
Linux.com

Feature: System Administration

Blocking specific network applications with iptables

By Sergio Gonzalez Duran on November 19, 2007 (4:00:00 PM)


Many organizations face a productivity problem with employees who abuse chat programs such as MSN Messenger, and some IT departments are instructed to block this kind of traffic for users who abuse the software or simply don't need it. You can block MSN Messenger in your proxy server, but some clients may still get through, because many versions of MSN Messenger are in use and each one needs its own proxy signature. Blocking the traffic with iptables is simpler.

Each version of Messenger uses slightly different request headers when it tunnels over HTTP, so in Squid, for example, you must build access control lists (url_regex for the request URL, req_mime_type for the request content type) that scan every request passing through the proxy for a string identifying a Messenger connection, such as gateway.dll or application/x-msn-messenger, and instruct the proxy to deny those requests.

Iptables processes packets going in and out of the firewall through several tables: mangle, which alters packets; nat, which translates addresses between two networks, such as your LAN and the Internet; and filter, which accepts or drops packets (newer kernels also have a raw table, consulted before mangle). Each table has chains on which you write rules that accept, drop, log, or redirect packets as they traverse the firewall. In Iptables Tutorial 1.2.2, Oskar Andreasson states that the PREROUTING chain of the mangle table is the first thing a packet hits when it enters the firewall, and that is where this article places the blockade. Keep in mind that mangle is intended for altering packets; the conventional place for an accept-or-drop decision on traffic forwarded from the LAN is the FORWARD chain of the filter table, and the rules below work there unchanged.

MSN Messenger connects to port 1863/tcp on the server side (consult a list of well-known ports for other Internet services). Knowing this, you can add a small block of rules to whatever rules you already have in your iptables firewall. Be aware that a client that cannot reach port 1863 can fall back to tunneling the same protocol over HTTP through gateway.dll, which is exactly the traffic the proxy signatures above catch; blocking port 1863 stops only the direct connection.

Create a file holding the IP addresses you wish to block, one address per line, with comments introduced by the pound sign (#). (The file could be nothing but addresses, without comments or blank lines, but it would be far less understandable.)

# IP addresses blocked for msn messenger
# ********************************

# sales, office 2
192.168.100.10

# accounting (all)
192.168.100.23
192.168.100.24
192.168.100.25

# production, building A
192.168.100.50

Name this file as you wish; I called mine ip_msn. Now run the following command to strip the comments and blank lines into a temporary file from which the iptables rules will be built. (A fixed name in the world-writable /tmp is convenient, but since the script runs as root a predictable path there is a classic symlink-attack target; mktemp, or a directory only root can write to, is safer.)

grep -v '^#' /your/path/ip_msn | sed -e '/^$/d' > /tmp/temp

grep -v '^#' outputs the lines that do not start with #, sed deletes the empty lines, and the result is redirected to the temporary file. Anchor the pattern with ^ so that only lines beginning with # count as comments; an unanchored "#" would discard any line containing a # anywhere.

Now create a short script (you can include the above command) that reads every address from this file and adds the iptables rules:

grep -v '^#' /your/path/ip_msn | sed -e '/^$/d' > /tmp/temp
# One rule per address; DROP, because the REJECT target is only valid in the
# INPUT, FORWARD and OUTPUT chains of the filter table
while read -r IP ; do
    /sbin/iptables -t mangle -A PREROUTING -s "$IP" -p tcp --dport 1863 -j DROP
done < /tmp/temp

The -t option selects the mangle table, and -A appends the rule to the named chain, here PREROUTING. The -s option matches the source IP address, -p tcp matches TCP packets, and --dport matches destination port 1863. If a packet fulfills all these criteria, the -j option says what to do with it: DROP discards it silently, whereas REJECT sends an error back to the client but is only valid in the INPUT, FORWARD, and OUTPUT chains of the filter table, so it cannot be used in PREROUTING. Add these lines at the appropriate place in the script that loads your firewall rules. Remember that rules are matched top to bottom, so the position of the rules within the mangle table matters: if an earlier rule in the same chain accepts everything, this new block will never be matched.

With so many network applications out there, you could enhance the script so that it accepts different port numbers and IP addresses in the same file. Your configuration file (named ip_ports_blocked) could look something like this:

# IP addresses blocked for different applications
# ********************************

# MSN messenger
# sales, office 2
192.168.100.10:1863
# accounting (all)
192.168.100.23:1863
192.168.100.24:1863
192.168.100.25:1863
# production, building A
192.168.100.50:1863

# mysql
# sales, office 2 and 6
192.168.100.10:3306
192.168.100.11:3306

Here's the modified script to process that file:

grep -v '^#' /your/path/ip_ports_blocked | sed -e '/^$/d' > /tmp/temp
# Split each row at the colon into the address and the port number
while IFS=: read -r IP PORT ; do
    # Skip malformed rows rather than passing an empty value to iptables
    [ -n "$IP" ] && [ -n "$PORT" ] || continue
    /sbin/iptables -t mangle -A PREROUTING -s "$IP" -p tcp --dport "$PORT" -j DROP
done < /tmp/temp

IT managers can use this technique to keep people from wasting time on unnecessary network applications. Use whichever script suits your needs, either to block a single application such as MSN Messenger or to block several applications at once, without a proxy.

Sergio Gonzalez Duran is a Linux administrator, systems developer, and network security counselor who also teaches Linux courses and publishes the Spanish-oriented Linux and open source Web site linuxtotal.com.mx.


Comments on Blocking specific network applications with iptables

Improved grep/script

Posted by: Anonymous [ip: 66.191.115.187] on November 19, 2007 05:50 PM
I think you could change your grep/sed pipe to a single grep command (which I imagine would be slightly more efficient):


grep '^[^#]' /your/path/ip_msn


This should output any lines that start with something other than #, which also skips blank lines (because they start with nothing). I also think your loop could be rewritten like this to avoid the temporary file:


for IP in $(grep '^[^#]' /your/path/ip_msn) ; do
    # DROP rather than REJECT: the REJECT target is not valid in PREROUTING
    /sbin/iptables -t mangle -A PREROUTING -s "$IP" -p tcp --dport 1863 -j DROP
done


Regards,

Keith


Re: Improved grep/script

Posted by: Anonymous [ip: 189.166.251.25] on November 19, 2007 08:53 PM
I tested as indicated by Keith and it works better than the original. I don't like the idea of leaving temporary files in /tmp; they may be edited or something, so this solution is more efficient and more secure. Thanks.

Re: Improved grep/script

Posted by: Anonymous [ip: 169.233.25.105] on November 20, 2007 03:55 PM
Better to use "while read" than to use "for ... in".

Blocking specific network applications with iptables

Posted by: Anonymous [ip: 128.187.0.164] on November 19, 2007 06:12 PM
The title is misleading - I was expecting an article about how to block _applications_, not the already common _ports_of_an_application.


Re: Blocking specific network applications with iptables

Posted by: Anonymous [ip: 207.138.32.130] on November 20, 2007 01:35 AM
Seconded.

Great article, but the title really should be changed.


Blocking specific network applications with iptables

Posted by: Anonymous [ip: 143.195.150.42] on November 19, 2007 08:35 PM
more easily?


Blocking specific network applications with iptables

Posted by: Anonymous [ip: 200.115.251.143] on November 20, 2007 02:32 AM
why mangle? isn't it enough filter:forward?


Blocking specific network applications with iptables

Posted by: Anonymous [ip: 164.164.97.81] on November 20, 2007 06:36 AM
Nice article, yeah, the title could have been different though.

--Sachin

Blocking Skype ?

Posted by: Anonymous [ip: 89.217.130.41] on November 20, 2007 09:21 AM
Well, nice... How can I do the same with Skype ?


Blocking specific network applications with iptables

Posted by: Anonymous [ip: 84.94.205.29] on November 20, 2007 11:24 AM
The article name is misleading - specific ports are blocked, not specific applications.

I would really be interested to see how you block specific applications.

That is, I would like to see how to make certain ports disabled on a per-application basis.

this is really wrong

Posted by: Anonymous [ip: 164.39.53.112] on November 20, 2007 11:50 AM
In most MSN, Yahoo, and AIM clients you can change the port to use. For example, the Yahoo client uses a wide port range, and a wider IP range, so this type of port filtering is really not useful. And I am not talking nonsense; I was involved in this type of filtering. Really, the only useful application-based filtering is a proxy, but that also becomes useless when it comes to third-party online clients, which are not few, and also come with many mirrors. The best option seen so far is using internal instant messaging, which keeps users busy chatting with each other internally, and maybe talking business :) .

Re: this is really wrong

Posted by: Anonymous [ip: 151.188.247.104] on November 21, 2007 07:12 PM
You are quite correct. You can't stop *applications* this way. We're in the middle of a major botnet infestation that uses TCP 80 as its control channel. We want to block the botnet traffic, but not normal Web surfing.

The title should be changed. I was expecting to see something akin to Cisco's Network-Based Application Recognition (NBAR), which actually does block application data, regardless of the port. Packeteer PacketShapers will do it, too.


Blocking specific network applications with iptables

Posted by: Anonymous [ip: 213.100.106.68] on November 20, 2007 02:10 PM
l7-filter could probably be used to block specific applications since it "identifies packets based on application layer data. It can classify packets as Kazaa, HTTP, Jabber, Citrix, Bittorrent, FTP, Gnucleus, eDonkey2000, etc., regardless of port." See http://l7-filter.sourceforge.net/ for more information. I haven't tried it in a long time, but it worked very well the last time I used it.


Re: Blocking specific network applications with iptables

Posted by: Anonymous [ip: 130.232.120.75] on November 22, 2007 12:23 PM
Doesn't work with custom applications and doesn't work with any applications that encrypt all "application layer data".


Blocking specific network applications with iptables

Posted by: Anonymous [ip: 152.17.103.33] on November 20, 2007 03:34 PM
See NuFw, which includes some stuff for netfilter:
http://www.nufw.org
(unfortunately the website of the nufw project and the INL company are only in French :( )
In two words: you can have a packet-filtering policy based on the OS users and all the applications running (not only an IP-based filtering policy) ...
