AOL Instant Messenger (AIM)


AOL Instant Messenger (AIM) is probably one of the oldest and most widely used instant messaging clients in use today. It allows for text instant messaging, file transfers, and video (webcam) communication.

The ReAIM proxy (http://reaim.sourceforge.net/), discussed in the MSN section, applies directly to the AIM protocol as well.

Connecting to AIM

AIM uses a very basic TCP connection to its central servers, typically on TCP port 5190. If you're using a standard NAT or masquerading configuration, this won't be a problem for you. However, as with MSN, file-transfer and video traffic can get confused when traversing NAT firewalls. To get these connections to work properly, you will need to install a transparent proxy on the firewall. We recommend ReAIM (http://reaim.sourceforge.net/), which, once up and running on the firewall, requires some transparent proxy rules to complete the configuration. After it is in place, your users will not need to make any changes to their AIM clients.

The following firewall rules will need to be added after the ReAIM proxy is running:

    # eth0 assumes the external interface
    # eth1 assumes the internal interface
    EXTERNAL=eth0
    INTERNAL=eth1
    $IPTABLES -t nat -A PREROUTING -i $INTERNAL -p tcp \
        --dport 5190 -j REDIRECT --to-ports 5190
    # this rule allows the firewall to accept the
    # redirected connection, if you have a default DROP
    # policy. And you do have one of those right?
    $IPTABLES -A INPUT -i $INTERNAL -p tcp --dport 5190 \
        -j ACCEPT

Assuming your firewall uses eth0 as its external interface, you will want to modify the -i variable to be -i eth0. Further, if you are not supporting MSN traffic, remove the following line:

    $IPTABLES -A INPUT -i eth0 -p tcp --dport 1863:1864 \
        -j ACCEPT

Blocking AOL Instant Messenger Traffic

As we've discussed in reference to blocking other IM traffic, the number of servers and ports these applications support means that consistently disabling them at the firewall generally requires multiple methods. For AOL Instant Messenger, we use two separate sets of rules: one to filter out the AIM traffic itself on port 5190

    $IPTABLES -A FORWARD -p tcp --dport 5190 -m limit \
        --limit 1/second -j LOG --log-level info \
        --log-prefix "Policy Violation: AIM "
    $IPTABLES -A FORWARD -p tcp --dport 5190 -j DROP

and one for traffic going to the AOL login servers at login.oscar.aol.com. At the time of this writing, AOL uses only one hostname, login.oscar.aol.com. To determine the IP addresses for this server, we again use the host command, as in the preceding Yahoo example:

    [user@firewall /tmp]$ host login.oscar.aol.com
    login.oscar.aol.com is an alias for login.login-grt.messaging.aol.com.
    login.login-grt.messaging.aol.com has address 64.12.161.153
    login.login-grt.messaging.aol.com has address 64.12.161.185
    login.login-grt.messaging.aol.com has address 64.12.200.89
    login.login-grt.messaging.aol.com has address 205.188.179.233

We can use the following rules to block those systems:

    $IPTABLES -A FORWARD -d 64.12.161.153 -j DROP
    $IPTABLES -A FORWARD -d 64.12.161.185 -j DROP
    $IPTABLES -A FORWARD -d 64.12.200.89 -j DROP
    $IPTABLES -A FORWARD -d 205.188.179.233 -j DROP

This is a much more manageable list than the Yahoo Messenger list discussed earlier, so automation probably isn't needed. However, the following script would automate the process:

    #!/bin/sh
    IPTABLES=/sbin/iptables
    # start with an empty address list
    echo -n > /tmp/hosts
    # resolve each login hostname and collect the addresses it returns
    for i in login.oscar.aol.com; do
        host $i | grep address | awk -Faddress '{print $2 }' \
            >> /tmp/hosts
    done
    # log (rate-limited) and then drop forwarded traffic to each address
    for i in `cat /tmp/hosts`; do
        $IPTABLES -A FORWARD -d $i -m limit \
            --limit 1/second -j LOG --log-level info \
            --log-prefix "Policy Violation: AIM "
        $IPTABLES -A FORWARD -d $i -j DROP
    done
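A hardened variant of that block-list script, added here as an example and not taken from the book: it reads the output of host on standard input, keeps only IPv4 A records so that the alias line or an IPv6 record never ends up as a -d argument, refuses to continue when nothing resolved, and defaults to printing the iptables commands instead of running them. The sample host output is constructed, and IPTABLES_CMD is an assumed variable name.

```shell
#!/bin/sh
# Added example (not the book's code). Defaults to a dry run: set
# IPTABLES_CMD=/sbin/iptables to apply the rules on the live firewall.
IPTABLES_CMD="${IPTABLES_CMD:-echo /sbin/iptables}"

# Constructed sample of `host` output in the same format the text shows,
# plus an IPv6 record that a plain `grep address` would also match.
SAMPLE_HOST_OUTPUT='login.oscar.aol.com is an alias for login.login-grt.messaging.aol.com.
login.login-grt.messaging.aol.com has address 64.12.161.153
login.login-grt.messaging.aol.com has address 205.188.179.233
login.login-grt.messaging.aol.com has IPv6 address 2001:db8::1'

# Keep only "has address" lines (not "has IPv6 address"), then validate
# the dotted quad so no stray token can become a firewall rule target.
extract_ipv4() {
    awk '$2 == "has" && $3 == "address" { print $4 }' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Emit one rate-limited LOG rule and one DROP rule per address, as the
# text does. Fails (return 1) when nothing resolved, so a resolver outage
# is noticed instead of silently leaving the policy unenforced.
aim_block_rules() {
    addrs=$(extract_ipv4)
    if [ -z "$addrs" ]; then
        echo "aim_block_rules: no IPv4 addresses resolved, no rules added" >&2
        return 1
    fi
    for ip in $addrs; do
        $IPTABLES_CMD -A FORWARD -d "$ip" -m limit --limit 1/second \
            -j LOG --log-level info --log-prefix "Policy Violation: AIM "
        $IPTABLES_CMD -A FORWARD -d "$ip" -j DROP
    done
}

# Live use would be:  host login.oscar.aol.com | IPTABLES_CMD=/sbin/iptables aim_block_rules
# Dry run over the constructed sample (prints the four commands):
printf '%s\n' "$SAMPLE_HOST_OUTPUT" | aim_block_rules
```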


Troubleshooting Linux Firewalls
ISBN: 321227239
Year: 2004
Pages: 169