Re: [CentOS] DROP MSN MESSENGER by IPTABLES- CENTOS 4 (SOLVED)




I solved MSN access with the rules below.

# MSN Messenger
echo -en "\\033[1;32m"
echo "DROP -> MSN Messenger"
echo -en "\\033[1;37m"
$IPTABLES -A FORWARD -d 64.4.13.0/24 -j LOG
$IPTABLES -A FORWARD -d 64.4.13.0/24 -j REJECT
#CHAT
$IPTABLES -A FORWARD -p TCP --dport 1863 -i $LAN_IFACE1 -o $INET_IFACE \
-j LOG
$IPTABLES -A FORWARD -p TCP --dport 1863 -i $LAN_IFACE1 -o $INET_IFACE \
-j REJECT
$IPTABLES -A FORWARD -p TCP --dport 5190 -i $LAN_IFACE1 -o $INET_IFACE \
-j LOG
$IPTABLES -A FORWARD -p TCP --dport 5190 -i $LAN_IFACE1 -o $INET_IFACE \
-j REJECT

for msnip in $(/usr/bin/host gateway.messenger.hotmail.com | awk '/ has address / { print $NF }'); do $IPTABLES -A FORWARD -d "$msnip" -p TCP -j DROP ; done

$IPTABLES -A FORWARD --protocol tcp --dport 1863 -j REJECT --reject-with tcp-reset
for i in $(cat /etc/msnserverlist)
   do
     $IPTABLES -A FORWARD -d "$i" -j DROP
   done

$IPTABLES -A FORWARD -d 64.4.12.200 -p udp --dport 7001 -j DROP
$IPTABLES -A FORWARD -d 64.4.12.201 -p udp --dport 7001 -j DROP
$IPTABLES -A FORWARD -d 65.54.226.247 -p udp --dport 443 -j DROP
$IPTABLES -A FORWARD -s 64.4.12.200 -p udp --sport 7001 -j DROP
$IPTABLES -A FORWARD -s 64.4.12.201 -p udp --sport 7001 -j DROP
$IPTABLES -A FORWARD -s 65.54.226.247 -p udp --sport 443 -j DROP
$IPTABLES -A FORWARD -d 64.4.12.200 -p tcp --dport 7001 -j DROP
$IPTABLES -A FORWARD -d 64.4.12.201 -p tcp --dport 7001 -j DROP
$IPTABLES -A FORWARD -d 65.54.226.247 -p tcp --dport 443 -j DROP
$IPTABLES -A FORWARD -s 64.4.12.200 -p tcp --sport 7001 -j DROP
$IPTABLES -A FORWARD -s 64.4.12.201 -p tcp --sport 7001 -j DROP
$IPTABLES -A FORWARD -s 65.54.226.247 -p tcp --sport 443 -j DROP
#FILE TRANSFER
$IPTABLES -A FORWARD -p TCP --dport 6891:6900 -i $LAN_IFACE1 -o $INET_IFACE \
-j LOG
$IPTABLES -A FORWARD -p TCP --dport 6891:6900 -i $LAN_IFACE1 -o $INET_IFACE \
-j REJECT
#CAMERA
$IPTABLES -A FORWARD -p TCP --dport 6901 -i $LAN_IFACE1 -o $INET_IFACE \
-j LOG
$IPTABLES -A FORWARD -p TCP --dport 6901 -i $LAN_IFACE1 -o $INET_IFACE \
-j REJECT

=========================== FILE /etc/msnserverlist  ===================


Thanks to all.
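
An added example, not part of the thread: a POSIX sh version of the /etc/msnserverlist loop above that validates every entry before handing it to iptables (the original `for i in `cat ...`` loop passes any stray token in the file to iptables and aborts the ruleset load half-way on a typo) and only prints the rules unless DRY_RUN=0. It assumes the same IPTABLES, LAN_IFACE1 and INET_IFACE variables as the posted script; the interface defaults and the LOG prefix are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread). Build LOG+DROP FORWARD rules from a
# server list file, skipping comments, blank lines and malformed entries.
# Assumed variables, same names as the posted script; defaults are guesses.
IPTABLES=${IPTABLES:-/sbin/iptables}
LAN_IFACE1=${LAN_IFACE1:-eth1}
INET_IFACE=${INET_IFACE:-eth0}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them

# Accept only a dotted-quad IPv4 address, optionally with a /0-32 prefix.
is_ipv4_or_cidr() {
    printf '%s\n' "$1" | grep -Eq \
      '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Print or run one iptables invocation depending on DRY_RUN.
run_rule() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# Emit one LOG and one DROP rule per valid destination in $1.
# Malformed lines are reported on stderr and skipped instead of being
# passed to iptables, so one bad line cannot leave the firewall half-loaded.
msn_server_rules() {
    list_file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                          # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t') # drop whitespace
        [ -z "$entry" ] && continue
        if ! is_ipv4_or_cidr "$entry"; then
            printf 'skipping malformed entry: %s\n' "$line" >&2
            continue
        fi
        run_rule -A FORWARD -i "$LAN_IFACE1" -o "$INET_IFACE" -d "$entry" -j LOG --log-prefix "MSN "
        run_rule -A FORWARD -i "$LAN_IFACE1" -o "$INET_IFACE" -d "$entry" -j DROP
    done < "$list_file"
    return 0
}
```

Run it as `DRY_RUN=1 msn_server_rules /etc/msnserverlist` first to review the generated rules, then with DRY_RUN=0 to load them.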







Charles Lacroix wrote:
Humm, won't MSN fall back to the HTTP protocol?

On Friday 03 November 2006 09:43, Rafael Azenha Aquini wrote:
It's simpler to deny the messenger's port. Try the following rule:

/sbin/iptables -t filter -A FORWARD -p tcp --dport 1863:1864 -j DROP

This way, the client cannot complete the auth process with the MSN servers, and
you can say bye-bye to this cancer... :-)

[]

On Fri, 2006-11-03 at 09:35 -0400, Charles Lacroix wrote:
Won't that iptables command block some legit traffic? Like a Google
search or something?

I remember blocking MSN Messenger with iptables and a Squid proxy; it was
reliable but kinda heavy if you want to run only a firewall.

Recompiling a kernel once is alright, but if you have to do it on every
update it can get time consuming :)

Anyways, good luck.

On Friday 03 November 2006 06:37, Adriano Frare wrote:
Dear Friends,

I installed CENTOS 4.4 on server.

I need to DROP MSN Messenger using IPTABLES, so I created the rule below.

$IPTABLES -A INPUT -p tcp -m string --string "x-msn-messenger" -j DROP



But when I run IPTABLES, I receive the following error:

DROP -> MSN Messenger
iptables v1.2.11: Couldn't load match
`string':/lib/iptables/libipt_string.so: cannot open shared object
file: No such file or directory


Where do I find the library libipt_string?



Thanks for help.


Adriano Frare
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
