On Wed, 2003-06-25 at 06:23, Asim Ejaz Butt wrote:
> Hello Gurus,

As David Busby pointed out, you are probably better off with DROP
policies, and ACCEPT only desired/required traffic.

> I am trying to block MSN and Yahoo Instant Messengers with my LAN using
> IPTABLES. The following commands are used to block them but are unsuccessful.
>
> /sbin/iptables -A FORWARD -p tcp -s 192.168.5.85 --dport 1863 -j REJECT
> /sbin/iptables -A FORWARD -p tcp -s 192.168.5.85 -d 64.4.0.0/18 -j REJECT

DROP port 1863 should be sufficient to prevent MSN clients from logging
on to MSN messenger, IIRC. (My only use of MSN is with Gaim under Linux,
and 1863 is the only port I need to open for it to connect.)

> /sbin/iptables -A FORWARD -d cs.yahoo.com -j REJECT
> /sbin/iptables -A FORWARD -d scsa.yahoo.com -j REJECT

Apparently the only way to stop YIM is to block all connections to the
servers. The trick here is that there are quite a few more Yahoo IM
servers than these two rules cover...

/sbin/iptables -A FORWARD -d 63.216.136.22 -j DROP
/sbin/iptables -A FORWARD -d 66.135.224.142 -j DROP
/sbin/iptables -A FORWARD -d 66.136.175.132 -j DROP
/sbin/iptables -A FORWARD -d 66.163.168.105 -j DROP
/sbin/iptables -A FORWARD -d 66.163.172.117 -j DROP
/sbin/iptables -A FORWARD -d 66.163.173.76 -j DROP
/sbin/iptables -A FORWARD -d 66.163.173.77 -j DROP
/sbin/iptables -A FORWARD -d 66.163.173.78 -j DROP
/sbin/iptables -A FORWARD -d 66.163.173.203 -j DROP
/sbin/iptables -A FORWARD -d 66.163.175.128 -j DROP
/sbin/iptables -A FORWARD -d 66.163.178.78 -j DROP
/sbin/iptables -A FORWARD -d 204.71.200.36 -j DROP
/sbin/iptables -A FORWARD -d 204.71.200.37 -j DROP
/sbin/iptables -A FORWARD -d 204.71.201.134 -j DROP
/sbin/iptables -A FORWARD -d 204.71.201.141 -j DROP
/sbin/iptables -A FORWARD -d 216.136.173.172 -j DROP
/sbin/iptables -A FORWARD -d 216.136.173.179 -j DROP
/sbin/iptables -A FORWARD -d 216.136.175.132 -j DROP
/sbin/iptables -A FORWARD -d 216.136.175.142 -j DROP
/sbin/iptables -A FORWARD -d 216.136.175.143 -j DROP
/sbin/iptables -A FORWARD -d 216.136.175.144 -j DROP
/sbin/iptables -A FORWARD -d 216.136.175.145 -j DROP
/sbin/iptables -A FORWARD -d 216.136.175.226 -j DROP
/sbin/iptables -A FORWARD -d 216.136.224.134 -j DROP
/sbin/iptables -A FORWARD -d 216.136.224.142 -j DROP
/sbin/iptables -A FORWARD -d 216.136.224.213 -j DROP
/sbin/iptables -A FORWARD -d 216.136.224.214 -j DROP
/sbin/iptables -A FORWARD -d 216.136.225.12 -j DROP
/sbin/iptables -A FORWARD -d 216.136.226.117 -j DROP
/sbin/iptables -A FORWARD -d 216.136.226.118 -j DROP
/sbin/iptables -A FORWARD -d 216.136.226.209 -j DROP
/sbin/iptables -A FORWARD -d 216.136.226.210 -j DROP
/sbin/iptables -A FORWARD -d 216.136.227.168 -j DROP
/sbin/iptables -A FORWARD -d 216.136.233.129 -j DROP
/sbin/iptables -A FORWARD -d 216.136.233.130 -j DROP
/sbin/iptables -A FORWARD -d 216.136.233.131 -j DROP
/sbin/iptables -A FORWARD -d 216.136.233.133 -j DROP
/sbin/iptables -A FORWARD -d 216.136.233.135 -j DROP
/sbin/iptables -A FORWARD -d 216.136.233.148 -j DROP
/sbin/iptables -A FORWARD -d 216.136.233.151 -j DROP
/sbin/iptables -A FORWARD -d 216.136.233.152 -j DROP

BTW, the two FQDNs you have are NOT (fully) represented in this list;
I don't know if they need to be or not.

Be aware that scsa.yahoo.com actually maps to 8 IPs, so using it the way
you do in your rule will NOT actually catch all of them.

"dig scsa.yahoo.com" yields:

scsa.yahoo.com.         1800    IN      CNAME   scs.yahoo.com.
scs.yahoo.com.          1800    IN      CNAME   scs-fooe.yahoo.com.
scs-fooe.yahoo.com.     617     IN      A       216.136.233.138
scs-fooe.yahoo.com.     617     IN      A       216.136.233.148
scs-fooe.yahoo.com.     617     IN      A       216.136.233.152
scs-fooe.yahoo.com.     617     IN      A       216.136.226.208
scs-fooe.yahoo.com.     617     IN      A       216.136.233.133
scs-fooe.yahoo.com.     617     IN      A       216.136.233.134
scs-fooe.yahoo.com.     617     IN      A       216.136.233.135
scs-fooe.yahoo.com.     617     IN      A       216.136.233.137

> Can anyone help in blocking them through IPTABLES?
>
> Asim Ejaz Butt asim.butt@xxxxxxxxxxxxxxxxxxxxxx
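A small added example (mine, not from the thread) of what the dig output above implies in practice: rather than hand-typing a rule per address, feed the answer section through a script that emits one explicit FORWARD rule per unique A record, skipping the CNAME hops and collapsing duplicate addresses (the hand-written list above carries a couple). It assumes /bin/sh with awk; the embedded dig answer is the one quoted above, copied in as a constructed sample so the script runs offline.

```shell
#!/bin/sh
# Constructed sample input: the dig answer section quoted in the thread.
# In real use, replace this with: dig +noall +answer scsa.yahoo.com
DIG_OUTPUT='scsa.yahoo.com. 1800 IN CNAME scs.yahoo.com.
scs.yahoo.com. 1800 IN CNAME scs-fooe.yahoo.com.
scs-fooe.yahoo.com. 617 IN A 216.136.233.138
scs-fooe.yahoo.com. 617 IN A 216.136.233.148
scs-fooe.yahoo.com. 617 IN A 216.136.233.152
scs-fooe.yahoo.com. 617 IN A 216.136.226.208
scs-fooe.yahoo.com. 617 IN A 216.136.233.133
scs-fooe.yahoo.com. 617 IN A 216.136.233.134
scs-fooe.yahoo.com. 617 IN A 216.136.233.135
scs-fooe.yahoo.com. 617 IN A 216.136.233.137'

# rules_from_dig [TARGET]
# Reads dig-style answer lines on stdin and prints one
#   /sbin/iptables -A FORWARD -d <ip> -j <TARGET>
# line per unique A record. CNAME and other record types are ignored,
# because only the final A records name hosts the firewall can match on.
# TARGET defaults to DROP, matching the advice earlier in the thread.
rules_from_dig() {
    target="${1:-DROP}"
    awk -v t="$target" '
        # fields: name ttl class type rdata
        $3 == "IN" && $4 == "A" && !seen[$5]++ {
            printf "/sbin/iptables -A FORWARD -d %s -j %s\n", $5, t
        }'
}

# Demonstration: generate the rule set for the sample answer.
printf '%s\n' "$DIG_OUTPUT" | rules_from_dig
```

Pipe the output into sh only after reading it; the point is that the resulting rule set is explicit, so `iptables -L FORWARD -n` shows every address actually blocked instead of whatever a name happened to resolve to when the rule was loaded.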