LinuxQuestions.org, Linux - Newbie forum
Old 12-16-2011, 01:44 PM   #1
mandyapenguin
iptable rules to block https://www.facebook.com


Hi everybody.
I am using squid-3.1.14 as a transparent proxy on Ubuntu 11.10. Everything is working fine. I have blocked facebook, but the users can still access it using https. I searched Google for how to block https with squid but found nothing useful. I thought this is the best site to discuss it, because many of my problems have been solved with this site. Hats off to every member of this site.
Please find the attachment in which my current iptables rules are given. I found this link and found the thread marked as solved. So I tried
Code:
iptables -t nat -I PREROUTING -m tcp -p tcp -d www.facebook.com --dport 443 -j DROP
and got the error below:
Code:
iptables v1.4.10: 
The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.

Try `iptables -h' or 'iptables --help' for more information.
So please help me to run the above command on Ubuntu.

In my area facebook has the IP addresses below.
Code:
nslookup facebook.com
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
Name:	facebook.com
Address: 69.171.229.11
Name:	facebook.com
Address: 66.220.149.11
Name:	facebook.com
Address: 69.171.224.11
Code:
dig facebook.com
; <<>> DiG 9.7.3 <<>> facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16211
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;facebook.com.			IN	A

;; ANSWER SECTION:
facebook.com.		4092	IN	A	69.171.224.11
facebook.com.		4092	IN	A	69.171.229.11
facebook.com.		4092	IN	A	66.220.149.11

;; AUTHORITY SECTION:
facebook.com.		169687	IN	NS	ns3.facebook.com.
facebook.com.		169687	IN	NS	ns4.facebook.com.
facebook.com.		169687	IN	NS	ns5.facebook.com.
facebook.com.		169687	IN	NS	ns1.facebook.com.
facebook.com.		169687	IN	NS	ns2.facebook.com.

;; ADDITIONAL SECTION:
ns1.facebook.com.	713	IN	A	204.74.66.132
ns2.facebook.com.	713	IN	A	204.74.67.132
ns3.facebook.com.	489	IN	A	66.220.151.20
ns4.facebook.com.	487	IN	A	69.63.186.49
ns5.facebook.com.	487	IN	A	66.220.145.65

;; Query time: 27 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Dec 16 23:56:58 2011
;; MSG SIZE  rcvd: 248
I also tried
Code:
iptables -t nat -A PREROUTING -i eth0 --dst facebook.com -p tcp --dport 443 -j DNAT --to 192.168.0.1:3128
Now it is blocked and gives the error "secure connection failed" even if they try multiple times using https://facebook.com, which was accessible earlier. But it is still accessible if they use "www", i.e. https://www.facebook.com.
So please help me to block "https://www.facebook.com".
Attached file: current_iptable_rules.txt (1.4 KB)

Last edited by mandyapenguin; 12-16-2011 at 01:45 PM. Reason: heading correction
 
Old 12-16-2011, 02:48 PM   #2
Cedrik
Make a fake facebook.com dns entry in your DNS server
 
Old 12-16-2011, 02:57 PM   #3
coolsg5636
Hello,

I guess this might help. I just found this bash script on Google (Facebook IP range).
Code:
# user-defined chain; anything jumped here is rejected
iptables -N FACEBOOK

# insert at the top of FORWARD: HTTPS (443) and HTTP (80) to each published range
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 443 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 443 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 443 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 80 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 80 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 80 -j FACEBOOK

# the chain's only rule: reject the packet (client sees an error instead of a hang)
iptables -A FACEBOOK -j REJECT

Last edited by coolsg5636; 12-16-2011 at 02:59 PM.
 
Old 12-16-2011, 11:34 PM   #4
John VV
Why not just remap facebook.com to 127.0.0.1 in the hosts file?

That will block all access.
 
Old 12-16-2011, 11:46 PM   #5
linuxmen
Why don't you try to block facebook in squid?

Create an ACL for facebook.com:

Code:
acl badsite dstdomain .facebook.com
Now block both HTTP and HTTPS traffic:

Code:
http_reply_access deny badsite
http_access deny CONNECT badsite
Here the first line blocks HTTP and the second line blocks HTTPS traffic.
More details: go to http://servercomputing.blogspot.com/...xy-server.html
 
Old 12-17-2011, 03:32 AM   #6
mandyapenguin
Original Poster
Quote:
Originally Posted by Cedrik
Make a fake facebook.com dns entry in your DNS server
Hi.. Thanks for the reply,
Code:
cat /etc/bind/db.facebook.com 
$TTL    1d
facebook.com.  IN    SOA   ns.facebook.com. root.facebook.com. (
    20111125   ; se = serial number
    3h         ; ref = refresh
    15m        ; ret = update retry
    3w         ; ex = expiry
    3h         ; min = minimum
    )

                IN    NS    ns.facebook.com.
ns              IN    A    192.168.0.1
www             IN    A    192.168.0.1
facebook.com.	IN    A    192.168.0.1

cat /etc/bind/db.192.168.0 
$TTL    1d
@   IN    SOA   ns.facebook.com. root.facebook.com. (
    20111125   ; se = serial number
    3h         ; ref = refresh
    15m        ; ret = update retry
    3w         ; ex = expiry
    3h         ; min = minimum
    )
    
      IN    NS     ns.facebook.com.
1     IN    PTR    ns.facebook.com.
1     IN    PTR    www.facebook.com.
1     IN    PTR    facebook.com.
Restarted the bind service and found that now https://www.facebook.com is also blocked. Super, now no one can access facebook even using https://www.facebook.com, apart from through some bypass sites; that is okay, I can monitor bypass sites and block those also. But it is affecting everyone. I want to allow some authorized IPs to access facebook.com at all times. So could you please guide me with iptables rules instead of DNS?

Last edited by mandyapenguin; 12-17-2011 at 03:34 AM.
 
Old 12-17-2011, 03:38 AM   #7
mandyapenguin
Original Poster
Code:
acl badsite dstdomain .facebook.com
http_reply_access deny badsite
http_access deny CONNECT badsite
Thanks for your kind reply.
I don't know what is wrong, but it is not working for me in transparent mode.
 
Old 12-17-2011, 03:46 AM   #8
mandyapenguin
Original Poster
Quote:
Originally Posted by John VV
Why not just remap facebook.com to 127.0.0.1 in the hosts file?
That will block all access.
Thanks for your kind reply.
I tried it; now https://www.facebook.com is also blocked. But it is not enough to do this only in the server's /etc/hosts file; instead we would have to do it in each user machine's /etc/hosts file, since only then is facebook redirected to 127.0.0.1 on their PC. And since every user has superuser permission, they can easily remove the entry from /etc/hosts. So may I expect some iptables rules from you to block https://www.facebook.com?
 
Old 12-17-2011, 03:56 AM   #9
mandyapenguin
Original Poster
Thanks coolsg5636,
I tried the iptables rules you provided. https://www.facebook.com is still accessible, but when they log in, by default it redirects to http://www.facebook.com and they get the proxy error; if they put the "s" after http with the same URL, it works again. So I think I have not completely blocked https://facebook.com if the users can access it using "s" whenever they get the error. So please see the IP addresses in my area that are already given and help me to block https://www.facebook.com with iptables rules.

Last edited by mandyapenguin; 12-17-2011 at 04:00 AM.
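The partial result reported in post #9 lines up with the range list in post #3: two of the three addresses in the OP's dig output, 69.171.224.11 and 69.171.229.11, sit outside 66.220.144.0/20, 69.63.176.0/20 and 204.15.20.0/22, so HTTPS to them is never jumped to the FACEBOOK chain. The earlier attempts in post #1 show the other two constraints: DROP and REJECT are refused in the nat table, so the block has to live in the filter table's FORWARD chain, and `--dst facebook.com` in the DNAT rule resolved that one name when the rule was inserted, so the www name, which resolves separately, was never covered. The script below is an added example written for this page, not code from the thread or from any poster: it keeps the three published ranges, adds 69.171.224.0/19 as an assumption derived from the dig answers (verify the current prefixes with whois before relying on it), and puts the exemption asked for in post #6 inside the chain, so the RETURN for authorized clients is evaluated before the REJECT. The client addresses 192.168.0.10 and 192.168.0.11 are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: reject HTTPS (and HTTP) to the listed
# destination ranges on the gateway's FORWARD chain, with an exemption for
# authorized client addresses. Needs root to apply; IPT=echo prints the
# rules instead of applying them.

IPT=${IPT:-iptables}

# Destination ranges to block. The first three are the ones posted in this
# thread; the fourth is an ASSUMPTION derived from the 69.171.224.11 and
# 69.171.229.11 answers in the OP's dig output. Refresh the list from
# whois/BGP data: a stale list is exactly what lets www.facebook.com through.
FB_RANGES="66.220.144.0-66.220.159.255
69.63.176.0-69.63.191.255
204.15.20.0-204.15.23.255
69.171.224.0-69.171.255.255"

# Clients allowed to reach those ranges (placeholder addresses, assumed).
ALLOWED_CLIENTS="192.168.0.10 192.168.0.11"

# With a transparent squid, port 80 is usually redirected in nat PREROUTING
# before FORWARD sees it, so on this gateway 443 is the port that matters;
# 80 is kept so the rules still hold if the redirect is removed.
PORTS="443 80"

# Build the FACEBOOK chain. Rule order inside the chain is the exemption:
# RETURN for allowed sources first, REJECT as the last rule.
setup_facebook_chain() {
    $IPT -N FACEBOOK 2>/dev/null || true   # chain may already exist
    $IPT -F FACEBOOK
    for src in $ALLOWED_CLIENTS; do
        $IPT -A FACEBOOK -s "$src" -j RETURN
    done
    # A TCP reset fails fast in the browser; a silent DROP just hangs.
    $IPT -A FACEBOOK -p tcp -j REJECT --reject-with tcp-reset
}

# Insert the jump rules at the top of FORWARD, ahead of any blanket ACCEPT
# (including a conntrack ESTABLISHED rule, so sessions already open are
# reset on their next packet rather than surviving the change).
hook_forward_rules() {
    for range in $FB_RANGES; do
        for port in $PORTS; do
            $IPT -I FORWARD -p tcp -m iprange --dst-range "$range" \
                --dport "$port" -j FACEBOOK
        done
    done
}

case "${1-}" in
    --apply) setup_facebook_chain; hook_forward_rules ;;
esac
```

Apply with `sh block_facebook.sh --apply` as root, or `IPT=echo sh block_facebook.sh --apply` to see the generated rules first. To check it, run `curl -sv https://www.facebook.com/` from a non-exempt client (the connection should be reset before the TLS handshake completes) and again from an exempt address (the handshake should complete), and confirm the counters with `iptables -nvL FACEBOOK`.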
 
Old 12-17-2011, 04:18 AM   #10
linuxmen
Quote:
Thanks for your kind reply.
I don't know what is wrong, but it is not working for me in transparent mode.
I'm still using it with squid 3.1 on CentOS 6 and Fedora 15.
Just double-check it again...
 
Old 12-18-2011, 06:09 AM   #11
mandyapenguin
Original Poster
Thanks for the reply linuxmen,
I checked it many times using
Code:
acl badsite dstdomain .facebook.com
http_reply_access deny badsite
http_access deny CONNECT badsite
and found that "https://www.facebook.com" can be blocked only if we go through the browser proxy settings, even while the proxy is working in transparent mode. Since we are using transparent mode, the user can remove the browser settings and access https://www.facebook.com. So could you please guide me about iptables rules to enable mail client and FTP access for a non-transparent proxy? Then we can migrate to a non-transparent proxy only, since browser settings on each PC seem to be the more secure proxy. I will be waiting for your kind reply.

Last edited by mandyapenguin; 12-18-2011 at 06:10 AM.
 
Old 07-26-2012, 09:41 PM   #12
madjelle
Thank you

Hi all,

Thanks guys, nice to meet you here in the Linux forum. Hope we can share our knowledge. Thanks guys. God bless us.
 
Old 07-31-2012, 03:15 AM   #13
sag47
If you use DNS poisoning (which is what other people suggested by adding a bad DNS entry for facebook.com), then you can simply manually set the DNS to Google Public DNS or to OpenDNS. That way the computers you want can bypass the filtering altogether. The only drawback (maybe) is that you don't get the advantages of caching from your local squid.
 
Old 12-07-2012, 03:19 AM   #14
lhekiz007
Hi, I'm new to Linux programming. I also want to know if blocking https://facebook.com is possible.
 
Old 12-07-2012, 03:36 AM   #15
adol83
Keep in mind that a workaround to bypass a bad DNS entry is tools and programs like ultrasurf that allow you to use another DNS.
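The bypass in post #13, pointing a PC at Google Public DNS or OpenDNS, works because the sinkhole zone from post #6 only answers queries that actually reach the gateway's BIND. The rules below are an added example written for this page, not code from the thread or from any poster: they rewrite every DNS query arriving from the LAN to the local resolver in the nat table (rewriting destinations is what that table is for, unlike the DROP the OP tried there), through an exemption chain so the authorized addresses the OP wants can still resolve facebook.com for real. The interface name eth0 and the resolver address 192.168.0.1 follow the OP's DNAT rule; the exempt client 192.168.0.10 is a placeholder. This closes only the resolver-change bypass: a host that writes the real address into /etc/hosts, or tunnels through a tool like the one post #15 mentions, never sends a DNS query to be redirected, which is why a destination-address filter on FORWARD is still needed alongside it.

```shell
#!/bin/sh
# Added example, not from the thread: force all LAN DNS traffic to the
# gateway's own resolver so that a client changing its DNS server cannot
# escape the facebook.com sinkhole zone. Root required; IPT=echo dry-runs.

IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth0}               # LAN-facing interface (from the OP's rule)
RESOLVER=${RESOLVER:-192.168.0.1}    # the BIND instance serving the fake zone
ALLOWED_CLIENTS="192.168.0.10"       # placeholder: clients that may use any resolver

# Build a nat-table chain: allowed sources RETURN (the chain's policy then
# applies), everyone else is DNAT'ed to the local resolver. Both UDP and TCP,
# since answers over 512 bytes fall back to TCP/53.
setup_dns_chain() {
    $IPT -t nat -N FORCE_DNS 2>/dev/null || true   # chain may already exist
    $IPT -t nat -F FORCE_DNS
    for src in $ALLOWED_CLIENTS; do
        $IPT -t nat -A FORCE_DNS -s "$src" -j RETURN
    done
    $IPT -t nat -A FORCE_DNS -p udp --dport 53 -j DNAT --to-destination "$RESOLVER:53"
    $IPT -t nat -A FORCE_DNS -p tcp --dport 53 -j DNAT --to-destination "$RESOLVER:53"
}

# Hook the chain into PREROUTING for port-53 traffic entering on the LAN
# interface. Queries already addressed to the resolver are left alone;
# conntrack reverse-maps the replies, so the client still believes it
# talked to the server it configured.
hook_prerouting() {
    for proto in udp tcp; do
        $IPT -t nat -A PREROUTING -i "$LAN_IF" ! -d "$RESOLVER" \
            -p "$proto" --dport 53 -j FORCE_DNS
    done
}

case "${1-}" in
    --apply) setup_dns_chain; hook_prerouting ;;
esac
```

Apply with `sh force_dns.sh --apply` as root, or `IPT=echo sh force_dns.sh --apply` to print the rules. To verify, run `dig @8.8.8.8 www.facebook.com` from a non-exempt client: the answer should be the sinkhole address from the local zone, not a real Facebook address, and `iptables -t nat -nvL FORCE_DNS` should show the DNAT counters climbing.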
 
  

