This document explains how to effectively block MSN and P2P at your home or work network provided you're using a linux gateway for internet connectivity.
These blocks can be disabled for some computers based on its network card MAC address. Keep reading to know how.
Several approach exists for blocking MSN/P2P networks. Some of these are:
- blocking incoming/outgoing ports (using both IP-based and program-based firewalls)
- prevent users from installing the software (using Windows access rights, for example)
- blocking access to some websites using a proxy server
Each one of them has its advantages and disadvantages. Unfortunately there is no fail-proof method to block P2P/MSN. Yet, you can combine several mothods to achieve a very high level of protection.
That being said, I will provide here the steps to setup a MSN/P2P block using shorewall (an iptables frontend) and a squid transparent proxy. For this guide will suppose your LAN (192.168.1.0/24) interface is eth1 and your Internet interface is eth0.
What you'll need:
- a linux NAT gateway (a very common method to provide internet connectivity for private networks)
- shorewall, which is platform-independant (made in base) so very easy to install. Universal RPMs provided in the main page
- squid, which is a very common web proxy and comes bundled in most linux distribution nowadays
Using only a firewall approach doesn't work because both MSN and P2P clients can use connect using port 80, which is the same port used for HTTP transport (web pages) and hence, it can't be blocked. Plus, there are now dozens of free web clients for MSN which can be used only with your browser and doesn't requiere any program at all to be installed.
Download and install shorewall, and disable any other iptables firewall you're using.
Shorewall will take care of the following issues:
- provide internet connectivity to the LAN using NAT
- block all incoming / outgoing ports by default, except for those which are really used like ssh (22), ftp (21), smtp (25) and such
- allow some machines to have unblocked access to the internet based on their network card MAC address
- redirect all outgoing http request to our internal squid proxy (to implement the transparent proxy)
Step 1. Define the network interfaces in /etc/shorewall/interfaces:
net eth0 detect tcpflags loc eth1 detect tcpflags
Step 2. Setup NAT for internet connectivity in /etc/shorewall/masq
Step 3. Define default policies in /etc/shorewall/policy
loc net REJECT net loc REJECT loc fw ACCEPT
Step 4. Define the rules in /etc/shorewall/rules
# transparent proxy REDIRECT loc 3128 tcp 80 - !192.168.1.0/24 # open outgoing ports ACCEPT loc net tcp 21,22,443,5222,5223 # computer with free unrestricted access to the internet # boss PC #ACCEPT loc:~00-0d-93-3d-e5-6c net all # boss wife PC #ACCEPT loc:~00-33-21-dd-3d-e4 net all
The procedure for installing squid will depend on your linux distribution. There is even a high probability that squid is already installed in your system if you choose a "default server installation" or something like that. Squid installation is outside the scope of this article. You may find more information in the squid home page.
Squid will take care of the following:
- block access using the MSN HTTP gateway protocol
- block access to certain know websites that provide MSN web clients
- keep a of every PC visited websites to track other potential MSN web sites you may be missing
All squid configuration goes in /etc/squid/squid.conf.
The following lines setup the transparent proxy mode:
httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on
And the following lines allows using the squid proxy from PCs in your LAN and provides the blocking mecanism for MSN.
### rules to block msn, aim and other web IMs. # block msn url regexs acl msnregex url_regex -i gateway\.dll # block msn/aim/icq domains acl msndomains dstdomain webmessenger.msn.com messenger.hotmail.com acl msndomains dstdomain messenger.net msn2go.com msnger.com iloveim.com acl msndomains dstdomain piglet-im.com wbmsn.com aimexpress.aol.com meebo.com acl msndomains dstdomain toc.oscar.aol.com webaim.net go.icq.com # block msn mime type (thanks ramon for this tip!) acl msnmime req_mime_type -i ^application/x-msn-messenger$ http_access deny msndomains http_access deny msnregex http_access deny msnmime # finally allow access to proxy from LAN (these lines must be the last ones) acl lan src 192.168.1.0/24 http_access allow lan
Although this is a somewhat strong method to block MSN/P2P access, it is not fail-proof. Ways to circumvent it are:
- using third-party HTTP proxies to connect to MSN
- using newborn web MSN client not yet blocked. in order to keep these ones restricted you can take a look from time to time to the squid access log (/var/log/squid/access_log in some systems and keep your MSN web clients list up to date
However, this method should be enough for discouraging web users to use MSN/P2P services.
Any comments, corrections, suggestions and improvements to this guide will be greatly appreciated. Just drop them below.