Effectively Blocking Msn And P2P

Introduction

This document explains how to effectively block MSN and P2P on your home or work network, provided you're using a linux gateway for Internet connectivity.

These blocks can be disabled for some computers based on their network card MAC address. Keep reading to learn how.

Several approaches exist for blocking MSN/P2P networks. Some of these are:

  • blocking incoming/outgoing ports (using both IP-based and program-based firewalls)
  • preventing users from installing the software (using Windows access rights, for example)
  • blocking access to some websites using a proxy server

Each of them has its advantages and disadvantages. Unfortunately there is no fail-proof method to block P2P/MSN. Yet you can combine several methods to achieve a very high level of protection.

That being said, I will provide here the steps to set up an MSN/P2P block using shorewall (an iptables frontend) and a squid transparent proxy. For this guide we will assume your LAN (192.168.1.0/24) interface is eth1 and your Internet interface is eth0.

Requisites

What you'll need:

  • a linux NAT gateway (a very common method to provide internet connectivity for private networks)
  • shorewall, which is platform-independent (written in shell script) and so very easy to install. Universal RPMs are provided on the main page
  • squid, which is a very common web proxy and comes bundled with most linux distributions nowadays

Using only a firewall approach doesn't work because both MSN and P2P clients can connect using port 80, which is the same port used for HTTP transport (web pages) and hence can't be blocked. Plus, there are now dozens of free web clients for MSN which can be used with just your browser and don't require any program to be installed at all.

Configuring shorewall

Download and install shorewall, and disable any other iptables firewall you're using.

Shorewall will take care of the following issues:

  • provide internet connectivity to the LAN using NAT
  • block all incoming / outgoing ports by default, except for those which are really used like ssh (22), ftp (21), smtp (25) and such
  • allow some machines to have unblocked access to the internet based on their network card MAC address
  • redirect all outgoing HTTP requests to our internal squid proxy (to implement the transparent proxy)

Step 1. Define the network interfaces in /etc/shorewall/interfaces:

net     eth0            detect          tcpflags
loc     eth1            detect          tcpflags

Step 2. Set up NAT for internet connectivity in /etc/shorewall/masq:

eth0   eth1

Step 3. Define default policies in /etc/shorewall/policy:

loc             net             REJECT
net             loc             REJECT
loc             fw              ACCEPT

Step 4. Define the rules in /etc/shorewall/rules:

# transparent proxy
REDIRECT        loc             3128            tcp     80      -       !192.168.1.0/24
# open outgoing ports
ACCEPT          loc             net             tcp     21,22,443,5222,5223

# computers with free unrestricted access to the internet
# boss PC
#ACCEPT                 loc:~00-0d-93-3d-e5-6c          net             all
# boss wife PC
#ACCEPT                 loc:~00-33-21-dd-3d-e4          net             all

Configuring squid

The procedure for installing squid will depend on your linux distribution. There is even a high probability that squid is already installed on your system if you chose a "default server installation" or something like that. Squid installation is outside the scope of this article. You may find more information on the squid home page.

Squid will take care of the following:

  • block access using the MSN HTTP gateway protocol
  • block access to certain known websites that provide MSN web clients
  • keep a log of every website visited by each PC, to track other potential MSN web sites you may be missing

All squid configuration goes in /etc/squid/squid.conf.

The following lines set up the transparent proxy mode:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

And the following lines allow using the squid proxy from PCs in your LAN and provide the blocking mechanism for MSN.

### rules to block msn, aim and other web IMs.

# block msn url regexs
acl msnregex url_regex -i gateway\.dll

# block msn/aim/icq domains
acl msndomains dstdomain webmessenger.msn.com messenger.hotmail.com
acl msndomains dstdomain messenger.net msn2go.com msnger.com iloveim.com
acl msndomains dstdomain piglet-im.com wbmsn.com aimexpress.aol.com meebo.com
acl msndomains dstdomain toc.oscar.aol.com webaim.net go.icq.com

# block msn mime type (thanks ramon for this tip!)
acl msnmime req_mime_type -i ^application/x-msn-messenger$

http_access deny msndomains 
http_access deny msnregex
http_access deny msnmime

# finally allow access to proxy from LAN (these lines must be the last ones)
acl lan src 192.168.1.0/24
http_access allow lan

Drawbacks

Although this is a somewhat strong method to block MSN/P2P access, it is not fail-proof. Ways to circumvent it are:

  • using third-party HTTP proxies to connect to MSN
  • using a newborn web MSN client not yet blocked. In order to keep these restricted you can take a look from time to time at the squid access log (/var/log/squid/access_log on some systems) and keep your MSN web clients list up to date
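Reviewing the access log by hand gets tedious, so here is an added Python script (not part of this guide) that applies the same domain list, url_regex and MIME checks to squid native-format log lines and reports, per client, what squid denied and which IM-looking hosts were served anyway. The log lines are constructed samples and newwebim.example is a placeholder host.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Block list copied from the squid.conf in this guide.
MSN_DOMAINS = {
    "webmessenger.msn.com", "messenger.hotmail.com", "messenger.net", "msn2go.com",
    "msnger.com", "iloveim.com", "piglet-im.com", "wbmsn.com", "aimexpress.aol.com",
    "meebo.com", "toc.oscar.aol.com", "webaim.net", "go.icq.com",
}
MSN_URL_REGEX = re.compile(r"gateway\.dll", re.IGNORECASE)
MSN_MIME = "application/x-msn-messenger"

# Constructed sample lines in squid's native access_log format:
# timestamp elapsed client action/code size method URL ident hierarchy/from content-type
SAMPLE_LOG = """\
1160000000.123    245 192.168.1.23 TCP_DENIED/403 1460 GET http://webmessenger.msn.com/ - NONE/- text/html
1160000001.456    120 192.168.1.50 TCP_DENIED/403 1460 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open - NONE/- text/html
1160000002.789     80 192.168.1.50 TCP_MISS/200 5120 GET http://www.example.org/index.html - DIRECT/203.0.113.5 text/html
1160000003.001     95 192.168.1.50 TCP_MISS/200 640 POST http://newwebim.example/session - DIRECT/203.0.113.9 application/x-msn-messenger
"""

def parse_line(line):
    """Split one native-format line into the fields we need; None if malformed."""
    parts = line.split()
    if len(parts) < 10:
        return None
    return {"client": parts[2], "action": parts[3], "url": parts[6], "mime": parts[9]}

def review(lines):
    """Per client: how many IM requests squid denied, and which IM-looking hosts got through."""
    report = defaultdict(lambda: {"denied": 0, "suspect_hosts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = urlsplit(rec["url"]).hostname or ""
        im_like = (host in MSN_DOMAINS or MSN_URL_REGEX.search(rec["url"]) is not None
                   or rec["mime"].lower() == MSN_MIME)
        if not im_like:
            continue
        if rec["action"].startswith("TCP_DENIED"):
            report[rec["client"]]["denied"] += 1
        else:
            # Served, not denied: a host (or gateway) the ACLs do not cover yet.
            report[rec["client"]]["suspect_hosts"].add(host)
    return dict(report)

if __name__ == "__main__":
    for client, info in sorted(review(SAMPLE_LOG.splitlines()).items()):
        print(client, info)
```

Hosts listed under suspect_hosts are the candidates to add to the msndomains ACL.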

However, this method should be enough to discourage web users from using MSN/P2P services.

Comments?

Any comments, corrections, suggestions and improvements to this guide will be greatly appreciated. Just drop them below.

3 responses

I like your solution, in fact it's pretty much identical to mine; maybe I can give you a small pointer. This rule acl msnmime req_mime_type -i ^application/x-msn-messenger$ you can use with rep_mime_type and http_reply_access. This will effectively catch the msn messenger traffic traveling under the http protocol. Since you are blocking any url that contains gateway.dll you are able to still block with the old common req_mime_type rule for x-msn-messenger. The only drawback I see from gateway.dll is that it will also block a google search for gateway.dll.

great!! works fine on my network… but how can I make an exception for an IP??

Exception

acl joe src 192.168.1.23 # Your IP

http_access deny msndomains !joe
http_access deny msnregex !joe
http_access deny msnmime !joe

Note: the character ! means except.
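As an added illustration (not part of the guide or of the responses above), the following Python mimics squid's first-match http_access evaluation for the deny rules from the squid section together with the !joe exception from this response, and shows why "allow lan" has to stay last. The request() helper, the shortened domain set and the request records are assumptions made for the demo.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# ACL definitions mirroring the squid.conf above (domain set shortened for the demo).
# dstdomain entries without a leading dot match the exact host only, as in squid.
ACLS = {
    "msnregex": ("url_regex", re.compile(r"gateway\.dll", re.IGNORECASE)),
    "msndomains": ("dstdomain", {"webmessenger.msn.com", "messenger.hotmail.com", "meebo.com"}),
    "msnmime": ("req_mime_type", re.compile(r"^application/x-msn-messenger$", re.IGNORECASE)),
    "lan": ("src", ipaddress.ip_network("192.168.1.0/24")),
    "joe": ("src", ipaddress.ip_network("192.168.1.23")),  # the exception from the response
}

# http_access lines in file order; a leading "!" negates that ACL term.
HTTP_ACCESS = [
    ("deny", ["msndomains", "!joe"]),
    ("deny", ["msnregex", "!joe"]),
    ("deny", ["msnmime", "!joe"]),
    ("allow", ["lan"]),  # must stay last, otherwise the deny lines never fire
]

def request(src, url, mime=""):
    """Build a minimal request record (constructed sample input, not real traffic)."""
    return {"src": src, "url": url, "host": urlsplit(url).hostname or "", "mime": mime}

def acl_matches(name, req):
    kind, arg = ACLS[name]
    if kind == "url_regex":
        return bool(arg.search(req["url"]))
    if kind == "dstdomain":
        return req["host"] in arg
    if kind == "req_mime_type":
        return bool(arg.search(req["mime"]))
    return ipaddress.ip_address(req["src"]) in arg  # kind == "src"

def decide(req, rules=HTTP_ACCESS):
    """First-match evaluation like squid: every term on a line must hold for it to apply."""
    for verdict, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return verdict
    # Nothing matched: squid applies the opposite of the last line's verdict.
    return "deny" if rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    print(decide(request("192.168.1.50", "http://meebo.com/")))  # deny
    print(decide(request("192.168.1.23", "http://meebo.com/")))  # allow (joe is exempt)
    # Same rules with "allow lan" moved to the top: the block is silently bypassed.
    print(decide(request("192.168.1.50", "http://meebo.com/"), [HTTP_ACCESS[-1]] + HTTP_ACCESS[:-1]))  # allow
```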