Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: Normando on January 28, 2005, 03:32:32 AM

Title: How to block internet access for messenger too?
Post by: Normando on January 28, 2005, 03:32:32 AM
I need to block internet access on some machines in my client's shop.
First I installed IP Block by AbeLoveLess, and it did not work for me because it blocks the LAN too.
Then I installed squidProperties-0.3.tar by Abe too. This works great; it blocks internet access but not MSN Messenger. Is there any way to do this?
Thanks for the help.
Sorry for my language
PicsOne
Title: How to block internet access for messenger too?
Post by: Normando on January 30, 2005, 04:52:41 PM
Anyone?
Title: How to block internet access for messenger too?
Post by: hanscees on January 30, 2005, 11:51:51 PM
You can use squid ACLs to stop IPs, I think. You can also use iptables.

I don't know the best way to do this using the manager.

Hans-Cees
Title: How to block internet access for messenger too?
Post by: nigeltodd on February 03, 2005, 03:25:53 AM
I would suspect that closing the appropriate port(s) would achieve this. Alas, I do not know which port(s) off the top of my head, although a quick Google threw up these ones:

1863: Server connection/conversation connections
3389: Remote Assistance (XP only)
1503: Whiteboard/Application Sharing (XP only -- connected to Netmeeting)
6891-6900: 10 File transfer ports for file simultaneous transfers
5004-65535: Audio (and video in XP) dynamic ports

Good luck
Title: How to block internet access for messenger too?
Post by: Normando on February 03, 2005, 04:21:49 AM
Thanks all for the replies.
I found an interesting document about blocking MSN. It says:
---------------------------------------------
The secret to successfully blocking MSN is not to block port 1863 directly, because Messenger pops up on port 80!!!!!
The formula is: redirect port 1863 to a nonexistent IP
With iptables:
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.53 --dport 1863 -j DNAT --to-destination 192.168.0.5:1863
where 192.168.0.53 is the IP of the PC that has Messenger and
192.168.0.5 is the IP of a nonexistent PC.
When redirected to a computer that doesn't exist, Messenger believes that the service is dead and cannot make a session :D
----------------------------------------------
Well, I will try this, but I don't know how to implement this with iptables. Maybe with the Muso contrib?
Title: How to block internet access for messenger too?
Post by: raem on February 03, 2005, 08:03:50 AM
If you install Dansguardian you can block URLs and that will effectively stop MSN Messenger from logging in. No login, no use !! I have used it this way and it does work.

Command line version see
http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/dansguardian%20instal%20&%20configure%20HOWTO%20for%20sme%20server.htm

Server manager version see dungog.net
Title: How to block internet access for messenger too?
Post by: hanscees on February 03, 2005, 07:43:52 PM
If you have blocked HTTP access to the internet already, you only have to block port 1863.

hc
Title: How to block internet access for messenger too?
Post by: Normando on February 03, 2005, 11:14:05 PM
This is the result:
It does not work. I used iptables and it does not work.
Let me restate the concept:
I need to block some computers in the LAN.
For example 192.168.0.65
With Abe's contrib I can block internet access for this PC, but not MSN Messenger for this PC.
I need some PCs in the LAN to have access to the internet, including MSN Messenger, and other PCs to have no access to the ENTIRE internet, including MSN Messenger. Understand? Sorry for my bad English.

Can Dansguardian do this control per local IP?
Title: How to block internet access for messenger too?
Post by: raem on February 06, 2005, 02:59:36 PM
You can block Internet access completely to all PCs (using *.* in one of the config files) and then put the IPs of the PCs allowed to access the Internet in the exclusion config files.
Title: How to block internet access for messenger too?
Post by: sebahot on April 10, 2005, 11:53:56 PM
Quote
You can block Internet access completely to all PCs (using *.* in one of the config files) and then put the IPs of the PCs allowed to access the Internet in the exclusion config files.


Where are those config files?

Sebastian
Title: How to block internet access for messenger too?
Post by: raem on April 11, 2005, 12:03:46 AM
Sebastian

> Where are those config files?

They are the dansguardian config files in
/etc/dansguardian/.....
eg
/etc/dansguardian/bannedextensionlist
/etc/dansguardian/bannediplist

Open each file and read the tips about configuration & configure as required. Also read my HOWTO

http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/dansguardian%20instal%20&%20configure%20HOWTO%20for%20sme%20server.htm
Title: How to block internet access for messenger too?
Post by: funkusmunkus on April 11, 2005, 05:25:31 AM
Here's what Microsoft says about blocking Messenger: the port and the websites to block as well.
http://support.microsoft.com/kb/889829

hope that helps
cheers
Title: How to block internet access for messenger too?
Post by: lu2fgn on April 12, 2005, 12:53:24 PM
Hello ??

Hi, this is what I found; it might work:

# MSN Messenger
/sbin/iptables -A FORWARD -p TCP --dport 1863 -j DROP
/sbin/iptables -A FORWARD -d 64.4.13.0/24 -j DROP

I used something like this for Kazaa and it appears to work.

If you want, contact me directly.

Alberto
lu2fgn at yahoo.com.ar
 :hammer:
Title: How to block internet access for messenger too?
Post by: sebahot on April 12, 2005, 10:24:34 PM
Ray

Thank you!
The IPs will be blocked from accessing squid, but if they use some P2P programs (that do not use squid) they will be able to access the internet.
Is that correct?

Sebastian
Title: How to block internet access for messenger too?
Post by: lu2fgn on April 13, 2005, 04:48:58 AM
Hi Sebastian

http://redes-linux.all-inone.net/manuales/ancho_banda/qos_p2p.pdf

The first is a kernel 2.6.8.1 and will control several things, also the number of connections allowed. Some parts of this PDF are in Spanish; when I can resolve the 2.6.8.1 I will put my nose into this and make some kind of howto in English.
Here is a list that I found; I changed REJECT to DROP and this works on my 6.5 box (Kazaa).

# Audio Galaxy network
/sbin/iptables -A FORWARD -d 64.245.58.0/23 -j DROP
# Gnutella, Bearshare and ToadNode
/sbin/iptables -A FORWARD -p TCP --dport 6346 -j DROP
# eDonkey
/sbin/iptables -A FORWARD -p tcp --dport 4661:4662 -j DROP
/sbin/iptables -A FORWARD -p udp --dport 4665 -j DROP
# Kazaa and Morpheus ports and networks
/sbin/iptables -A FORWARD -p tcp --dport 1214 -j DROP
/sbin/iptables -A FORWARD -p udp --dport 1214 -j DROP
/sbin/iptables -A FORWARD -d 213.248.112.0/24 -j DROP
/sbin/iptables -A FORWARD -d 206.142.53.0/24 -j DROP
# Napigator network
/sbin/iptables -A FORWARD -d 209.25.178.0/24 -j DROP
# Napster network
/sbin/iptables -A FORWARD -d 64.124.41.0/24 -j DROP
# WinMX networks
/sbin/iptables -A FORWARD -d 209.61.186.0/24 -j DROP
/sbin/iptables -A FORWARD -d 64.49.201.0/24 -j DROP
# IMesh network
/sbin/iptables -A FORWARD -d 216.35.208.0/24 -j DROP
# Instant messaging.
# --dport is only valid together with a protocol match; the AIM/ICQ and
# Jabber lines had none, so -p tcp is assumed here.
# AIM and ICQ
/sbin/iptables -A FORWARD -p tcp --dport 9898 -j DROP
/sbin/iptables -A FORWARD -p tcp --dport 5190:5193 -j DROP
/sbin/iptables -A FORWARD -d login.oscar.aol.com -j DROP
/sbin/iptables -A FORWARD -d login.icq.com -j DROP
# Jabber
/sbin/iptables -A FORWARD -p tcp --dport 5222:5223 -j DROP
# MSN Messenger
/sbin/iptables -A FORWARD -p TCP --dport 1863 -j DROP
/sbin/iptables -A FORWARD -d 64.4.13.0/24 -j DROP
# Yahoo! Messenger
/sbin/iptables -A FORWARD -p TCP --dport 5000:5010 -j DROP
/sbin/iptables -A FORWARD -d cs.yahoo.com -j DROP
/sbin/iptables -A FORWARD -d scsa.yahoo.com -j DROP

Best regards
Alberto
:hammer:
P2P
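
Added example, not part of the original thread: the rules posted above match every forwarded packet, while the question was how to cut off only selected LAN PCs. This sketch prints (it does not apply) source-restricted rules per blocked host and rejects anything that is not a plain IPv4 address before it reaches a command line. The function names, the sample addresses and the proxy port 3128 (Squid's default) are assumptions.

```shell
#!/bin/sh
# Added example: generate per-host block rules as text for review.
PROXY_PORT=3128   # assumption: Squid listening on its default port

# Succeed only for a dotted quad with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=. read -r o1 o2 o3 o4 rest <<EOF
$1
EOF
    [ -n "$o4" ] && [ -z "$rest" ] || return 1
    for o in "$o1" "$o2" "$o3" "$o4"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Print the two rules that isolate one host from the internet.
block_host_rules() {
    valid_ipv4 "$1" || return 1
    # FORWARD only sees routed packets, so LAN-to-LAN traffic is untouched.
    # -I ... 1 places the rule ahead of any earlier ACCEPT in the chain.
    echo "/sbin/iptables -I FORWARD 1 -s $1 -j DROP"
    # Close the proxy as well, so a client cannot fall back to HTTP via Squid.
    echo "/sbin/iptables -I INPUT 1 -s $1 -p tcp --dport $PROXY_PORT -j DROP"
}

# Print rules for every argument; return 1 if any address was rejected.
build_ruleset() {
    rc=0
    for h in "$@"; do
        block_host_rules "$h" || { echo "# skipped invalid address: $h"; rc=1; }
    done
    return $rc
}

# Constructed sample input: two blocked PCs and one mistyped address.
build_ruleset 192.168.0.65 192.168.0.53 192.168.0.300 || true
```
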
Title: How to block internet access for messenger too?
Post by: sebahot on April 16, 2005, 05:45:48 PM
I'd like to limit the upload/download bandwidth for each IP in my LAN to 80kbps with CBQ. I have 2 files called cbq-80.eth1_up and cbq-80.eth0_down, as follows:

--------------------
cbq-80.eth1_up
--------------------
DEVICE=eth1,100Mbit,10Mbit
RATE=80Kbit
WEIGHT=8Kbit
PRIO=6
MARK=10
MARK=11
MARK=12
MARK=13
MARK=14
MARK=15
MARK=16
MARK=17
MARK=18
MARK=19
MARK=20


--------------------
cbq-80.eth0_down
--------------------
DEVICE=eth0,100Mbit,10Mbit
RATE=80Kbit
WEIGHT=8Kbit
PRIO=6
RULE=10.38.1.10
RULE=10.38.1.11
RULE=10.38.1.12
RULE=10.38.1.13
RULE=10.38.1.14
RULE=10.38.1.15
RULE=10.38.1.16
RULE=10.38.1.17
RULE=10.38.1.18
RULE=10.38.1.19
RULE=10.38.1.20

For limiting upload I mark packets (because I use NAT) with
iptables --table mangle -A POSTROUTING --out-interface eth1 --source 10.38.1.10 -j MARK --set-mark 10
iptables --table mangle -A POSTROUTING --out-interface eth1 --source 10.38.1.11 -j MARK --set-mark 11
(and so on for every IP)

The problem I have is that the IPs get the 80kbps bandwidth divided among them, instead of each IP getting 80kbps of bandwidth for upload and 80kbps for download.

Please help me with this.

Sebastian