iptables to filter IM clients [Archive] - Glock Talk



lomfs24
12-18-2004, 00:01
I am using iptables as a firewall on a linux box. It is actually a Linksys wrt54gs wireless router that has been converted to a linux box.

Here's the problem: one of the machines on my network is a work machine that runs the business. The GM comes in and has no idea what she is doing, installs Yahoo IM and clicks every link she sees. I want to disable Yahoo IM and pretty much all IMs from that machine. I have the traffic to that machine isolated in iptables but I don't know how to filter IM traffic.

1) There are about a zillion Yahoo servers, so trying to filter URLs would be a nightmare and would have to be updated constantly.

2) Yahoo IM does not run on a specific port. It looks for port 5050 but if it's not there will use any port.

Are there a few key central servers for Yahoo that you initially log onto? What other way is there to filter that traffic?

I have found a part of packet data that is consistent with all Yahoo IM traffic. It is the string YMSG and it is in all chat and command packets. Can iptables filter for something in packet data?

I don't want to filter Yahoo from my whole network, just Yahoo IM traffic from one machine.

Deathwind
12-18-2004, 03:45
This should drop everything with YMSG in it (could cause some seriously hard to diagnose issues down the line though):
iptables -A INPUT -i eth0 -p tcp -m string --string "YMSG" --algo bm -j DROP
(your iptables has to support string matching for this to work though; current kernels require the --algo option for the string match)

Your best bet is blocking the login servers, another site claims these are some common ones:
# AOL Instant Messenger: login.oscar.aol.com, possibly toc.oscar.aol.com and login.icq.com
# MSN Messenger: gateway.messenger.hotmail.com (was login.gateway.hotmail.com)
# ICQ: login.icq.com and http.proxy.icq.com (Was icq.mirabilis.com and login.icq.com previously)
# Yahoo! Messenger: msg.edit.yahoo.com/*
# (Yahoo! Messenger: Might also need to block messenger.yahoo.com/* and http.pager.yahoo.com/*. Be sure to type in the http on that last URL).