AOL Instant Messenger (AIM) is probably one of the oldest and most widely used instant messaging clients in use today. It allows for text instant messaging, file transfers, and video (webcam) communication. The ReAIM proxy (http://reaim.sourceforge.net/), discussed in the MSN section, applies directly to the AIM protocol as well.

Connecting to AIM

AIM uses very basic TCP ports for connecting into its central servers, typically TCP port 5190. If you're using a standard NAT or Masquerading configuration, this won't be a problem for you. However, like MSN, file and video traffic can get confused when traversing NAT firewalls. To get these connections to work properly, you will need to install a transparent proxy on the firewall. We recommend ReAIM (http://reaim.sourceforge.net/), which, once up and running on the firewall, will require some transparent proxy rules to complete the configuration. After it is in place, your users will not need to make any changes to their AIM clients. The following firewall rules will need to be added after the ReAIM proxy is running:

    IPTABLES=/sbin/iptables
    # eth0 assumes the external interface
    # eth1 assumes the internal interface
    EXTERNAL=eth0
    INTERNAL=eth1
    # redirect internal clients' AIM connections to the ReAIM
    # proxy listening on the firewall itself
    $IPTABLES -t nat -A PREROUTING -i $INTERNAL -p tcp \
        --dport 5190 -j REDIRECT --to-ports 5190
    # this rule allows the firewall to accept the
    # redirected connection, if you have a default DROP
    # policy. And you do have one of those, right?
    $IPTABLES -A INPUT -i $INTERNAL -p tcp --dport 5190 \
        -j ACCEPT

Assuming your firewall is using eth0 for the external interface, you will want to modify the -i variable to be -i eth0.
Further, if you are not supporting MSN traffic, remove the following line:

    $IPTABLES -A INPUT -i eth0 -p tcp --dport 1863:1864 \
        -j ACCEPT

Blocking AOL Instant Messenger Traffic

As we've discussed in reference to blocking other IM traffic, the number of servers and ports that these applications support generally means that multiple methods are needed to consistently disable these services from the firewall. For AOL Instant Messenger, we use two separate sets of rules: one to filter out the AIM traffic itself on port 5190,

    $IPTABLES -A FORWARD -p tcp --dport 5190 -m limit \
        --limit 1/second -j LOG --log-level info \
        --log-prefix "Policy Violation: AIM "
    $IPTABLES -A FORWARD -p tcp --dport 5190 -j DROP

and one for traffic going to the AOL login servers at login.oscar.aol.com. At the time of this writing, AOL only uses one hostname, login.oscar.aol.com. To determine the IP addresses for this server, we again use the host command, as in the preceding Yahoo example:

    [user@firewall /tmp]$ host login.oscar.aol.com
    login.oscar.aol.com is an alias for login.login-grt.messaging.aol.com.
    login.login-grt.messaging.aol.com has address 64.12.161.153
    login.login-grt.messaging.aol.com has address 64.12.161.185
    login.login-grt.messaging.aol.com has address 64.12.200.89
    login.login-grt.messaging.aol.com has address 205.188.179.233

We can use the following rules to block those systems:

    $IPTABLES -A FORWARD -d 64.12.161.153 -j DROP
    $IPTABLES -A FORWARD -d 64.12.161.185 -j DROP
    $IPTABLES -A FORWARD -d 64.12.200.89 -j DROP
    $IPTABLES -A FORWARD -d 205.188.179.233 -j DROP

This is a much more manageable list than the Yahoo Messenger one mentioned here, so automation probably isn't needed.
However, the following script would automate this process:

    #!/bin/sh
    IPTABLES=/sbin/iptables
    # collect the current addresses of each login server in a private
    # temporary file (mktemp rather than a fixed name in /tmp, which
    # another local user could create ahead of the root-run script)
    HOSTS=$(mktemp) || exit 1
    for i in login.oscar.aol.com; do
        # keep only the "has address" lines and take the address itself
        host $i | awk '/has address/ {print $NF}' >> $HOSTS
    done
    for i in `cat $HOSTS`; do
        $IPTABLES -A FORWARD -d $i -m limit \
            --limit 1/second -j LOG --log-level info \
            --log-prefix "Policy Violation: AIM "
        $IPTABLES -A FORWARD -d $i -j DROP
    done
    rm -f $HOSTS
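The script above trusts whatever the host command prints. As an added example (not from the original text, and not part of ReAIM or any AOL tooling), the following POSIX shell builds the same LOG-then-DROP rule pairs but validates every address before it is placed in an iptables command, and runs as a dry run that prints the rules instead of executing them, so it can be checked without root. The sample lookup output is constructed to mirror the page's host output plus one malformed line; the fake_host function, the LOOKUP and IPTABLES variables, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original page: generate AIM login-server
# block rules from host(1) output, accepting only well-formed IPv4 addresses.

# Constructed sample of what "host login.oscar.aol.com" printed on the page,
# with one deliberately malformed line appended to show it being rejected.
SAMPLE_HOST_OUTPUT='login.oscar.aol.com is an alias for login.login-grt.messaging.aol.com.
login.login-grt.messaging.aol.com has address 64.12.161.153
login.login-grt.messaging.aol.com has address 64.12.161.185
login.login-grt.messaging.aol.com has address 64.12.200.89
login.login-grt.messaging.aol.com has address 205.188.179.233
login.login-grt.messaging.aol.com has address not-an-address'

# extract_addresses: read host(1) output on stdin and print one validated
# IPv4 address per line. Only "has address" lines are considered, and each
# of the four octets must be numeric and no larger than 255; anything else
# is dropped so that an unexpected line never becomes part of a rule.
extract_addresses() {
    awk '/ has address / {
        ip = $NF
        if (split(ip, o, ".") != 4) next
        ok = 1
        for (k = 1; k <= 4; k++)
            if (o[k] !~ /^[0-9]+$/ || o[k] + 0 > 255) ok = 0
        if (ok) print ip
    }'
}

# gen_block_rules HOST...: print the rate-limited LOG rule and the DROP rule
# for every address each hostname resolves to. LOOKUP names the resolver
# command (assumed variable; defaults to host) and IPTABLES the binary path.
gen_block_rules() {
    IPTABLES=${IPTABLES:-/sbin/iptables}
    for h in "$@"; do
        ${LOOKUP:-host} "$h" | extract_addresses | while read -r ip; do
            printf '%s -A FORWARD -d %s -m limit --limit 1/second -j LOG --log-level info --log-prefix "Policy Violation: AIM "\n' "$IPTABLES" "$ip"
            printf '%s -A FORWARD -d %s -j DROP\n' "$IPTABLES" "$ip"
        done
    done
}

# fake_host: stand-in for host(1) so the example runs offline (assumed helper).
fake_host() { printf '%s\n' "$SAMPLE_HOST_OUTPUT"; }

# Dry run: print the rules. To apply them on a firewall, replace fake_host
# with the real resolver and pipe the output into sh as root.
LOOKUP=fake_host gen_block_rules login.oscar.aol.com
```

Each address appears in two generated lines, the LOG rule and the DROP rule, and the malformed sample line produces none.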