[H-GEN] Limiting MSN Access

Russell Stuart russell at stuart.wattle.id.au
Tue Jul 8 00:05:15 EDT 2003


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

On Tue, 2003-07-08 at 10:25, Anthony Irwin wrote:
> The company I work for is having problems with people using MSN Messenger
> during the day, I have been asked to investigate ways to limit the use of
> MSN.
> 
> They would like to do one of the following things and I was wondering if
> anyone has done anything like this or can point me in the right direction.
> 
> -1 They would like to block MSN during the hours of 9am to 5pm.
> -2 They would like to block MSN to certain IP Addresses
> -3 They would like to block MSN completely

MSN messenger attempts to connect to the server on port 1863. If that
fails then it will attempt to tunnel to the server via HTTP, using
Internet Explorer's proxy settings.  You have to block both avenues.

To block direct connections you must use ipchains under Linux 2.2, or
iptables under Linux 2.4.  You can find tutorials on ipchains here:
  http://www.netfilter.org/ipchains/
Tutorials on iptables are here:
  http://netfilter.samba.org/unreliable-guides/
If there is one thing that is extraordinary about ipchains and iptables,
it is the quality of the man pages provided by their author, Paul
(Rusty) Russell.  It is an example everybody should follow.

Briefly, to block port 1863 for ipchains (ports can only be matched once
a protocol is given, and every line but the last needs a trailing
backslash):
  ipchains \
    --append forward \
    --protocol tcp \
    --src <lanip>/<lanmask> \
    --destination-port 1863 \
    --syn \
    --jump REJECT
And for iptables:
  iptables \
    --table filter \
    --append FORWARD \
    --protocol tcp \
    --source <lanip>/<lanmask> \
    --destination-port 1863 \
    --syn \
    --jump REJECT \
    --reject-with icmp-port-unreachable

<lanip>/<lanmask> specifies the IP address range used by your LAN.  A
typical value would be 192.168.0.0/24.  If you want to ban particular
hosts on your LAN, then use multiple ipchains/iptables commands and
substitute their host addresses for <lanip>/<lanmask>.

A Red Hat specific thing is that once you have set up your chains/tables
to your satisfaction, you can execute for ipchains:
  ipchains-save >/etc/sysconfig/ipchains
And for iptables:
  iptables-save >/etc/sysconfig/iptables
This will restore your setup after you reboot.

If you want to prevent / allow access to MSN on a timed basis then you
will have to write a script that deletes or adds the chains/tables as
appropriate depending on the date/time, and run that script from
crontab.
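A cron-driven version of the add/delete script described above, as an added example that is not part of Russell's post. It assumes iptables on Linux 2.4 with the FORWARD chain and the 1863/REJECT rule from the post, the 9am to 5pm window from the question, a constructed LAN range of 192.168.0.0/24, and a placeholder script path in the cron lines.

```shell
#!/bin/sh
# Added example, not from the original post: block MSN's direct port (1863)
# between 09:00 and 17:00 and allow it otherwise, driven from cron.
# Assumes iptables (Linux 2.4); LAN range 192.168.0.0/24 is a constructed sample.
LAN_NET=192.168.0.0/24
START_HOUR=9    # blocking starts at 09:00 ...
END_HOUR=17     # ... and ends at 17:00 (exclusive)

# Decide the policy for an hour of day (00-23): prints "block" or "allow".
policy_for_hour() {
    hour=${1#0}          # strip a leading zero so "09" compares as 9
    hour=${hour:-0}      # "00" becomes "" above; treat it as 0
    if [ "$hour" -ge "$START_HOUR" ] && [ "$hour" -lt "$END_HOUR" ]; then
        echo block
    else
        echo allow
    fi
}

# One rule specification shared by insert and delete, so a delete always
# matches exactly the rule that was inserted.
rule_spec() {
    echo "FORWARD -p tcp -s $LAN_NET --dport 1863 --syn -j REJECT --reject-with icmp-port-unreachable"
}

# Bring the firewall in line with the policy. Safe to run repeatedly: every
# existing copy is deleted first, so cron runs never stack duplicate rules.
# $(rule_spec) is deliberately unquoted so it word-splits into arguments.
apply_policy() {
    while iptables -D $(rule_spec) 2>/dev/null; do :; done
    if [ "$1" = block ]; then
        iptables -I $(rule_spec)
    fi
}

# Usage: msn-block.sh apply    (from cron; the path below is a placeholder)
#   0 9  * * 1-5  /usr/local/sbin/msn-block.sh apply
#   0 17 * * 1-5  /usr/local/sbin/msn-block.sh apply
#   @reboot       /usr/local/sbin/msn-block.sh apply
# Running it at any other time is harmless: the policy comes from the clock.
case "${1:-}" in
    apply) apply_policy "$(policy_for_hour "$(date +%H)")" ;;
    show)  echo "current policy: $(policy_for_hour "$(date +%H)")" ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

The @reboot line matters because iptables rules are not persistent; without it a machine rebooted during working hours would come up with MSN allowed until the next 9am run.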

The next issue is preventing access via HTTP.  To do this you must use a
Web Proxy.  I assume you are using squid, and you already have it
running.  The first step is to prevent your users from by-passing your
proxy (which msn messenger will do) by using ipchains / iptables.  You
do this in the same manner as blocking msn messenger, but this time
instead of blocking port 1863 you block port 80.

The next step is to tell Squid to block access to MSN server, which you
can do by adding these lines to /etc/squid/squid.conf and restarting
squid:

  acl msnmsg url_regex ^http://gateway\.messenger\.hotmail\.com/gateway/gateway\.dll

  acl msnmsg url_regex ^http://64\.4\.[^/]*/gateway/gateway\.dll

  http_access deny msnmsg

Each paragraph above should be on one line, not word wrapped.  The
http_access line should be after the acl lines but before a line that
reads something like:

  http_access allow localhost

I suggest you don't ever allow access to msn via http.  It is less
efficient than the direct method, so you are better off forcing your
users to use direct access.

--
Russell
