Skype

wescley1
(usa Ubuntu)

Enviado em 08/08/2013 - 15:53h

Depois de uma semana procurando desisti. Não achei nada que pudesse me ajudar de forma eficiente.
Afinal, é possível bloquear o maldito do skype usando squid e iptables?
Se algum de vocês estiver conseguindo, por favor, me dêem uma luz D:

Buckminster
(usa Debian)

Enviado em 08/08/2013 - 16:01h

Veja isto:
http://wiki.squid-cache.org/ConfigExamples/Chat/Skype

wescley1
(usa Ubuntu)

Enviado em 08/08/2013 - 16:15h

é, não deu certo pra mim

Buckminster
(usa Debian)

Enviado em 08/08/2013 - 16:36h

Então você fez alguma coisa errada.

Tenta assim no Iptables:

iptables -I FORWARD -m string --algo bm --string "skype.com" -j DROP
iptables -I FORWARD -s 111.221.74.0/24 -j DROP
iptables -I FORWARD -s 111.221.77.0/24 -j DROP
iptables -I FORWARD -s 157.55.130.0/24 -j DROP
iptables -I FORWARD -s 157.55.235.0/24 -j DROP
iptables -I FORWARD -s 157.55.56.0/24 -j DROP
iptables -I FORWARD -s 157.56.52.0/24 -j DROP
iptables -I FORWARD -s 194.165.188.0/24 -j DROP
iptables -I FORWARD -s 195.46.253.0/24 -j DROP
iptables -I FORWARD -s 213.199.179.0/24 -j DROP
iptables -I FORWARD -s 63.245.217.0/24 -j DROP
iptables -I FORWARD -s 64.4.23.0/24 -j DROP
iptables -I FORWARD -s 65.55.223.0/24 -j DROP

wescley1
(usa Ubuntu)

Enviado em 08/08/2013 - 16:44h

como eu posso ter feito alguma coisa errada sendo que é só colocar o negócio no .conf? D:

olha só

#Porta padrao para acessar o proxy

#esta porta deve ser configurada em todos os computadores que farao 

#requisicoes no proxy

http_port 3128





#pasta com as mensagens de erro do squid

error_directory /etc/squid/error_pages









#cache internet

cache_dir ufs /cache/ 7000 16 256

cache_mem 100 MB



visible_hostname Server





#criacao de acls



#acl SSL_ports port 443 		#https

acl SSL_ports port 563		# snews

acl SSL_ports port 873		# rsync

#acl SSL_ports port 443		#https

#acl Safe_ports port 80		# http

acl Safe_ports port 21		# ftp

acl Safe_ports port 70		# gopher

acl Safe_ports port 210		# wais

acl Safe_ports port 1025-65535	# unregistered ports

acl Safe_ports port 280		# http-mgmt

acl Safe_ports port 488		# gss-http

acl Safe_ports port 591		# filemaker

acl Safe_ports port 777		# multiling http

acl Safe_ports port 631		# cups

acl Safe_ports port 873		# rsync

acl Safe_ports port 901		# SWAT

acl Safe_ports port 465         #email diviaco

acl Safe_ports port 587         #email diviaco

acl Safe_ports port 993         #imap gmail

acl Safe_ports port 3128        #squid

acl Safe_ports port 8245        #noip 

acl Safe_ports port 25          #noip 

acl Safe_ports port 8125	#noip

acl Safe_ports port 1604	#noip

acl Safe_ports port 25          #noip

acl Safe_ports port 3389        #noip

acl Safe_ports port 4751	#noip

#acl Safe_ports port 80		#noip

acl Safe_ports port 8080        #noip

acl Safe_ports port 8223        #noip

acl purge method PURGE

acl CONNECT method CONNECT



##########################################################

###

###

###		Teste das rejeições

###

###

########################################################



#toda a rede interna

acl localnet src 10.1.1.0/24

acl all src all



acl fiscal3 src 10.1.1.132



# Bloquear Skype

acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443

acl Skype_UA browser ^skype



http_access deny numeric_IPS

http_access deny Skype_UA





acl validUserAgent browser \S+

http_access deny !validUserAgent



	



acl permitidos url_regex "/etc/squid/permitidos"

acl email url_regex "/etc/squid/email"





acl apontador dstdomain .apontador.

acl apontador dstdomain .maplink.





#http_access deny fiscal3 !permitidos !email





#http_access allow localnet permitidos

#http_access allow localnet email

#http_access allow localnet apontador







############################################################

###

###

###

###

################################################################

















acl manager proto cache_object



acl localhost src 127.0.0.1/32









#######################################################

###							

###

###		ACL DE LIBERACAO POR PEDIDO

###

###

######################################################

 

acl sites_pedidos dstdomain .funedi.edu.br  #pedido feito pela Caroline de Telefonista em 18/06/2013

acl sites_pedidos dstdomain .emccamp.com.br  #pedido feito pela Grasiele de Vendas5 em 18/06/2013

acl sites_pedidos dstdomain .contrutoraemccamp.com.br  #pedido feito pela Grasiele de Vendas5 em 18/06/2013





#######################################################

###							

###

###		FIM DE ACL DE LIBERACAO

###

###

#########################################################









###########################################################################

###										  ###

###			CRIACAO DAS ACLs INDIVIDUAIS			  ###

###			PARA TODOS OS COMPUTADORES				  ### 

###				DA REDE					  ###

###										  ###

### toda vez que for adicionado um computador na rede, deve adiciona-lo ###

### aqui tambem								  ###

###										  ###

###										  ###

### a lista esta dividida de acordo com o setor e em ordem afabetica    ###

###										  ###

###										  ###

###########################################################################





acl departamentopes src 10.1.1.137





acl dppessoal src 10.1.1.117





acl evani src 10.1.1.138





acl fat2 src 10.1.1.113

acl fat3 src 10.1.1.114

acl fat4 src 10.1.1.135





acl gilmar src 10.1.1.102





acl financ1 src 10.1.1.103

acl financ2 src 10.1.1.104

acl financ3 src 10.1.1.105

acl financ4 src 10.1.1.106

acl financ5 src 10.1.1.107

acl financ6 src 10.1.1.108

acl financ7 src 10.1.1.109

acl financ8 src 10.1.1.110

acl financ9 src 10.1.1.136

acl financ10 src 10.1.1.131





acl fiscal1 src 10.1.1.112

acl fiscal2 src 10.1.1.130







acl nfe src 10.1.1.116

acl nfe2 src 10.1.1.128





acl oxcorte src 10.1.1.111





acl telefonista src  10.1.1.115





acl servidor src 10.1.1.240

acl servidor_s2 src 10.1.1.241





acl telemarketing3 src 10.1.1.141

acl telemarketing5 src 10.1.1.123





acl vendas1 src 10.1.1.118

acl vendas2 src 10.1.1.119

acl vendas3 src 10.1.1.120

acl vendas4 src 10.1.1.121

acl vendas5 src 10.1.1.122

acl vendas6 src 10.1.1.101

acl vendas7 src 10.1.1.124

acl vendas9 src 10.1.1.126







###########################################################################

###										  ###

###										  ###

###		    FIM DA LISTA DE ACLs INDIVIDUAIS			  ###

###										  ###

###										  ###

###########################################################################







acl sitesEvani dstdomain .inpi.gov.br

acl sitesEvani dstdomain .uol.com.br

acl sitesEvani dstdomain .hotmail.com

acl sitesEvani dstdomain .ricardoeletro.com.br

acl sitesEvani dstdomain .contadorperito.com







http_access allow evani sitesEvani









acl to_localhost dst 127.0.0.0/8 0.0.0.0/32





############################################################

###

###

###	ACL de bloqueio comum

###

###

##############################################################







acl siteFB dstdomain 31.13.85.16

http_access deny localnet siteFB	





acl blocked url_regex "/etc/squid/bloqueio"

deny_info ERR_ACCESS_DENIED blocked



http_access allow localnet !blocked















#########################################################

###

###

###	fim da ACL de bloqueio comum

###

###

#########################################################







############################################################

###

###

###		COAD

###

###

############################################################





acl coad url_regex "/etc/squid/coad"



#http_access allow fiscal3 coad	

http_access allow fiscal1 coad

http_access allow vendas7 coad

http_access allow fiscal2 coad

http_access allow departamentopes coad

http_access allow evani coad





############################################################

###

###

###		FIM COAD

###

###

############################################################













###################################################################

###								###

###								###

###		LIBERACAO DO ACESSO NO HORARIO			###

###			DE ALMOCO				###

###								###

###								###

###								###

###								###

###################################################################



acl h_almoco time MTWHF 11:29-13:00

http_access allow localnet h_almoco







###########################################################

###								###

###								###

###        fim liberacao horario de almoco		###

###								###

###								###

###########################################################











###########################################################################

###									###

###									###

###                         LIBERACAO MANUAL				###

###									###

###		USAR APENAS QUANDO NECESSARIO E AUTORIZADO		###

###									###

###									###

###########################################################################











http_access allow telefonista sites_pedidos

http_access allow vendas5 sites_pedidos

http_access allow financ1







###########################################################################

###									###

###									###

###			FIM DA LIBERACAO MANUAL				###

###									###

###									###

###########################################################################



#local log

access_log /var/log/squid/access.log squid





################################################################################

###											###

###											###

###		Parte q eu ainda não mexi						###

###											###

###											###

################################################################################



















#tempo maximo de tentativa de retorno de um IP 

#echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout



#Valida Bloqueio MSN

#http_access deny msn





#http_access deny localnet mp3

#http_access deny localnet exe



#http_access allow manager localhost

#http_access deny manager  



#http_access allow purge localhost

#http_access deny purge



#negar todo acesso as portas que nao liberadas

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports



#http_access allow localhost

#http_access deny all



#icp_access allow localnet

#icp_access deny all



#porta usada squid

#http_port 3128



#hierarchy_stoplist cgi-bin ?





#configuracoes proxy transparente

#httpd_accel_port 80

#httpd_accel_host virtual



#httpd_accel_with_proxy on

#httpd_accel_uses_host_header on

#echo 1 > /proc/sys/net/ipv4/ip_forward









refresh_pattern ^ftp:		1440	20%	10080

refresh_pattern ^gopher:	1440	0%	1440

refresh_pattern -i (/cgi-bin/|\?) 0	0%	0

refresh_pattern (Release|Packages(.gz)*)$	0	20%	2880

refresh_pattern .		0	20%	4320



acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]



upgrade_http0.9 deny shoutcast



acl apache rep_header Server ^Apache



broken_vary_encoding allow apache



#extension_methods REPORT MERGE MKACTIVITY CHECKOUT



hosts_file /etc/hosts



#coredump_dir /var/spool/squid



 

Buckminster
(usa Debian)

Enviado em 08/08/2013 - 16:55h

# Bloquear Skype
acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
acl Skype_UA browser ^skype

http_access deny numeric_IPS <<< aqui não é numeric_IPS, é numeric_IPs.
http_access deny Skype_UA

Faça a alteração, reinicie o Squid e teste.

wescley1
(usa Ubuntu)

Enviado em 09/08/2013 - 10:56h

ainda assim não deu. mesmo fechando todas as portas do computador



o skype ainda connecta. como? porque?

souzacarlos
(usa Outra)

Enviado em 09/08/2013 - 14:07h

Já tentou usar o tcpdump para monitorar as conexões passante para o skype? ex tcpdump -i eth0 src host 192.168.0.1

onde:

ETH0 é a interface onde está agrupado o host em questão

192.168.0.1 é o host que vc quer monitorar

aguardo,

wescley1
(usa Ubuntu)

Enviado em 09/08/2013 - 14:49h

isso eu não fiz.
pq o cenário é o seguinte:
1 servidor ubuntu com squid e 43 pc com windows xp

esse tcpdump eu teria que usar no squid (ip 10.1.1.133) ou no "cliente" que é o computador de teste (10.1.1.132)?

souzacarlos
(usa Outra)

Enviado em 09/08/2013 - 15:21h

TCPDUMP é uma aplicação que irá monitorar o tráfego "entrante" ou "passante" por uma interface do servidor logo teria que ser executado no servidor...

Buckminster
(usa Debian)

Enviado em 10/08/2013 - 05:02h

Você fez isso abaixo que eu disse antes?

# Bloquear Skype
acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
acl Skype_UA browser ^skype

http_access deny numeric_IPS <<< AQUI NÃO É numeric_IPS, É numeric_IPs.
http_access deny Skype_UA

Faça a alteração, reinicie o Squid e teste.


E tentou isso abaixo?

Tenta assim no Iptables:

iptables -I FORWARD 1 -m string --algo bm --string "skype.com" -j DROP
iptables -I FORWARD 2 -s 111.221.74.0/24 -j DROP
iptables -I FORWARD 3 -s 111.221.77.0/24 -j DROP
iptables -I FORWARD 4 -s 157.55.130.0/24 -j DROP
iptables -I FORWARD 5 -s 157.55.235.0/24 -j DROP
iptables -I FORWARD 6 -s 157.55.56.0/24 -j DROP
iptables -I FORWARD 7 -s 157.56.52.0/24 -j DROP
iptables -I FORWARD 8 -s 194.165.188.0/24 -j DROP
iptables -I FORWARD 9 -s 195.46.253.0/24 -j DROP
iptables -I FORWARD 10 -s 213.199.179.0/24 -j DROP
iptables -I FORWARD 11 -s 63.245.217.0/24 -j DROP
iptables -I FORWARD 12 -s 64.4.23.0/24 -j DROP
iptables -I FORWARD 13 -s 65.55.223.0/24 -j DROP