Solved

I don't want ICQ in my network! How?

Posted on 2002-05-13
219 Views
Last Modified: 2010-03-18
I am using Mandrake 8.1 as a NAT gateway. Could anyone show me how to prevent windows clients from using ICQ?  I've tried the following and it doesn't work.

iptables -A INPUT -i eth1 -p tcp --dport 5190 -j DROP
iptables -A OUTPUT -o eth1 -p tcp --dport 5190 -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 1024:65535 -j DROP
iptables -A OUTPUT -o eth1 -p tcp --dport 1024:65535 -j DROP

(eth1 is my NIC connecting to the adsl modem)
Question by:carrado94
11 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7006907
iptables -I FORWARD -p tcp --dport 5190 -j DROP

# but keep in mind that there exist sophisticated proxies
# AFAIK there is no other way than an application level firewall
 
LVL 2

Expert Comment

by:canani
ID: 7007043
You should also disable UDP and TCP port 4000:

iptables -I FORWARD -p tcp --dport 4000 -j DROP
iptables -I FORWARD -p udp --dport 4000 -j DROP
 

Author Comment

by:carrado94
ID: 7007632
Thanks, you guys.  I can now block the port successfully.  But I found that ICQ2002 allows users to enter any port number for logging into the servers.  I can't block all ports.  Can I do something else?  e.g. Can I block all traffic to domain name *.icq.com?
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7007758
iptables -I FORWARD -d <icq.com IP>/24 -j DROP

# where <icq.com IP> is the network to block, and /24 the size of this network
#
# probably you have to use more than one such rule

# and as I said before, only an application level firewall can do what you want
 

Author Comment

by:carrado94
ID: 7008049
Actually login.icq.com is a domain name for a collection of IP addresses.  I cannot always monitor if any new IP is added as a login server.  So I prefer a solution that works on the domain name instead of IPs.

I've no idea on the application level firewall.  Is it a 3rd party software?  Where can I get one?
 
LVL 51

Accepted Solution

by:
ahoffmann earned 100 total points
ID: 7008308
The only one I currently know is TIS Gauntlet. Unfortunately it was sold to NAI, so check at http://www.nai.com/. I'm not sure if TIS' FWTK can do it also; check at http://www.tis.com/ or http://www.fwtk.org/

Also have a look at the squid proxy, AFAIK you can do it there too.
 
LVL 2

Expert Comment

by:joepezt
ID: 7023495
I think you will have problems disabling ICQ..
since it can use almost any port..

20 21 22 23 79 80 443 etc etc...

the only way I think can work is to prevent new software from being installed on the windows clients..

I heard of a software called "deepfreeze" (www.deepfreezeusa.com) which I think can prevent these events..
 
LVL 2

Expert Comment

by:quietyakr3
ID: 7570166
Add the following:

iptables -I FORWARD -j ICQ-CHECK

Then create a script /etc/cron.hourly/icq_check_update.sh which contains:

------------

#!/bin/bash

IPTABLES="/sbin/iptables"

# create the chain on the first run; on later runs -N fails (chain exists) and only the flush matters
$IPTABLES -N ICQ-CHECK 2>/dev/null
$IPTABLES -F ICQ-CHECK

# pull the A records out of the `host` output (4th field of "login.icq.com has address A.B.C.D")
# and drop forwarded traffic to and from each of them
for i in `/usr/bin/host login.icq.com | /bin/egrep "(([0-9])+\.){3,}" | /bin/cut -d " " -f 4`;
do
  $IPTABLES -A ICQ-CHECK -s "$i" -j DROP
  $IPTABLES -A ICQ-CHECK -d "$i" -j DROP
done

-------------

This will check every hour and update the list of IP addresses as needed.  You could make it check to see if they changed and not flush and rebuild the list each hour to be more efficient, but that's the idea of how to do it.
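As an added example (not quietyakr3's script or any other code from this thread), here is a variant of the hourly rebuild that fixes the two weak points of flushing and refilling the chain in place: every run briefly leaves the chain empty, and the firewall is rewritten even when DNS returned the same addresses. It assumes BIND-style `host` output ("login.icq.com has address A.B.C.D"), an iptables that supports -E (chain rename), and a hypothetical state file /var/lib/icq_check.ips.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the ICQ-CHECK chain hourly, but
# only when the resolved addresses change, and without a moment of no block.
# Assumes BIND-style `host` output ("name has address A.B.C.D") and iptables -E.
set -u
IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAIN="ICQ-CHECK"
STATE="${STATE:-/var/lib/icq_check.ips}"   # hypothetical path: list applied last time

# Keep only dotted-quad A records from `host` output on stdin; sort and
# deduplicate so the same DNS answers always yield an identical list.
extract_ips() {
    awk '$2 == "has" && $3 == "address" { print $4 }' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Print the iptables commands that build a fresh chain from the IPs on stdin
# and swap it in: the new FORWARD jump goes in before the old one is removed,
# so forwarded traffic is never unfiltered (the flush-then-refill script above
# has that window).  -D/-F/-X fail harmlessly on the very first run.
gen_rules() {
    new="${CHAIN}-NEW"
    echo "$IPTABLES -N $new"
    while read -r ip; do
        echo "$IPTABLES -A $new -s $ip -j DROP"
        echo "$IPTABLES -A $new -d $ip -j DROP"
    done
    echo "$IPTABLES -I FORWARD 1 -j $new"
    echo "$IPTABLES -D FORWARD -j $CHAIN 2>/dev/null || true"
    echo "$IPTABLES -F $CHAIN 2>/dev/null || true"
    echo "$IPTABLES -X $CHAIN 2>/dev/null || true"
    echo "$IPTABLES -E $new $CHAIN"   # the FORWARD jump follows the rename
}

# Succeeds (and records the new list) only when it differs from the last one.
list_changed() {
    [ -f "$STATE" ] && cmp -s "$STATE" "$1" && return 1
    cp "$1" "$STATE"
}

main() {
    tmp=$(mktemp) || exit 1
    /usr/bin/host login.icq.com | extract_ips > "$tmp"
    # an empty list (DNS failure) must not remove the existing block
    if [ -s "$tmp" ] && list_changed "$tmp"; then
        gen_rules < "$tmp" | sh -e
    fi
    rm -f "$tmp"
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it from cron with `--run`; `gen_rules` prints the commands, so it can also be inspected with a dry `host login.icq.com | extract_ips | gen_rules` before anything is applied.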
 
LVL 1

Expert Comment

by:gbonne
ID: 7923559
I successfully locked out ICQ by using these subnets (I still use ipchains, but adapting this to iptables should be no problem).

ICQ is now owned by AOL, hence the patterns from AOL-like subnets. They DO change their server IPs regularly, but getting rid of these complete subnets should do the trick.

It is outrageous that a chat software writer makes its software in such a manner that it actually attempts to bypass all networking security. ICQ and AOL both scan all ports possible to get through (even known reserved ports like http, pop, smtp and worse ... dns). It is possible that the dns port gets through after all. I read somewhere else on the net that you can add routing table entries pointing to "wherever" for these subnets to be sure to lock out ICQ.

Here is the part from my /etc/sysconfig/ipchains that does it:
-A output -s 0/0 -d 205.188.179.0/24 -j DENY
-A output -s 0/0 -d 205.188.162.0/24 -j DENY
-A output -s 0/0 -d 64.12.161.0/24 -j DENY
-A output -s 0/0 -d 64.12.162.0/24 -j DENY
-A output -s 0/0 -d 64.12.163.0/24 -j DENY
-A output -s 0/0 -d 64.12.200.0/24 -j DENY

Beware: these subnets are for ICQ only; AOL uses even other subnets.

Yours,
Tonton.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7924092
for an iptables solution, just read my very first suggestion where you omit the --dport
;-)
 

Expert Comment

by:SpideyMod
ID: 8276265
Force Accepted

SpideyMod
Community Support Moderator @Experts Exchange
