Operating System - Linux

squid deny every thing except skype

 
Maaz
Valued Contributor

squid deny every thing except skype

Squid Cache: Version 2.7.STABLE5

'allowed_websites.txt' is a text file containing some websites that everyone can access.

'ipes.txt' is a text file containing my LAN IPs.

'skype_servers_ip.txt' is a text file containing almost 65 IPs of Skype servers. I found the Skype IPs in the squid log, and as per the squid log, Skype connects to these servers via 'CONNECT skype_server_ip:443'.

I just want to allow 'allowed_websites' and Skype to my LAN:

acl allowed_websites url_regex -i "/etc/squid/allowed_websites.txt"
http_access allow allowed_websites

acl skype_servers_ip dst "/etc/squid/skype_servers_ip.txt"
http_access allow skype_servers_ip

acl mynet src "/etc/squid/ipes.txt"
http_access deny mynet

Skype is not working on the client side, and the reason is clear: as per the squid logs, every time Skype connects to a different server (which is obviously not listed in 'skype_servers_ip.txt'), and then I have to add those servers into 'skype_servers_ip.txt', so it's a never-ending exercise.

In short, Skype connects to its servers via IPs, and not via domains (e.g. MSN Messenger connects to '.live.messenger.com' or '.live.hotmail.com', so by allowing these domains, MSN Messenger can work).

Please advise/suggest how I can achieve my target.

Regards
Maaz
Steven E. Protter
Exalted Contributor

Re: squid deny every thing except skype

Shalom Maaz,

If you want to work with skype by IP:

Contact them for support and see if they will release an IP address range.

You can then configure these addresses in /etc/hosts and then configure Skype the way you do MSN Messenger.

But without the range of IP addresses Skype uses, you will need to know the default port. The problem there is that other services will be available besides Skype.

It might be possible to use the dig command to get this information via a shell script.

yevka@lappy:~$ dig any skype.com

; <<>> DiG 9.5.1-P2 <<>> any skype.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14520
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;skype.com. IN ANY

;; ANSWER SECTION:
skype.com. 345588 IN NS ns1.skype.net.
skype.com. 345588 IN NS ns3.skype.net.
skype.com. 345588 IN NS ns2.skype.net.
skype.com. 345588 IN NS ns5.skype.net.

;; Query time: 15 msec
;; SERVER: 192.115.106.31#53(192.115.106.31)
;; WHEN: Tue Aug 18 14:48:46 2009
;; MSG SIZE rcvd: 108

yevka@lappy:~$ dig a skype.net

; <<>> DiG 9.5.1-P2 <<>> a skype.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52136
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;skype.net. IN A

;; ANSWER SECTION:
skype.net. 3591 IN A 78.141.177.7
skype.net. 3591 IN A 204.9.163.162

;; Query time: 11 msec
;; SERVER: 192.115.106.31#53(192.115.106.31)
;; WHEN: Tue Aug 18 14:49:24 2009
;; MSG SIZE rcvd: 59


Might be useful to do a tcpdump on one of those ip addresses and see what the traffic looks like.

The right dig command can be turned into the IP address list you desire.

SEP
hpuxconsulting on Yahoo Messenger
hpuxadmin on gtalk
Talk to me, I'm chatty.


Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Matti_Kurkela
Honored Contributor

Re: squid deny every thing except skype

Skype uses peer-to-peer style networking and encrypts its traffic.

Any Skype user can become a "supernode" (effectively, a "local branch exchange" for Skype traffic) if certain conditions are fulfilled. So the list of Skype "servers" is not fixed: there is a certain group of core servers maintained by the Skype company, but the supernodes are determined dynamically.

This makes it rather difficult to allow skype while blocking any other traffic.

MK
Ivan Ferreira
Honored Contributor

Re: squid deny every thing except skype

Try something like this:

acl CONNECT method CONNECT
acl skype url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

http_access allow CONNECT skype
http_access deny all
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
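An added example (not from any poster in this thread) that replays the combined policy of Maaz's config and Ivan's CONNECT rule over constructed Squid native-format access.log lines, so an admin can audit what the IP-literal rule actually lets through before deploying it. The allowed_websites pattern, the log lines and the tightened `ip:443`-only regex are assumptions made for this example; the loose regex is Ivan's as posted.

```python
import re

# Constructed access.log lines in Squid native format (not from the thread):
# timestamp elapsed client action/code size method URL ident hierarchy/from type
SAMPLE_LOG = """\
1250600001.100 245 192.168.1.10 TCP_MISS/200 3456 CONNECT 78.141.177.7:443 - DIRECT/78.141.177.7 -
1250600002.200 120 192.168.1.11 TCP_MISS/200 8123 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1250600003.300 30 192.168.1.12 TCP_DENIED/403 1400 GET http://other.example.net/ - NONE/- text/html
1250600004.400 50 192.168.1.13 TCP_MISS/200 2000 CONNECT 10.20.30.40.example.org:443 - DIRECT/198.51.100.7 -
1250600005.500 50 192.168.1.14 TCP_MISS/200 2000 CONNECT 203.0.113.5:8080 - DIRECT/203.0.113.5 -
"""

# Assumed content of allowed_websites.txt (url_regex -i, as in Maaz's config).
ALLOWED_WEBSITES = [re.compile(r"example\.com", re.I)]

# Ivan's acl: anchored only at the start, so any URL *beginning* with a dotted quad matches.
LOOSE_IP_LITERAL = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

# Assumed tightening: the whole CONNECT target must be a bare IPv4 literal on port 443.
STRICT_IP_LITERAL = re.compile(r"^([0-9]{1,3}\.){3}[0-9]{1,3}:443$")


def decide(method, url, strict=False):
    """Return the first http_access rule that fires, in the order the thread's config lists them."""
    if any(r.search(url) for r in ALLOWED_WEBSITES):
        return "allow allowed_websites"
    ip_rule = STRICT_IP_LITERAL if strict else LOOSE_IP_LITERAL
    if method == "CONNECT" and ip_rule.search(url):
        return "allow CONNECT skype"
    return "deny all"


def audit(log_text, strict=False):
    """Parse native-format lines and return (client, method, url, decision) tuples."""
    rows = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip truncated or malformed lines
        client, method, url = fields[2], fields[5], fields[6]
        rows.append((client, method, url, decide(method, url, strict)))
    return rows


if __name__ == "__main__":
    for client, method, url, verdict in audit(SAMPLE_LOG):
        print(f"{client:15} {method:8} {url:40} -> {verdict}")
```

Run against a real access.log, the loose rule shows every CONNECT to a dotted-quad-prefixed target on any port as allowed; the strict variant limits that to bare IPv4 literals on 443, which is all the Skype traffic Maaz observed.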
Maaz
Valued Contributor

Re: squid deny every thing except skype

Thanks SEP for the reply.

>So the list of Skype "servers" is not fixed: there is a certain group
>of core servers maintained by the Skype company, but the supernodes
>are determined dynamically.
>This makes it rather difficult to allow skype while blocking any other traffic.
Thanks Matti Kurkela for the help and for sharing the information.

And Ivan Ferreira, thanks for the reply. I believe your solution will work, but I can't check it till the day after tomorrow ;(. I will be back with the result.

Regards
Maaz