Re: Nat Rule ( Req help ASAP)

On Mon, Nov 08, 2004 at 11:04:56PM -0800, Nilesh wrote:
> Hello All, 
> 
> I am using Squid proxy and IPtables Firewall.
> Through squid I am able to block Messenger and other
> sites, but if I put this in the firewall I couldn't
> block messenger:
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

that's a NAT rule that translates the source IP address of all your
outbound traffic leaving $EXTIF to $EXTIP.

> In connection settings, if I choose no proxies the
> Yahoo messenger easily gets connected.
> 
> Also we use the CISCO VPN client to connect to an outside VPN
> server. If I want to connect to the VPN I need to put that
> rule in, otherwise I won't connect.
> 
> Could anyone please tell me how to solve my problem?
> I want to block messengers and also want to connect to the VPN
> server through the client.

i'm going to assume that your FORWARD policy must be set to ACCEPT
(note:  i wouldn't have to assume if you had included your rules via:
 iptables -t mangle -vnxL; iptables -t nat -vnxL; iptables -vnxL).

if your FORWARD policy is set to ACCEPT, you can explicitly drop the
ports used by yahoo messenger:

  # yahoo messenger
  iptables -A FORWARD -p tcp --dport 5050 -j DROP
  # yahoo messenger voice chat
  iptables -A FORWARD -p tcp --dport 5000:5001 -j DROP
  iptables -A FORWARD -p udp --dport 5000:5010 -j DROP
  # yahoo messenger web cam
  iptables -A FORWARD -p tcp --dport 5100 -j DROP

if your FORWARD policy is set to DROP, and you need to allow the VPN
client, you should be able to allow it with:

  # IKE
  iptables -A FORWARD -i $INT_IF -p udp --dport 500 -j ACCEPT
  # IPSec
  iptables -A FORWARD -i $INT_IF -p 50 -j ACCEPT
  # UDP Encapsulation
  iptables -A FORWARD -i $INT_IF -p udp --dport 4500 -j ACCEPT

the specific encapsulation ports/protocols may vary depending on your
client settings.

-j

--
"I saw weird stuff in that place last night. Weird, strange, sick,
 twisted, eerie, godless, evil stuff. And I want in."
        --The Simpsons
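As an added example (not part of the original thread), the two halves of the reply combined into one script around a default-DROP FORWARD policy, which is the safer form of the same configuration: with the policy at ACCEPT the messenger DROP rules only cover the ports listed, while with DROP anything not explicitly allowed stays blocked. The interface names, the public address and the DRY_RUN wrapper are assumptions; the script prints the iptables commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Default-deny FORWARD chain that still allows the Cisco VPN client
# and blocks Yahoo Messenger. Interface names and the public address
# are constructed placeholders; override them through the environment.
EXT_IF="${EXT_IF:-eth0}"          # assumed external interface
INT_IF="${INT_IF:-eth1}"          # assumed LAN interface
EXT_IP="${EXT_IP:-203.0.113.10}"  # assumed public address (TEST-NET-3)
DRY_RUN="${DRY_RUN:-1}"           # 1 = print commands, 0 = really run iptables

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_rules() {
    # Start clean so re-running the script does not duplicate rules.
    ipt -F FORWARD
    ipt -t nat -F POSTROUTING
    # Default deny: anything not listed below is dropped, so a new
    # messenger port or protocol does not slip through by default.
    ipt -P FORWARD DROP
    # Replies to connections that were already allowed.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Block Yahoo Messenger from the LAN before any general allow rule;
    # order matters because iptables stops at the first matching rule.
    ipt -A FORWARD -i "$INT_IF" -p tcp --dport 5050 -j DROP
    ipt -A FORWARD -i "$INT_IF" -p tcp --dport 5000:5001 -j DROP
    ipt -A FORWARD -i "$INT_IF" -p udp --dport 5000:5010 -j DROP
    ipt -A FORWARD -i "$INT_IF" -p tcp --dport 5100 -j DROP
    # Cisco VPN client: IKE, ESP and NAT-T (UDP encapsulation).
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p udp --dport 500 -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p 50 -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p udp --dport 4500 -j ACCEPT
    # Ordinary web traffic from the LAN; add further services as needed.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Log what the default policy is about to drop so blocked traffic is visible.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    # Translate LAN traffic to the public address (the poster's SNAT rule).
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
}

build_rules
```

Run with DRY_RUN=0 as root to apply the rules; afterwards `iptables -vnxL FORWARD` shows the packet counters, which is the quickest way to confirm the messenger DROP rules are actually matching.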
