Sometimes knowing something about the protocol amy help. For example all ymessenger messages start with the string "YMSG" as a header in application payload. I believe you can use string match to detect such packets and drop them. iptables -A FORWARD -m string --string 'YMSG' -j DROP I haven't analysed any other IM protocol as of now, but i'm sure a little bit of googling will help ya out of the situation. On Mon, 03 Jan 2005 17:05:06 -0500, Jason Opperisano <opie@xxxxxxxxxxx> wrote: > On Mon, 2005-01-03 at 16:52, Jerry2A wrote: > > Hello - this is probably a dumb question....I'm using iptables for my > > home network (DSL) and I have masquerading, some port forwarding, > > etc., etc., and everything works great...EXCEPT....I have a situation > > where I occaisionally want to block outbound traffic from a certain > > host inside to a certain destination IP and/or port. For example, I'd > > like to block one host from within my network from using Instant > > Messenger but still allow web surfing. I've been able to dynamically > > block ALL outbound access to the internet but I'm unable to restrict > > access to certain destination ports. > > > > So this works: > > iptables -A INPUT -s 10.1.1.10 -j DROP > > iptables -A OUTPUT -d 10.1.1.10 -j DROP > > iptables -A FORWARD -d 10.1.1.10 -j DROP > > > > And I thought I could do something like this: > > iptables -A OUTPUT -s 10.1.1.10 -p tcp -m tcp --dport 5190 -j DROP > > iptables -A FORWARD -d 10.1.1.10 -p tcp -m tcp --dport 5190 -j DROP > > ....but it has no effect. > > > > I've tried different combinations of "-d and -s" and "--dport and > > --sport" just to see if I was doing something backwards....no dice. I > > was wondering if I needed to set up some kind of pre or post routing > > because of the masquerading? > > > > Any help would be appreciated. > > > > Thanks! > > > > Jerry A. > > first--NAT/MASQ has nothing to do with this--we're talking about > FILTER-ing here. > > second--INPUT and OUTPUT have nothing to do with blocking Internet > access for a host behind a gateway--that is the domain of FORWARD. > > third--whatever rule you use to block access from host 10.1.1.10 needs > to come *before* any rule that allows all traffic from network > 10.1.1.0/24 or from interface $inside. > > finally: > > iptables -I FORWARD -p tcp -s 10.1.1.10 --dport 5190 -j DROP > > will insert a rule as the first rule in FORWARD that drops port 5190 > traffic from 10.1.1.10. > > keep in mind that blocking IM apps from connecting is often much more > complicated than dropping a single port, as they have a habit of > tunneling themselves through port 80. > > -j > > -- > "I have thought this through. First, I will send Bart the money to > fly home. Then I will murder him." > --The Simpsons > > -- cheers Ashish -- cheers Ashish
