topic Re: squid deny every thing except skype in Operating System - Linux

squid deny every thing except skype

Maaz — Tue, 18 Aug 2009 10:36:49 GMT

Squid Cache: Version 2.7.STABLE5

'allowed_websites.txt' is a text file, contains some websites that every one can access.

'ipes.txt' is a text file, contains my LAN IPes.

'skype_servers_ip.txt' is a text file, contains almost 65 IPes of skype servers. I found the skype IPes from squid log, and as per squid log, skype connect to these server via 'CONNECT skype_server_ip:443'

I just want to allow 'allowed_websites' and skype to my lan

acl allowed_websites url_regex -i "/etc/squid/allowed_websites.txt"
http_access allow allowed_websites

acl skype_servers_ip dst "/etc/squid/skype_servers_ip.txt"
http_access allow skype_servers_ip

acl mynet src "/etc/squid/ipes.txt"
http_access deny mynet

skype is not working on client side.. and the reason is clear, as per squid logs, every time skype connects to a different/another server(which is obviously not listed in 'skype_servers_ip.txt'), and then I have to add those servers into 'skype_servers_ip.txt', so its a never-ending excercise.

In short, skype connects to its servers via IPes, and not via domains(e.g MSN-Messenger connects to .live.messenger.com
or .live.hotmail.com', so by allowing these domains, MSN-Messenger can work)

please advise/suggest, how can I acheive my target.

Regards
Maaz

Re: squid deny every thing except skype

Steven E. Protter — Tue, 18 Aug 2009 10:51:16 GMT

Shalom Maaz,

If you want to work with skype by IP:

Contact them for support and see if they will release an IP address range.

You can then configure these addresses in /etc/hosts and then configure Skype the way you do MSN Messenger.

But without the range of IP addresses Skype uses, you will either need to know the default port. Problem there is other services will be available other than Skype.

It might be possible to use the dig command to get this information via a shell script.

yevka@lappy:~$ dig any skype.com

; <<>> DiG 9.5.1-P2 <<>> any skype.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14520
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;skype.com. IN ANY

;; ANSWER SECTION:
skype.com. 345588 IN NS ns1.skype.net.
skype.com. 345588 IN NS ns3.skype.net.
skype.com. 345588 IN NS ns2.skype.net.
skype.com. 345588 IN NS ns5.skype.net.

;; Query time: 15 msec
;; SERVER: 192.115.106.31#53(192.115.106.31)
;; WHEN: Tue Aug 18 14:48:46 2009
;; MSG SIZE rcvd: 108

yevka@lappy:~$ dig a skype.net

; <<>> DiG 9.5.1-P2 <<>> a skype.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52136
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;skype.net. IN A

;; ANSWER SECTION:
skype.net. 3591 IN A 78.141.177.7
skype.net. 3591 IN A 204.9.163.162

;; Query time: 11 msec
;; SERVER: 192.115.106.31#53(192.115.106.31)
;; WHEN: Tue Aug 18 14:49:24 2009
;; MSG SIZE rcvd: 59

Might be useful to do a tcpdump on one of those ip addresses and see what the traffic looks like.

The right dig command can be turned into the IP address list you desire.

SEP
hpuxconsulting on Yahoo Messenger
hpuxadmin on gtalk
Talk to me, I'm chatty.

Re: squid deny every thing except skype

Matti_Kurkela — Tue, 18 Aug 2009 11:39:35 GMT

Skype uses peer-to-peer style networking and encrypts its traffic.

Any Skype user can become a "supernode" (effectively, a "local branch exchange" for Skype traffic) if certain conditions are fulfilled. So the list of Skype "servers" is not fixed: there is a certain group of core servers maintained by the Skype company, but the supernodes are determined dynamically.

This makes it rather difficult to allow skype while blocking any other traffic.

MK

Re: squid deny every thing except skype

Ivan Ferreira — Tue, 18 Aug 2009 12:30:59 GMT

Try something like this:

acl CONNECT method CONNECT
acl skype url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
.
http_access allow CONNECT skype
http_access deny all

Re: squid deny every thing except skype

Maaz — Wed, 19 Aug 2009 10:48:58 GMT

Thanks SEP for reply

>So the list of Skype "servers" is not fixed: there is a certain group
>of core servers maintained by the Skype company, but the supernodes
>are determined dynamically.
>This makes it rather difficult to allow skype while blocking any other traffic.
Thanks Matti Kurkela for help and sharing the information

and Ivan Ferreira thanks for reply, I believe your solution will work, but I cant check it till day-after-tomorrow ;(. I will be back with the result.

Regards
Maaz