MSN Messenger


MSN is the other instant messaging client from Microsoft, available at http://messenger.msn.com/. Unlike NetMeeting, it's a much "lighter weight" client and uses basic TCP ports to communicate to its central servers. It also now includes the ability to handle voice and video traffic as well as transfer files.

Connecting to Other MSN Users

Text messaging is rarely an issue with MSN Messenger; it uses standard TCP ports, and provided you are not blocking anything outbound, it is a very simple connection that "just works" as long as your NAT/Masquerading rules are set up correctly.

File, video, and voice transfers are a completely different matter, however, and to get these to work consistently, we recommend the use of a transparent proxy like ReAIM (http://reaim.sourceforge.net/) on your firewall. After it is installed and running, you will need to add in some firewall rules to ensure that your MSN connections are being routed through the proxy server transparently. This ensures that your users will not have to make any configuration changes in their desktop MSN clients.

The following rules and documentation were copied from the ReAIM website:

 # assuming eth0 is the external interface
 # assuming eth1 is the internal interface
 $IPTABLES -t nat -A PREROUTING -i eth1 -p tcp \
     --dport 1863 -j REDIRECT --to-ports 1863
 $IPTABLES -A INPUT -i eth1 -p tcp --dport 1863 \
     -j ACCEPT

The proxy will massage the redirected AIM and MSN messages and AIM Share so that direct connections appear to be from the external IP address, on the port range 40000-40099. However, this is not enough: the AIM software does not honor the overrides ReAIM uses, so we also listen on ports 4443 and 5566. For good measure, we listen on the MSN port too.

So, the very basic setup, in addition to your current ruleset, is to permit connections to these ports.

 $IPTABLES -A INPUT -i eth0 -p tcp --dport 1863:1864 \
     -j ACCEPT
 $IPTABLES -A INPUT -i eth0 -p tcp --dport 4443 \
     -j ACCEPT
 $IPTABLES -A INPUT -i eth0 -p tcp --dport 5566 \
     -j ACCEPT
 $IPTABLES -A INPUT -i eth0 -p tcp --dport 40000:40099 \
     -j ACCEPT

Blocking MSN Messenger Traffic at the Firewall

The standard MSN client uses TCP port 1863; however, it has been reported that some clients will also attempt to fall back on other standard ports such as 80 (http) and 443 (https) to reestablish connections. One strategy is to block access to the login servers themselves. At the time of writing this book, this was messenger.hotmail.com, which maps to 207.46.104.20, although I suspect that MSN will have other login servers in that network space. Your approach here can be three-fold:

Log and Filter MSN port 1863:

 $IPTABLES -A FORWARD -p tcp --dport 1863 -m limit \
     --limit 1/second -j LOG --log-level info \
     --log-prefix "Policy Violation: MSN "
 $IPTABLES -A FORWARD -p tcp --dport 1863 -j DROP

Log and Filter the login server:

 $IPTABLES -A FORWARD -d 207.46.104.20 -m limit \
     --limit 1/second -j LOG --log-level info \
     --log-prefix "Policy Violation: MSN "
 $IPTABLES -A FORWARD -d 207.46.104.20 -j DROP

Log and Filter the messaging servers:

 $IPTABLES -A FORWARD -d 207.46.110.0/25 -m limit \
     --limit 1/second -j LOG --log-level info \
     --log-prefix "Policy Violation: MSN "
 $IPTABLES -A FORWARD -d 207.46.110.0/25 -j DROP
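The three rule pairs above share one "rate-limited LOG, then DROP" shape, so they can be generated from a single function. The script below is an added example, not from the book: it defaults to a dry run that only prints the iptables commands (set IPTABLES=/sbin/iptables to apply them), and it includes a small summarizer for the kernel log lines the LOG target writes, so you can see which internal hosts are tripping the MSN policy. The log lines are constructed samples in the LOG target's format; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not the book's code). IPTABLES defaults to a dry run
# that only prints the commands; set IPTABLES=/sbin/iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"

# log_and_drop MATCH... : emit the book's rate-limited LOG rule followed
# by a DROP rule for the same match expression.
log_and_drop() {
    $IPTABLES -A FORWARD "$@" -m limit --limit 1/second \
        -j LOG --log-level info --log-prefix "Policy Violation: MSN "
    $IPTABLES -A FORWARD "$@" -j DROP
}

# msn_block_rules: the three-fold approach from the book, i.e. the MSN
# port, the login server, and the messaging server range.
msn_block_rules() {
    log_and_drop -p tcp --dport 1863
    log_and_drop -d 207.46.104.20
    log_and_drop -d 207.46.110.0/25
}

# msn_log_summary: read kernel log lines on stdin and print "count src"
# for each internal host that hit the MSN rules, busiest host first.
msn_log_summary() {
    grep 'Policy Violation: MSN ' |
        sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed sample log lines (not real captures) in the LOG format.
SAMPLE_LOG='kernel: Policy Violation: MSN IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=207.46.104.20 PROTO=TCP SPT=3421 DPT=1863
kernel: Policy Violation: MSN IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=207.46.104.20 PROTO=TCP SPT=3422 DPT=1863
kernel: Policy Violation: MSN IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=207.46.110.5 PROTO=TCP SPT=3423 DPT=80
kernel: Unrelated IN=eth1 OUT=eth0 SRC=192.168.1.33 DST=10.0.0.1 PROTO=UDP DPT=53'

msn_block_rules
printf '%s\n' "$SAMPLE_LOG" | msn_log_summary
```

The summary above reports 192.168.1.10 twice and 192.168.1.22 once; the unrelated line is ignored because it lacks the MSN log prefix.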



    Troubleshooting Linux Firewalls
    ISBN: 321227239
    Year: 2004
    Pages: 169