How can I block HTTPS packets with iptables/Squid?
Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have tried with Squid and iptables, but I am unable to block 'https' packets, like Gmail. Please help me regarding the matter. Also, if I want to allow a few URLs for a few systems among the blocked https packets, how do I do this?
There is nothing to do in the Squid file; you have to give some commands in the iptables firewall file. If you want to block any domain like Gmail, you have to know the whole IP block of Gmail, then give commands like this:
# drop HTTPS (TCP/443) towards the whole 66.249.0.0/16 block, both for traffic
# routed through this box (FORWARD, arriving on eth0) and traffic the box
# itself originates (OUTPUT, which has no input interface to match on)
iptables -A FORWARD -p tcp -i eth0 -d 66.249.0.0/16 --dport 443 -j DROP
iptables -A OUTPUT -p tcp -d 66.249.0.0/16 --dport 443 -j DROP
and if you want to allow, just write "ACCEPT" in the place of "DROP".
from,
Tiger Khan.
Last edited by mdKhan_17; 10-29-2008 at 02:50 AM.
Reason: some problems in writing.
Quote:
if you want to block any domain like gmail you have to know the whole ip block of gmail
No, you don't - that's kind of the point of using Squid instead of iptables in these cases. Besides, it's not like you really would be able to know every single IP block used by Gmail at any specific moment in time, would you? And can you imagine the amount of innocent services you might unintentionally be filtering by using such a broad approach? The simplest way IMHO to achieve what is asked by the OP is to edit the ACLs such that the CONNECT method is only allowed for sites which you want HTTPS to work with. For example, say you only want to allow HTTPS for the domain linuxquestions.org:
acl LQ dstdomain .linuxquestions.org
acl CONNECT method CONNECT
http_access allow CONNECT LQ
http_access deny CONNECT all
If I am forcing users to browse the internet through the Squid port, using iptables port redirection rules with a transparent proxy,
... is it possible that it will also block https packets using the following rules?
"acl LQ dstdomain .linuxquestions.org
acl CONNECT method CONNECT
http_access allow CONNECT LQ
http_access deny CONNECT all"
Because I have tried with iptables 443 port redirection, and it is creating problems for the required 'https' also. Please suggest.
Generally speaking, you can't do transparent redirection for HTTPS - only for HTTP.
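The script below is an added example, not code from this thread or from the Squid project. It ties together the two replies above: the Squid ACLs that allow CONNECT (the HTTPS tunnel) only to an allow-list, with a few extra sites for a few named client machines as the OP asked, and the iptables rules that send plain HTTP to Squid transparently but refuse direct HTTPS from the LAN instead of redirecting it. It assumes the script runs on the box that is both the default gateway and the Squid host; the interface name, client network, Squid port, client addresses and domains are all assumed values.

```shell
#!/bin/sh
# Added example (not from the thread). Prints, or with --apply executes, the
# Squid ACL fragment and the iptables rules described in the replies above.
# Every interface, address, port and domain below is an assumption.

LAN_IF="${LAN_IF:-eth1}"               # assumed: interface facing the clients
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed: client network
SQUID_PORT="${SQUID_PORT:-3128}"       # assumed: Squid's http_port

# squid.conf fragment. Squid evaluates http_access lines top to bottom and
# stops at the first match, so the catch-all deny has to stay last.
squid_https_acls() {
    cat <<'EOF'
acl SSL_ports port 443
acl CONNECT method CONNECT
# HTTPS sites every client may reach (assumed example domain)
acl https_allowed dstdomain .linuxquestions.org
# a few workstations that get additional HTTPS sites (assumed addresses)
acl special_clients src 192.168.1.10 192.168.1.11
acl special_https dstdomain .mail.google.com .accounts.google.com
# never tunnel to ports other than 443 (stops CONNECT to SSH, SMTP, ...)
http_access deny CONNECT !SSL_ports
http_access allow CONNECT https_allowed
http_access allow CONNECT special_clients special_https
http_access deny CONNECT
EOF
}

# iptables commands, one per line, so they can be reviewed before they run.
# Port 80 is intercepted (needs "http_port 3128 intercept" in Squid 3.x,
# "transparent" in 2.x). Port 443 is deliberately NOT redirected: Squid
# cannot serve a raw TLS connection, so direct HTTPS from the LAN is rejected
# and browsers must be configured to use the proxy explicitly, which is the
# only place the CONNECT ACLs above can see the destination host name.
# Squid's own outbound 443 traffic leaves via OUTPUT and is unaffected.
firewall_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport 443 -j REJECT --reject-with tcp-reset
EOF
}

# Returns 0 when the final http_access line is the catch-all deny, i.e. no
# allow line is shadowed by it.
squid_acls_well_ordered() {
    [ "$(squid_https_acls | grep '^http_access' | tail -n 1)" = "http_access deny CONNECT" ]
}

# Returns 0 when no rule redirects port 443 into Squid (the mistake that
# broke the OP's allowed HTTPS sites as well).
firewall_never_redirects_443() {
    ! firewall_rules | grep -q -- '--dport 443 .*REDIRECT'
}

main() {
    case "${1:-}" in
        --apply)
            firewall_rules | sh -e ;;          # execute each iptables line
        *)
            printf '# --- squid.conf fragment ---\n'
            squid_https_acls
            printf '# --- iptables commands (use --apply to execute) ---\n'
            firewall_rules ;;
    esac
}

main "$@"
```

Run it without arguments to review both halves, paste the first half into squid.conf and reload Squid, then run it with --apply as root. The reason the OP's port-443 REDIRECT broke the allowed sites too is visible in the design: an explicitly configured browser sends "CONNECT host:443" to the proxy, so the dstdomain ACL has a host name to match, whereas a redirected port-443 connection hands Squid a raw TLS handshake with no such request line. (Later Squid releases can intercept 443 with ssl_bump peek to read the TLS SNI, but that is outside what this thread covers.)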