Solved

I don't want ICQ in my network! How?

Posted on 2002-05-13
Last Modified: 2010-03-18
I am using Mandrake 8.1 as a NAT gateway. Could anyone show me how to prevent Windows clients from using ICQ? I've tried the following and it doesn't work.

iptables -A INPUT -i eth1 -p tcp --dport 5190 -j DROP
iptables -A OUTPUT -o eth1 -p tcp --dport 5190 -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 1024:65535 -j DROP
iptables -A OUTPUT -o eth1 -p tcp --dport 1024:65535 -j DROP

(eth1 is my NIC connecting to the adsl modem)
Question by:carrado94
11 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7006907
iptables -I FORWARD -p tcp --dport 5190 -j DROP

# but keep in mind that there exist sophisticated proxies
# AFAIK there is no other way than an application level firewall
0
 
LVL 2

Expert Comment

by:canani
ID: 7007043
You should also disable UDP and TCP port 4000:

iptables -I FORWARD -p tcp --dport 4000 -j DROP
iptables -I FORWARD -p udp --dport 4000 -j DROP
0
 

Author Comment

by:carrado94
ID: 7007632
Thanks, guys. I can now block the port successfully. But I found that ICQ2002 allows users to enter any port number for logging into the servers. I can't block all ports. Can I do something else? E.g., can I block all traffic to domain name *.icq.com?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7007758
iptables -I FORWARD -d <icq.com IP>/24 -j DROP

# where <icq.com IP> is the network to block, and /24 the size of this network
#
# probably you have to use more than one such rule

# and as I said before, only an application-level firewall can do what you want
0
 

Author Comment

by:carrado94
ID: 7008049
Actually login.icq.com is a domain name for a collection of IP addresses. I cannot always monitor if any new IP is added as a login server. So I prefer a solution that works on the domain name instead of IPs.

I've no idea about the application-level firewall. Is it 3rd-party software? Where can I get one?
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 100 total points
ID: 7008308
The only one I currently know is TIS Gauntlet. Unfortunately it was sold to NAI, so check at http://www.nai.com/. I'm not sure if TIS' FWTK can do it; also check at http://www.tis.com/ or http://www.fwtk.org/

Also have a look at the squid proxy, AFAIK you can do it there too.
0
 
LVL 2

Expert Comment

by:joepezt
ID: 7023495
I think you will have problems disabling ICQ,
since it can use almost any port:

20 21 22 23 79 80 443 etc etc...

The only way I think can work is to prevent new software from being installed on the Windows clients.

I heard of a software called "deepfreeze" (www.deepfreezeusa.com) which I think can prevent these events.


0
 
LVL 2

Expert Comment

by:quietyakr3
ID: 7570166
Add the following:

iptables -I FORWARD -j ICQ-CHECK

Then create a script /etc/cron.hourly/icq_check_update.sh which contains:

------------

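#!/bin/bash

IPTABLES="/sbin/iptables"

# Create the chain on the first run; on later runs it already exists, so ignore the error
$IPTABLES -N ICQ-CHECK 2>/dev/null
# Empty the chain before rebuilding it
$IPTABLES -F ICQ-CHECK

# Take the address (4th field) from each address line of the host output
for i in $(/usr/bin/host login.icq.com | /bin/egrep "(([0-9])+\.){3,}" | /bin/cut -d " " -f 4);
do
  $IPTABLES -A ICQ-CHECK -s "$i" -j DROP
  $IPTABLES -A ICQ-CHECK -d "$i" -j DROP
done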

-------------

This will check every hour and update the list of IP addresses as needed.  You could make it check to see if they changed and not flush and rebuild the list each hour to be more efficient, but that's the idea of how to do it.
0
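An added example, not part of the original answer: a variant of the hourly script that rebuilds the ICQ-CHECK chain only when the resolved address set has changed, and leaves the existing rules in place when the lookup returns nothing. The state file path, the function names and the sample `host` output (documentation addresses, not real ICQ servers) are assumptions, as is the "NAME has address IP" output format.

```shell
#!/bin/bash
# Added example: update the ICQ-CHECK chain only when login.icq.com resolves differently.
# Assumptions: STATE path and function names are illustrative, not from the thread.
IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAIN="ICQ-CHECK"
STATE="${STATE:-/var/run/icq_check.ips}"   # hypothetical state file

# Extract IPv4 addresses from `host` output on stdin: validated, sorted, unique.
parse_host_output() {
  awk '$2 == "has" && $3 == "address" { print $4 }' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Print the iptables commands for the address list on stdin (one address per line).
build_rules() {
  while read -r ip; do
    [ -n "$ip" ] || continue
    echo "$IPTABLES -A $CHAIN -s $ip -j DROP"
    echo "$IPTABLES -A $CHAIN -d $ip -j DROP"
  done
}

# Succeed only if the new list is non-empty and differs from the saved one.
needs_update() {   # $1 = new list, $2 = old list
  [ -n "$1" ] && [ "$1" != "$2" ]
}

update_chain() {   # $1 = hostname to resolve
  local new old
  new=$(/usr/bin/host "$1" | parse_host_output)
  old=$(cat "$STATE" 2>/dev/null)
  needs_update "$new" "$old" || return 0   # lookup failed or unchanged: keep rules
  "$IPTABLES" -N "$CHAIN" 2>/dev/null      # create on first run, ignore "exists"
  "$IPTABLES" -F "$CHAIN"
  printf '%s\n' "$new" | build_rules | sh  # addresses were validated above
  printf '%s\n' "$new" > "$STATE"
}

# Constructed sample of `host` output, used only to exercise the parser offline.
SAMPLE='login.icq.com is an alias for login.example.net.
login.example.net has address 192.0.2.20
login.example.net has address 192.0.2.10
login.example.net has address 192.0.2.20
login.example.net mail is handled by 10 mx.example.net.'

# Touch the firewall only when asked to: icq_check_update.sh apply
if [ "${1:-}" = "apply" ]; then update_chain login.icq.com; fi
```

Run from cron as `icq_check_update.sh apply`; without the argument the script only defines its functions and changes nothing.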
 
LVL 1

Expert Comment

by:gbonne
ID: 7923559
I successfully locked out ICQ by using these subnets (I still use ipchains, but adapting this to iptables should be no problem).

ICQ is now owned by AOL, hence the patterns from AOL alike subnets. They DO change their server IPs regularly, but getting rid of these complete subnets should do the trick.

It is outrageous that a chat software writer makes its software in such a manner that it actually attempts to bypass all networking security. ICQ and AOL both scan all ports possible to get through (even known reserved ports like http, pop, smtp and worse ... dns). It is possible that the dns port gets through after all. I read somewhere else on the net that you can add routing table entries pointing to "wherever" for these subnets to be sure to lock out ICQ.

Here is the part from my /etc/sysconfig/ipchains that does it:
-A output -s 0/0 -d 205.188.179.0/24 -j DENY
-A output -s 0/0 -d 205.188.162.0/24 -j DENY
-A output -s 0/0 -d 64.12.161.0/24 -j DENY
-A output -s 0/0 -d 64.12.162.0/24 -j DENY
-A output -s 0/0 -d 64.12.163.0/24 -j DENY
-A output -s 0/0 -d 64.12.200.0/24 -j DENY

Beware: these subnets are for ICQ only; AOL uses even other subnets.

Yours,
Tonton.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7924092
For an iptables solution, just read my very first suggestion where you omit the --dport
;-)
0
 

Expert Comment

by:SpideyMod
ID: 8276265
Force Accepted

SpideyMod
Community Support Moderator @Experts Exchange
0
