* MSN and Yahoo Block through IPTABLES
From: Asim Ejaz Butt @ 2003-06-25 10:23 UTC (permalink / raw)
To: netfilter
Hello Gurus,
I am trying to block MSN and Yahoo Instant Messengers on my LAN using
IPTABLES. The following commands are used to block them, but without success.
/sbin/iptables -A FORWARD -p tcp -s 192.168.5.85 --dport 1863 -j REJECT
/sbin/iptables -A FORWARD -p tcp -s 192.168.5.85 -d 64.4.0.0/18 -j REJECT
/sbin/iptables -A FORWARD -d cs.yahoo.com -j REJECT
/sbin/iptables -A FORWARD -d scsa.yahoo.com -j REJECT
Can anyone help with blocking them through IPTABLES?
Asim Ejaz Butt
asim.butt@streaming-networks.com
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: MSN and Yahoo Block through IPTABLES
From: David Busby @ 2003-06-25 18:49 UTC (permalink / raw)
To: Asim Ejaz Butt, netfilter
Can you set policy to DROP then only allow what you need?
/B
----- Original Message -----
From: "Asim Ejaz Butt" <asim.butt@streaming-networks.com>
To: <netfilter@lists.netfilter.org>
Sent: Wednesday, June 25, 2003 03:23
Subject: MSN and Yahoo Block through IPTABLES
> Hello Gurus,
>
> I am trying to block MSN and Yahoo Instant Messengers on my LAN using
> IPTABLES. The following commands are used to block them, but without success.
>
> /sbin/iptables -A FORWARD -p tcp -s 192.168.5.85 --dport 1863 -j REJECT
> /sbin/iptables -A FORWARD -p tcp -s 192.168.5.85 -d 64.4.0.0/18 -j REJECT
>
> /sbin/iptables -A FORWARD -d cs.yahoo.com -j REJECT
> /sbin/iptables -A FORWARD -d scsa.yahoo.com -j REJECT
>
> Can anyone help with blocking them through IPTABLES?
>
> Asim Ejaz Butt
> asim.butt@streaming-networks.com
>
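The default-deny FORWARD chain David suggests, as an added example that is not code from the thread: the ruleset is built as a list of iptables commands so it can be reviewed and unit-tested before being loaded on the gateway. The interface names, the LAN prefix and the set of allowed services are assumptions for illustration.

```python
"""Default-deny FORWARD chain for a Linux NAT gateway.

Added example, not code from the thread. The ruleset is built as a list of
iptables commands so it can be reviewed (and unit-tested) before it is
loaded; interface names, the LAN prefix and the allowed services below are
assumptions for illustration.
"""
import shlex
import subprocess
from typing import List

LAN_IF = "eth1"              # assumption: LAN-facing interface
WAN_IF = "eth0"              # assumption: upstream interface
LAN_NET = "192.168.5.0/24"   # the poster's LAN prefix

# Services the LAN may open to the Internet; everything else hits the policy.
ALLOWED_TCP = {"http": 80, "https": 443, "smtp": 25, "pop3": 110}
ALLOWED_UDP = {"dns": 53}


def build_forward_rules() -> List[str]:
    """Return the iptables commands, in order, for a default-deny FORWARD chain."""
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -F FORWARD",
        # Replies to connections the LAN initiated, plus related ICMP/FTP-data.
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        # Unsolicited traffic from the upstream side: log a sample, then let
        # the DROP policy take it.
        f"iptables -A FORWARD -i {WAN_IF} -m state --state NEW "
        f"-m limit --limit 5/min -j LOG --log-prefix 'FWD-DENY-IN: '",
    ]
    for _name, port in sorted(ALLOWED_TCP.items()):
        rules.append(
            f"iptables -A FORWARD -i {LAN_IF} -o {WAN_IF} -s {LAN_NET} "
            f"-p tcp --dport {port} -m state --state NEW -j ACCEPT"
        )
    for _name, port in sorted(ALLOWED_UDP.items()):
        rules.append(
            f"iptables -A FORWARD -i {LAN_IF} -o {WAN_IF} -s {LAN_NET} "
            f"-p udp --dport {port} -j ACCEPT"
        )
    # Log (rate-limited) what the LAN tried and was refused: this is how you
    # discover which ports and servers a client such as an IM program uses.
    rules.append(
        f"iptables -A FORWARD -i {LAN_IF} -m limit --limit 5/min "
        f"-j LOG --log-prefix 'FWD-DENY-OUT: '"
    )
    return rules


def allows(rules: List[str], proto: str, dport: int) -> bool:
    """True if an ACCEPT rule permits new LAN->WAN connections to proto/dport."""
    needle = f"-p {proto} --dport {dport} "
    return any(needle in r and r.endswith("-j ACCEPT") for r in rules)


def apply(rules: List[str], dry_run: bool = True) -> None:
    """Print the commands, or run them (needs root) when dry_run is False."""
    for cmd in rules:
        if dry_run:
            print(cmd)
        else:
            subprocess.run(shlex.split(cmd), check=True)


if __name__ == "__main__":
    apply(build_forward_rules())   # dry run: review, then apply(..., dry_run=False)
```

Run it once as a dry run, read the FWD-DENY-OUT log lines for a day, and add only the services people actually need. One caveat for the poster's setup: if replies come back over a different box (the satellite downlink), the gateway never sees the return half of a connection, so the ESTABLISHED,RELATED match is of little use there and the outbound rules must stand on their own.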
* Re: MSN and Yahoo Block through IPTABLES
From: Joel Newkirk @ 2003-06-26 7:40 UTC (permalink / raw)
To: Asim Ejaz Butt; +Cc: netfilter
On Wed, 2003-06-25 at 06:23, Asim Ejaz Butt wrote:
> Hello Gurus,
As David Busby pointed out, you are probably better off with DROP
policies, and ACCEPT only desired/required traffic.
> I am trying to block MSN and Yahoo Instant Messengers on my LAN using
> IPTABLES. The following commands are used to block them, but without success.
>
> /sbin/iptables -A FORWARD -p tcp -s 192.168.5.85 --dport 1863 -j REJECT
> /sbin/iptables -A FORWARD -p tcp -s 192.168.5.85 -d 64.4.0.0/18 -j REJECT
DROP port 1863 should be sufficient to prevent MSN clients from logging
on to MSN messenger, IIRC. (My only use of MSN is with Gaim under
Linux, and 1863 is the only port I need to open for it to connect)
> /sbin/iptables -A FORWARD -d cs.yahoo.com -j REJECT
> /sbin/iptables -A FORWARD -d scsa.yahoo.com -j REJECT
Apparently the only way to stop YIM is to block all connections to the
servers. The trick here is that there are quite a few more yahoo IM
servers than these two rules cover...
/sbin/iptables -A FORWARD -d 63.216.136.22 -j DROP
/sbin/iptables -A FORWARD -d 66.135.224.142 -j DROP
/sbin/iptables -A FORWARD -d 66.136.175.132 -j DROP
/sbin/iptables -A FORWARD -d 66.163.168.105 -j DROP
/sbin/iptables -A FORWARD -d 66.163.172.117 -j DROP
/sbin/iptables -A FORWARD -d 66.163.173.76 -j DROP
/sbin/iptables -A FORWARD -d 66.163.173.77 -j DROP
/sbin/iptables -A FORWARD -d 66.163.173.78 -j DROP
/sbin/iptables -A FORWARD -d 66.163.173.203 -j DROP
/sbin/iptables -A FORWARD -d 66.163.175.128 -j DROP
/sbin/iptables -A FORWARD -d 66.163.178.78 -j DROP
/sbin/iptables -A FORWARD -d 204.71.200.36 -j DROP
/sbin/iptables -A FORWARD -d 204.71.200.37 -j DROP
/sbin/iptables -A FORWARD -d 204.71.201.134 -j DROP
/sbin/iptables -A FORWARD -d 204.71.201.141 -j DROP
/sbin/iptables -A FORWARD -d 216.136.173.172 -j DROP
/sbin/iptables -A FORWARD -d 216.136.173.179 -j DROP
/sbin/iptables -A FORWARD -d 216.136.175.132 -j DROP
/sbin/iptables -A FORWARD -d 216.136.175.142 -j DROP
/sbin/iptables -A FORWARD -d 216.136.175.143 -j DROP
/sbin/iptables -A FORWARD -d 216.136.175.144 -j DROP
/sbin/iptables -A FORWARD -d 216.136.175.145 -j DROP
/sbin/iptables -A FORWARD -d 216.136.175.226 -j DROP
/sbin/iptables -A FORWARD -d 216.136.224.134 -j DROP
/sbin/iptables -A FORWARD -d 216.136.224.142 -j DROP
/sbin/iptables -A FORWARD -d 216.136.224.213 -j DROP
/sbin/iptables -A FORWARD -d 216.136.224.214 -j DROP
/sbin/iptables -A FORWARD -d 216.136.225.12 -j DROP
/sbin/iptables -A FORWARD -d 216.136.226.117 -j DROP
/sbin/iptables -A FORWARD -d 216.136.226.118 -j DROP
/sbin/iptables -A FORWARD -d 216.136.226.209 -j DROP
/sbin/iptables -A FORWARD -d 216.136.226.210 -j DROP
/sbin/iptables -A FORWARD -d 216.136.227.168 -j DROP
/sbin/iptables -A FORWARD -d 216.136.233.129 -j DROP
/sbin/iptables -A FORWARD -d 216.136.233.130 -j DROP
/sbin/iptables -A FORWARD -d 216.136.233.131 -j DROP
/sbin/iptables -A FORWARD -d 216.136.233.133 -j DROP
/sbin/iptables -A FORWARD -d 216.136.233.135 -j DROP
/sbin/iptables -A FORWARD -d 216.136.233.148 -j DROP
/sbin/iptables -A FORWARD -d 216.136.233.151 -j DROP
/sbin/iptables -A FORWARD -d 216.136.233.152 -j DROP
BTW, the two FQDNs you have are NOT (fully) represented in this list, I
don't know if they need to be or not. Be aware that scsa.yahoo.com
actually maps to 8 IPs, so using it the way you do in your rule will NOT
actually catch all of them. "dig scsa.yahoo.com" yields:
scsa.yahoo.com. 1800 IN CNAME scs.yahoo.com.
scs.yahoo.com. 1800 IN CNAME scs-fooe.yahoo.com.
scs-fooe.yahoo.com. 617 IN A 216.136.233.138
scs-fooe.yahoo.com. 617 IN A 216.136.233.148
scs-fooe.yahoo.com. 617 IN A 216.136.233.152
scs-fooe.yahoo.com. 617 IN A 216.136.226.208
scs-fooe.yahoo.com. 617 IN A 216.136.233.133
scs-fooe.yahoo.com. 617 IN A 216.136.233.134
scs-fooe.yahoo.com. 617 IN A 216.136.233.135
scs-fooe.yahoo.com. 617 IN A 216.136.233.137
> Can anyone help with blocking them through IPTABLES?
>
> Asim Ejaz Butt
> asim.butt@streaming-networks.com
j
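Joel's dig output shows why a host name in a rule is a moving target: iptables resolves the name once, when the rule is loaded, and uses whatever addresses that single query returned; a round-robin name with a short TTL answers differently later. An added example, not code from the thread, that parses a dig answer section (the one below is constructed from the answer Joel quotes), follows the CNAME chain and emits one DROP rule per address, skipping addresses already in an existing list:

```python
"""Turn a DNS name into per-address DROP rules.

Added example, not code from the thread. iptables resolves a host name once,
at rule-insertion time; a round-robin name such as scsa.yahoo.com answers
with a different subset of addresses on each query and its TTL is short, so
the rules must be regenerated from a fresh answer. The dig output below is
constructed from the answer quoted in the thread.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

DIG_ANSWER = """\
scsa.yahoo.com.         1800    IN      CNAME   scs.yahoo.com.
scs.yahoo.com.          1800    IN      CNAME   scs-fooe.yahoo.com.
scs-fooe.yahoo.com.     617     IN      A       216.136.233.138
scs-fooe.yahoo.com.     617     IN      A       216.136.233.148
scs-fooe.yahoo.com.     617     IN      A       216.136.233.152
scs-fooe.yahoo.com.     617     IN      A       216.136.226.208
scs-fooe.yahoo.com.     617     IN      A       216.136.233.133
scs-fooe.yahoo.com.     617     IN      A       216.136.233.134
scs-fooe.yahoo.com.     617     IN      A       216.136.233.135
scs-fooe.yahoo.com.     617     IN      A       216.136.233.137
"""

# owner  ttl  IN  type  rdata   (dig's answer-section layout)
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(CNAME|A)\s+(\S+)\s*$")


def parse_answer(text: str) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Return ({owner: target} for CNAME records, {owner: [addr, ...]} for A records)."""
    cnames: Dict[str, str] = {}
    addrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = RR.match(line.strip())
        if not m:
            continue                      # comments, blank lines, other types
        owner, _ttl, rtype, rdata = m.groups()
        if rtype == "CNAME":
            cnames[owner] = rdata
        else:
            addrs.setdefault(owner, []).append(rdata)
    return cnames, addrs


def resolve(name: str, cnames: Dict[str, str], addrs: Dict[str, List[str]],
            max_hops: int = 8) -> List[str]:
    """Follow the CNAME chain from name and return every A record at its end."""
    if not name.endswith("."):
        name += "."
    seen = set()
    while name in cnames:
        if name in seen or len(seen) >= max_hops:
            raise ValueError("CNAME loop or chain too long")
        seen.add(name)
        name = cnames[name]
    return addrs.get(name, [])


def drop_rules(ips: Iterable[str], existing: Iterable[str] = ()) -> List[str]:
    """One FORWARD DROP rule per address not already covered, duplicates removed.

    Sorting by ipaddress.ip_address also rejects anything that is not an
    address, so a garbled dig line cannot become a broken rule.
    """
    new = set(ips) - set(existing)
    return [f"iptables -A FORWARD -d {ip} -j DROP"
            for ip in sorted(new, key=ipaddress.ip_address)]


if __name__ == "__main__":
    cn, a = parse_answer(DIG_ANSWER)
    for rule in drop_rules(resolve("scsa.yahoo.com", cn, a)):
        print(rule)
```

In practice you would feed it the output of `dig +noall +answer scsa.yahoo.com` from cron at an interval shorter than the TTL, pass the addresses already in the chain as `existing`, and expect the list to keep growing; that is the "quite a few more servers" problem Joel describes, only automated.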
* Re: MSN and Yahoo Block through IPTABLES
From: Ray Leach @ 2003-06-26 8:36 UTC (permalink / raw)
To: Netfilter Mailing List
On Thu, 2003-06-26 at 09:40, Joel Newkirk wrote:
> On Wed, 2003-06-25 at 06:23, Asim Ejaz Butt wrote:
> > Hello Gurus,
>
> As David Busby pointed out, you are probably better off with DROP
> policies, and ACCEPT only desired/required traffic.
>
> > I am trying to block MSN and Yahoo Instant Messengers on my LAN using
> > IPTABLES. The following commands are used to block them, but without success.
> >
> > /sbin/iptables -A FORWARD -p tcp -s 192.168.5.85 --dport 1863 -j REJECT
> > /sbin/iptables -A FORWARD -p tcp -s 192.168.5.85 -d 64.4.0.0/18 -j REJECT
>
> DROP port 1863 should be sufficient to prevent MSN clients from logging
> on to MSN messenger, IIRC. (My only use of MSN is with Gaim under
> Linux, and 1863 is the only port I need to open for it to connect)
>
The MSN Messenger that comes with XP tries to be clever and 'probes'
your network looking for ways out, using SDLP (AFAIR) to try to
autoconfigure itself. As a last resort it will try to tunnel the MSN
traffic through HTTP.
> > /sbin/iptables -A FORWARD -d cs.yahoo.com -j REJECT
> > /sbin/iptables -A FORWARD -d scsa.yahoo.com -j REJECT
>
> Apparently the only way to stop YIM is to block all connections to the
> servers. The trick here is that there are quite a few more yahoo IM
> servers than these two rules cover...
>
> /sbin/iptables -A FORWARD -d 63.216.136.22 -j DROP
> /sbin/iptables -A FORWARD -d 66.135.224.142 -j DROP
> /sbin/iptables -A FORWARD -d 66.136.175.132 -j DROP
> /sbin/iptables -A FORWARD -d 66.163.168.105 -j DROP
> /sbin/iptables -A FORWARD -d 66.163.172.117 -j DROP
> /sbin/iptables -A FORWARD -d 66.163.173.76 -j DROP
> /sbin/iptables -A FORWARD -d 66.163.173.77 -j DROP
> /sbin/iptables -A FORWARD -d 66.163.173.78 -j DROP
> /sbin/iptables -A FORWARD -d 66.163.173.203 -j DROP
> /sbin/iptables -A FORWARD -d 66.163.175.128 -j DROP
> /sbin/iptables -A FORWARD -d 66.163.178.78 -j DROP
> /sbin/iptables -A FORWARD -d 204.71.200.36 -j DROP
> /sbin/iptables -A FORWARD -d 204.71.200.37 -j DROP
> /sbin/iptables -A FORWARD -d 204.71.201.134 -j DROP
> /sbin/iptables -A FORWARD -d 204.71.201.141 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.173.172 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.173.179 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.175.132 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.175.142 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.175.143 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.175.144 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.175.145 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.175.226 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.224.134 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.224.142 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.224.213 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.224.214 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.225.12 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.226.117 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.226.118 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.226.209 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.226.210 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.227.168 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.233.129 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.233.130 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.233.131 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.233.133 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.233.135 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.233.148 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.233.151 -j DROP
> /sbin/iptables -A FORWARD -d 216.136.233.152 -j DROP
>
> BTW, the two FQDNs you have are NOT (fully) represented in this list, I
> don't know if they need to be or not. Be aware that scsa.yahoo.com
> actually maps to 8 IPs, so using it the way you do in your rule will NOT
> actually catch all of them. "dig scsa.yahoo.com" yields:
>
> scsa.yahoo.com. 1800 IN CNAME scs.yahoo.com.
> scs.yahoo.com. 1800 IN CNAME scs-fooe.yahoo.com.
> scs-fooe.yahoo.com. 617 IN A 216.136.233.138
> scs-fooe.yahoo.com. 617 IN A 216.136.233.148
> scs-fooe.yahoo.com. 617 IN A 216.136.233.152
> scs-fooe.yahoo.com. 617 IN A 216.136.226.208
> scs-fooe.yahoo.com. 617 IN A 216.136.233.133
> scs-fooe.yahoo.com. 617 IN A 216.136.233.134
> scs-fooe.yahoo.com. 617 IN A 216.136.233.135
> scs-fooe.yahoo.com. 617 IN A 216.136.233.137
>
> > Can anyone help with blocking them through IPTABLES?
> >
> > Asim Ejaz Butt
> > asim.butt@streaming-networks.com
>
> j
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
* Re: MSN and Yahoo Block through IPTABLES
From: Asim Ejaz Butt @ 2003-06-26 11:38 UTC (permalink / raw)
To: David Busby; +Cc: netfilter
I have tried the DROP policy as well but did not succeed.
One thing I should mention is that my Internet setup uploads through a
normal DDP and downloads through a satellite downlink, and both are on separate
systems. That is, one Linux-based PC where I am running IPTABLES is used for
upload requests, and the second PC, which is a satellite receiver, is used for
download. So my upload requests go to one system and the downloads are
received from another system.
Does that help you find the particular problem with blocking MSN/Yahoo
chat using IPTABLES?
Regards,
Asim
----- Original Message -----
From: "David Busby" <busby@pnts.com>
To: "Asim Ejaz Butt" <asim.butt@streaming-networks.com>;
<netfilter@lists.netfilter.org>
Sent: Wednesday, June 25, 2003 11:49 PM
Subject: Re: MSN and Yahoo Block through IPTABLES
> Can you set policy to DROP then only allow what you need?
>
> /B
>
>
> ----- Original Message -----
> From: "Asim Ejaz Butt" <asim.butt@streaming-networks.com>
> To: <netfilter@lists.netfilter.org>
> Sent: Wednesday, June 25, 2003 03:23
> Subject: MSN and Yahoo Block through IPTABLES
>
>
> > Hello Gurus,
> >
> > I am trying to block MSN and Yahoo Instant Messengers on my LAN using
> > IPTABLES. The following commands are used to block them, but without success.
> >
> > /sbin/iptables -A FORWARD -p tcp -s 192.168.5.85 --dport 1863 -j REJECT
> > /sbin/iptables -A FORWARD -p tcp -s 192.168.5.85 -d 64.4.0.0/18 -j REJECT
> >
> > /sbin/iptables -A FORWARD -d cs.yahoo.com -j REJECT
> > /sbin/iptables -A FORWARD -d scsa.yahoo.com -j REJECT
> >
> > Can anyone help with blocking them through IPTABLES?
> >
> > Asim Ejaz Butt
> > asim.butt@streaming-networks.com
> >
* Re: MSN and Yahoo Block through IPTABLES
From: Jamie Pratt @ 2003-06-26 16:12 UTC (permalink / raw)
To: netfilter
Doesn't blocking TCP port 5050 outbound pretty much kill Yahoo Instant
Messenger clients? (Last I checked, it wouldn't connect for me at home
until I opened 5050, but then again, maybe they got smarter like MSN?)
jamie
Asim Ejaz Butt wrote:
> I have tried the DROP policy as well but did not succeed.
>
> One thing I should mention is that my Internet setup uploads through a
> normal DDP and downloads through a satellite downlink, and both are on separate
> systems. That is, one Linux-based PC where I am running IPTABLES is used for
> upload requests, and the second PC, which is a satellite receiver, is used for
> download. So my upload requests go to one system and the downloads are
> received from another system.
>
> Does that help you find the particular problem with blocking MSN/Yahoo
> chat using IPTABLES?
>
> Regards,
> Asim
> ----- Original Message -----
> From: "David Busby" <busby@pnts.com>
> To: "Asim Ejaz Butt" <asim.butt@streaming-networks.com>;
> <netfilter@lists.netfilter.org>
> Sent: Wednesday, June 25, 2003 11:49 PM
> Subject: Re: MSN and Yahoo Block through IPTABLES
>
>
>
>>Can you set policy to DROP then only allow what you need?
>>
>>/B
>>
>>
>>----- Original Message -----
>>From: "Asim Ejaz Butt" <asim.butt@streaming-networks.com>
>>To: <netfilter@lists.netfilter.org>
>>Sent: Wednesday, June 25, 2003 03:23
>>Subject: MSN and Yahoo Block through IPTABLES
>>
>>
>>
>>>Hello Gurus,
>>>
>>>I am trying to block MSN and Yahoo Instant Messengers on my LAN using
>>>IPTABLES. The following commands are used to block them, but without success.
>>>
>>> /sbin/iptables -A FORWARD -p tcp -s 192.168.5.85 --dport 1863 -j REJECT
>>> /sbin/iptables -A FORWARD -p tcp -s 192.168.5.85 -d 64.4.0.0/18 -j REJECT
>>> /sbin/iptables -A FORWARD -d cs.yahoo.com -j REJECT
>>> /sbin/iptables -A FORWARD -d scsa.yahoo.com -j REJECT
>>>
>>>Can anyone help with blocking them through IPTABLES?
>>>
>>>Asim Ejaz Butt
>>>asim.butt@streaming-networks.com
>>>
* Re: MSN and Yahoo Block through IPTABLES
From: Aaron Sethman @ 2003-06-30 16:35 UTC (permalink / raw)
To: Jamie Pratt; +Cc: netfilter
On Thu, 26 Jun 2003, Jamie Pratt wrote:
> Doesn't blocking TCP port 5050 outbound pretty much kill Yahoo Instant
> Messenger clients? (Last I checked, it wouldn't connect for me at home
> until I opened 5050, but then again, maybe they got smarter like MSN?)
The problem here is that the Yahoo Messenger servers listen on all ports, 1 to
65535, so even if you leave something like Squid running and transparently
proxy everything through it, they would still be able to get through
using CONNECT to port 443. The other option is to just tell your users it
is forbidden and that action will be taken if they use it ;)
Aaron
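Aaron's point that the servers answer on any port, and Ray's earlier one that the MSN client falls back to tunnelling over HTTP, both mean that a port number is not a reliable handle on this traffic; the protocol itself is. An added example, not code from the thread, that classifies the first bytes of a TCP stream by the protocols' own opening bytes regardless of destination port, run over constructed sample payloads, and that emits the equivalent in-kernel rules with iptables' string match. The YMSG and MSNP signatures are the protocols' well-known openings as of the thread's era and are assumptions to the extent either protocol changed later; the sample payloads, the gateway host name and the interface name are made up for the example.

```python
"""Identify IM protocol traffic by payload rather than by port.

Added example, not code from the thread. The sample payloads are constructed
here so the classifier runs offline; the signatures are the well-known
opening bytes of the YMSG and MSNP protocols as of the thread's era, and are
an assumption to the extent either protocol changed later.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Yahoo Messenger: every YMSG packet starts with the ASCII magic "YMSG",
# followed by 16 bytes of binary header (version, vendor, length, service,
# status, session id) before the key/value payload.
YMSG_MAGIC = b"YMSG"
YMSG_HEADER_LEN = 20

# MSN Messenger: the client opens every MSNP session, whether on a direct TCP
# connection or as the body of an HTTP POST to the tunnelling gateway, with
# "VER <trid> MSNP<n> ... CVR0\r\n".
MSNP_VER = re.compile(rb"(?:^|\r\n)VER \d+ MSNP\d+[^\r\n]*CVR0\r\n")


def classify(payload: bytes) -> Optional[str]:
    """Return 'ymsg', 'msnp' or None for the first bytes of a TCP stream."""
    if payload[:4] == YMSG_MAGIC and len(payload) >= YMSG_HEADER_LEN:
        return "ymsg"
    if MSNP_VER.search(payload[:1024]):
        return "msnp"
    return None


def flagged(flows: Iterable[Tuple[str, int, bytes]]) -> List[Tuple[str, int, str]]:
    """flows are (dst_ip, dst_port, first_payload); the port is ignored on purpose."""
    out = []
    for ip, port, payload in flows:
        proto = classify(payload)
        if proto:
            out.append((ip, port, proto))
    return out


def string_match_rules(lan_if: str = "eth1") -> List[str]:
    """The same idea in-kernel with iptables' string match (xt_string).

    xt_string is a substring search over the raw packet, so --from/--to
    confine the YMSG test to where the TCP payload begins: a 20-byte IP
    header plus a 20..60-byte TCP header puts the payload at offset 40..80
    (assumption: no IP options). The MSNP pattern assumes the usual first
    transaction id of 1, since the kernel match cannot do regular expressions.
    """
    return [
        f"iptables -A FORWARD -i {lan_if} -p tcp -m string --algo bm "
        f"--from 40 --to 84 --string YMSG -j DROP",
        f"iptables -A FORWARD -i {lan_if} -p tcp -m string --algo bm "
        f"--string 'VER 1 MSNP' -j DROP",
    ]


# Constructed samples (not captures): a YMSG packet with a 20-byte header, a
# direct MSNP VER line, the same VER line tunnelled in an HTTP POST body, and
# a TLS ClientHello that must not be flagged although IM clients also use 443.
SAMPLE_YMSG = (b"YMSG\x00\x0b\x00\x00\x00\x10\x00\x57"
               b"\x00\x00\x00\x00\x00\x00\x00\x00"
               b"1\xc0\x80user\xc0\x80")
SAMPLE_MSNP = b"VER 1 MSNP9 MSNP8 CVR0\r\n"
SAMPLE_MSNP_HTTP = (b"POST /gateway HTTP/1.1\r\nHost: gateway.example\r\n"
                    b"Content-Length: 24\r\n\r\n" + SAMPLE_MSNP)
SAMPLE_TLS = b"\x16\x03\x01\x00\x8c\x01\x00\x00\x88\x03\x01" + b"\x00" * 40

if __name__ == "__main__":
    for ip, port, proto in flagged([("203.0.113.5", 443, SAMPLE_YMSG),
                                    ("203.0.113.6", 443, SAMPLE_TLS),
                                    ("203.0.113.7", 80, SAMPLE_MSNP_HTTP)]):
        print(f"{ip}:{port} {proto}")
```

The kernel string match sees one packet at a time and cannot reassemble a stream or apply a regular expression, so it catches the plain cases and is cheap; anything it cannot express is a job for a proxy or an IDS that sees the whole stream, which is also the place to refuse CONNECT to destinations other than real web servers.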