On Mon, Nov 08, 2004 at 11:04:56PM -0800, Nilesh wrote:
> Hello All,
>
> I am using Squid proxy and IPtables Firewall.
> Through squid I am able to block Messenger and other
> sites, but if I put this in the firewall I am not able to
> block messenger:
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to
> $EXTIP

that's a NAT rule that translates the source IP address of all your
outbound traffic leaving $EXTIF to $EXTIP.

> In connection settings, if I choose no proxies the
> Yahoo messenger easily gets connected.
>
> Also we use the CISCO VPN client to connect to an outside VPN
> server. If I want to connect to the VPN I need to put that
> rule in, otherwise I won't connect.
>
> Could anyone please tell me how to solve my problem?
> I want to block messengers and also want to connect to the VPN
> server through the client.

i'm going to assume that your FORWARD policy must be set to ACCEPT
(note: i wouldn't have to assume if you had included your rules via:
iptables -t mangle -vnxL; iptables -t nat -vnxL; iptables -vnxL).

if your FORWARD policy is set to ACCEPT, you can explicitly drop the
ports used by yahoo messenger:

    # yahoo messenger
    iptables -A FORWARD -p tcp --dport 5050 -j DROP
    # yahoo messenger voice chat
    iptables -A FORWARD -p tcp --dport 5000:5001 -j DROP
    iptables -A FORWARD -p udp --dport 5000:5010 -j DROP
    # yahoo messenger web cam
    iptables -A FORWARD -p tcp --dport 5100 -j DROP

if your FORWARD policy is set to DROP, and you need to allow the VPN
client, you should be able to allow it with:

    # IKE
    iptables -A FORWARD -i $INT_IF -p udp --dport 500 -j ACCEPT
    # IPSec
    iptables -A FORWARD -i $INT_IF -p 50 -j ACCEPT
    # UDP Encapsulation
    iptables -A FORWARD -i $INT_IF -p udp --dport 4500 -j ACCEPT

the specific encapsulation ports/protocols may vary depending on your
client settings.

-j

--
"I saw weird stuff in that place last night. Weird, strange, sick,
twisted, eerie, godless, evil stuff. And I want in."
--The Simpsons
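The two rule sets from the reply combined into one default-deny FORWARD chain, as an added example that is not the reply's own script: only the VPN client's IPsec traffic is forwarded, and the messenger drops are logged first so blocked attempts show up in the kernel log. The interface names and the IPT dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny FORWARD chain that
# permits only the Cisco VPN client's IPsec traffic and logs, then drops,
# the Yahoo Messenger ports listed in the reply. Interface names are
# assumptions; set IPT=echo to print the rules instead of loading them.
INT_IF="${INT_IF:-eth1}"   # LAN side (assumed)
EXT_IF="${EXT_IF:-eth0}"   # internet side, the $EXTIF of the question (assumed)
IPT="${IPT:-iptables}"

# Messenger ports from the reply: LOG first so blocked attempts are visible
# in the kernel log, then DROP.
block_messenger() {
    for spec in "tcp 5050" "tcp 5000:5001" "udp 5000:5010" "tcp 5100"; do
        set -- $spec   # $1 = protocol, $2 = port or port range
        $IPT -A FORWARD -i "$INT_IF" -p "$1" --dport "$2" \
            -j LOG --log-prefix "IM-BLOCK: "
        $IPT -A FORWARD -i "$INT_IF" -p "$1" --dport "$2" -j DROP
    done
}

# VPN client: IKE, ESP and NAT-T outbound; replies come back via conntrack.
allow_vpn() {
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p udp --dport 500 -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p 50 -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p udp --dport 4500 -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Order matters: messenger drops go before the accepts, and the chain
# policy catches whatever no rule matched (logged for visibility).
apply_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    block_messenger
    allow_vpn
    $IPT -A FORWARD -i "$INT_IF" -j LOG --log-prefix "FWD-DROP: "
}

# Run with --apply as root to load the rules; otherwise only define them.
if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Run it with IPT=echo first and compare the printed rules against `iptables -vnxL FORWARD` after loading, which is also the listing the reply asks for.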