
How to block Skype - working script

Discussion in 'Tomato Firmware' started by Elfew, Sep 8, 2013.

  1. Elfew

    Elfew Addicted to LI Member

    Just add this to your firewall script tab and reboot:

    Code:
    iptables -I FORWARD -s 111.221.74.0/24 -j DROP
    iptables -I FORWARD -s 111.221.77.0/24 -j DROP
    iptables -I FORWARD -s 157.55.130.0/24 -j DROP
    iptables -I FORWARD -s 157.55.235.0/24 -j DROP
    iptables -I FORWARD -s 157.55.56.0/24 -j DROP
    iptables -I FORWARD -s 157.56.52.0/24 -j DROP
    iptables -I FORWARD -s 194.165.188.0/24 -j DROP
    iptables -I FORWARD -s 195.46.253.0/24 -j DROP
    iptables -I FORWARD -s 213.199.179.0/24 -j DROP
    iptables -I FORWARD -s 63.245.217.0/24 -j DROP
    iptables -I FORWARD -s 64.4.23.0/24 -j DROP
    iptables -I FORWARD -s 65.55.223.0/24 -j DROP
    If you wanna block only Skype on br1 or br2 etc., add this:
    Code:
    iptables -I FORWARD -i br1 -d 111.221.74.0/24 -j DROP
    etc
     
  2. haarp

    haarp LI Guru Member

    Skype employs a P2P protocol. Are you sure this works?
     
  3. PetervdM

    PetervdM Network Guru Member

    i have outgoing connections to 134.170.24.126 and 193.120.199.17 as well.
    maybe it blocks in your region, but i don't think in all regions, certainly not in pasadena CA.
    since the last big services disruption it seemed there were not enough supernodes anymore to start communication again because most people are behind routers nowadays. so they set up their own network of supernodes. i don't know if they still rely on "customer" supernodes, but if that's the case, your script will never be able to work reliably.
    afaik only dpi can block skype.
     
  4. koitsu

    koitsu Network Guru Member

    Those network ranges are not what's advertised on the Internet via BGP as of this writing. A more accurate (and significantly larger, especially the /16 and /14) list would be:

    111.221.64.0/18
    157.55.0.0/16
    194.165.160.0/19
    195.46.224.0/19
    213.199.128.0/18
    63.245.216.0/22
    64.4.0.0/18
    65.52.0.0/14

    What this would impact is outside of the scope of my post here (meaning more than just Skype could be impacted by blocking these). I'm simply stating that the list you provided is not what's actually advertised on the Internet at this time.

    I cannot help past this point.
     
  5. Elfew

    Elfew Addicted to LI Member

    No, you are wrong... just try it.

    This script is fully working -> Skype cannot connect (login) to Skype servers
     
  6. ryzhov_al

    ryzhov_al Networkin' Nut Member

    I had a similar task last winter: block all traffic with Microsoft sites except Skype. The task was divided into two parts:
    • blocking MS sites with ipset, ip list:
    Code:
    wget -q -O - "http://list.iblocklist.com/?list=bt_microsoft&fileformat=p2p&archiveformat=gz" | \
        gunzip | cut -d: -f2 | grep -E "^[-0-9.]+$" > microsoft.lst
    • enabling Skype with ipset, ip list:
    Code:
    for ip in $(for i in {0..20} ; do dig +short dsn$i.d.skype.net; done | sort -u | grep -E "^[1-9]")
    do
      echo $ip >> skype.lst
    done
    With these rules SkypeKit connects immediately; a new version of the desktop Skype client connects with some delay.
     
    Last edited: Sep 9, 2013
  7. koitsu

    koitsu Network Guru Member

    No, I'm not wrong, and technically neither are you (please note I did not say you were wrong in the first place).

    The network ranges you've chosen are smaller subsets of what I listed; they may be too small compared to what's advertised on the Internet via BGP, which means given load balancer configurations and so on it may be very possible that what works for you may not work for someone else or may stop working for you in the future. It's chance.

    Please use route-views.routeviews.org and the command show ip route x.x.x.x to examine what the ideal CIDRs should be. These are what are advertised by Microsoft and are what are seen by the Internet routers as a whole. Sometimes querying ARIN (i.e. WHOIS) is not enough.
     
  8. Elfew

    Elfew Addicted to LI Member

    OK, but it is working for me without problem... so I don't need to change anything for now... Skype cannot log in, so it is good ;)
     
  9. Toastman

    Toastman Super Moderator Staff Member Member

    This whole thread is very useful, not only for Skype but as an example of how other things may be blocked too. So I have added it to "Common Tomato Topics".
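
The comparison between the /24 rules in the first post, the larger prefixes in koitsu's post and the two destinations PetervdM reports can be checked offline. The following is an added example, not code from any poster in the thread: it uses Python's `ipaddress` module, and the function names (`parse`, `covering_prefix`, `audit`) are my own.

```python
import ipaddress

# Rule sets copied from the thread (first post and koitsu's list).
ELFEW_RULES = """111.221.74.0/24 111.221.77.0/24 157.55.130.0/24 157.55.235.0/24
157.55.56.0/24 157.56.52.0/24 194.165.188.0/24 195.46.253.0/24
213.199.179.0/24 63.245.217.0/24 64.4.23.0/24 65.55.223.0/24""".split()
KOITSU_PREFIXES = """111.221.64.0/18 157.55.0.0/16 194.165.160.0/19 195.46.224.0/19
213.199.128.0/18 63.245.216.0/22 64.4.0.0/18 65.52.0.0/14""".split()
# Outgoing destinations PetervdM reports seeing.
OBSERVED = ["134.170.24.126", "193.120.199.17"]


def parse(cidrs):
    # strict=True rejects entries with host bits set, e.g. a mistyped rule.
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def covering_prefix(net, prefixes):
    """Return the first prefix that fully contains net, or None."""
    for prefix in prefixes:
        if net.subnet_of(prefix):
            return prefix
    return None


def audit(rule_cidrs, prefix_cidrs, observed):
    rules, prefixes = parse(rule_cidrs), parse(prefix_cidrs)
    mapping = {r: covering_prefix(r, prefixes) for r in rules}
    covered = sum(r.num_addresses for r, p in mapping.items() if p)
    # Collapse first so overlapping prefixes are not counted twice.
    total = sum(p.num_addresses for p in ipaddress.collapse_addresses(prefixes))
    unmatched = [ip for ip in observed
                 if not any(ipaddress.ip_address(ip) in n for n in rules + prefixes)]
    return {
        "outside": [str(r) for r, p in mapping.items() if p is None],
        "covered_addresses": covered,
        "advertised_addresses": total,
        "fraction": covered / total,
        "unmatched_observed": unmatched,
    }


if __name__ == "__main__":
    for key, value in audit(ELFEW_RULES, KOITSU_PREFIXES, OBSERVED).items():
        print(f"{key}: {value}")
```

A rule listed under `outside` is contained in none of the larger prefixes, and an address under `unmatched_observed` would pass both rule sets untouched.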
     
