iptables to filter IM clients

Discussion in 'Tech Talk' started by lomfs24, Dec 18, 2004.

  1. lomfs24


    I am using iptables as a firewall on a Linux box. It is actually a Linksys wrt54gs wireless router that has been converted to a Linux box.

    Here's the problem: one of the machines on my network is a work machine that runs the business. The GM comes in and has no idea what she is doing, installs Yahoo IM and clicks every link she sees. I want to disable Yahoo IM and pretty much all IMs from that machine. I have the traffic to that machine isolated in iptables but I don't know how to filter IM traffic.

    1) There are about a zillion Yahoo servers, so to try to filter URLs would be a nightmare and would have to be constantly updated regularly.

    2) Yahoo IM does not run on a specific port. It looks for port 5050 but if it's not there will use any port.

    Are there a few key central servers for Yahoo that you initially log onto? What other way is there to filter that traffic?

    I have found a part of packet data that is consistent with all Yahoo IM traffic. It is the string YMSG and it is in all chat and command packets. Can iptables filter for something in packet data?

    I don't want to filter Yahoo from my whole network, just Yahoo IM traffic from one machine.
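The post above describes traffic that can use any port, carries the string YMSG, and should be filtered for one machine only. As an added example (not part of the original thread), this Python model compares a match anywhere in the payload with one anchored to the start of the payload; the addresses, sample payloads and the assumption that the marker leads the payload are all constructed for illustration.

```python
# Added illustration: models a payload-match firewall decision for one host.
# All addresses and payloads below are constructed sample data.
from dataclasses import dataclass

MARKER = b"YMSG"                # string the post reports in Yahoo IM packets
FILTERED_HOST = "192.168.1.50"  # hypothetical address of the work machine


@dataclass
class Packet:
    src: str        # LAN source address
    dport: int      # destination port (not used for the decision)
    payload: bytes  # TCP payload


def verdict(pkt, anchored):
    """Return 'DROP' or 'ACCEPT' for a packet leaving the LAN."""
    if pkt.src != FILTERED_HOST:
        return "ACCEPT"  # other machines keep Yahoo IM
    if anchored:
        # Assumption: the marker is the first bytes of the payload.
        hit = pkt.payload.startswith(MARKER)
    else:
        # Match anywhere in the payload, like a plain string match.
        hit = MARKER in pkt.payload
    return "DROP" if hit else "ACCEPT"


SAMPLES = {
    "im_default_port": Packet(FILTERED_HOST, 5050, b"YMSG" + bytes(16) + b"hello"),
    "im_fallback_port": Packet(FILTERED_HOST, 80, b"YMSG" + bytes(16) + b"hello"),
    "web_search": Packet(FILTERED_HOST, 80,
                         b"GET /search?q=YMSG+protocol HTTP/1.1\r\n\r\n"),
    "other_host_im": Packet("192.168.1.20", 5050, b"YMSG" + bytes(16) + b"hi"),
}


def evaluate(anchored):
    """Map each sample name to its verdict under the chosen match mode."""
    return {name: verdict(p, anchored) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("anchored" if mode else "anywhere", evaluate(mode))
```

Both modes drop the IM packets on either port and leave the other host alone; only the match-anywhere mode also drops the web request that merely mentions the string.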
  2. Deathwind


    This should drop everything with YMSG in it (could cause some seriously hard to diagnose issues down the line though):
    iptables -A INPUT -i eth0 -j DROP -m string --string "YMSG" -p tcp
    (your iptables has to support string matching for this to work though)

    Your best bet is blocking the login servers; another site claims these are some common ones: