Description: TCP connection from client to server.
Name: Login to network
Source Port: dynamic
Destination Port: 5050, 23
Description: TCP connection from client to server.
Name: Conference
Source Port: dynamic
Destination Port: 5000-5001
Description: UDP connection from client to server.
Name: Conference
Source Port: dynamic
Destination Port: 5000

MSN:Destination Port: 1863

ICQ:
Description: Bidirectional UDP connection from client to server.
Source Port: any
Destination Port: 4000
Description: TCP connection from client to client.
Source Port: nonprivileged
Destination Port: nonprivileged

Jabber/Gtalk:
Description: TCP connection from client to server.
Source Port: dynamic
Destination Port: 5222
Description: TCP connection from client to server.
Name: Jabber over Secure Socket Layer
Source Port: dynamic
Destination Port: 5223

Sorry I do not have Skype installed. Their documentation should tell you what ports to block.
 
Old 09-19-2005, 01:31 AM   #4
ckamheng
Member
 
Registered: Apr 2003
Location: Malaysia
Distribution: Slackware 10.2
Posts: 75

Rep: Reputation: 15
FYI, what i noticed that now all the IM are using the random port already so quick difficult to block them also. Cause I try to block all IM with the port no that list about but the user still can use the IM.
 
Old 09-19-2005, 08:21 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
wouldn't an application-level proxy be a more effective way to block these things??

http://www.balabit.com/products/zorp/


or maybe there's an add-on to iptables for IMs, kinda like the p2pwall project but for IMs instead of P2Ps??

http://www.lowth.com/p2pwall/
 
Old 09-20-2005, 08:19 PM   #6
cksoo
LQ Newbie
 
Registered: Sep 2005
Posts: 19

Original Poster
Rep: Reputation: 0
I use very stupid way to block the IM that I install all the IM and monitor it where and which IP they logon to then i block IP that they login to prevent user to use the IM.

Unfortunery, I still cant block the user using external Proxy server to logon to IM server. Any one got an idea on this. Can this be done by using the iptables which can block the internal user using an external Proxy server?
 
Old 09-20-2005, 09:58 PM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally posted by cksoo
I use very stupid way to block the IM that I install all the IM and monitor it where and which IP they logon to then i block IP that they login to prevent user to use the IM.

Unfortunery, I still cant block the user using external Proxy server to logon to IM server. Any one got an idea on this. Can this be done by using the iptables which can block the internal user using an external Proxy server?
yes, if you know the IP of the proxy server it would be easy to block it with iptables...


Last edited by win32sux; 09-20-2005 at 11:57 PM.
 
Old 09-21-2005, 05:54 AM   #8
cksoo
LQ Newbie
 
Registered: Sep 2005
Posts: 19

Original Poster
Rep: Reputation: 0
The problem is there are a lot open proxy offer so quite difficult to block. May I know whether got a general iptables rules that force my internal must use my internal proxy server or not ?
 
Old 04-11-2006, 06:35 AM   #9
logu
LQ Newbie
 
Registered: May 2004
Posts: 2

Rep: Reputation: 0
You can have proxy and allow your users to have access just to the proxy port and deny all others.
 
Old 05-23-2007, 03:54 AM   #10
tuxchetan
LQ Newbie
 
Registered: May 2007
Posts: 3

Rep: Reputation: 0
To disable GTalk...
Setup these rules in your IPTables. or create ACLs in Squid.

Drop If destination is 72.14.253.125
Drop If destination is 72.14.255.100
Drop If destination is 209.85.139.83
Drop If destination is 66.249.89.99
Drop If destination is 64.233.163.189
Drop If destination is 209.85.137.125
Drop If protocol is TCP and destination is 66.249.89.103 and destination port is 443
Drop If protocol is TCP and destination is 209.85.137.125 and destination port is 443
Drop If protocol is TCP and destination is 209.85.147.83 and destination port is 80
Drop If protocol is TCP and destination is 216.239.51.125 and destination port is 443
Drop If protocol is TCP and destination is 209.85.163.125 and destination port is 443
Drop If protocol is TCP and destination is 209.85.163.125 and destination port is 5222
Drop If protocol is TCP and destination is 216.239.51.125 and destination port is 443
Drop If protocol is TCP and destination is 216.239.51.125 and destination port is 5222
Drop If protocol is TCP and destination is 72.14.253.125 and destination port is 443

+chetan
 
Old 05-24-2007, 03:27 AM   #11
logu
LQ Newbie
 
Registered: May 2004
Posts: 2

Rep: Reputation: 0
Quote:
Originally Posted by tuxchetan
To disable GTalk...
Setup these rules in your IPTables. or create ACLs in Squid.

Drop If destination is 72.14.253.125
Drop If destination is 72.14.255.100
Drop If destination is 209.85.139.83
Drop If destination is 66.249.89.99
Drop If destination is 64.233.163.189
Drop If destination is 209.85.137.125
Drop If protocol is TCP and destination is 66.249.89.103 and destination port is 443
Drop If protocol is TCP and destination is 209.85.137.125 and destination port is 443
Drop If protocol is TCP and destination is 209.85.147.83 and destination port is 80
Drop If protocol is TCP and destination is 216.239.51.125 and destination port is 443
Drop If protocol is TCP and destination is 209.85.163.125 and destination port is 443
Drop If protocol is TCP and destination is 209.85.163.125 and destination port is 5222
Drop If protocol is TCP and destination is 216.239.51.125 and destination port is 443
Drop If protocol is TCP and destination is 216.239.51.125 and destination port is 5222
Drop If protocol is TCP and destination is 72.14.253.125 and destination port is 443

+chetan
Blocking IMs based on IPs doent seem to be a good idea as the clients use the fqdn to connect and the corresponding IP keeps changing. Better way is to block them using the fqdn (talk.google.com) and keep IPtables rules updating it using cron jobs.

Thanks
-logu
 
Old 05-24-2007, 09:46 AM   #12
gloomy
Member
 
Registered: Jan 2006
Location: Finland
Distribution: Mainly Gentoo
Posts: 119

Rep: Reputation: 15
In my opinion the best filtering project at the application layer:

http://l7-filter.sourceforge.net/
 
Old 05-25-2007, 12:56 AM   #13
tuxchetan
LQ Newbie
 
Registered: May 2007
Posts: 3

Rep: Reputation: 0
Wink

Quote:
Originally Posted by logu
Better way is to block them using the fqdn (talk.google.com)
Yes, you are right. We have to keep watch if host/IP change. But if GTalk seems talk.google.com host down (that's what if we block it), seems that it tried those hosts and connection successfull.
Then, if you try to block port 5222/3 of Jabber, next it make an conn. attempt to those hosts at 443 or 80.

I'm using these iptables rules from past 3 months, and keeps blocking.

BTW, try to block these sites.... for Web IM
http://www.iloveim.com/
http://www.meebo.com ( alternatives- http://www.meebo.us or http://www.meebo.biz )
http://www.imunitive.com (alternatives- http://www.imunitive.co.uk )
http://www.imhaha.com ( alternatives- http://www.imhaha.net)
http://www.e-buddy.com (alternatives - http://www.e-buddy.us)
http://www.koolim.com (alternatives- http://www.koolim.us)
http://www.goowy.com -( alternatives- http://www.goowy.us
http://www.goowy.info , http://www.goowy.biz)
http://www.mabber.com (alternatives- http://www.mabber.us)
http://www.wablet.com - ( alternatives- http://www.wablet.us )
http://www.easymessenger.net/
http://www.pinkprank.com
http://www.ebuddy.com/

Last edited by tuxchetan; 05-25-2007 at 12:58 AM.
 
Old 05-25-2007, 05:35 AM   #14
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
as for skype that is the hardest application to block. The only way that i have seen to block skype is to do a packet matching with CISCO MARS systems. I use sidewinder firewalls at work and we cant even block skype on those.
 
Old 07-02-2007, 02:33 AM   #15
rkiran32
LQ Newbie
 
Registered: Jul 2007
Posts: 1

Rep: Reputation: 0
Smile Hi Chetan, can u pls guide me how to add the below lines in my (rc.firewall.up)

Hi Chetan,
can u pls guide me how to add the below lines in my rc.firewall.up)file.
I don't know where to add these lines & as per my knowledge it should come like this.....
for eg:
# drop hits from Google Talk
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 5222 -j DROP
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 5223 -j DROP
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 5224 -j DROP
if I am right. I m waiting for your earliest reply.

I m using smoothwall 2.0. I also want to learn more about blocking IP Addresses & the Ports, if U can help me it wud be gr8 for me.

You can reply me in kinna_kinnna@yahoo.com

Thanks
Kiran






Quote:
Originally Posted by tuxchetan
To disable GTalk...
Setup these rules in your IPTables. or create ACLs in Squid.

Drop If destination is 72.14.253.125
Drop If destination is 72.14.255.100
Drop If destination is 209.85.139.83
Drop If destination is 66.249.89.99
Drop If destination is 64.233.163.189
Drop If destination is 209.85.137.125
Drop If protocol is TCP and destination is 66.249.89.103 and destination port is 443
Drop If protocol is TCP and destination is 209.85.137.125 and destination port is 443
Drop If protocol is TCP and destination is 209.85.147.83 and destination port is 80
Drop If protocol is TCP and destination is 216.239.51.125 and destination port is 443
Drop If protocol is TCP and destination is 209.85.163.125 and destination port is 443
Drop If protocol is TCP and destination is 209.85.163.125 and destination port is 5222
Drop If protocol is TCP and destination is 216.239.51.125 and destination port is 443
Drop If protocol is TCP and destination is 216.239.51.125 and destination port is 5222
Drop If protocol is TCP and destination is 72.14.253.125 and destination port is 443

+chetan
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Block MSN, YM, ICQ.... All..... gabriellai Linux - Networking 2 04-05-2005 06:21 PM
ICQ/MSN/IRC all-in-one for Linux? Cyberian Linux - Software 4 07-03-2004 09:52 PM
Yahoo Messenger or ICQ on FreeBSD? selvyn Linux - Software 11 03-03-2004 11:57 AM
MSN AND ICQ in one with filtransfer support pollymorf Linux - Newbie 1 09-24-2003 09:33 AM
SmoothWall + ICQ & MSN Messenger Albinus Linux - Networking 1 08-24-2001 11:34 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:15 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration