[CentOS] DROP MSN MESSENGER by IPTABLES- CENTOS 4 (SOLVED)

Adriano Frare alfrare at e-alinux.com
Sat Nov 4 16:10:15 UTC 2006


I solved the MSN access issue with the rules below.

# MSN Messenger
echo -en "\\033[1;32m"
echo "DROP -> MSN Messenger"
echo -en "\\033[1;37m"
# Log, then reject, anything headed for the 64.4.13.0/24 server block
$IPTABLES -A FORWARD -d 64.4.13.0/24 -j LOG
$IPTABLES -A FORWARD -d 64.4.13.0/24 -j REJECT
#CHAT (sign-in port 1863, plus 5190)
$IPTABLES -A FORWARD -p TCP --dport 1863 -i $LAN_IFACE1 -o $INET_IFACE -j LOG
$IPTABLES -A FORWARD -p TCP --dport 1863 -i $LAN_IFACE1 -o $INET_IFACE -j REJECT
$IPTABLES -A FORWARD -p TCP --dport 5190 -i $LAN_IFACE1 -o $INET_IFACE -j LOG
$IPTABLES -A FORWARD -p TCP --dport 5190 -i $LAN_IFACE1 -o $INET_IFACE -j REJECT

# Resolve the gateway host when the rules are loaded and drop each address
# it currently has (the awk pattern must stay on a single line)
for msnip in $(/usr/bin/host gateway.messenger.hotmail.com | awk '/ has address / { print $NF }'); do
    $IPTABLES -A FORWARD -d $msnip -p TCP -j DROP
done

$IPTABLES -A FORWARD --protocol tcp --dport 1863 -j REJECT --reject-with tcp-reset
# Drop every server listed in /etc/msnserverlist (one address or CIDR per line)
for i in $(cat /etc/msnserverlist); do
    $IPTABLES -A FORWARD -d $i -j DROP
done

# Known servers on the UDP/TCP ports the client uses, both directions
$IPTABLES -A FORWARD -d 64.4.12.200 -p udp --dport 7001 -j DROP
$IPTABLES -A FORWARD -d 64.4.12.201 -p udp --dport 7001 -j DROP
$IPTABLES -A FORWARD -d 65.54.226.247 -p udp --dport 443 -j DROP
$IPTABLES -A FORWARD -s 64.4.12.200 -p udp --sport 7001 -j DROP
$IPTABLES -A FORWARD -s 64.4.12.201 -p udp --sport 7001 -j DROP
$IPTABLES -A FORWARD -s 65.54.226.247 -p udp --sport 443 -j DROP
$IPTABLES -A FORWARD -d 64.4.12.200 -p tcp --dport 7001 -j DROP
$IPTABLES -A FORWARD -d 64.4.12.201 -p tcp --dport 7001 -j DROP
$IPTABLES -A FORWARD -d 65.54.226.247 -p tcp --dport 443 -j DROP
$IPTABLES -A FORWARD -s 64.4.12.200 -p tcp --sport 7001 -j DROP
$IPTABLES -A FORWARD -s 64.4.12.201 -p tcp --sport 7001 -j DROP
$IPTABLES -A FORWARD -s 65.54.226.247 -p tcp --sport 443 -j DROP
#FILE TRANSFER
$IPTABLES -A FORWARD -p TCP --dport 6891:6900 -i $LAN_IFACE1 -o $INET_IFACE -j LOG
$IPTABLES -A FORWARD -p TCP --dport 6891:6900 -i $LAN_IFACE1 -o $INET_IFACE -j REJECT
#CAMERA
$IPTABLES -A FORWARD -p TCP --dport 6901 -i $LAN_IFACE1 -o $INET_IFACE -j LOG
$IPTABLES -A FORWARD -p TCP --dport 6901 -i $LAN_IFACE1 -o $INET_IFACE -j REJECT

=========================== FILE /etc/msnserverlist  ===================
====================================================================


Thanks to all







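The same block as a dedicated iptables chain, added here as an example and not code from the original post: it reads the /etc/msnserverlist format above (one address or CIDR per line), rebuilds the chain so a reload does not duplicate rules, rate-limits the LOG rules, and drops the listed servers for every protocol so an HTTP fallback to those hosts is caught too. Assumed: $IPTABLES, $LAN_IFACE1 and $INET_IFACE as in the script (IPTABLES=echo prints the rules instead of loading them); the chain name MSN_BLOCK and the list-file argument are the example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original post: the MSN block as a
# dedicated chain that can be rebuilt idempotently and whose log lines are
# rate-limited. Assumptions: $IPTABLES is the iptables binary (IPTABLES=echo
# prints the rules instead of applying them), $LAN_IFACE1/$INET_IFACE are the
# inside/outside interfaces as in the original script, and the address list
# file holds one IPv4 address or CIDR per line ('#' comments and blanks allowed).
IPTABLES="${IPTABLES:-/sbin/iptables}"
LAN_IFACE1="${LAN_IFACE1:-eth1}"
INET_IFACE="${INET_IFACE:-eth0}"
CHAIN=MSN_BLOCK

# Print the usable entries of an address list file, one per line, and
# refuse anything that is not digits, dots and a slash, so a typo in the
# file cannot turn into a rule that iptables misparses.
read_addr_list() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r addr _; do
        case "$addr" in
            *[!0-9./]*) echo "skipping bad entry: $addr" >&2 ;;
            *) echo "$addr" ;;
        esac
    done
}

# (Re)build the chain from scratch and hook it into FORWARD for LAN->Internet
# traffic, so running the script twice does not duplicate rules.
msn_block_apply() {
    listfile="$1"
    $IPTABLES -N "$CHAIN" 2>/dev/null || $IPTABLES -F "$CHAIN"
    # Client-side ports from the original script: sign-in (1863), 5190,
    # file transfer (6891-6900) and webcam (6901). Log at most 3/min, then
    # reject with a RST so the client fails fast instead of retrying.
    for ports in 1863 5190 6891:6901; do
        $IPTABLES -A "$CHAIN" -p tcp --dport "$ports" -m limit --limit 3/min \
            -j LOG --log-prefix "MSN: "
        $IPTABLES -A "$CHAIN" -p tcp --dport "$ports" -j REJECT --reject-with tcp-reset
    done
    # Known server addresses, any protocol and port, so an HTTP fallback
    # to the listed hosts is covered as well.
    read_addr_list "$listfile" | while read -r addr; do
        $IPTABLES -A "$CHAIN" -d "$addr" -j DROP
    done
    # Remove a stale hook (ignore failure if absent), then insert at the top.
    $IPTABLES -D FORWARD -i "$LAN_IFACE1" -o "$INET_IFACE" -j "$CHAIN" 2>/dev/null || true
    $IPTABLES -I FORWARD -i "$LAN_IFACE1" -o "$INET_IFACE" -j "$CHAIN"
}
```

Call `msn_block_apply /etc/msnserverlist` from the firewall script after the interface variables are set.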
Charles Lacroix wrote:
> Hmm, won't MSN fall back to the HTTP protocol?
> 
> 
> On Friday 03 November 2006 09:43, Rafael Azenha Aquini wrote:
>> It's simpler to deny the messenger's port. Try the following rule:
>>
>> /sbin/iptables -t filter -A FORWARD -p tcp --dport 1863:1864 -j DROP
>>
>> This way, the client is disabled for the auth process on the MSN servers, and
>> you can say bye-bye to this cancer... :-)
>>
>> []
>>
>> On Fri, 2006-11-03 at 09:35 -0400, Charles Lacroix wrote:
>>> Won't that iptables command block some legit traffic? Like a Google
>>> search or something?
>>>
>>> I remember blocking MSN Messenger with iptables and a Squid proxy; it was
>>> reliable but kinda heavy if you want to run only a firewall.
>>>
>>> Recompiling a kernel once is alright, but if you have to do it on every
>>> update it can get time consuming :)
>>>
>>> Anyway, good luck.
>>>
>>> On Friday 03 November 2006 06:37, Adriano Frare wrote:
>>>> Dear Friends,
>>>>
>>>> I installed CentOS 4.4 on a server.
>>>>
>>>> I need to DROP MSN Messenger using iptables, so I created the rule below.
>>>>
>>>> $IPTABLES -A INPUT -p tcp -m string --string "x-msn-messenger" -j DROP
>>>>
>>>>
>>>>
>>>> But when I run iptables, I receive the following error:
>>>>
>>>> DROP -> MSN Messenger
>>>> iptables v1.2.11: Couldn't load match
>>>> `string':/lib/iptables/libipt_string.so: cannot open shared object
>>>> file: No such file or directory
>>>>
>>>>
>>>> Where do I find the library libipt_string?
>>>>
>>>>
>>>>
>>>> Thanks for help.
>>>>
>>>>
>>>> Adriano Frare
>>>> _______________________________________________
>>>> CentOS mailing list
>>>> CentOS at centos.org
>>>> http://lists.centos.org/mailman/listinfo/centos