How to block Skype - working script

Discussion in 'Tomato Firmware' started by Elfew, Sep 8, 2013.

  1. Elfew

    Elfew Network Guru Member

    Just add this to your firewall script tab and reboot:

    iptables -I FORWARD -s -j DROP
    iptables -I FORWARD -s -j DROP
    iptables -I FORWARD -s -j DROP
    iptables -I FORWARD -s -j DROP
    iptables -I FORWARD -s -j DROP
    iptables -I FORWARD -s -j DROP
    iptables -I FORWARD -s -j DROP
    iptables -I FORWARD -s -j DROP
    iptables -I FORWARD -s -j DROP
    iptables -I FORWARD -s -j DROP
    iptables -I FORWARD -s -j DROP
    iptables -I FORWARD -s -j DROP
    If you wanna block only Skype on br1 or br2 etc., add this:
    iptables -I FORWARD -i br1 -d -j DROP
  2. haarp

    haarp LI Guru Member

    Skype employs a P2P protocol. Are you sure this works?
  3. PetervdM

    PetervdM Network Guru Member

    I have outgoing connections to and as well.
    Maybe it blocks in your region, but I don't think in all regions, certainly not in Pasadena, CA.
    Since the last big services disruption it seemed there were not enough supernodes anymore to start communication again, because most people are behind routers nowadays. So they set up their own network of supernodes. I don't know if they still rely on "customer" supernodes, but if that's the case, your script will never be able to work reliably.
    AFAIK only DPI can block Skype.
  4. koitsu

    koitsu Network Guru Member

    Those network ranges are not what's advertised on the Internet via BGP as of this writing. A more accurate (and significantly larger, especially the /16 and /14) list would be:

    What this would impact is outside of the scope of my post here (meaning more than just Skype could be impacted by blocking these). I'm simply stating that the list you provided is not what's actually advertised on the Internet at this time.

    I cannot help past this point.
  5. Elfew

    Elfew Network Guru Member

    No, you are wrong... just try it.

    This script is fully working -> Skype cannot connect (login) to Skype servers
  6. ryzhov_al

    ryzhov_al LI Guru Member

    I had a similar task last winter: block all traffic to Microsoft sites except Skype. The task was divided into two parts:
    • blocking MS sites with ipset, IP list:
    # download the list, keep the second ':'-separated field, keep only lines made of digits, dots and dashes
    wget -q -O - "" | \
        gunzip | cut -d: -f2 | grep -E "^[-0-9.]+$" > microsoft.lst
    • enabling Skype with ipset, IP list:
    # resolve the numbered host names, de-duplicate, keep only IP addresses
    for ip in $(for i in {0..20} ; do dig +short dsn$; done | sort -u | grep -E "^[1-9]")
    do
      echo "$ip" >> skype.lst
    done
    With these rules SkypeKit connects immediately, a new version of the Desktop Skype client with some delay.
    Last edited: Sep 9, 2013
  7. koitsu

    koitsu Network Guru Member

    No, I'm not wrong, and technically neither are you (please note I did not say you were wrong in the first place).

    The network ranges you've chosen are smaller subsets of what I listed; they may be too small compared to what's advertised on the Internet via BGP, which means given load balancer configurations and so on it may be very possible that what works for you may not work for someone else or may stop working for you in the future. It's chance.

    Please use and the command show ip route x.x.x.x to examine what the ideal CIDRs should be. These are what are advertised by Microsoft and are what are seen by the Internet routers as a whole. Sometimes querying ARIN (i.e. WHOIS) is not enough.
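
koitsu's point in the post above, that block rules covering only subsets of the BGP-advertised prefixes leave the rest of each prefix reachable, can be checked mechanically. This is an added example, not part of the original thread: the function names are hypothetical, the prefixes are constructed from reserved documentation and benchmark ranges (not Skype's or Microsoft's), and it assumes IPv4-only input.

```python
import ipaddress

def coverage_gaps(blocked, advertised):
    """For each advertised prefix, list the sub-prefixes no blocked CIDR covers."""
    blocked_nets = [ipaddress.ip_network(b) for b in blocked]
    gaps = {}
    for adv in map(ipaddress.ip_network, advertised):
        remaining = [adv]                     # address space still unblocked
        for blk in blocked_nets:
            nxt = []
            for net in remaining:
                if net.subnet_of(blk):        # fully covered by this rule
                    continue
                if blk.subnet_of(net):        # rule is a smaller subset: carve it out
                    nxt.extend(net.address_exclude(blk))
                else:                         # disjoint: rule does not help here
                    nxt.append(net)
            remaining = nxt
        gaps[str(adv)] = [str(n) for n in ipaddress.collapse_addresses(remaining)]
    return gaps

def unblocked_fraction(gap_list, advertised_prefix):
    """Share of an advertised prefix that the block rules do not touch."""
    total = ipaddress.ip_network(advertised_prefix).num_addresses
    missed = sum(ipaddress.ip_network(g).num_addresses for g in gap_list)
    return missed / total

# Constructed sample data (reserved ranges, not real provider prefixes).
ADVERTISED = ["198.18.0.0/15", "203.0.113.0/24"]   # as seen on a route server
BLOCKED = ["198.18.64.0/18", "203.0.113.0/24"]     # as used in the -s rules

if __name__ == "__main__":
    for prefix, missing in coverage_gaps(BLOCKED, ADVERTISED).items():
        share = unblocked_fraction(missing, prefix)
        print(f"{prefix}: {share:.1%} unblocked -> {missing or 'fully covered'}")
```
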
  8. Elfew

    Elfew Network Guru Member

    OK, but it is working for me without problems... so I don't need to change anything for now... Skype cannot log in, so it is good ;)
  9. Toastman

    Toastman Super Moderator Staff Member Member

    This whole thread is very useful, not only for Skype but as an example of how other things may be blocked too. So I have added it to "Common Tomato Topics".
  10. jimford

    jimford Serious Server Member

    Looks a useful script that I might be able to use for blocking the streaming app Periscope.

    The problem I've had is finding the IPs associated with Periscope. Reading the thread, I understand that they might be found using 'BGP'. I had no idea of the existence of BGP, but taking one look at it on the 'net, it shall forever remain a closed book to me!

    Any ideas, please?
