How to block Skype on your network using IPTABLES

One way of blocking Skype on a network is to block the registration process. After registration, the communication between peers uses several different ports, so it is difficult to define rules to block it.
Using an OpenWRT router and a list of servers I found by googling, I identified the servers used in the login / registration process. Blocking access to them blocked Skype for every user on the router's LAN, and the same rules can be limited to a specific user on the LAN.

I currently have these rules in iptables, and they effectively block Skype on my network:

iptables -I FORWARD -d 63.245.217.0/24 -j DROP
iptables -I FORWARD -d 64.4.23.0/24 -j DROP
iptables -I FORWARD -d 65.54.167.0/24 -j DROP
iptables -I FORWARD -d 65.55.223.0/24 -j DROP
iptables -I FORWARD -d 91.190.216.0/24 -j DROP
iptables -I FORWARD -d 111.221.74.0/24 -j DROP
iptables -I FORWARD -d 111.221.77.0/24 -j DROP
iptables -I FORWARD -d 157.55.130.0/24 -j DROP
iptables -I FORWARD -d 157.55.133.0/24 -j DROP
iptables -I FORWARD -d 157.55.235.0/24 -j DROP
iptables -I FORWARD -d 157.55.56.0/24 -j DROP
iptables -I FORWARD -d 157.56.52.0/24 -j DROP
iptables -I FORWARD -d 157.56.116.0/24 -j DROP
iptables -I FORWARD -d 194.165.188.0/24 -j DROP
iptables -I FORWARD -d 195.46.253.0/24 -j DROP
iptables -I FORWARD -d 213.199.179.0/24 -j DROP

These networks mostly belong to Microsoft (MSFT, since they bought Skype), and some are still Skype's own. They may vary by country, so if blocking these networks is not enough for you, run the following command on the router to locate the server being used in your case:

cat /proc/net/nf_conntrack | grep 12350

If the command above returns anything, look at the lines whose original-direction tuple has dport=12350: the first dst= address on such a line is the login server, and its network should be added to the list above (and please post it here so I can update the list). Lines where 12350 only appears as a sport= belong to some other connection that happened to pick that client port and can be ignored.

If you only want to block Skype for a specific user on your network, add the following to each of the above lines, right after the FORWARD keyword:

-s IPADDRESSTOBLOCK

Replace IPADDRESSTOBLOCK with the LAN IP address of the user you want to block.

These rules are meant for a router, since they use the FORWARD chain. To block traffic from the machine where iptables itself is running, use the OUTPUT chain instead (replace the FORWARD keyword with OUTPUT in all the above lines). In that case leave out the -s option, since on the OUTPUT chain the source address is the machine's own.

Note also that we are blocking a lot of server addresses, so any other service hosted on these networks will be blocked as well. In my experience this wasn't a problem: I can still use other Microsoft services such as SkyDrive, but your mileage may vary :-)
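The whole procedure as one script, added here as an example and not part of the original post: it applies the 16 DROP rules above to FORWARD or OUTPUT, optionally limited to one LAN client, without adding duplicates when re-run, and it parses conntrack entries to report login-server networks that are not yet in the list. DRY_RUN=1 (an assumed variable) prints the iptables commands instead of applying them, and the conntrack entries at the bottom are constructed, not captured from a real router.

```sh
#!/bin/sh
# Added example, not the post's own script. DRY_RUN=1 prints rules instead of
# applying them; CT_SAMPLE below is constructed conntrack output.

# The 16 networks from the post, one per word.
SKYPE_NETS='
63.245.217.0/24 64.4.23.0/24 65.54.167.0/24 65.55.223.0/24
91.190.216.0/24 111.221.74.0/24 111.221.77.0/24 157.55.130.0/24
157.55.133.0/24 157.55.235.0/24 157.55.56.0/24 157.56.52.0/24
157.56.116.0/24 194.165.188.0/24 195.46.253.0/24 213.199.179.0/24
'

# add_drop CHAIN SRC NET: one DROP rule; SRC may be empty to match every client.
add_drop() {
  chain=$1 src=$2 net=$3
  if [ -n "$src" ]; then
    set -- "$chain" -s "$src" -d "$net" -j DROP
  else
    set -- "$chain" -d "$net" -j DROP
  fi
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "iptables -I $*"
  else
    # -C succeeds when an identical rule already exists, so re-running the
    # script (e.g. from a firewall reload) adds no duplicates.
    iptables -C "$@" 2>/dev/null || iptables -I "$@"
  fi
}

# skype_block_rules CHAIN [SRC]: FORWARD on a router, OUTPUT on the host itself.
skype_block_rules() {
  for net in $SKYPE_NETS; do
    add_drop "$1" "${2:-}" "$net"
  done
}

# login_server_nets: read /proc/net/nf_conntrack lines on stdin and print the
# /24 of each login server. Only the original-direction tuple (the first
# dst=/dport= pair on the line) is used, so a client whose ephemeral port
# happens to be 12350 is not reported, unlike with a plain "grep 12350".
login_server_nets() {
  awk '{
    dst = ""; dport = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^dst=/ && dst == "")     { sub(/^dst=/, "", $i);   dst = $i }
      if ($i ~ /^dport=/ && dport == "") { sub(/^dport=/, "", $i); dport = $i }
    }
    if (dport == "12350" && dst != "") {
      split(dst, o, ".")
      print o[1] "." o[2] "." o[3] ".0/24"
    }
  }' | sort -u
}

# is_listed NET: true when NET is already in SKYPE_NETS.
is_listed() { printf '%s\n' $SKYPE_NETS | grep -qxF "$1"; }

# new_login_nets: login_server_nets minus the networks already blocked.
new_login_nets() {
  login_server_nets | while read -r net; do
    if ! is_listed "$net"; then echo "$net"; fi
  done
}

# Constructed conntrack entries: a login to an already-listed server, a login
# to a new server (198.51.100.7, a documentation address) and an HTTPS flow
# whose client port is 12350 and must not be reported.
CT_SAMPLE='ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=157.55.130.12 sport=49211 dport=12350 src=157.55.130.12 dst=203.0.113.5 sport=12350 dport=49211 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=192.168.1.10 dst=198.51.100.7 sport=49212 dport=12350 [UNREPLIED] src=198.51.100.7 dst=203.0.113.5 sport=12350 dport=49212 mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.11 dst=192.0.2.50 sport=12350 dport=443 src=192.0.2.50 dst=203.0.113.5 sport=443 dport=12350 [ASSURED] mark=0 use=2'

case "${1:-}" in
  block) skype_block_rules FORWARD "${2:-}" ;;          # script block [LAN-IP]
  scan)  new_login_nets < /proc/net/nf_conntrack ;;      # script scan
  demo)  DRY_RUN=1 skype_block_rules FORWARD 192.168.1.20
         printf '%s\n' "$CT_SAMPLE" | new_login_nets ;;  # prints 198.51.100.0/24
esac
```

Rules added from the command line are gone after a reboot or firewall restart; on an iptables-based OpenWRT, calling the script's block mode from /etc/firewall.user re-adds them on every reload, and the -C check keeps that idempotent. -I puts each DROP at the head of the chain, ahead of OpenWRT's own forwarding ACCEPT rules, which is what is needed for the block to take effect.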

This entry was posted in Linux, OpenStudio.