Linux - Newbie: This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-to's, this is the place!
Hi all,
I am using Ubuntu 11.04. The transparent proxy is working fine, but the iptables rules are not being saved even when I run the iptables-save command, and I am restoring the rules manually from the stored file on every restart.
And I tried to block https for facebook, but it is not accepting the rule and says:
Quote:
iptables v1.4.10:
The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
Try `iptables -h' or 'iptables --help' for more information.
So please help me with how to save the rules permanently and how to block https for facebook using iptables.
Also, you should not use domain names, as iptables translates them internally to IPs, and "www.facebook.com" can have multiple IPs, and you block only one of them. Better is to check which are used and block all of them separately by IP.
iptables rules are not persistent; you need to reload the rules on every boot, so use
Code:
iptables-restore /file/with/rules
in one of the startup files, for example in /etc/rc.local.
Hi, thanks for the reply. As you said, I restored the rules through rc.local. Thank you very much; now the rules are permanently stored. But https://facebook is still accessible: when we log in, by default it tries to redirect to http://facebook.com, and then the user gets "access denied". But if I try https again, he can log in. And whenever he clicks anything after logging in, it is blocked again, since it first redirects to the http port; but if the user puts https in the same URL, then the intended link opens. With your help I could partially restrict https, but not completely. I tried dropping all of the IP addresses below:
Code:
host facebook.com
facebook.com has address 66.220.158.11
facebook.com has address 69.171.224.11
facebook.com has address 69.171.229.11
facebook.com has address 69.171.242.11
facebook.com has address 66.220.149.11
facebook.com mail is handled by 10 smtpin.mx.facebook.com.
https is still opening. So please tell me how to block https access for the above IP addresses.
In your /var/log/syslog you should get usable information after trying to visit facebook.com.
For your purpose it may be better to use a proxy server; it can block by domain names, port numbers, etc. But I have no experience with any, so it would be better to start another thread if you have questions about it.
Thanks for your guidance. https sites never open if the user goes through the browser settings with the proxy server address, but not in transparent mode. Anyway, you could help me in blocking https for facebook. Thank you very much. I will let you know the status by the below command.
I think eSelix is right: use a more robust URL filter/proxy for this. IIRC Squid is used for this. I work for a major web filter company, and we are able to sell our product because doing this with iptables or firewalls is waaaaay too much maintenance.
You really do need a proxy like Squid. Still, if you use it as a transparent proxy (automatically redirecting http traffic to the proxy), be aware that you cannot redirect https traffic. Squid could block that traffic as a regular proxy (proxy configuration in every browser/app).
Returning to iptables, there should be further info in the logs, and I suppose more IP addresses; it can be a lot, as Facebook is rather a big company. About your rules, if you made "-j DROP" there is no need to make "-j REJECT"; iptables stops matching rules after the first DROP, REJECT or ACCEPT rule match.