LinuxQuestions.org

Linux - Security: (Un)simple iptables question (https://www.linuxquestions.org/questions/linux-security-4/un-simple-iptables-question-502731/)

branden_burger 11-18-2006 04:09 AM

(Un)simple iptables question
 
Hello all

Well, this is a common enough question - how to block Yahoo Messenger, MSN, etc. Earlier, the answer used to be: allow through only 'safe' ports like HTTP, SMTP, FTP and the like, and drop everything else.

Well, this isn't a complete solution. YMessenger, for one, can use other ports like SMTP and NNTP in addition to HTTP - so how on earth do I block it on my gateway?

Especially the usage of port 80! Alright, on port 25 I can allow through only access to my mail server, and on 119 only access to trusted newsgroups - but what about port 80? Do I need to know all the IPs of the Yahoo Messenger servers to drop connections to them? What do the sysadmins recommend?

Thanks,
branden

amitsharma_26 11-18-2006 05:40 AM

For yahoo, you could drop connections to
Code:

24.71.200.68/32 204.71.202.73/32 204.71.200.0/24 204.71.177.35/32 204.71.202.59/32 204.71.202.58/32 216.115.105.214/32 204.71.201.47/32 204.71.201.48/32 216.115.105.215/32 216.136.172.221/32

&
.msg.yahoo.com
pager.yahoo.com
update.messenger.yahoo.com
update.pager.yahoo.com

But your simple or UNsimple iptables question is not actually limited to the scope of iptables only; using Squid for this filtering would be very useful.

Apart from Squid and iptables, you can also use Snort (configured with the iptables inline function) for dropping packets.

But the best suggestion would be domain policies: using domain policies to prevent users from installing such applications. This helps stop streaming media as well.
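The netblock and hostname list above, turned into iptables rules as an added example (this is not code from the post; the LAN-facing interface name eth1 and the chain name MSGR_BLOCK are assumptions). It prints the rules by default and only applies them when APPLY=1, so it can be checked on any machine before being run on the gateway:

```shell
#!/bin/sh
# Added example, not code from the thread: reject LAN traffic to the Yahoo
# Messenger netblocks and hostnames listed in the post above.
# Assumptions (not in the original post): the gateway's LAN-facing interface
# is eth1 and the rules live in their own chain, MSGR_BLOCK.

LAN_IF="${LAN_IF:-eth1}"
CHAIN="${CHAIN:-MSGR_BLOCK}"

# Netblocks exactly as listed in the post (216.115.105.214/32 was wrapped
# across two lines in the original).
YAHOO_NETS="24.71.200.68/32 204.71.202.73/32 204.71.200.0/24 204.71.177.35/32
204.71.202.59/32 204.71.202.58/32 216.115.105.214/32 204.71.201.47/32
204.71.201.48/32 216.115.105.215/32 216.136.172.221/32"

# Hostnames from the post. ".msg.yahoo.com" is left out on purpose: it is a
# wildcard domain, and iptables cannot match those at all (see below).
YAHOO_HOSTS="pager.yahoo.com update.messenger.yahoo.com update.pager.yahoo.com"

# One REJECT per netblock. REJECT rather than DROP so the client fails fast
# instead of hanging while it walks through its fallback ports (80, 25, 119).
net_rules() {
    for net in $YAHOO_NETS; do
        printf 'iptables -A %s -d %s -j REJECT\n' "$CHAIN" "$net"
    done
}

# Hostname rules. iptables resolves a "-d hostname" ONCE, when the rule is
# inserted, and expands it into one rule per A record returned at that
# moment. Messenger servers sit behind round-robin DNS, so the set goes
# stale; re-run this from cron rather than loading it once at boot.
host_rules() {
    for host in $YAHOO_HOSTS; do
        printf 'iptables -A %s -d %s -j REJECT\n' "$CHAIN" "$host"
    done
}

# Full rule set: (re)create the chain, hook it into FORWARD for traffic
# arriving on the LAN interface, then add the destination rules.
all_rules() {
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$CHAIN" "$CHAIN"
    printf 'iptables -D FORWARD -i %s -j %s 2>/dev/null || true\n' "$LAN_IF" "$CHAIN"
    printf 'iptables -I FORWARD -i %s -j %s\n' "$LAN_IF" "$CHAIN"
    net_rules
    host_rules
}

# Number of rule lines generated (3 chain-management lines + 11 nets + 3 hosts).
rule_count() { all_rules | wc -l | tr -d ' '; }

if [ "${APPLY:-0}" = 1 ]; then
    all_rules | sh -e        # apply on the gateway (needs root)
else
    all_rules                # dry run: print what would be applied
fi
```

Two caveats the rules make visible: the wildcard entry `.msg.yahoo.com` from the post has no iptables equivalent, because the kernel matches addresses, not names, so that part of the list only works in a proxy that sees the Host header (Squid's dstdomain ACL); and the hostname rules are snapshots of DNS at insertion time, which is why the script is written to be re-applied rather than loaded once.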

branden_burger 11-18-2006 12:17 PM

As far as my understanding goes, just using Squid won't be enough. Ports proxied by Squid must be blocked by a firewall, right? Otherwise you can't force users to use the proxy.

And ultimately, you do have to know the IP ranges/FQDNs of the servers you have to block - whether you use Squid or not.

I haven't tried Snort with iptables, though. Domain policies are the hardest to enforce - it's hard to take control of their own computers away from people.

Thanks,
will check out the Snort option.

branden_burger

amitsharma_26 11-19-2006 03:25 PM

Quote:
As far as my understanding goes, just using Squid won't be enough. Ports proxied by Squid must be blocked by a firewall, right?

The highlighted text is absolutely correct as a general approach, but in the context of messengers, why would someone be allowing these ports through Squid if he's supposed to enforce a block? (Btw, we can block ports with Squid as well.)

Quote:
Otherwise you can't force users to use the proxy.

Are there any clients/users who are being given direct access via MASQUERADING or SNATing? Only if this is the case would we require the same Squid rules to be implemented at the firewall level as well. And here your statement holds: "ports proxied/blocked must be blocked by a firewall also."

Quote:
And ultimately, you do have to know the IP ranges/FQDNs of the servers you have to block - whether you use Squid or not.

Yes, that is true, since our more conventional way of blocking applications via dport isn't really effective these days (most messengers have started falling back to port 80 when their default ports are unavailable).

Quote:
Domain policies are the hardest to enforce - it's hard to take control of their own computers away from people.

Are we talking about an M$ or Samba domain?
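The point made in the last two posts, that Squid only enforces anything if MASQUERADEd clients cannot go around it, as an added example that is not part of the thread. It emits the iptables rules that force LAN web traffic into Squid and reject the rest, and the squid.conf fragment that does the messenger blocking. The addresses, interface names and the Squid port are assumptions: Squid is taken to run on the gateway itself on port 3128, the LAN to be 192.168.1.0/24 on eth1, the internet side eth0, and the site's mail server the placeholder 203.0.113.25.

```shell
#!/bin/sh
# Added example, not code from the thread: make LAN clients go through Squid
# and let Squid's ACLs do the per-application filtering the posts discuss.
# Assumptions (none of these appear in the original posts): Squid runs on the
# gateway and listens on 3128, the LAN is 192.168.1.0/24 on eth1, the
# internet side is eth0 with MASQUERADE, and the site's own mail server is
# the placeholder address 203.0.113.25.

LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
SQUID_PORT="${SQUID_PORT:-3128}"
MAIL_SERVER="${MAIL_SERVER:-203.0.113.25}"

# Firewall side. Without the REDIRECT and the final REJECT, a client that is
# MASQUERADEd straight out never touches Squid, so Squid's rules alone cannot
# enforce anything. Port 80 is intercepted into Squid; 25 is allowed only to
# the site's own mail server (the first post's requirement); DNS and HTTPS
# pass directly; everything else from the LAN is rejected.
firewall_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport 25 -d $MAIL_SERVER -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -j REJECT
EOF
}

# Squid side: a squid.conf fragment. "transparent" is the Squid 2.6 keyword
# for intercepted traffic (3.1 and later call it "intercept"). The deny lines
# must come BEFORE the site's "http_access allow localnet" line, because
# Squid takes the first matching http_access rule. The CONNECT restriction
# matters for messengers: a client allowed to CONNECT to an arbitrary port
# simply tunnels its native protocol through the proxy.
squid_conf_fragment() {
    cat <<EOF
http_port $SQUID_PORT transparent
acl messengers dstdomain .msg.yahoo.com pager.yahoo.com update.messenger.yahoo.com update.pager.yahoo.com
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny messengers
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
EOF
}

# The last FORWARD rule must be the catch-all REJECT; any rule appended
# after it is never reached.
last_forward_rule() {
    firewall_rules | grep ' FORWARD ' | tail -n 1
}

echo "# --- iptables ---"
firewall_rules
echo "# --- squid.conf additions ---"
squid_conf_fragment
```

The division of labour is the one the thread arrives at: iptables decides which hosts may talk to which ports at all (and that web traffic goes through the proxy), while Squid, which sees the requested hostname, handles the wildcard domain list and the CONNECT method that a dport-only firewall cannot distinguish from ordinary browsing.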

