Many offices block social networking websites such as Facebook and Twitter. Offices also need to block chat and communication software such as Skype and Google Talk. Various software products are available on the market for blocking these messengers and websites. The problem is that there is at least one smart person in the office who finds a workaround or breaks through these security measures. So access to certain websites and domains needs to be blocked in a foolproof manner. I am writing this guide to show you a way to block access to certain IP addresses directly from the router. Let me explain the process using Skype as the example: assume you have to block Skype in your office.
The big challenge when blocking websites is blocking the P2P protocols on both sides at the router. If you try to block the HTTP or HTTPS protocols, detecting them and then blocking them becomes a lengthy process, so avoid it. Blocking HTTP and HTTPS also requires a UTM-enabled modem, which many people won't have. And since the focus here is on stopping Skype from being used, there is no point in blocking the website completely. We can block the Skype login that uses the P2P protocols.
Skype's call and chat services depend on a client-to-client model, which uses a P2P protocol. Blocking the Skype login at the IP level will help block access to Skype. You can use tcpdump or Wireshark to achieve this for your modem. This method creates a database of hosts to which the modem will deny connections. To set up this type of blocking, you should know certain things about how Skype and the modem work. Here is how Skype and the modem work with each other:
- When a user tries to log in to Skype, a centralized host comes into play. This centralized host does not issue any DNS request.
- The first thing Skype does once the login name and password are entered is authenticate the user with UDP packets that have high destination ports.
- If the firewall or the modem's settings do not let the UDP packets pass, the same thing is attempted using TCP ports.
- If the TCP ports do not allow access either, the authentication then goes to the HTTP(S) ports.
- The first two protocols, the DNS request and the UDP packets, can be blocked. But blocking the TCP ports and HTTP(S) for Skype would be like blacklisting the domain.
Thus, to block the Skype login from a certain modem, you can block the following IP addresses. If access to these IP addresses is blocked, data can neither be received from nor sent to Skype's login, so the user cannot get into Skype. Here is the list of IP addresses:
- 111.221.74.0/24
- 111.221.77.0/24
- 157.55.130.0/24
- 157.55.235.0/24
- 157.55.56.0/24
- 157.56.52.0/24
- 194.165.188.0/24
- 195.46.253.0/24
- 213.199.179.0/24
- 63.245.217.0/24
- 64.4.23.0/24
- 65.55.223.0/24
The /24 denotes the subnet mask: each entry covers every IP address in that subnet, and blocking it keeps the computers on your network from accessing and getting into Skype.
The hosts used by Skype can change at any time, so if a new host appears through which access to Skype might be enabled, I am not sure about it. But these are the hosts that I have confirmed.
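The following Python script is an added example, not part of the original guide. It checks `tcpdump -n` output captured on the LAN side against the block list and flags high-port UDP destinations outside it, which is where a changed login host would show up. The ranges and capture lines are constructed placeholders, and treating ports from 1024 upward as "high" is an assumption.

```python
import ipaddress
import re

# Constructed placeholder ranges (RFC 5737 documentation space); substitute
# the /24 entries from the list above when running against real traffic.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
HIGH_PORT = 1024  # assumption: "high destination port" means above the well-known range

# Constructed sample of `tcpdump -n` output from the LAN side of the router.
SAMPLE = """\
12:00:01.000001 IP 10.0.0.5.51234 > 192.0.2.10.33033: UDP, length 18
12:00:01.200000 IP 10.0.0.5.51240 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000000 IP 10.0.0.7.40000 > 203.0.113.9.40123: UDP, length 18
12:00:03.000000 IP 10.0.0.7.40002 > 203.0.113.50.80: Flags [S], seq 5, win 64240, length 0
12:00:04.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
"""

# src_ip.src_port > dst_ip.dst_port: first token of the packet description
LINE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (\S+)")

def audit(capture, blocklist=BLOCKLIST):
    """Return (hits, candidates).

    hits: (client, dst, port, proto, network) for traffic to a blocked range.
    candidates: sorted /24 networks receiving high-port UDP that are not on the list.
    """
    hits, candidates = [], set()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an IPv4 packet line (ARP, IPv6, ...)
        src, _, dst, dport, tag = m.groups()
        proto = "udp" if tag.startswith("UDP") else "tcp" if tag == "Flags" else "other"
        addr, port = ipaddress.ip_address(dst), int(dport)
        net = next((n for n in blocklist if addr in n), None)
        if net is not None:
            hits.append((src, dst, port, proto, str(net)))
        elif proto == "udp" and port >= HIGH_PORT:
            candidates.add(str(ipaddress.ip_network(f"{dst}/24", strict=False)))
    return hits, sorted(candidates)

if __name__ == "__main__":
    hits, candidates = audit(SAMPLE)
    for h in hits:
        print("blocked-range traffic:", h)
    print("unlisted high-port UDP destinations:", candidates)
```

Hits in a capture taken behind the router show which clients are still attempting the login; the candidate networks are only leads to inspect, since other applications also send UDP to high ports.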