How do I block a client from accessing Yahoo chat? My current setup is as follows: I have a firewall and behind it a proxy server running on port 3128.
Now, to block Yahoo chat access, I did the following in my squid.conf:
acl special_url url_regex -i chat.yahoo.com|messenger.yahoo.com
http_access deny special_url
But this still allows clients to log in to Yahoo chat.
Do I need to block certain ports, and if so, which ones?
Thank you!!
On Thu, 2007-12-13 at 14:35 +0530, Agnello George wrote:
> How do I block a client from accessing Yahoo chat? My current setup is as follows: I have a firewall and behind it a proxy server running on port 3128.
> Now, to block Yahoo chat access, I did the following in my squid.conf:
> acl special_url url_regex -i chat.yahoo.com|messenger.yahoo.com
> http_access deny special_url
> But this still allows clients to log in to Yahoo chat.
> Do I need to block certain ports, and if so, which ones?
> Thank you!!
> -- Agnello G. Dsouza, email: agnello.dsouza@gmail.com agnello@qualispace.com
> www.linux-vashi.blogspot.com www.study-the-word.blogspot.com
Look for iptables -t mangle -A PREROUTING chain.
> Look for iptables -t mangle -A PREROUTING chain.
What I tried to do was a PREROUTING rule:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5050 -j REDIRECT --to-port 3128
and in my squid.conf:
acl chat_ports port 5050
http_access deny CONNECT !chat_ports
But I am still able to log in to the chat client.
Which port can I block for Yahoo chat??
On Dec 13, 2007 3:15 PM, Agnello George agnello.dsouza@gmail.com wrote:
> > Look for iptables -t mangle -A PREROUTING chain.
> What I tried to do was a PREROUTING rule:
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5050 -j REDIRECT --to-port 3128
> and in my squid.conf:
> acl chat_ports port 5050
> http_access deny CONNECT !chat_ports
What are you trying to do here? Allow only port 5050?
> But I am still able to log in to the chat client.
The location of the acl in your squid.conf is important. Squid processes the file top-down. If you have enabled http access (either explicitly or implicitly) to Yahoo chat before (i.e. above) the chat-blocking acl, Squid will allow access.
BTW, have you configured Yahoo Messenger to actually use the proxy?
Regards, NMK.
On Thu, 2007-12-13 at 15:40 +0530, Agnello George wrote:
> > Look for iptables -t mangle -A PREROUTING chain.
> How exactly do I need to use the above command?
# REJECT cannot be used from PREROUTING (only from INPUT, FORWARD or OUTPUT); DROP works here
/sbin/iptables -t mangle -A PREROUTING -s "your network or host address" -p tcp --dport 5050 -j DROP
> What are you trying to do here? Allow only port 5050?
Trying to block the Yahoo chat client from accessing the Yahoo server via port 5050!!!
> The location of the acl in your squid.conf is important. Squid processes the file top-down. If you have enabled http access (either explicitly or implicitly) to Yahoo chat before (i.e. above) the chat-blocking acl, Squid will allow access.
I have created a file called /etc/squid/special_url with the following content in it:
www.orkut.com
.messenger.yahoo.com
.psq.yahoo.com
.us.il.yimg.com
.msg.yahoo.com
.login.yahoo.com
.csa.yahoo.com
.csb.yahoo.com
.csc.yahoo.com
.cs.yahoo.co.jp
.filetransfer.msg.yahoo.co.jp
and in my squid.conf file I added the following:
acl special_url dstdomain "/etc/squid/special_url"
http_access deny special_url
which works perfectly well.
When I put the URL chat.yahoo.com in my browser I am denied access (so that is working fine).
But when I access Yahoo chat, I am able to log in.
Where am I going wrong!! :(
On Dec 13, 2007 5:29 PM, Derwyn Dpenha derwynd@gmail.com wrote:
> Trying to block the Yahoo chat client from accessing the Yahoo server via port 5050!!!
Yahoo Messenger uses many other ports, not just 5050. See their help pages; all ports are listed there.
On 12/13/07, Agnello George agnello.dsouza@gmail.com wrote: <snip>
> and in my squid.conf file I added the following:
> acl special_url dstdomain "/etc/squid/special_url"
> http_access deny special_url
> which works perfectly well.
> When I put the URL chat.yahoo.com in my browser I am denied access (so that is working fine).
> But when I access Yahoo chat, I am able to log in.
> Where am I going wrong!! :(
You will only be able to block port 80 and 443 access with Squid acls. What you need to do is the following:
1) Block all ports with iptables.
2) Selectively open ports 25, 80, 443, 110, 143, 465, 995, 993 (email and web access). Also open ports 21 and 22 if you want FTP and SSH connections.
3) Open any other port required. (Some apps still use fancy ports to do things.)
I have never tried blocking Google Talk, but I think blocking Jabber ports plus blocking chatenabled.google.com (with Squid) should block Google chat.
regards VK
On Dec 13, 2007 8:24 PM, vivek khurana mailing.vivek@gmail.com wrote:
> I have never tried blocking Google Talk, but I think blocking Jabber ports plus blocking chatenabled.google.com (with Squid) should block Google chat.
Slightly off-topic here, but that only blocks the chat feature in the left pane of Gmail. Gtalk (the standalone version) is not blocked.
Regards, NMK.
On Dec 13, 2007 8:21 PM, Nadeem M. Khan nadeem.m.khan@gmail.com wrote:
> On Dec 13, 2007 8:24 PM, vivek khurana mailing.vivek@gmail.com wrote:
> > I have never tried blocking Google Talk, but I think blocking Jabber ports plus blocking chatenabled.google.com (with Squid) should block Google chat.
> Slightly off-topic here, but that only blocks the chat feature in the left pane of Gmail. Gtalk (the standalone version) is not blocked.
Read my reply carefully, dear: "blocking Jabber ports" will block the standalone Gtalk version, as Gtalk uses Jabber.
regards VK
I was able to block Gtalk accessed through Gmail (the following is how I did it).
In /etc/squid/special_url add the following:
.chatenabled.mail.google.com
.talk.google.com
and in squid.conf add the following:
acl special_url dstdomain "/etc/squid/special_url"
and deny access to special_url:
http_access deny special_url
However, I am not able to block the Gtalk chat client even after I blocked port 5222.
On Dec 14, 2007 7:00 PM, Agnello George agnello.dsouza@gmail.com wrote:
> However, I am not able to block the Gtalk chat client even after I blocked port 5222.
Why not just use the firewall (iptables) to block port 5222, as people have been saying? And I believe one can connect to Gtalk on port 443 too, so that should be tricky, I guess, with a transparent proxy running. http://www.google.com/support/talk/bin/answer.py?answer=27930
On Dec 14, 2007 7:38 PM, Mehul Ved mehul.n.ved@gmail.com wrote:
> On Dec 14, 2007 7:00 PM, Agnello George agnello.dsouza@gmail.com wrote:
> > However, I am not able to block the Gtalk chat client even after I blocked port 5222.
> Why not just use the firewall (iptables) to block port 5222, as people have been saying? And I believe one can connect to Gtalk on port 443 too, so that should be tricky, I guess, with a transparent proxy running. http://www.google.com/support/talk/bin/answer.py?answer=27930
He has mentioned blocking talk.google.com. So even if you are running a transparent proxy, the user will not be able to connect to the Gtalk server when talk.google.com is blocked.
regards VK
On Dec 14, 2007 7:00 PM, Agnello George agnello.dsouza@gmail.com wrote:
> However, I am not able to block the Gtalk chat client even after I blocked port 5222.
Please check your Gtalk settings. I hope you are not tunneling Gtalk and Yahoo Messenger through the proxy.
regards VK
On Dec 13, 2007 4:17 PM, Agnello George agnello.dsouza@gmail.com wrote:
> When I put the URL chat.yahoo.com in my browser I am denied access (so that is working fine).
> But when I access Yahoo chat, I am able to log in.
> Where am I going wrong!! :(
Agnello,
Some questions: Did you use iptables to redirect port 80 to port 3128? That is, are you using a transparent proxy, or are you manually entering the IP and port of Squid in your browser? If you are not using a transparent proxy and are setting up your browser manually, you need to do the same with Yahoo Messenger as well: Messenger > Preferences > Connection > Use Proxy.
If you are using a transparent proxy, you also need to redirect the Yahoo Messenger port(s) to port 3128. After that, use Squid acls to block these ports.
To know exactly which port Messenger is using, and to understand the mechanism of how it accesses its servers, do a tail -f of the Squid access log and then log in to Messenger. This will help you write better acls. Effectively, it will tell you whether the Messenger requests are passing through Squid or not.
Regards, NMK.
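The log-watching step NMK describes above can be turned into a small script. The following is an added example and not code from the thread: it parses Squid's native access.log format, lists which destinations (host and port) each client reached through the proxy, and flags requests to a domain from the thread's /etc/squid/special_url list that Squid nevertheless served, which is exactly the gap the acls need to close. The log lines, client addresses and server addresses are constructed (RFC 5737 documentation ranges) and are not from any real proxy.

```python
# Added example, not from the thread: a reader for Squid's native access.log
# that lists the destinations reached through the proxy and flags requests to
# a supposedly blocked domain that were still served. Sample lines and all
# addresses are constructed (RFC 5737 ranges), not captured from a proxy.
from collections import Counter
from urllib.parse import urlparse

# Native access.log layout:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1197545100.123   245 192.0.2.10 TCP_MISS/200 1532 GET http://www.example.com/ - DIRECT/203.0.113.20 text/html
1197545101.456    12 192.0.2.10 TCP_DENIED/403 1400 GET http://chat.yahoo.com/ - NONE/- text/html
1197545102.789  1893 192.0.2.10 TCP_MISS/200 812 CONNECT csa.yahoo.com:5050 - DIRECT/203.0.113.50 -
1197545103.012   300 192.0.2.10 TCP_MISS/200 2048 POST http://shttp.msg.yahoo.com/notify/ - DIRECT/203.0.113.51 -
1197545104.345    15 192.0.2.11 TCP_DENIED/403 1400 GET http://messenger.yahoo.com/ - NONE/- text/html
"""

# A subset of the domains the thread's /etc/squid/special_url file denies.
BLOCKED = [".messenger.yahoo.com", ".msg.yahoo.com", ".csa.yahoo.com"]


def parse_line(line):
    """Turn one native-format log line into a record, or None if malformed."""
    f = line.split()
    if len(f) < 9:
        return None
    method, url = f[5], f[6]
    if method == "CONNECT":            # for tunnels the URL is just host:port
        host, _, port = url.rpartition(":")
        port = int(port) if port.isdigit() else 443
    else:
        u = urlparse(url)
        host = u.hostname or ""
        port = u.port or (443 if u.scheme == "https" else 80)
    result, status = f[3].split("/", 1)
    return {"time": float(f[0]), "client": f[2], "result": result,
            "status": int(status) if status.isdigit() else 0,
            "method": method, "host": host, "port": port}


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def domain_matches(host, pattern):
    """Squid dstdomain semantics: a leading dot means the domain and all its subdomains."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def destinations(records):
    """Count (client, method, host, port) tuples: what actually went through the proxy."""
    return Counter((r["client"], r["method"], r["host"], r["port"]) for r in records)


def served_despite_block(records, blocked=BLOCKED):
    """Requests to a blocked domain that were not denied: acl gaps to fix."""
    return [r for r in records
            if any(domain_matches(r["host"], p) for p in blocked)
            and r["result"] != "TCP_DENIED"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(destinations(recs).items()):
        print(n, *key)
    for r in served_despite_block(recs):
        print("served but should be blocked:", r["method"], r["host"], r["port"], r["result"])
```

Run against a real log with `tail -f /var/log/squid/access.log`, the same parse_line function shows immediately whether the messenger traffic is reaching Squid at all (CONNECT lines to a chat host and port) or bypassing it (nothing logged while the client logs in).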
On Dec 13, 2007 3:15 PM, Agnello George agnello.dsouza@gmail.com wrote:
> acl chat_ports port 5050
> http_access deny CONNECT !chat_ports
I don't get this rule. Can someone please explain? Does this rule deny CONNECT to port 5050?
Regards, NMK.
On 14-Dec-07, at 2:06 AM, Nadeem M. Khan wrote:
> On Dec 13, 2007 3:15 PM, Agnello George agnello.dsouza@gmail.com wrote:
> > acl chat_ports port 5050
> > http_access deny CONNECT !chat_ports
> I don't get this rule. Can someone please explain? Does this rule deny CONNECT to port 5050?
Looks like it denies CONNECT to every port except 5050.
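Both NMK's point that Squid reads http_access lines top-down and the reading of `http_access deny CONNECT !chat_ports` just above can be checked with the following added example, which is not code from the thread: a small Python model of Squid's http_access evaluation. It only models the acl types the thread uses (src, dstdomain, port, method, url_regex) and Squid's documented rule that, when no line matches, the opposite of the last line's action applies. The `localnet` acl, its 10.0.0.0/8 range and the client addresses are assumptions added for the demonstration.

```python
# Added example, not code from the thread: a small model of how Squid walks
# http_access lines top-down. It lets the effect of rule order and of
# "http_access deny CONNECT !chat_ports" be checked without a live proxy.
# Only the acl types used in the thread are modelled: src, dstdomain, port,
# method and url_regex. The "localnet" acl, its range and the client
# addresses below are constructed for the demonstration.
import ipaddress
import re


def parse_config(text):
    """Return ({acl_name: [(type, values), ...]}, [(allow, [terms]), ...])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            if kind == "url_regex" and values[:1] == ["-i"]:
                values = values[1:]  # the model always matches case-insensitively
            acls.setdefault(name, []).append((kind, values))
        elif parts[0] == "http_access":
            rules.append((parts[1] == "allow", parts[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """True if any definition line of the named acl matches the request."""
    for kind, values in acls.get(name, []):
        if kind == "src":
            src = ipaddress.ip_address(req["src"])
            if any(src in ipaddress.ip_network(v, strict=False) for v in values):
                return True
        elif kind == "dstdomain":
            # ".yahoo.com" matches yahoo.com and every subdomain; a bare name matches exactly.
            for d in values:
                if d.startswith(".") and (req["host"] == d[1:] or req["host"].endswith(d)):
                    return True
                if req["host"] == d:
                    return True
        elif kind == "port" and str(req["port"]) in values:
            return True
        elif kind == "method" and req["method"] in values:
            return True
        elif kind == "url_regex" and any(re.search(p, req["url"], re.I) for p in values):
            return True
    return False


def evaluate(acls, rules, req):
    """The first http_access line whose terms all match decides. If no line
    matches, Squid applies the opposite of the last line's action."""
    for allow, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return allow
    return (not rules[-1][0]) if rules else False


def decide(config, method, host, port, src):
    """Convenience wrapper: True means allowed, False means denied."""
    url = f"{host}:{port}" if method == "CONNECT" else f"http://{host}/"
    acls, rules = parse_config(config)
    return evaluate(acls, rules, {"method": method, "host": host, "port": port, "src": src, "url": url})


# The thread's acls with a site-wide allow placed ABOVE the deny lines.
ALLOW_FIRST = """
acl localnet src 10.0.0.0/8
acl CONNECT method CONNECT
acl special_url dstdomain .messenger.yahoo.com .msg.yahoo.com .login.yahoo.com
acl chat_ports port 5050
http_access allow localnet
http_access deny special_url
http_access deny CONNECT !chat_ports
"""

# The same acls with the deny lines first, as top-down processing requires.
DENY_FIRST = """
acl localnet src 10.0.0.0/8
acl CONNECT method CONNECT
acl special_url dstdomain .messenger.yahoo.com .msg.yahoo.com .login.yahoo.com
acl chat_ports port 5050
http_access deny special_url
http_access deny CONNECT !chat_ports
http_access allow localnet
"""

if __name__ == "__main__":
    for name, cfg in (("allow first", ALLOW_FIRST), ("deny first", DENY_FIRST)):
        print(name, "GET messenger.yahoo.com:", decide(cfg, "GET", "messenger.yahoo.com", 80, "10.0.0.5"))
        print(name, "CONNECT csa.yahoo.com:443:", decide(cfg, "CONNECT", "csa.yahoo.com", 443, "10.0.0.5"))
        print(name, "CONNECT csa.yahoo.com:5050:", decide(cfg, "CONNECT", "csa.yahoo.com", 5050, "10.0.0.5"))
```

With the allow line first, every request from the local network is allowed before the deny lines are ever reached; with the deny lines first, `deny CONNECT !chat_ports` refuses CONNECT to 443 while letting CONNECT to 5050 through, which is the reading given above and the reverse of what the thread wanted.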
On 12/13/07, Agnello George agnello.dsouza@gmail.com wrote:
> How do I block a client from accessing Yahoo chat? My current setup is as follows: I have a firewall and behind it a proxy server running on port 3128.
> Now, to block Yahoo chat access, I did the following in my squid.conf:
I'm a little late in replying. The best way to set up access control is to start with a completely closed firewall and proxy. Open the ports you require and set up port redirection 80 -> 3128 (if Squid is running as a transparent proxy). Then open only THOSE services in Squid which you require. Also remember NOT to NAT the machines or put ANY machine in a DMZ.
On 12/15/07, Dinesh Joshi dinesh.a.joshi@gmail.com wrote:
> Now, to block Yahoo chat access, I did the following in my squid.conf:
> I'm a little late in replying. The best way to set up access control is to start with a completely closed firewall and proxy. Open the ports you require and set up port redirection 80 -> 3128 (if Squid is running as a transparent proxy). Then open only THOSE services in Squid which you require. Also remember NOT to NAT the machines or put ANY machine in a DMZ.
Can't understand this no-DMZ policy?
regards VK
On 12/16/07, vivek khurana mailing.vivek@gmail.com wrote:
> Can't understand this no-DMZ policy?
DMZ is DeMilitarized Zone. Any machine put in this "zone" is accessible directly from the outside world. No packets are filtered by the firewall and the machine is completely exposed.
Please be more verbose while asking questions, as I'm not clear what you mean.
On 12/16/07, Dinesh Joshi dinesh.a.joshi@gmail.com wrote:
> On 12/16/07, vivek khurana mailing.vivek@gmail.com wrote:
> > Can't understand this no-DMZ policy?
> DMZ is DeMilitarized Zone. Any machine put in this "zone" is accessible directly from the outside world. No packets are filtered by the firewall and the machine is completely exposed.
> Please be more verbose while asking questions, as I'm not clear what you mean.
Yup, I know what a DMZ is, so why not put machines in a DMZ? We use it often to keep servers separate from the rest of the network. What I can't understand from your suggestion is "Why not put any machine in a DMZ?" A DMZ is meant for exposing machines to the outer world. If you don't want to expose a machine in a DMZ, do not create a DMZ, simple!
regards VK
On 12/16/07, vivek khurana mailing.vivek@gmail.com wrote:
> Yup, I know what a DMZ is, so why not put machines in a DMZ? We use it often to keep servers separate from the rest of the network. What I can't understand from your suggestion is "Why not put any machine in a DMZ?" A DMZ is meant for exposing machines to the outer world. If you don't want to expose a machine in a DMZ, do not create a DMZ, simple!
That's exactly the advice I gave him, my friend! :)
On 12/16/07, Dinesh Joshi dinesh.a.joshi@gmail.com wrote:
> On 12/13/07, Agnello George agnello.dsouza@gmail.com wrote:
> > How do I block a client from accessing Yahoo chat? My current setup is as follows: I have a firewall and behind it a proxy server running on port 3128.
> > Now, to block Yahoo chat access, I did the following in my squid.conf:
> I'm a little late in replying. The best way to set up access control is to start with a completely closed firewall and proxy. Open the ports you require and set up port redirection 80 -> 3128 (if Squid is running as a transparent proxy). Then open only THOSE services in Squid which you require. Also remember NOT to NAT the machines or put ANY machine in a DMZ.
Sorry for the late reply on this. I did exactly what everyone was suggesting: blocking all the ports and enabling only those ports that we require (80 8080 21 22 443). By doing so we automatically block Gtalk, Yahoo chat and MSN Messenger. Here is what I did:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# multiport takes --dports (plural); with --dport the tcp match would parse the list and reject it
iptables -A INPUT -p tcp -m multiport --dports 21,22,80,8080,443 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# REDIRECT lives in the nat table
iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
This is all great and all, but I have one IM installed on my system called "pidgin". I am able to log in there when it is configured for Yahoo Messenger.
Does anyone have any idea why this happens??
On Monday 17 Dec 2007, Agnello George wrote:
> [lots of iptables snipped] This is all great and all, but I have one IM installed on my system called "pidgin". I am able to log in there when it is configured for Yahoo Messenger.
> Does anyone have any idea why this happens??
This happens because you're using the wrong approach to block Internet services. Services are blocked by policy, not by technology. Tell your employees ``Do not use Yahoo at work'' and disincentivise the ones who continue using it. Works like a charm, and no messing around with iptables!
Even better, just reward your employees on their productivity. Then it doesn't matter whether they chat all day or not -- the question is, do they deliver and meet deadlines? If they do, why should you worry about how they achieve it?
BTW, did I just create a word?
Regards,
-- Raju
On Dec 18, 2007 9:21 AM, Raj Mathur raju@linux-delhi.org wrote:
> On Monday 17 Dec 2007, Agnello George wrote:
> > [lots of iptables snipped] This is all great and all, but I have one IM installed on my system called "pidgin". I am able to log in there when it is configured for Yahoo Messenger.
Well, I do not like to get my access to the Internet blocked, but anyway, I think this will work for you.
acl ysg dstdomain messenger.yahoo.com
acl ysg dstdomain shttp.msg.yahoo.com
acl ysg dstdomain psq.yahoo.com
acl ysg dstdomain us.il.yimg.com
Try to make these acls and deny access to these URLs in the Squid config file.
krazy
On 12/17/07, Agnello George agnello.dsouza@gmail.com wrote:
> On 12/16/07, Dinesh Joshi dinesh.a.joshi@gmail.com wrote:
> > On 12/13/07, Agnello George agnello.dsouza@gmail.com wrote:
> > > How do I block a client from accessing Yahoo chat? My current setup is as follows: I have a firewall and behind it a proxy server running on port 3128.
> > > Now, to block Yahoo chat access, I did the following in my squid.conf:
> > I'm a little late in replying. The best way to set up access control is to start with a completely closed firewall and proxy. Open the ports you require and set up port redirection 80 -> 3128 (if Squid is running as a transparent proxy). Then open only THOSE services in Squid which you require. Also remember NOT to NAT the machines or put ANY machine in a DMZ.
> Sorry for the late reply on this. I did exactly what everyone was suggesting: blocking all the ports and enabling only those ports that we require (80 8080 21 22 443). By doing so we automatically block Gtalk, Yahoo chat and MSN Messenger. Here is what I did:
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> iptables -A INPUT -p tcp -m multiport --dports 21,22,80,8080,443 -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> This is all great and all, but I have one IM installed on my system called "pidgin". I am able to log in there when it is configured for Yahoo Messenger.
> Does anyone have any idea why this happens??
As mentioned before, I said I was able to block all chats... I was, however, wrong. I am kind of lost here.... Below is my iptables file (generated by the command system-config-securitylevel):
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth2 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth2 -j MARK --set-mark 0x9
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT
Can someone just help me out here :(
Thanks
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth2 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
As per the above iptables I have blocked all ports, however I can still access ports 443 and 80 without mentioning them in the iptables... I don't understand why this is happening.... How do I block all ports?
On 12/17/07, Agnello George agnello.dsouza@gmail.com wrote:
> This is all great and all, but I have one IM installed on my system called "pidgin". I am able to log in there when it is configured for Yahoo Messenger.
> Does anyone have any idea why this happens??
Did you block Yahoo Messenger access from Squid too? Most probably pidgin is auto-detecting the proxy settings and tunneling data via port 80. You need to block Yahoo Messenger from Squid too.
regards VK