iptables rule to block https sites

loveulinux · 11-16-2011, 12:54 PM

Hi..All,
I am using ubuntu 11.04, the transparent proxy is working fine but the iptables rules are not saving even I run iptables-save command. And restoring the rules manually from stored file on every restart.
And I tried

Quote:

iptables -t nat -I PREROUTING -m tcp -p tcp -d www.facebook.com --dport 443 -j DROP

to block https for facebook. But it is not accepting the rule and saying

Quote:

iptables v1.4.10:
The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
Try `iptables -h' or 'iptables --help' for more information.

So please help me how to save the rules permanently and how to block https for facebook using iptables

eSelix · 11-16-2011, 01:13 PM

Quote:

The "nat" table is not intended for filtering

So, why you use "nat" table? Use default table "filter":

Code:

iptables -I OUTPUT -m tcp -p tcp -d www.facebook.com --dport 443 -j DROP

Also you should not use domain names, as iptables translates it internally to IP, and "www.facebook.com" can have multiple IPs, and you block only one of them. Better is checking which are used and block all of them separately by IP.

iptables are not persistent, you need to reload rules on every boot, so use

Code:

iptables-restore /file/with/rules

in one of startup files, for example in /etc/rc.local.

loveulinux · 11-16-2011, 01:59 PM

Hi..Thanks for the reply. As you said I did through rc.local to restore the rule. Thank you very much, now the rules are permanently stored. But still https://facebook can accessible but when we log in, by default it will try to redirect to http://facebook.com then the user get access denied. But again if I try https he can log in. And whenever he will click anything after logging in again it will block since it is first redirecting http port but again if the user give https in the same url then the intended link gets open. Although from your help I could avoid little bit for https. But not completely. I tried droping for all of these below ip address
host facebook.com
facebook.com has address 66.220.158.11
facebook.com has address 69.171.224.11
facebook.com has address 69.171.229.11
facebook.com has address 69.171.242.11
facebook.com has address 66.220.149.11
facebook.com mail is handled by 10 smtpin.mx.facebook.com.
still https is opening. So please tell me how to block https access for the above ip addresses.

eSelix · 11-16-2011, 02:52 PM

I think more addresses are used by Facebook. To show which packets are permitted by your firewall add this rule at the end:

Code:

iptables -A OUTPUT -m tcp -p tcp --dport 443 -j LOG --log-prefix "FACEBOOK: "

in your /var/log/syslog you should get usable information after trying to visit facebook.com.

For your purpose maybe better will be using a proxy server, it can block by domain names, port numbers, etc. But I have no experience with any, so better would be starting another thread if you will have questions about it.

loveulinux · 11-16-2011, 09:00 PM

Thanks for you guidance. https sites never opens if the user goes through broowser settings with proxy server address. But not through transparent mode. Anyway you could help me in blocking https for facebook. Thank you verymuch. I let you know the status by the below command.

Code:

iptables -A OUTPUT -m tcp -p tcp --dport 443 -j LOG --log-prefix "FACEBOOK: "

loveulinux · 11-17-2011, 12:21 PM

Hi..Thank you very much you are guiding me a lot
I ran the below command

Code:

iptables -A OUTPUT -m tcp -p tcp --dport 443 -j LOG --log-prefix "FACEBOOK: "

and ran "grep -i FACEBOOK /var/log/syslog > facebook" then less the facebook file it is having many contents. here is the output.

Quote:

Nov 17 23:11:14 ananth kernel: [13031.952297] FACEBOOK: IN= OUT=eth0 SRC=192.168.1.2 DST=118.214.98.110 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=12401 DF PROTO=TCP SPT=42117 DPT=443 WINDOW=1584 RES=0x00 ACK URGP=0
Nov 17 23:11:14 ananth kernel: [13031.992037] FACEBOOK: IN= OUT=eth0 SRC=192.168.1.2 DST=118.214.98.110 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=12402 DF PROTO=TCP SPT=42117 DPT=443 WINDOW=1584 RES=0x00 ACK URGP=0
Nov 17 23:11:38 ananth kernel: [13056.614599] FACEBOOK: IN= OUT=eth0 SRC=192.168.1.2 DST=118.214.98.110 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=21833 DF PROTO=TCP SPT=42114 DPT=443 WINDOW=1002 RES=0x00 ACK FIN URGP=0
Nov 17 23:11:38 ananth kernel: [13056.614763] FACEBOOK: IN= OUT=eth0 SRC=192.168.1.2 DST=118.214.98.110 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=12403 DF PROTO=TCP SPT=42117 DPT=443 WINDOW=1584 RES=0x00 ACK FIN URGP=0
Nov 17 23:11:38 ananth kernel: [13056.614853] FACEBOOK: IN= OUT=eth0 SRC=192.168.1.2 DST=118.214.98.110 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=6336 DF PROTO=TCP SPT=42113 DPT=443 WINDOW=1002 RES=0x00 ACK FIN URGP=0

Although I found only 2 IP as dst. Those are
69.171.228.40
118.214.98.110
Then I ran drop and reject both commands

Quote:

iptables -I OUTPUT -m tcp -p tcp -d 118.214.98.110 --dport 443 -j DROP
iptables -I OUTPUT -m tcp -p tcp -d 118.214.98.110 --dport 443 -j REJECT
iptables -I OUTPUT -m tcp -p tcp -d 69.171.228.40 --dport 443 -j DROP
iptables -I OUTPUT -m tcp -p tcp -d 69.171.228.40 --dport 443 -j REJECT

Here is my iptable -L output

Quote:

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere a118-214.98-110.deploy.akamaitechnologies.com tcp dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere www-15-05-prn1.facebook.com tcp dpt:https reject-with icmp-port-unreachable
DROP tcp -- anywhere a118-214.98-110.deploy.akamaitechnologies.com tcp dpt:https
DROP tcp -- anywhere www-15-05-prn1.facebook.com tcp dpt:https
DROP tcp -- anywhere www-10-05-prn1.facebook.com tcp dpt:https

But still https://facebook is accessible. So please he me to block it.

ptrivino · 11-17-2011, 12:51 PM

I think eSelix is right, use a more robust URL filter-slash-proxy for this. iirc Squid is used for this. I work for a major web filter company and we are able to sell our product because doing this with iptables or firewalls is waaaaay too much maintenance.

HTH - Paul

arenasa · 11-17-2011, 02:14 PM

You do really need a proxy like squid. Still, if you use it as a transparent proxy (Automatically redirecting http traffic to the proxy) be aware that you cannot redirect https traffic. Squid could block that traffic as a regular proxy (Proxy configuration in every browser-app).

jefro · 11-17-2011, 03:43 PM

Opps. nevermind.

I almost suggested a proxy.pac file but a smart person could easily get past that.
Almost suggested a hosts file but I don't think that would work.

One idea. http://forums.untangle.com/21303-post20.html

eSelix · 11-17-2011, 04:33 PM

Returning to iptables, there should be next info in logs, and I suppose more IP adresses, it can be a lot, as Facebook is rather a big company. About your rules, if you made "-j DROP" there is no need to making "-j REJECT", iptables stop matching rules after first DROP, REJECT or ACCEPT rule match.