November 19, 2007

Blocking specific network applications with iptables

Author: Sergio Gonzalez Duran

Many organizations face a productivity problem with employees who abuse chat programs like MSN Messenger. Some IT departments are instructed to block this kind of traffic for users who either abuse or simply don't require the software. You can block applications like MSN Messenger in your proxy server, but some clients may still have access to the applications, because there are many versions of MSN Messenger in use, making blocking the application with a proxy server difficult. Instead, block MSN Messenger traffic more easily with iptables.

Different versions of Messenger identify themselves differently on the wire, so in Squid, for example, you must write a url_regex-based access control list that matches a string the MSN Messenger HTTP connection carries, such as gateway.dll in the request URL, and instruct the proxy to deny those requests. (The other string usually named, application/x-msn-messenger, is a Content-Type value rather than part of the URL, so in Squid it is matched with a req_mime_type ACL instead.) Squid only ever sees HTTP requests that pass through the proxy, which is why a block at the packet level is simpler.

Iptables uses three main tables to process packets going in and out of the firewall: mangle, which manipulates packets; nat, which does address translation between two networks, such as your LAN and the Internet; and filter, which filters packets. Each table has chains on which you write rules that accept, block, log, or redirect packets as they traverse the firewall. In Iptables Tutorial 1.2.2, Oskar Andreasson states that the PREROUTING chain in the mangle table is the first thing a packet hits when it enters the firewall (strictly, the raw table's PREROUTING chain is consulted even earlier, but you will rarely use it). This is where the blockade below is created; note that the conventional home for a rule that drops traffic forwarded between your LAN and the Internet is the FORWARD chain of the filter table, and the same rule works there too.

MSN Messenger clients connect to TCP port 1863 on the server side to establish a socket (other Internet services have their own well-known ports; /etc/services is a convenient list if you want to extend the approach). Knowing this, you can add a small addendum to whatever rules you already have in the iptables firewall. One caveat: when port 1863 is unreachable, the client falls back to tunnelling over HTTP, which is exactly the gateway.dll traffic a proxy rule catches, so a port-1863 block and a proxy rule complement each other.

Create a file that holds the IP addresses that you wish to block. Use one address per line, and add comments with the pound sign (#). (Your file could have line after line of IP addresses, no comments, and no blank lines, but it wouldn't be very understandable.)

# IP addresses blocked for msn messenger
# ********************************

# sales, office 2

# accounting (all)

# production, building A

Name this file as you wish; I called mine ip_msn. Now run the following command to remove the comments and the blank lines and create a temporary file that will become part of the iptables rules:

grep -v "#" /your/path/ip_msn | sed -e '/^$/d' > /tmp/temp

grep -v prints the lines that do not contain a # anywhere (so a comment placed after an address on the same line would discard that address too; keep comments on their own lines), and sed deletes the empty lines that remain; the shell redirects the result to the temporary file. Because the script runs as root and /tmp is world-writable, a fixed name like /tmp/temp can be pre-created as a symlink by a local user; a file created with mktemp, or one kept outside /tmp, avoids that.

Now create a short script (you can include the above command) that reads every address from this file and adds the iptables rules:

grep -v "#" /your/path/ip_msn | sed -e '/^$/d' > /tmp/temp
while read IP ; do
    # one rule per address: drop TCP packets from $IP bound for port 1863
    /sbin/iptables -t mangle -A PREROUTING -s "$IP" -p tcp --dport 1863 -j DROP
done < /tmp/temp

The -t option selects the mangle table, and -A appends the rule to the end of the named chain, here PREROUTING. The -s option specifies a source IP address, -p tcp restricts the rule to TCP packets, and --dport specifies destination port 1863. If a packet fulfills all these criteria, the target named by -j decides its fate: DROP discards it silently. (REJECT, which sends an error back to the client, is only accepted in the INPUT, FORWARD and OUTPUT chains, so it cannot be used in PREROUTING; use DROP there.) Append these lines in the appropriate place in your iptables configuration file. Remember that rules in a chain are evaluated top to bottom and the first match wins, so the order in which you place the rules for the mangle table is important; if an earlier rule in this chain accepts everything, this new block of rules will never be matched.

With so many network applications out there, you could enhance the script so it reads both the IP address and the port number from the same file, one IP:PORT pair per line. Your configuration file (named ip_ports_blocked) could look something like this:

# IP addresses blocked for different applications
# ********************************

# MSN messenger
# sales, office 2
# accounting (all)
# production, building A

# mysql
# sales, office 2 and 6

Here's the modified script to process that file:

grep -v "#" /your/path/ip_ports_blocked | sed -e '/^$/d' > /tmp/temp
while read row ; do
    IP=$(echo "$row" | cut -d":" -f1)     # text before the colon
    PORT=$(echo "$row" | cut -d":" -f2)   # text after the colon
    /sbin/iptables -t mangle -A PREROUTING -s "$IP" -p tcp --dport "$PORT" -j DROP
done < /tmp/temp
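Both scripts above (the single-port one for MSN Messenger and the IP:PORT one) strip a list file and loop over it. The following is an added example, not code from the original article, that does the same job more defensively: a trailing comment after an entry removes only the comment rather than the whole line, every address and port is validated before it becomes a rule, and the temporary file is created with mktemp instead of at a fixed /tmp/temp. The list contents and addresses are constructed for illustration from the RFC 5737 documentation ranges, and the dry_run function stands in for /sbin/iptables so the generated commands can be inspected before they are applied.

```shell
#!/bin/sh
# Added example, not code from the original article. Reads an IP:PORT block
# list in the article's format, validates each entry, and builds the iptables
# rules. Addresses below are constructed samples from RFC 5737 test ranges.

# Constructed sample of an ip_ports_blocked file: '#' comments (including
# trailing ones), blank lines, and two deliberately malformed entries.
SAMPLE_LIST='# IP addresses blocked for different applications
# MSN messenger
192.0.2.10:1863        # sales, office 2
192.0.2.0/24:1863      # accounting (all)
198.51.100.7:1863      # production, building A

# mysql
192.0.2.10:3306        # sales, office 2 and 6
203.0.113.9:3306
not-an-ip:3306         # malformed address, must be skipped
192.0.2.11:70000       # port out of range, must be skipped
'

# Strip comments and blank lines. Unlike grep -v "#", a trailing comment
# removes only the comment, not the whole entry.
clean_list() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Accept a dotted-quad IPv4 address with an optional /prefix (0-32).
valid_ip() {
    ip=${1%/*}
    pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32          # no prefix given: a host address
    case "$pfx" in *[!0-9]*|'') return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -f; set -- $ip; set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in *[!0-9]*|'') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Accept a TCP port in 1-65535.
valid_port() {
    case "$1" in *[!0-9]*|'') return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Stand-in for /sbin/iptables: print the command instead of running it.
dry_run() {
    printf 'iptables'; printf ' %s' "$@"; printf '\n'
}

# Emit one rule per valid entry in list file $1 through command $2 (default
# /sbin/iptables). Malformed entries are reported and skipped, so a typo
# never turns into a rule that silently matches nothing.
build_rules() {
    ipt=${2:-/sbin/iptables}
    clean_list "$1" | while IFS=: read -r ip port; do
        if ! valid_ip "$ip" || ! valid_port "$port"; then
            echo "skipping malformed entry: $ip:$port" >&2
            continue
        fi
        "$ipt" -t mangle -A PREROUTING -s "$ip" -p tcp --dport "$port" -j DROP
    done
}

# Write the constructed list to a private temporary file made by mktemp
# (a fixed name such as /tmp/temp can be pre-created as a symlink by a local
# user and then overwritten by the root-run script) and show the rules.
demo_rules() {
    tmp=$(mktemp) || return 1
    printf '%s' "$SAMPLE_LIST" > "$tmp"
    build_rules "$tmp" dry_run
    rm -f "$tmp"
}

demo_rules
```

Running the script prints five iptables commands and two "skipping malformed entry" messages on stderr. Replace dry_run with the real binary (call build_rules with the list file only) once the output looks right; DROP is used rather than REJECT because REJECT is not accepted in the PREROUTING chain.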

IT managers can use this technique to keep people from wasting time with unnecessary network applications. Use the script that best suits your needs, either to block a single application like MSN Messenger or to block several applications without a proxy.

