* RE: block msn
@ 2003-07-16 21:45 George Vieira
  2003-07-17 13:41 ` blocking MSN Messenger: my experiences ( almost long ) Leonardo Rodrigues Magalhães
  0 siblings, 1 reply; 6+ messages in thread
From: George Vieira @ 2003-07-16 21:45 UTC (permalink / raw)
  To: juanca, netfilter

Another one... Use TCPDUMP and see where they're coming from.

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
 

-----Original Message-----
From: juanca [mailto:juanca@sat.com.py]
Sent: Wednesday, July 16, 2003 9:36 PM
To: netfilter@lists.netfilter.org
Subject: block msn 


I've got this ruleset but it doesn't work. What else do I need to add?
All the Windows machines work with MSN, just on Linux it doesn't.
Any suggestions?
Thanks in advance

iptables -A FORWARD -s 192.168.0.10 -p TCP --dport 1443:1467 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -d 207.46.107.33 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -d 207.46.110.38 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -p tcp --dport 1513:1525 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -d 66.35.229.204 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -d 65.54.194.118 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -d 207.46.107.34 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -d 208.45.129.195 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -p tcp --dport 1863 -d 0/0 -j DROP
iptables -A FORWARD -s 192.168.0.10 -d 207.46.110.11 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -p tcp --dport 1863 -d 0/0 -j DROP
iptables -A FORWARD -s 192.168.0.10 -p tcp --dport 1601:1603 -d 0/0 -j DROP
iptables -A FORWARD -s 192.168.0.10 -d 64.4.13.0/24 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -d 64.4.0.0/24 -j REJECT
iptables -A INPUT -p tcp -s 192.168.0.10 -d messenger.microsoft.com -j DROP





* blocking MSN Messenger: my experiences ( almost long )
  2003-07-16 21:45 block msn George Vieira
@ 2003-07-17 13:41 ` Leonardo Rodrigues Magalhães
  0 siblings, 0 replies; 6+ messages in thread
From: Leonardo Rodrigues Magalhães @ 2003-07-17 13:41 UTC (permalink / raw)
  To: netfilter


    I've tried for a long time to block MSN Messenger using only iptables
rules. I couldn't get that working. I've seen some 'crazy' rules blocking
lots of IP blocks which, theoretically, are the MSN servers, but I really don't
like this kind of rules.

    I could successfully block MSN Messenger using the following approach:
    - all ports in my firewall are blocked, except those I really want (
specified one by one ) which are allowed in FORWARD and POSTROUTING;
    - even with this approach, MSN works because of the HTTP tunneling
stuff;
    - for blocking the HTTP tunneling stuff, I've configured squid ( which
works in transparent proxy mode, which means ALL 80/tcp traffic goes there )
to block the expression 'gateway.dll'. It seems that all access done by MSN
Messenger over the HTTP protocol uses this file.

( squid.conf relevant entries )

acl msnmessenger url_regex -i gateway.dll
http_access deny msnmessenger

( this deny should be placed BEFORE your ALLOW rules, as they're parsed
linearly )


    Here are some squid log entries that 'prove' my theory about
'gateway.dll'. In this firewall access to MSN Messenger is DENIED in squid,
so we'll see only DENYs here .... These DENYed entries represent MSN
Messenger trying to login ........

[root@correio squid]# cat /var/log/squid/access.log | grep gateway.dll
1058182392.455    147 10.0.1.25 TCP_DENIED/407 2070 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - NONE/- text/html
1058182397.640      1 10.0.1.25 TCP_DENIED/407 2070 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - NONE/- text/html
1058194534.786     29 10.0.1.25 TCP_DENIED/407 2070 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - NONE/- text/html
1058206234.395      1 10.0.1.25 TCP_DENIED/407 2070 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - NONE/- text/html
1058206492.547      4 10.0.1.25 TCP_DENIED/407 2070 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - NONE/- text/html
1058206498.132      4 10.0.1.25 TCP_DENIED/407 2070 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - NONE/- text/html
1058268737.709      1 10.0.1.25 TCP_DENIED/407 2070 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - NONE/- text/html
1058268744.993      4 10.0.1.25 TCP_DENIED/407 2070 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - NONE/- text/html
1058296167.865      1 10.0.1.25 TCP_DENIED/407 2070 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - NONE/- text/html
1058297215.332      4 10.0.1.25 TCP_DENIED/407 2070 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - NONE/- text/html
1058304370.039      1 10.0.1.25 TCP_DENIED/407 2070 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - NONE/- text/html
1058355175.908      7 10.0.1.25 TCP_DENIED/407 2070 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - NONE/- text/html
1058361247.628      1 10.0.1.25 TCP_DENIED/407 2070 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - NONE/- text/html
1058362187.640      4 10.0.1.25 TCP_DENIED/407 2070 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - NONE/- text/html
1058364639.802      1 10.0.1.25 TCP_DENIED/407 2070 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - NONE/- text/html
1058440598.704      1 10.0.1.25 TCP_DENIED/407 2070 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - NONE/- text/html
1058440604.017      4 10.0.1.25 TCP_DENIED/407 2070 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - NONE/- text/html
[root@correio squid]#




    In my case, access using 'random' ports won't happen, because I allow
only the ports I want. And HTTP traffic is controlled by squid, which blocks
'gateway.dll' URLs. Using this, I could successfully block MSN Messenger
usage.

    This is not a squid mailing list, I know. But I've tried for several
weeks to block MSN Messenger using only iptables and I couldn't. I found it
interesting to share my experiences on this subject with the list because I
know that a lot of people that are using iptables are also using squid, so I
think these comments and this 'solution' are relevant.


    Sincerely,
    Leonardo Rodrigues


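The approach in the post above relies on Squid's url_regex hitting 'gateway.dll' and on the deny being ordered before any allow. The script below is an added example (not code from the post or from Squid) that applies the same check to access.log lines and reports, per client, how many tunnel requests were seen and how many received a 2xx, which would indicate the deny ACL is missing or misordered; the log lines in SAMPLE_LOG are constructed for the example.

```python
# Added example (not from the original post): apply the post's Squid check
# ('url_regex -i gateway.dll') to access.log lines and summarise, per client,
# how many MSN tunnel requests were seen and how many got a 2xx answer, which
# would mean the deny ACL is missing or ordered after an allow rule.
# SAMPLE_LOG is constructed for this example.
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native format: time elapsed client result/status bytes method URL
# rfc931 hierarchy/peer content-type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<mime>\S+)$"
)
# Case-insensitive, against the whole URL, like Squid's url_regex -i
MSN_GATEWAY_RE = re.compile(r"gateway\.dll", re.IGNORECASE)

SAMPLE_LOG = """\
1058182392.455    147 10.0.1.25 TCP_DENIED/407 2070 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - NONE/- text/html
1058182397.640      1 10.0.1.25 TCP_MISS/200 512 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - DIRECT/207.46.110.35 text/html
1058182400.101     33 10.0.1.40 TCP_MISS/200 4096 GET http://www.example.org/index.html - DIRECT/192.0.2.10 text/html
"""

def parse_line(line):
    """Return the fields of one access.log line as a dict, or None."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def scan(log_text):
    """Per-client summary of requests matching the gateway.dll pattern."""
    report = defaultdict(lambda: {"attempts": 0, "allowed": 0, "servers": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not MSN_GATEWAY_RE.search(rec["url"]):
            continue
        entry = report[rec["client"]]
        entry["attempts"] += 1
        entry["servers"].add(urlsplit(rec["url"]).hostname)
        # TCP_DENIED/407 is Squid refusing the request; a 2xx means the
        # tunnel request was forwarded to the MSN gateway despite the ACL
        if 200 <= rec["status"] < 300:
            entry["allowed"] += 1
    return dict(report)
```

Run it against a real access.log by reading the file and passing its text to scan(); any client with allowed > 0 points at a gap in the http_access ordering.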


* RE: block msn
  2003-07-16 11:36 juanca
  2003-07-16 16:01 ` Ray Leach
@ 2003-07-18 16:55 ` Rob Sterenborg
  1 sibling, 0 replies; 6+ messages in thread
From: Rob Sterenborg @ 2003-07-18 16:55 UTC (permalink / raw)
  To: netfilter

> I've got this ruleset but it doesn't work. What else do I need to add?
> All the Windows machines work with MSN, just on Linux it doesn't.
> Any suggestions?

With these rules I'm successfully blocking MSN usage.

Iptables :

/usr/local/sbin/iptables -A FORWARD -p tcp --dport 1863 -j REJECT --reject-with tcp-reset
/usr/local/sbin/iptables -A FORWARD -d 207.46.104.20 -p tcp --dport 80 -j REJECT --reject-with tcp-reset
/usr/local/sbin/iptables -A FORWARD -d 207.46.110.35 -p tcp --dport 80 -j REJECT --reject-with tcp-reset
/usr/local/sbin/iptables -A FORWARD -d 207.46.110.41 -p tcp --dport 80 -j REJECT --reject-with tcp-reset
/usr/local/sbin/iptables -A FORWARD -d 207.46.110.43 -p tcp --dport 80 -j REJECT --reject-with tcp-reset
/usr/local/sbin/iptables -A FORWARD -d 207.46.110.48 -p tcp --dport 80 -j REJECT --reject-with tcp-reset
/usr/local/sbin/iptables -A FORWARD -d 207.46.110.49 -p tcp --dport 80 -j REJECT --reject-with tcp-reset
/usr/local/sbin/iptables -A FORWARD -d 207.46.110.254 -p tcp --dport 80 -j REJECT --reject-with tcp-reset
/usr/local/sbin/iptables -A FORWARD -d 207.68.171.247 -p tcp --dport 80 -j REJECT --reject-with tcp-reset
/usr/local/sbin/iptables -A FORWARD -d 207.68.178.239 -p tcp --dport 80 -j REJECT --reject-with tcp-reset

Squid :

# Deny MSN access to servers
acl MSN_Servers dst 207.46.104.20
acl MSN_Servers dst 207.46.110.35
acl MSN_Servers dst 207.46.110.41
acl MSN_Servers dst 207.46.110.43
acl MSN_Servers dst 207.46.110.48
acl MSN_Servers dst 207.46.110.49
acl MSN_Servers dst 207.46.110.254
acl MSN_Servers dst 207.68.171.247
acl MSN_Servers dst 207.68.178.239
http_access deny MSN_Servers

I don't know if the server list is complete, but at the moment it works
for me.


--
Rob




* Re: block msn
  2003-07-16 11:36 juanca
@ 2003-07-16 16:01 ` Ray Leach
  2003-07-18 16:55 ` Rob Sterenborg
  1 sibling, 0 replies; 6+ messages in thread
From: Ray Leach @ 2003-07-16 16:01 UTC (permalink / raw)
  To: Netfilter Mailing List


The msn clients with winblows xp also 'tunnel' via your proxy if they
can't get out via the normal methods. You need to block the msn mime
types.

With iptables I think you could probably use a string match for
'x-msn-messenger' (if that's the mime type).

Ray

On Wed, 2003-07-16 at 13:36, juanca wrote:
> I've got this ruleset but it doesn't work. What else do I need to add?
> All the Windows machines work with MSN, just on Linux it doesn't.
> Any suggestions?
> Thanks in advance
> 
> iptables -A FORWARD -s 192.168.0.10 -p TCP --dport 1443:1467 -j REJECT
> iptables -A FORWARD -s 192.168.0.10 -d 207.46.107.33 -j REJECT
> iptables -A FORWARD -s 192.168.0.10 -d 207.46.110.38 -j REJECT
> iptables -A FORWARD -s 192.168.0.10 -p tcp --dport 1863 -j REJECT
> iptables -A FORWARD -s 192.168.0.10 -p tcp --dport 1513:1525 -j REJECT
> iptables -A FORWARD -s 192.168.0.10 -d 66.35.229.204 -j REJECT
> iptables -A FORWARD -s 192.168.0.10 -d 65.54.194.118 -j REJECT
> iptables -A FORWARD -s 192.168.0.10 -d 207.46.107.34 -j REJECT
> iptables -A FORWARD -s 192.168.0.10 -d 208.45.129.195 -j REJECT
> iptables -A FORWARD -s 192.168.0.10 -p tcp --dport 1863 -d 0/0 -j DROP
> iptables -A FORWARD -s 192.168.0.10 -d 207.46.110.11 -j REJECT
> iptables -A FORWARD -s 192.168.0.10 -p tcp --dport 1863 -d 0/0 -j DROP
> iptables -A FORWARD -s 192.168.0.10 -p tcp --dport 1601:1603 -d 0/0 -j DROP
> iptables -A FORWARD -s 192.168.0.10 -d 64.4.13.0/24 -j REJECT
> iptables -A FORWARD -s 192.168.0.10 -d 64.4.0.0/24 -j REJECT
> iptables -A INPUT -p tcp -s 192.168.0.10 -d messenger.microsoft.com -j DROP
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--



* RE: block msn
@ 2003-07-16 15:54 Anderson, Ray
  0 siblings, 0 replies; 6+ messages in thread
From: Anderson, Ray @ 2003-07-16 15:54 UTC (permalink / raw)
  To: juanca, netfilter


Well, it looks to me like the source should be 0.0.0.0, or nothing at
all, to block all MSN on all machines.

-=Ray


-----Original Message-----
From: juanca [mailto:juanca@sat.com.py] 
Sent: Wednesday, July 16, 2003 4:36 AM
To: netfilter@lists.netfilter.org
Subject: block msn


I've got this ruleset but it doesn't work. What else do I need to add?
All the Windows machines work with MSN, just on Linux it doesn't.
Any suggestions?
Thanks in advance

iptables -A FORWARD -s 192.168.0.10 -p TCP --dport 1443:1467 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -d 207.46.107.33 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -d 207.46.110.38 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -p tcp --dport 1513:1525 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -d 66.35.229.204 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -d 65.54.194.118 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -d 207.46.107.34 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -d 208.45.129.195 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -p tcp --dport 1863 -d 0/0 -j DROP
iptables -A FORWARD -s 192.168.0.10 -d 207.46.110.11 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -p tcp --dport 1863 -d 0/0 -j DROP
iptables -A FORWARD -s 192.168.0.10 -p tcp --dport 1601:1603 -d 0/0 -j DROP
iptables -A FORWARD -s 192.168.0.10 -d 64.4.13.0/24 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -d 64.4.0.0/24 -j REJECT
iptables -A INPUT -p tcp -s 192.168.0.10 -d messenger.microsoft.com -j DROP




* block msn
@ 2003-07-16 11:36 juanca
  2003-07-16 16:01 ` Ray Leach
  2003-07-18 16:55 ` Rob Sterenborg
  0 siblings, 2 replies; 6+ messages in thread
From: juanca @ 2003-07-16 11:36 UTC (permalink / raw)
  To: netfilter

I've got this ruleset but it doesn't work. What else do I need to add?
All the Windows machines work with MSN, just on Linux it doesn't.
Any suggestions?
Thanks in advance

iptables -A FORWARD -s 192.168.0.10 -p TCP --dport 1443:1467 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -d 207.46.107.33 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -d 207.46.110.38 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -p tcp --dport 1513:1525 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -d 66.35.229.204 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -d 65.54.194.118 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -d 207.46.107.34 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -d 208.45.129.195 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -p tcp --dport 1863 -d 0/0 -j DROP
iptables -A FORWARD -s 192.168.0.10 -d 207.46.110.11 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -p tcp --dport 1863 -d 0/0 -j DROP
iptables -A FORWARD -s 192.168.0.10 -p tcp --dport 1601:1603 -d 0/0 -j DROP
iptables -A FORWARD -s 192.168.0.10 -d 64.4.13.0/24 -j REJECT
iptables -A FORWARD -s 192.168.0.10 -d 64.4.0.0/24 -j REJECT
iptables -A INPUT -p tcp -s 192.168.0.10 -d messenger.microsoft.com -j DROP


