Block MSN and other messengers on your network

Posted on January 29, 2007 | Leave a comment

This is my iptables config stored under /etc/sysconfig/iptables :
(eth0 = WAN if, eth1 = LAN if)

You’ll notice 192.168.1.16 is allowed to connect to any services

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Basic protections against syn floods and other stuff
-A FORWARD -p tcp –syn -m limit –limit 1/s -j ACCEPT
-A FORWARD -p tcp –tcp-flags SYN,ACK,FIN,RST RST -m limit –limit 1/s -j ACCEPT
-A FORWARD -p icmp –icmp-type echo-request -m limit –limit 1/s -j ACCEPT

# Block MSN
-I FORWARD -s 192.168.1.0/24 -p tcp -m tcp –dport 1863 -j DROP
-I FORWARD -s 192.168.1.0/24 -p tcp -m tcp –dport 1863 -j LOG –log-prefix “MESSENGER MSN > ”
-I FORWARD -s 192.168.1.16 -p tcp -m tcp –dport 1863 -j ACCEPT

# Block AIM/ICQ
-I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j DROP
-I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j LOG –log-prefix “MESSENGER ICQ/AIM > ”
-I FORWARD -s 192.168.1.16 -d 64.12.25.0/22 -j ACCEPT

# Block Yahoo IM
-I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j DROP
-I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j LOG –log-prefix “MESSENGER YIM > ”
-I FORWARD -s 192.168.1.16 -d 216.155.193.0/22 -j ACCEPT

# Allowing anything else
-A FORWARD -i eth1 -o eth0 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state –state ESTABLISHED,RELATED -j ACCEPT

Read more at Sébastien Wains homepage

Advertisement
This entry was posted in Administration, Networking. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s