I don't want ICQ in my network! How?

Posted on 2002-05-13
Medium Priority
Last Modified: 2010-03-18
I am using Mandrake 8.1 as a NAT gateway. Could anyone show me how to prevent Windows clients from using ICQ?  I've tried the following and it doesn't work.

iptables -A INPUT -i eth1 -p tcp --dport 5190 -j DROP
iptables -A OUTPUT -o eth1 -p tcp --dport 5190 -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 1024:65535 -j DROP
iptables -A OUTPUT -o eth1 -p tcp --dport 1024:65535 -j DROP

(eth1 is my NIC connecting to the adsl modem)
Question by: carrado94

Expert Comment

ID: 7006907
iptables -I FORWARD -p tcp --dport 5190 -j DROP

# but keep in mind that there exist sophisticated proxies
# AFAIK there is no other way than an application level firewall

Expert Comment

ID: 7007043
You should also disable UDP and TCP port 4000:

iptables -I FORWARD -p tcp --dport 4000 -j DROP
iptables -I FORWARD -p udp --dport 4000 -j DROP

Author Comment

ID: 7007632
Thanks, guys.  I can now block the port successfully.  But I found that ICQ2002 allows users to enter any port number for logging into the servers.  I can't block all ports.  Can I do something else?  e.g. Can I block all traffic to domain name *.icq.com?

Expert Comment

ID: 7007758
iptables -I FORWARD -d <icq.com IP>/24 -j DROP

# where <icq.com IP> is the network to block, and /24 the size of this network
# probably you have to use more than one such rule

# and as I said before, only a application level firewall can do what you want

Author Comment

ID: 7008049
Actually login.icq.com is a domain name for a collection of IP addresses.  I cannot always monitor if any new IP is added as a login server.  So I prefer a solution that works on the domain name instead of IPs.

I've no idea on the application level firewall.  Is it a 3rd party software?  Where can I get one?

Accepted Solution

ahoffmann earned 400 total points
ID: 7008308
The only one I currently know is TIS Gauntlet. Unfortunately it was sold to NAI, so check at http://www.nai.com/. I'm not sure if TIS' FWTK can do it; also check at http://www.tis.com/ or http://www.fwtk.org/

Also have a look at the squid proxy, AFAIK you can do it there too.

Expert Comment

ID: 7023495
I think you will have problems disabling ICQ,
since it can use almost any port:

20 21 22 23 79 80 443 etc etc...

The only way I think can work is to prevent new software from being installed on the Windows clients.

I heard of a software called "deepfreeze" (www.deepfreezeusa.com) which I think can prevent these events.


Expert Comment

ID: 7570166
Add the following:

iptables -I FORWARD -j ICQ-CHECK

Then create a script /etc/cron.hourly/icq_check_update.sh which contains:

iptables -F ICQ-CHECK
for i in `/usr/bin/host login.icq.com | /bin/egrep "(([0-9])+\.){3,}" | /bin/cut -d " " -f 4`; do iptables -A ICQ-CHECK -d $i -j DROP; done

This will check every hour and update the list of IP addresses as needed.  You could make it check to see if they changed and not flush and rebuild the list each hour to be more efficient, but that's the idea of how to do it.
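The hourly refresh sketched in the comment above, written out in full as an added example (it is my script, not the commenter's or the original poster's) and combined with the FORWARD-chain port rules from the earlier comments. Assumptions: the ICQ-CHECK chain has been created once by hand and is reached from FORWARD (forwarded client traffic never traverses INPUT or OUTPUT on a NAT gateway, which is why the original ruleset did nothing); `/usr/bin/host` prints A records as "name has address A.B.C.D"; `iptables` lives in /sbin and cron runs the script as root. The `SAMPLE_HOST_OUTPUT` block is constructed test data using RFC 5737 documentation addresses, not real ICQ servers. Unlike the one-liner, it refuses to flush the chain when resolution returns nothing, so a DNS hiccup at the top of the hour does not silently unblock ICQ until the next run.

```shell
#!/bin/sh
# /etc/cron.hourly/icq_check_update.sh  (added example, not the poster's script)
#
# One-time setup, done by hand before the first run (assumed, not shown in
# the thread). Static port rules stay in FORWARD so a flush of ICQ-CHECK
# can never remove them:
#   iptables -N ICQ-CHECK
#   iptables -I FORWARD -j ICQ-CHECK
#   iptables -A FORWARD -p tcp --dport 5190 -j DROP
#   iptables -A FORWARD -p tcp --dport 4000 -j DROP
#   iptables -A FORWARD -p udp --dport 4000 -j DROP

BLOCK_HOST="${BLOCK_HOST:-login.icq.com}"
CHAIN="${CHAIN:-ICQ-CHECK}"
IPTABLES="${IPTABLES:-/sbin/iptables}"      # assumed path

# Pull dotted-quad addresses out of `host` output ("name has address A.B.C.D").
# Alias, MX and IPv6 lines are ignored; duplicate records are collapsed.
extract_ips() {
    sed -n 's/^.* has address \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)$/\1/p' | sort -u
}

# Turn a list of addresses (one per line on stdin) into the iptables commands
# that rebuild the chain. They are printed rather than executed so the rule
# set can be reviewed (or checked in a test) without root.
build_rules() {
    chain="$1"
    echo "$IPTABLES -F $chain"
    while read -r ip; do
        [ -n "$ip" ] || continue
        echo "$IPTABLES -A $chain -d $ip -j DROP"
    done
}

# Resolve, then rebuild. If resolution yields nothing (DNS outage, typo in
# BLOCK_HOST), keep the existing rules: a flush followed by no adds would
# leave the gateway wide open until the next hourly run.
refresh() {
    ips=$(host "$BLOCK_HOST" 2>/dev/null | extract_ips)
    if [ -z "$ips" ]; then
        echo "icq_check_update: no A records for $BLOCK_HOST, leaving $CHAIN untouched" >&2
        return 1
    fi
    printf '%s\n' "$ips" | build_rules "$CHAIN" | sh -e
}

# Constructed sample of `host` output for an offline check of the parser.
# The addresses are RFC 5737 documentation ranges, not ICQ's real servers.
SAMPLE_HOST_OUTPUT='login.icq.com is an alias for login.example.net.
login.example.net has address 192.0.2.20
login.example.net has address 192.0.2.10
login.example.net has address 192.0.2.20
login.example.net has IPv6 address 2001:db8::1
login.example.net mail is handled by 10 mx.example.net.'

# Only act when invoked under the cron script name; sourcing the file (for
# example to test the functions) does nothing.
case "${0##*/}" in
    icq_check_update.sh)
        if [ "${1-}" = "--dry-run" ]; then
            host "$BLOCK_HOST" | extract_ips | build_rules "$CHAIN"
        else
            refresh
        fi ;;
esac
```

Install it with `chmod 755 /etc/cron.hourly/icq_check_update.sh`, run it once with `--dry-run` to see the rules it would load, then confirm the live chain with `iptables -L ICQ-CHECK -n`. The limitation the thread keeps coming back to still applies: this only drops whatever login.icq.com resolves to from the gateway at that moment, so a client that reaches a server by another name or by address, or through an HTTP proxy, gets past it.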

Expert Comment

ID: 7923559
I successfully locked out ICQ by using these subnets (I still use ipchains but adapting this to iptables should be no problem).

ICQ is now owned by AOL, hence the patterns from AOL-like subnets. They DO change their server IPs regularly but getting rid of these complete subnets should do the trick.

It is outrageous that a chat software writer makes its software in such a manner that it actually attempts to bypass all networking security. ICQ and AOL both scan all ports possible to get through (even known reserved ports like http, pop, smtp and worse ... dns). It is possible that the dns port gets through after all. I read somewhere else on the net that you can add routing table entries pointing to "wherever" for these subnets to be sure to lock out ICQ.

Here is the part from my /etc/sysconfig/ipchains that does it:
-A output -s 0/0 -d -j DENY
-A output -s 0/0 -d -j DENY
-A output -s 0/0 -d -j DENY
-A output -s 0/0 -d -j DENY
-A output -s 0/0 -d -j DENY
-A output -s 0/0 -d -j DENY

Beware these subnets are for ICQ only AOL uses even other subnets.


Expert Comment

ID: 7924092
For an iptables solution, just read my very first suggestion, where you omit the --dport.

Expert Comment

ID: 8276265
Force Accepted

Community Support Moderator @Experts Exchange
