Dear Friends,
I installed CentOS 4.4 on a server.
I need to DROP MSN Messenger using IPTABLES. I created the rule below.
$IPTABLES -A INPUT -p tcp -m string --string "x-msn-messenger" -j DROP
But when I run IPTABLES, I receive the following error:
DROP -> MSN Messenger iptables v1.2.11: Couldn't load match `string':/lib/iptables/libipt_string.so: cannot open shared object file: No such file or directory
Where do I find the library libipt_string?
Thanks for help.
Adriano Frare
I noticed there are a lot of the "cooler" iptables match targets missing from CentOS. You could recompile your kernel, which is taboo and dangerous, or you could run a more firewall-friendly distro. CentOS makes for a great and reliable server, but it's not a firewall; it's much too heavy of a distro for a firewall imho.
If you really want to proceed you'll need to check out compiling your own kernel, as well as updating the netfilter/iptables code (patch-o-matic).
Gordon
On 11/3/06, Adriano Frare alfrare@e-alinux.com wrote:
> Dear Friends,
> I installed CentOS 4.4 on a server.
> I need to DROP MSN Messenger using IPTABLES. I created the rule below.
> $IPTABLES -A INPUT -p tcp -m string --string "x-msn-messenger" -j DROP
> But when I run IPTABLES, I receive the following error:
> DROP -> MSN Messenger iptables v1.2.11: Couldn't load match `string':/lib/iptables/libipt_string.so: cannot open shared object file: No such file or directory
> Where do I find the library libipt_string?
> Thanks for help.
> Adriano Frare
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
Won't that iptables command block some legit traffic? Like a Google search or something?
I remember blocking MSN Messenger with iptables and squid proxy; it was reliable but kinda heavy if you want to run only a firewall.
Recompiling a kernel once is alright, but if you have to do it on every update it can get time-consuming :)
Anyways, good luck.
On Friday 03 November 2006 06:37, Adriano Frare wrote:
> Dear Friends,
> I installed CentOS 4.4 on a server.
> I need to DROP MSN Messenger using IPTABLES. I created the rule below.
> $IPTABLES -A INPUT -p tcp -m string --string "x-msn-messenger" -j DROP
> But when I run IPTABLES, I receive the following error:
> DROP -> MSN Messenger iptables v1.2.11: Couldn't load match `string':/lib/iptables/libipt_string.so: cannot open shared object file: No such file or directory
> Where do I find the library libipt_string?
> Thanks for help.
> Adriano Frare
It's simpler to deny the messenger's port. Try the following rule:
/sbin/iptables -t filter -A FORWARD -p tcp --dport 1863:1864 -j DROP
This way, the client is disabled for the auth process on the MSN servers, and you can say bye-bye to this cancer... :-)
[]
On Fri, 2006-11-03 at 09:35 -0400, Charles Lacroix wrote:
> Won't that iptables command block some legit traffic? Like a Google search or something?
> I remember blocking MSN Messenger with iptables and squid proxy; it was reliable but kinda heavy if you want to run only a firewall.
> Recompiling a kernel once is alright, but if you have to do it on every update it can get time-consuming :)
> Anyways, good luck.
Humm, won't MSN fall back to the HTTP protocol?
On Friday 03 November 2006 09:43, Rafael Azenha Aquini wrote:
> It's simpler to deny the messenger's port. Try the following rule:
> /sbin/iptables -t filter -A FORWARD -p tcp --dport 1863:1864 -j DROP
> This way, the client is disabled for the auth process on the MSN servers, and you can say bye-bye to this cancer... :-)
> []
I solved the MSN access with the rules below.
# MSN Messenger
# $IPTABLES, $LAN_IFACE1 and $INET_IFACE must already be set.
echo -en "\033[1;32m"
echo "DROP -> MSN Messenger"
echo -en "\033[1;37m"
$IPTABLES -A FORWARD -d 64.4.13.0/24 -j LOG
$IPTABLES -A FORWARD -d 64.4.13.0/24 -j REJECT
#CHAT
$IPTABLES -A FORWARD -p TCP --dport 1863 -i $LAN_IFACE1 -o $INET_IFACE \
    -j LOG
$IPTABLES -A FORWARD -p TCP --dport 1863 -i $LAN_IFACE1 -o $INET_IFACE \
    -j REJECT
$IPTABLES -A FORWARD -p TCP --dport 5190 -i $LAN_IFACE1 -o $INET_IFACE \
    -j LOG
$IPTABLES -A FORWARD -p TCP --dport 5190 -i $LAN_IFACE1 -o $INET_IFACE \
    -j REJECT
# Drop TCP to every address the gateway name currently resolves to.
for msnip in $(/usr/bin/host gateway.messenger.hotmail.com | awk '/ has address / { print $NF }'); do
    $IPTABLES -A FORWARD -d $msnip -p TCP -j DROP
done
$IPTABLES -A FORWARD --protocol tcp --dport 1863 -j REJECT --reject-with tcp-reset
# Drop all traffic to each address listed in /etc/msnserverlist.
for i in `cat /etc/msnserverlist`
do
    $IPTABLES -A FORWARD -d $i -j DROP
done
$IPTABLES -A FORWARD -d 64.4.12.200 -p udp --dport 7001 -j DROP
$IPTABLES -A FORWARD -d 64.4.12.201 -p udp --dport 7001 -j DROP
$IPTABLES -A FORWARD -d 65.54.226.247 -p udp --dport 443 -j DROP
$IPTABLES -A FORWARD -s 64.4.12.200 -p udp --sport 7001 -j DROP
$IPTABLES -A FORWARD -s 64.4.12.201 -p udp --sport 7001 -j DROP
$IPTABLES -A FORWARD -s 65.54.226.247 -p udp --sport 443 -j DROP
$IPTABLES -A FORWARD -d 64.4.12.200 -p tcp --dport 7001 -j DROP
$IPTABLES -A FORWARD -d 64.4.12.201 -p tcp --dport 7001 -j DROP
$IPTABLES -A FORWARD -d 65.54.226.247 -p tcp --dport 443 -j DROP
$IPTABLES -A FORWARD -s 64.4.12.200 -p tcp --sport 7001 -j DROP
$IPTABLES -A FORWARD -s 64.4.12.201 -p tcp --sport 7001 -j DROP
$IPTABLES -A FORWARD -s 65.54.226.247 -p tcp --sport 443 -j DROP
#FILE TRANSFER
$IPTABLES -A FORWARD -p TCP --dport 6891:6900 -i $LAN_IFACE1 -o $INET_IFACE \
    -j LOG
$IPTABLES -A FORWARD -p TCP --dport 6891:6900 -i $LAN_IFACE1 -o $INET_IFACE \
    -j REJECT
#CAMERA
$IPTABLES -A FORWARD -p TCP --dport 6901 -i $LAN_IFACE1 -o $INET_IFACE \
    -j LOG
$IPTABLES -A FORWARD -p TCP --dport 6901 -i $LAN_IFACE1 -o $INET_IFACE \
    -j REJECT
=========================== FILE /etc/msnserverlist ===================
Thanks for all
Charles Lacroix wrote:
> Humm, won't MSN fall back to the HTTP protocol?
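The loop over /etc/msnserverlist in the last message passes every word of the file straight to iptables -d. As an added example (not part of the thread), the script below checks each entry as an IPv4 address or CIDR and prints the rules into a dedicated chain instead of applying them; the chain name MSN_BLOCK, the function names and the sample list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: validate a server list and print the iptables rules for it
# instead of applying them. MSN_BLOCK is a hypothetical chain name.
CHAIN="MSN_BLOCK"

# Succeed if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4_cidr() {
    case $1 in ''|*[!0-9./]*|.*|*..*|*./*|*/*/*) return 1 ;; esac
    addr=${1%%/*}
    case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in *.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Print rules for list file $1. Only the first whitespace-separated field of
# each line is used, '#' starts a comment, bad entries go to stderr.
emit_rules() {
    echo "iptables -N $CHAIN"
    while read -r entry rest || [ -n "$entry" ]; do
        entry=${entry%%#*}
        [ -n "$entry" ] || continue
        if is_ipv4_cidr "$entry"; then
            echo "iptables -A $CHAIN -d $entry -j DROP"
        else
            echo "skipped invalid entry: $entry" >&2
        fi
    done < "$1"
    echo "iptables -A FORWARD -j $CHAIN"
}

# Constructed sample list using documentation address ranges.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not the list from the post
192.0.2.10
198.51.100.0/25   # trailing comment
203.0.113.300
198.51.100.0/33
EOF
emit_rules "$sample"
rm -f "$sample"
```

On a reload, flushing the chain with iptables -F MSN_BLOCK and re-adding the entries avoids the duplicate rules that repeated -A FORWARD runs accumulate.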