LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (http://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   iptable rules to block https://www.facebook.com (http://www.linuxquestions.org/questions/linux-newbie-8/iptable-rules-to-block-https-www-facebook-com-919096/)

mandyapenguin 12-16-2011 12:44 PM

iptable rules to block https://www.facebook.com
 
1 Attachment(s)
Hi..everybody.
I am using squid-3.1.14 as transparent proxy on ubuntu 11.10. Everything is working fine. I have blocked facebook. But the users still can access using https. I searched in google to block https with squid but ended with no use. I thought of this is the best site to discuss because many of my problems have been solved with this site. I really hats off to every member of this site.
Please find the attachment in which my current IPTable rules are given. I found this link and found the thread as solved. So I tried
Code:

iptables -t nat -I PREROUTING -m tcp -p tcp -d www.facebook.com --dport 443 -j DROP
and got the below error
Code:

iptables v1.4.10:
The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.

Try `iptables -h' or 'iptables --help' for more information.

So please help me to run the above command on ubuntu.

In my area the facebook is having below IP addresses.
Code:

nslookup facebook.com
Server:                192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
Name:        facebook.com
Address: 69.171.229.11
Name:        facebook.com
Address: 66.220.149.11
Name:        facebook.com
Address: 69.171.224.11

Code:

dig facebook.com
; <<>> DiG 9.7.3 <<>> facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16211
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;facebook.com.                        IN        A

;; ANSWER SECTION:
facebook.com.                4092        IN        A        69.171.224.11
facebook.com.                4092        IN        A        69.171.229.11
facebook.com.                4092        IN        A        66.220.149.11

;; AUTHORITY SECTION:
facebook.com.                169687        IN        NS        ns3.facebook.com.
facebook.com.                169687        IN        NS        ns4.facebook.com.
facebook.com.                169687        IN        NS        ns5.facebook.com.
facebook.com.                169687        IN        NS        ns1.facebook.com.
facebook.com.                169687        IN        NS        ns2.facebook.com.

;; ADDITIONAL SECTION:
ns1.facebook.com.        713        IN        A        204.74.66.132
ns2.facebook.com.        713        IN        A        204.74.67.132
ns3.facebook.com.        489        IN        A        66.220.151.20
ns4.facebook.com.        487        IN        A        69.63.186.49
ns5.facebook.com.        487        IN        A        66.220.145.65

;; Query time: 27 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Dec 16 23:56:58 2011
;; MSG SIZE  rcvd: 248

I also tried
iptables -t nat -A PREROUTING -i eth0 --dst facebook.com -p tcp --dport 443 -j DNAT --to 192.168.0.1:3128
now it is blocked and gives the error as "secure connection failed" even they tries it multiple times using https://facebook.com which was accessible earlier with the same i.e https://facebook.com but again it can accessible if they use "www" i.e https://www.facebook.com
So please help me to block "https://www.facebook.com"

Cedrik 12-16-2011 01:48 PM

Make a fake facebook.com dns entry in your DNS server :p

coolsg5636 12-16-2011 01:57 PM

Hello,

I guess this might help.I just found this bash script from google.(Facebook IP Range)
Code:

iptables -N FACEBOOK
 
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 443 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 443 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 443 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 80 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 80 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 80 -j FACEBOOK
 
iptables -A FACEBOOK -j REJECT


John VV 12-16-2011 10:34 PM

why not just remap facebook.com to 127.0.0.1 in the host file

that will block all access

linuxmen 12-16-2011 10:46 PM

why dont u try 2 block facebook in squid ??

create an acl for facebook.com

Code:

acl badsite dstdomain .facebook.com
now finally block both http and https traffic

Code:

http_reply_access deny badsite
http_access deny CONNECT badsite

here 1st line block http and second line block https traffic
More details: go to http://servercomputing.blogspot.com/...xy-server.html

mandyapenguin 12-17-2011 02:32 AM

Quote:

Originally Posted by Cedrik (Post 4551894)
Make a fake facebook.com dns entry in your DNS server :p

Hi.. Thanks for the reply,
Code:

cat /etc/bind/db.facebook.com
$TTL    1d
facebook.com.  IN    SOA  ns.facebook.com. root.facebook.com. (
    20111125  ; se = serial number
    3h        ; ref = refresh
    15m        ; ret = update retry
    3w        ; ex = expiry
    3h        ; min = minimum
    )

                IN    NS    ns.facebook.com.
ns              IN    A    192.168.0.1
www            IN    A    192.168.0.1
facebook.com.        IN    A    192.168.0.1

cat /etc/bind/db.192.168.0
$TTL    1d
@  IN    SOA  ns.facebook.com. root.facebook.com. (
    20111125  ; se = serial number
    3h        ; ref = refresh
    15m        ; ret = update retry
    3w        ; ex = expiry
    3h        ; min = minimum
    )
   
      IN    NS    ns.facebook.com.
1    IN    PTR    ns.facebook.com.
1    IN    PTR    www.facebook.com.
1    IN    PTR    facebook.com.

Restarted the bind service and found, now https://www.facebook.com also has been blocked. Super, now no one can access facebook even using https://www.facebook.com apart from some bypass sites, It is okay I can monitor bypass sites and block those also. But it is affecting to everyone. I want to allow some authorized IPs to access facebook.com at all time. So could you please guide me with iptable rules instead dns.

mandyapenguin 12-17-2011 02:38 AM

Code:

acl badsite dstdomain .facebook.com
http_reply_access deny badsite
http_access deny CONNECT badsite

Thanks for your kind reply.
I don't know what is wrong, but it is not working for me in transparent mode.

mandyapenguin 12-17-2011 02:46 AM

Quote:

Originally Posted by John VV (Post 4552152)
why not just remap facebook.com to 127.0.0.1 in the host file
that will block all access

Thanks for your kind reply.
I tried it, now the https://www.facebook.com also has been blocked. But it is not enough to do this with only server's /etc/hosts file instead we should do it in each user machine's /etc/hosts file. Then only the facebook redirect to 127.0.0.1 on their PC. But since the every user is having super user permission, they can easily remove the entry from /etc/hosts file. So may I expect some iptable rules from you to block https://www.facebook.com?

mandyapenguin 12-17-2011 02:56 AM

Thanks coolsg5636,
I tried the iptable rules provided by you. Still https://www.facebook.com can accessible but when they login, again by default it redirect to http://www.facebook.com. then they will get proxy error but if they put "s" after http with same url again it works. So I think, I have not completely blocked https://facebook.com if the users are accessing it using "s" whenever they get error. So please see the IP addresses in my area that is already given and help me to block https://www.facebook.com with iptable rules.

linuxmen 12-17-2011 03:18 AM

Quote:

Thanks for your kind reply.
I don't know what is wrong, but it is not working for me in transparent mode.
dear i'm still using it with squid 3.1 in CentOS6 and Fed15
just double check it again...

mandyapenguin 12-18-2011 05:09 AM

Thanks for the reply linuxmen,
I checked it many times using
Code:

acl badsite dstdomain .facebook.com
http_reply_access deny badsite
http_access deny CONNECT badsite

and found the "https://www.facebook.com" can be blocked only then if we go through browser settings mode even proxy is working as transparent mode. Since we are using transparent mode the user can remove browser settings and can access https://www.facebook.com. So could you please guide me about IPTable rules to enable mail client and ftp access for non transparent proxy. So we can migrate to non transparent proxy only, since browser settings in each PC seems as more secure proxy. I will be waiting for your kind reply.

madjelle 07-26-2012 08:41 PM

Thank you
 
hi all

thanks guys to meet you here in linux furum. hope we can share our knowledge. thanks guys. god bless us.

sag47 07-31-2012 02:15 AM

If you use DNS poisoning (which is what other people suggested by adding a bad DNS entry for facebook.com) then you can simply manually set the DNS to google public DNS or to opendns. That way the computers you want bypass the filtering altogether. The only drawback (maybe) is that you don't get the advantages of caching from your local squid.

lhekiz007 12-07-2012 02:19 AM

hi im new in linux programming. i also want to know if blocking of https://facebook.com is possible?

adol83 12-07-2012 02:36 AM

Keep in mind that a workaround to bypass bad dns entry are tools and programs like ultrasurf that allow you to use another dns.


All times are GMT -5. The time now is 07:45 PM.