LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 11-16-2011, 01:54 PM   #1
loveulinux
Member
 
Registered: Aug 2011
Posts: 68

Rep: Reputation: Disabled
iptables rule to block https sites


Hi..All,
I am using Ubuntu 11.04. The transparent proxy is working fine, but the iptables rules are not being saved even when I run the iptables-save command, and I am restoring the rules manually from the stored file on every restart.
And I tried
Quote:
iptables -t nat -I PREROUTING -m tcp -p tcp -d www.facebook.com --dport 443 -j DROP
to block HTTPS for Facebook, but it is not accepting the rule and says:
Quote:
iptables v1.4.10:
The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
Try `iptables -h' or 'iptables --help' for more information.
So please help me with how to save the rules permanently and how to block HTTPS for Facebook using iptables.
 
Old 11-16-2011, 02:13 PM   #2
eSelix
Senior Member
 
Registered: Oct 2009
Location: Wroclaw, Poland
Distribution: Arch, Kubuntu
Posts: 1,246

Rep: Reputation: 309
Quote:
The "nat" table is not intended for filtering
So why do you use the "nat" table? Use the default table, "filter":
Code:
iptables -I OUTPUT -m tcp -p tcp -d www.facebook.com --dport 443 -j DROP
Also, you should not use domain names, as iptables translates them internally to an IP, and "www.facebook.com" can have multiple IPs, so you block only one of them. It is better to check which ones are used and block all of them separately by IP.

iptables rules are not persistent; you need to reload them on every boot, so put
Code:
iptables-restore /file/with/rules
in one of the startup files, for example in /etc/rc.local.

Last edited by eSelix; 11-16-2011 at 02:18 PM.
 
1 members found this post helpful.
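As an added example (not code from eSelix's post), here is one way to apply both points above at once: build a rules file in iptables-save(8) format that DROPs outbound HTTPS to a list of addresses, one rule per IP, in the "filter" table, and reload that file at boot. The file path /etc/iptables.rules, the script name block-https.sh and the helper names are assumptions; the sample address list is the set the thread itself shows from `host facebook.com`, used only as illustrative input.

```shell
#!/bin/sh
# Added example (not from the thread): write per-IP DROP rules in
# iptables-save(8) format to a file and reload that file at boot.
# The file path, the script name and the sample address list are
# assumptions; run install_rules as root on the gateway.

RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"

# Print an iptables-restore(8) input: the "filter" table (the "nat" table
# refuses DROP) with one OUTPUT rule per address given as an argument.
# No DNS lookups happen here, so the caller decides which IPs to block.
build_rules() {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    for ip in "$@"; do
        echo "-A OUTPUT -p tcp -m tcp -d $ip --dport 443 -j DROP"
    done
    echo 'COMMIT'
}

# All current IPv4 addresses of a name, one per line.  A "-d hostname"
# rule would keep only one of them; feed this list to build_rules instead.
# Needs network access, so it is not used by the stand-alone run below.
resolve_all() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Number of DROP rules in a rules file (a cheap sanity check after writing).
count_drops() {
    grep -c -- '-j DROP$' "$1"
}

# Write the file and load it now.  Persistence is then one line in
# /etc/rc.local (before "exit 0"):   iptables-restore < /etc/iptables.rules
install_rules() {
    build_rules "$@" > "$RULES_FILE"
    iptables-restore < "$RULES_FILE"
}

# Sample input: the A records the thread shows for facebook.com in
# November 2011.  They are long stale; re-resolve before relying on them.
SAMPLE_IPS="66.220.158.11 69.171.224.11 69.171.229.11 69.171.242.11 66.220.149.11"

# Run directly: write the sample rules to a temp file and show them,
# without touching the live firewall.
if [ "${0##*/}" = "block-https.sh" ]; then
    tmp=$(mktemp)
    build_rules $SAMPLE_IPS > "$tmp"
    cat "$tmp"
    echo "DROP rules written: $(count_drops "$tmp")"
    rm -f "$tmp"
fi
```

Typical use on the gateway is `install_rules $(resolve_all www.facebook.com)`, after which /etc/rc.local only needs the single iptables-restore line; the counters in the `[0:0]` brackets are reset on restore, and `iptables -L -n -v` afterwards shows whether the DROP rules are actually being hit.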
Old 11-16-2011, 02:59 PM   #3
loveulinux
Member
 
Registered: Aug 2011
Posts: 68

Original Poster
Rep: Reputation: Disabled
Hi. Thanks for the reply. As you said, I did it through rc.local to restore the rules. Thank you very much; now the rules are stored permanently. But https://facebook is still accessible: when we log in, by default it tries to redirect to http://facebook.com, and then the user gets access denied, but if I try https again he can log in. And whenever he clicks anything after logging in, it is blocked again, since it first redirects to the http port, but if the user enters https in the same URL the intended link opens. So with your help I could block https a little bit, but not completely. I tried dropping all of the IP addresses below:
host facebook.com
facebook.com has address 66.220.158.11
facebook.com has address 69.171.224.11
facebook.com has address 69.171.229.11
facebook.com has address 69.171.242.11
facebook.com has address 66.220.149.11
facebook.com mail is handled by 10 smtpin.mx.facebook.com.
but https is still opening. So please tell me how to block HTTPS access for the above IP addresses.
 
Old 11-16-2011, 03:52 PM   #4
eSelix
Senior Member
 
Registered: Oct 2009
Location: Wroclaw, Poland
Distribution: Arch, Kubuntu
Posts: 1,246

Rep: Reputation: 309
I think more addresses are used by Facebook. To show which packets are permitted by your firewall, add this rule at the end:
Code:
iptables -A OUTPUT -m tcp -p tcp --dport 443 -j LOG --log-prefix "FACEBOOK: "
In your /var/log/syslog you should get usable information after trying to visit facebook.com.

For your purpose it may be better to use a proxy server; it can block by domain name, port number, etc. But I have no experience with any, so it would be better to start another thread if you have questions about it.

Last edited by eSelix; 11-16-2011 at 03:58 PM.
 
1 members found this post helpful.
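As an added example (not from eSelix's post), this is the log-reading step that the LOG rule above makes possible: pull every DST address out of the "FACEBOOK: " lines in syslog, count how often each was contacted on port 443, and turn the unique ones into OUTPUT DROP rules. The sample log lines are constructed here in the kernel LOG format; the addresses in them are documentation ranges, not Facebook's, and the script name facebook-dsts.sh and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): extract and count the destination
# addresses that the "FACEBOOK: " LOG rule writes to /var/log/syslog, and
# emit a DROP rule for each.  Sample lines below are constructed; the
# function names and script name are assumptions.

# Unique DST addresses seen on dport 443, most frequent first.
# Reads log lines on stdin; prints "<count> <ip>" per line.
log_dsts() {
    grep 'FACEBOOK: ' |
    grep 'DPT=443 ' |
    sed -n 's/.*DST=\([0-9.]*\) .*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{print $1, $2}'
}

# Emit one DROP command per address read on stdin (one per line), inserted
# at the top of OUTPUT so it is matched before the LOG rule at the end.
drop_rules() {
    while read -r ip; do
        echo "iptables -I OUTPUT -p tcp -m tcp -d $ip --dport 443 -j DROP"
    done
}

# Real use on the gateway: read the live syslog instead of the sample.
syslog_dsts() {
    grep -h 'FACEBOOK: ' /var/log/syslog | log_dsts
}

# Constructed sample: two connections to one address, one to another,
# plus a port-80 line (from some other LOG rule) that must be ignored.
SAMPLE_LOG='Nov 17 23:11:14 host kernel: [13031.952297] FACEBOOK: IN= OUT=eth0 SRC=192.168.1.2 DST=198.51.100.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=12401 DF PROTO=TCP SPT=42117 DPT=443 WINDOW=1584 RES=0x00 ACK URGP=0
Nov 17 23:11:14 host kernel: [13031.992037] FACEBOOK: IN= OUT=eth0 SRC=192.168.1.2 DST=198.51.100.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=12402 DF PROTO=TCP SPT=42118 DPT=443 WINDOW=1584 RES=0x00 ACK URGP=0
Nov 17 23:11:38 host kernel: [13056.614599] FACEBOOK: IN= OUT=eth0 SRC=192.168.1.2 DST=203.0.113.40 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=21833 DF PROTO=TCP SPT=42114 DPT=443 WINDOW=1002 RES=0x00 ACK FIN URGP=0
Nov 17 23:11:40 host kernel: [13058.000000] FACEBOOK: IN= OUT=eth0 SRC=192.168.1.2 DST=203.0.113.41 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=21834 DF PROTO=TCP SPT=42115 DPT=80 WINDOW=1002 RES=0x00 ACK URGP=0'

# The sample run, kept in a function so it can be checked.
sample_dsts() {
    printf '%s\n' "$SAMPLE_LOG" | log_dsts
}

# Run directly: show the counted addresses and the rules they produce.
if [ "${0##*/}" = "facebook-dsts.sh" ]; then
    sample_dsts
    sample_dsts | awk '{print $2}' | drop_rules
fi
```

Because the LOG rule was appended with -A and the DROP rules are inserted with -I, a packet to a blocked address hits DROP first and never reaches LOG: once an address stops appearing in syslog, its rule is working, and the addresses that keep appearing are the ones still missing. Re-run this after each round, since a large site rotates through far more addresses than a single `host` lookup returns.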
Old 11-16-2011, 10:00 PM   #5
loveulinux
Member
 
Registered: Aug 2011
Posts: 68

Original Poster
Rep: Reputation: Disabled
Thanks for your guidance. HTTPS sites never open if the user goes through the browser settings with the proxy server address, but not through transparent mode. Anyway, could you help me in blocking HTTPS for Facebook? Thank you very much. I will let you know the status from the command below.

Code:
iptables -A OUTPUT -m tcp -p tcp --dport 443 -j LOG --log-prefix "FACEBOOK: "
 
Old 11-17-2011, 01:21 PM   #6
loveulinux
Member
 
Registered: Aug 2011
Posts: 68

Original Poster
Rep: Reputation: Disabled
Hi. Thank you very much; you are guiding me a lot.
I ran the command below:
Code:
iptables -A OUTPUT -m tcp -p tcp --dport 443 -j LOG --log-prefix "FACEBOOK: "
and then ran "grep -i FACEBOOK /var/log/syslog > facebook". When I less the facebook file it has many entries. Here is the output:
Quote:
Nov 17 23:11:14 ananth kernel: [13031.952297] FACEBOOK: IN= OUT=eth0 SRC=192.168.1.2 DST=118.214.98.110 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=12401 DF PROTO=TCP SPT=42117 DPT=443 WINDOW=1584 RES=0x00 ACK URGP=0
Nov 17 23:11:14 ananth kernel: [13031.992037] FACEBOOK: IN= OUT=eth0 SRC=192.168.1.2 DST=118.214.98.110 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=12402 DF PROTO=TCP SPT=42117 DPT=443 WINDOW=1584 RES=0x00 ACK URGP=0
Nov 17 23:11:38 ananth kernel: [13056.614599] FACEBOOK: IN= OUT=eth0 SRC=192.168.1.2 DST=118.214.98.110 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=21833 DF PROTO=TCP SPT=42114 DPT=443 WINDOW=1002 RES=0x00 ACK FIN URGP=0
Nov 17 23:11:38 ananth kernel: [13056.614763] FACEBOOK: IN= OUT=eth0 SRC=192.168.1.2 DST=118.214.98.110 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=12403 DF PROTO=TCP SPT=42117 DPT=443 WINDOW=1584 RES=0x00 ACK FIN URGP=0
Nov 17 23:11:38 ananth kernel: [13056.614853] FACEBOOK: IN= OUT=eth0 SRC=192.168.1.2 DST=118.214.98.110 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=6336 DF PROTO=TCP SPT=42113 DPT=443 WINDOW=1002 RES=0x00 ACK FIN URGP=0
Although I found only 2 IPs as dst. Those are:
69.171.228.40
118.214.98.110
Then I ran both the DROP and REJECT commands:
Quote:
iptables -I OUTPUT -m tcp -p tcp -d 118.214.98.110 --dport 443 -j DROP
iptables -I OUTPUT -m tcp -p tcp -d 118.214.98.110 --dport 443 -j REJECT
iptables -I OUTPUT -m tcp -p tcp -d 69.171.228.40 --dport 443 -j DROP
iptables -I OUTPUT -m tcp -p tcp -d 69.171.228.40 --dport 443 -j REJECT
Here is my iptables -L output:
Quote:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere a118-214.98-110.deploy.akamaitechnologies.com tcp dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere www-15-05-prn1.facebook.com tcp dpt:https reject-with icmp-port-unreachable
DROP tcp -- anywhere a118-214.98-110.deploy.akamaitechnologies.com tcp dpt:https
DROP tcp -- anywhere www-15-05-prn1.facebook.com tcp dpt:https
DROP tcp -- anywhere www-10-05-prn1.facebook.com tcp dpt:https
But https://facebook is still accessible. So please help me to block it.

Last edited by loveulinux; 11-17-2011 at 01:22 PM. Reason: correction
 
Old 11-17-2011, 01:51 PM   #7
ptrivino
Member
 
Registered: May 2008
Location: San Diego CA
Distribution: CentOS
Posts: 34

Rep: Reputation: 5
proxy w/b better

I think eSelix is right; use a more robust URL filter/proxy for this. IIRC Squid is used for this. I work for a major web filter company, and we are able to sell our product because doing this with iptables or firewalls is waaaaay too much maintenance.

HTH - Paul
 
Old 11-17-2011, 03:14 PM   #8
arenasa
LQ Newbie
 
Registered: Oct 2000
Location: Curaçao
Distribution: Fedora, Centos
Posts: 18

Rep: Reputation: 1
You really do need a proxy like Squid. Still, if you use it as a transparent proxy (automatically redirecting HTTP traffic to the proxy), be aware that you cannot redirect HTTPS traffic. Squid could block that traffic as a regular proxy (proxy configuration in every browser/app).
 
Old 11-17-2011, 04:43 PM   #9
jefro
Guru
 
Registered: Mar 2008
Posts: 12,087

Rep: Reputation: 1521
Oops, never mind.

I almost suggested a proxy.pac file, but a smart person could easily get past that.
I almost suggested a hosts file, but I don't think that would work.


One idea. http://forums.untangle.com/21303-post20.html

Last edited by jefro; 11-17-2011 at 04:51 PM.
 
Old 11-17-2011, 05:33 PM   #10
eSelix
Senior Member
 
Registered: Oct 2009
Location: Wroclaw, Poland
Distribution: Arch, Kubuntu
Posts: 1,246

Rep: Reputation: 309
Returning to iptables: there should be more info in the logs, and I suppose more IP addresses; it can be a lot, as Facebook is rather a big company. About your rules: if you made a "-j DROP" rule there is no need to make a "-j REJECT" one; iptables stops matching rules after the first DROP, REJECT or ACCEPT rule that matches.
 
1 members found this post helpful.
  

