* rules for skype
@ 2005-05-01  9:37 varun_saa
  2005-05-01  9:46 ` Askar
  0 siblings, 1 reply; 8+ messages in thread
From: varun_saa @ 2005-05-01  9:37 UTC (permalink / raw)
  To: netfilter

Hello,
     My server is on Mandriva 10.1
eth0 is WAN with static IP connected to 512K DSL
eth1 is LAN - 192.168.0.0/24 and 192.168.21.0/24

I am doing a nat/masq on eth0.

Some of the clients are going to be using Skype.

Any rules to be included for Skype?

Thanks

Varun




* Re: rules for skype
  2005-05-01  9:37 rules for skype varun_saa
@ 2005-05-01  9:46 ` Askar
  2005-05-01 22:00   ` Taylor, Grant
  0 siblings, 1 reply; 8+ messages in thread
From: Askar @ 2005-05-01  9:46 UTC (permalink / raw)
  To: varun_saa@vsnl.net; +Cc: netfilter

It depends: if you have "iptables -P FORWARD DROP" at the top of your
rule set, then you have to allow Skype ports (any) with something like
this

iptables -A FORWARD -p tcp --dport SKYPEPORT -j ACCEPT

and if you have "iptables -P FORWARD ACCEPT", then you don't have to
do anything fancy.

regards

Askar

On 5/1/05, varun_saa@vsnl.net <varun_saa@vsnl.net> wrote:
> Hello,
>      My server is on Mandriva 10.1
> eth0 is WAN with static IP connected to 512K DSL
> eth1 is LAN - 192.168.0.0/24 and 192.168.21.0/24
> 
> I am doing a nat/masq on eth0.
> 
> Some of the clients are going to be using Skype.
> 
> Any rules to be included for Skype?
> 
> Thanks
> 
> Varun
> 
> 


-- 
I love deadlines. I like the whooshing sound they make as they fly by.
Douglas Adams



* Re: rules for skype
  2005-05-01  9:46 ` Askar
@ 2005-05-01 22:00   ` Taylor, Grant
  2005-05-01 22:31     ` Seferovic Edvin
                       ` (3 more replies)
  0 siblings, 4 replies; 8+ messages in thread
From: Taylor, Grant @ 2005-05-01 22:00 UTC (permalink / raw)
  To: netfilter

> iptables -A FORWARD -p tcp --dport SKYPEPORT -j ACCEPT

<devilish @^*% eating grin> He, Skype does not have a port (per se). </devilish @^*% eating grin>

Skype will use just about any port that it can use (all the standards you would think for internet traffic) to connect to any "super node" that it can connect to.  Unfortunately what qualifies as a Super Node is any node / computer that is running Skype that is directly connected to the internet without a firewall that would inhibit other systems from connecting directly to it.  Do a Google for "Skype Protocol" and see what you find.  I have a PDF on it at the office that I'd be happy to send you.  (If you want this PDF I'll find the URL to it and post it to the list or email individually as I don't think the list would like a PDF sent to it.)  The only way that I've heard to even slow down Skype is to force it to pass through a proxy, beyond that nothing, that I have heard of or read about, will stop it.



Grant. . . .



* RE: rules for skype
  2005-05-01 22:00   ` Taylor, Grant
@ 2005-05-01 22:31     ` Seferovic Edvin
  2005-05-01 23:43     ` Mogens Valentin
                       ` (2 subsequent siblings)
  3 siblings, 0 replies; 8+ messages in thread
From: Seferovic Edvin @ 2005-05-01 22:31 UTC (permalink / raw)
  To: netfilter

DEVIL_MODE = 1;
You can stop it by blocking incoming high ports ;) 

DEVIL_MODE = 0;
Why should you block all incoming high ports? Hm.. maybe you want to allow
only web traffic that comes and goes through a squid proxy ;)

Regards,

Edvin Seferovic

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Taylor, Grant
Sent: Monday, 02 May 2005 00:00
To: netfilter@lists.netfilter.org
Subject: Re: rules for skype

> iptables -A FORWARD -p tcp --dport SKYPEPORT -j ACCEPT

<devilish @^*% eating grin> He, Skype does not have a port (per se).
</devilish @^*% eating grin>

Skype will use just about any port that it can use (all the standards you
would think for internet traffic) to connect to any "super node" that it can
connect to.  Unfortunately what qualifies as a Super Node is any node /
computer that is running Skype that is directly connected to the internet
without a firewall that would inhibit other systems from connecting
directly to it.  Do a Google for "Skype Protocol" and see what you find.  I
have a PDF on it at the office that I'd be happy to send you.  (If you want
this PDF I'll find the URL to it and post it to the list or email
individually as I don't think the list would like a PDF sent to it.)  The
only way that I've heard to even slow down Skype is to force it to pass
through a proxy, beyond that nothing, that I have heard of or read about,
will stop it.



Grant. . . .
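
The messages above make two points: Skype has no single port, and only forcing clients through a proxy restricts it. The following is an added example, not part of any message in this thread: a coarse shell audit of `iptables-save` output that reports whether LAN clients can still open connections straight through the gateway. The sample rulesets are constructed, and a Squid proxy on the gateway at its default port 3128 is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Coarse audit of `iptables-save` output
# for the gateway in the first post (eth1 = LAN side).
LAN_IF=eth1

# Prints "direct" when LAN clients can open connections straight through the
# gateway (FORWARD policy ACCEPT, or a FORWARD rule that ACCEPTs new traffic
# arriving from the LAN), otherwise "proxy-only". Jumps to user-defined
# chains are not followed.
forward_exposure() {
    awk -v lan="$LAN_IF" '
        /^:FORWARD ACCEPT/ { direct = 1 }
        /^-A FORWARD / && / -j ACCEPT/ {
            # Reply-only rules do not let a client start a session.
            if ($0 ~ /state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) /) next
            # A rule pinned to a different inbound interface is not LAN traffic.
            if ($0 ~ / -i / && $0 !~ /! -i / && $0 !~ (" -i " lan " ")) next
            direct = 1
        }
        END { print (direct ? "direct" : "proxy-only") }'
}

# Constructed sample: FORWARD policy DROP plus per-port allows, the shape of
# the rule in the first reply with ports 80/443 standing in for SKYPEPORT.
sample_port_allow() { cat <<'EOF'
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: nothing new is forwarded; clients only reach a proxy on
# the gateway itself (assumed: Squid on its default port 3128).
sample_proxy_only() { cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

echo "per-port allow: $(sample_port_allow | forward_exposure)"
echo "proxy only:     $(sample_proxy_only | forward_exposure)"
```

On a live gateway the same function can read the real ruleset with `iptables-save | forward_exposure` (run as root).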





* Re: rules for skype
  2005-05-01 22:00   ` Taylor, Grant
  2005-05-01 22:31     ` Seferovic Edvin
@ 2005-05-01 23:43     ` Mogens Valentin
  2005-05-02  1:32       ` Daniel Lopes
  2005-05-02  6:14     ` Taylor, Grant
  2005-05-02  6:16     ` rules for skype (URL in this one) Taylor, Grant
  3 siblings, 1 reply; 8+ messages in thread
From: Mogens Valentin @ 2005-05-01 23:43 UTC (permalink / raw)
  To: Taylor, Grant; +Cc: netfilter

Taylor, Grant wrote:
>> iptables -A FORWARD -p tcp --dport SKYPEPORT -j ACCEPT
> 
> 
> <devilish @^*% eating grin> He, Skype does not have a port (per se). 
> </devilish @^*% eating grin>
> 
> Skype will use just about any port that it can use (all the standards 
> you would think for internet traffic) to connect to any "super node" 
> that it can connect to.  Unfortunately what qualifies as a Super Node is 
> any node / computer that is running Skype that is directly connected to 
> the internet without a firewall that would inhibit other systems from 
> connecting directly to it.

No wonder, since Skype is based upon the methods as used for Kazaa.
Damn thing to deny too, as are many other sharing apps...
AFAIR I found it slightly easier blocking such using ipchains explicit 
in/out/forward rules, than with iptables and ESTABLISHED,RELATED rules.

> Do a Google for "Skype Protocol" and see 
> what you find.  I have a PDF on it at the office that I'd be happy to 
> send you.  (If you want this PDF I'll find the URL to it and post it to 
> the list or email individually as I don't think the list would like a 
> PDF sent to it.)  The only way that I've heard to even slow down Skype 
> is to force it to pass through a proxy, beyond that nothing, that I have 
> heard of or read about, will stop it.

Mind adding me to that list? If so, thanks a lot!

-- 
Kind regards,
Mogens Valentin




* Re: rules for skype
  2005-05-01 23:43     ` Mogens Valentin
@ 2005-05-02  1:32       ` Daniel Lopes
  0 siblings, 0 replies; 8+ messages in thread
From: Daniel Lopes @ 2005-05-02  1:32 UTC (permalink / raw)
  To: netfilter

Mogens Valentin wrote:
> Taylor, Grant wrote:
> 
>>> iptables -A FORWARD -p tcp --dport SKYPEPORT -j ACCEPT
>>
>>
>>
>> <devilish @^*% eating grin> He, Skype does not have a port (per se). 
>> </devilish @^*% eating grin>
>>
>> Skype will use just about any port that it can use (all the standards 
>> you would think for internet traffic) to connect to any "super node" 
>> that it can connect to.  Unfortunately what qualifies as a Super Node 
>> is any node / computer that is running Skype that is directly 
>> connected to the internet without a firewall that would inhibit other 
>> systems from connecting directly to it.
> 
> 
> No wonder, since Skype is based upon the methods as used for Kazaa.
> Damn thing to deny too, as are many other sharing apps...
> AFAIR I found it slightly easier blocking such using ipchains explicit 
> in/out/forward rules, than with iptables and ESTABLISHED,RELATED rules.
> 
>> Do a Google for "Skype Protocol" and see what you find.  I have a PDF 
>> on it at the office that I'd be happy to send you.  (If you want this 
>> PDF I'll find the URL to it and post it to the list or email 
>> individually as I don't think the list would like a PDF sent to it.)  
>> The only way that I've heard to even slow down Skype is to force it to 
>> pass through a proxy, beyond that nothing, that I have heard of or 
>> read about, will stop it.
> 
> 
> Mind adding me to that list? If so, thanks a lot!
> 
Mhm, Kazaa can be blocked by IPP2P, for example. But Skype's payload is 
encrypted, which makes it way more difficult or impossible. But what about 
NUFW, doesn't it authenticate upon application? I would like to receive a 
copy of that PDF too, please :).



* Re: rules for skype
  2005-05-01 22:00   ` Taylor, Grant
  2005-05-01 22:31     ` Seferovic Edvin
  2005-05-01 23:43     ` Mogens Valentin
@ 2005-05-02  6:14     ` Taylor, Grant
  2005-05-02  6:16     ` rules for skype (URL in this one) Taylor, Grant
  3 siblings, 0 replies; 8+ messages in thread
From: Taylor, Grant @ 2005-05-02  6:14 UTC (permalink / raw)
  To: netfilter

> ... I have a PDF on it at the office that I'd be happy to 
> send you.  (If you want this PDF I'll find the URL to it and post it to 
> the list or email individually as I don't think the list would like a 
> PDF sent to it.)...



* Re: rules for skype  (URL in this one)
  2005-05-01 22:00   ` Taylor, Grant
                       ` (2 preceding siblings ...)
  2005-05-02  6:14     ` Taylor, Grant
@ 2005-05-02  6:16     ` Taylor, Grant
  3 siblings, 0 replies; 8+ messages in thread
From: Taylor, Grant @ 2005-05-02  6:16 UTC (permalink / raw)
  To: netfilter

> ... I have a PDF on it at the office that I'd be happy to 
> send you.  (If you want this PDF I'll find the URL to it and post it to 
> the list or email individually as I don't think the list would like a 
> PDF sent to it.)...

The URL is http://www.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf



Grant. . . .

P.S.  Sorry for the double post.  VNCing to the office and control keys don't work the best.


