This document explains how to effectively block MSN and P2P on your home or
work network, provided you are using a Linux gateway for Internet connectivity.
These blocks can be disabled for selected computers based on their network card's MAC address. Keep reading to learn how.
Several approaches exist for blocking MSN/P2P networks. Some of these are:
* blocking incoming/outgoing ports (using both IP-based and program-based firewalls)
* preventing users from installing the software (using Windows access rights, for example)
* blocking access to some websites using a proxy server
Each one of them has its advantages and disadvantages. Unfortunately there is no fail-proof method to block P2P/MSN. Yet, you can combine several methods to achieve a very high level of protection.
That being said, I will provide here the steps to set up an MSN/P2P block using shorewall (an iptables frontend) and a squid transparent proxy. For this guide I will assume your LAN (192.168.1.0/24) interface is eth1 and your Internet interface is eth0.
What you’ll need:
* a linux NAT gateway (a very common method to provide internet connectivity for private networks)
* shorewall, which is platform-independent (it is written as shell scripts) and so very easy to install. Universal RPMs are provided on its main page
* squid, which is a very common web proxy and comes bundled with most Linux distributions nowadays
Using only a firewall approach doesn't work, because both MSN and P2P clients can connect using port 80, which is the same port used for HTTP transport (web pages) and hence can't be blocked. Plus, there are now dozens of free web clients for MSN which can be used with only your browser and don't require any program at all to be installed.
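To make the combined approach concrete, here is an added example (not from the original guide) that prints the iptables rules equivalent to what the shorewall setup above ends up doing: port 80 from the LAN is diverted into the transparent squid proxy, other LAN traffic is limited to what is explicitly allowed, and hosts whose MAC address is listed bypass both. The squid port (3128) and the exempt MAC address are assumed values.

```shell
#!/bin/sh
# Added example: iptables rules equivalent to the shorewall + squid setup
# described above (LAN 192.168.1.0/24 on eth1, Internet on eth0, squid on
# port 3128). The squid port and the exempt MAC are assumed, not from the page.
LAN_IF=eth1
WAN_IF=eth0
LAN_NET=192.168.1.0/24
SQUID_PORT=3128
EXEMPT_MACS="00:11:22:33:44:55"   # network cards allowed to bypass the block (assumed)

# The rules are printed, not applied, so they can be reviewed first;
# run "sh block.sh | sh" as root on the gateway to load them.
gen_rules() {
    # Exempt hosts, matched by MAC, leave both chains before any block applies.
    for mac in $EXEMPT_MACS; do
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -m mac --mac-source $mac -j RETURN"
        echo "iptables -A FORWARD -i $LAN_IF -m mac --mac-source $mac -j ACCEPT"
    done
    # Force all LAN web traffic through the transparent squid proxy, where the
    # browser-based MSN clients can be filtered by URL instead of by port.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
    # Forward only what the LAN legitimately needs (DNS and HTTPS here); MSN and
    # P2P clients that try to connect on any other port are dropped.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p udp --dport 53 -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 443 -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j DROP"
    # Masquerade the LAN behind the Internet interface (the NAT gateway role).
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
}

gen_rules
```

Add further ACCEPT lines before the final DROP for any other service your LAN needs; the order matters, since the MAC exemptions must come before the redirect and the DROP.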