Old 10-27-2008, 12:37 AM   #1
sanjee
Member
 
Registered: Jul 2008
Posts: 129

Arrow How can I block HTTPS packets with iptables/Squid?


I have tried with Squid & iptables, but I am unable to block HTTPS packets like Gmail. Please help me regarding the matter. And also, if I want to allow a few URLs for a few systems among the blocked HTTPS packets, how do I do this?
 
Old 10-27-2008, 12:37 PM   #2
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 14,642

Quote:
Originally Posted by sanjee View Post
I have tried with Squid & iptables, but I am unable to block HTTPS packets like Gmail. Please help me regarding the matter. And also, if I want to allow a few URLs for a few systems among the blocked HTTPS packets, how do I do this?
Check Google, or the docs at http://www.squid-cache.org/. From this site:

http://www.linuxquestions.org/questi...-sites-522138/

That has instructions on how to do what you're wanting, or this http://linux.ittoolbox.com/groups/te...server-1608297, which tells you to remove port 443 (the HTTPS port) from your allowed ACLs.

You don't say what you've tried so far, so it's hard to help you.
 
Old 10-29-2008, 02:49 AM   #3
mdKhan_17
LQ Newbie
 
Registered: Oct 2008
Posts: 7

How to block any https packet

Quote:
Originally Posted by sanjee View Post
I have tried with Squid & iptables, but I am unable to block HTTPS packets like Gmail. Please help me regarding the matter. And also, if I want to allow a few URLs for a few systems among the blocked HTTPS packets, how do I do this?
There is nothing to do in the Squid file; you have to give some commands in the iptables firewall file. If you want to block any domain like Gmail, you have to know the whole IP block of Gmail, then give the commands like this:

# -d matches the destination of outbound client traffic (HTTPS is TCP, so -p tcp); eth0 must be the LAN-side interface
iptables -A FORWARD -p tcp -i eth0 -d 66.249.91.83/16 --dport 443 -j DROP
iptables -A OUTPUT -p tcp -d 66.249.91.83/16 --dport 443 -j DROP

and if you want to allow, just write "ACCEPT" in the place of "DROP".

from,
Tiger Khan.

Last edited by mdKhan_17; 10-29-2008 at 02:50 AM. Reason: some problems in writing.
 
Old 10-29-2008, 03:05 AM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by mdKhan_17 View Post
if you want to block any domain like gmail you have to know the whole ip block of gmail
No, you don't - that's kind of the point of using Squid instead of iptables in these cases. Besides, it's not like you really would be able to know every single IP block used by Gmail at any specific moment in time, would you? And can you imagine the amount of innocent services you might unintentionally be filtering by using such a broad approach? The simplest way IMHO to achieve what the OP asked is to edit the ACLs such that the CONNECT method is only allowed for sites which you want HTTPS to work with. For example, say you only want to allow HTTPS for the domain linuxquestions.org:
Code:
acl LQ dstdomain .linuxquestions.org
acl CONNECT method CONNECT
http_access allow CONNECT LQ
http_access deny CONNECT all
Whether you specify port 443 is up to you.

Stuff like this should of course be reinforced with an AUP if possible.

Also, this all implies that users are being forced to use Squid (no SNAT is being done).

Last edited by win32sux; 10-29-2008 at 03:11 AM.
 
Old 10-29-2008, 07:26 AM   #5
sanjee
Member
 
Registered: Jul 2008
Posts: 129

Original Poster
If I'm forcing users to browse the internet through the Squid port, using iptables port redirection rules with a transparent proxy,

....is it possible that this will also block HTTPS packets using the following rules?
"acl LQ dstdomain .linuxquestions.org
acl CONNECT method CONNECT
http_access allow CONNECT LQ
http_access deny CONNECT all"
Because I have tried with iptables port 443 redirection, and it's creating problems for the required HTTPS also. Please suggest.

Last edited by sanjee; 10-29-2008 at 07:28 AM.
 
Old 10-29-2008, 04:52 PM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by sanjee View Post
If I'm forcing users to browse the internet through the Squid port, using iptables port redirection rules with a transparent proxy,

....is it possible that this will also block HTTPS packets using the following rules?
"acl LQ dstdomain .linuxquestions.org
acl CONNECT method CONNECT
http_access allow CONNECT LQ
http_access deny CONNECT all"
Because I have tried with iptables port 443 redirection, and it's creating problems for the required HTTPS also. Please suggest.
Generally speaking, you can't do transparent redirection for HTTPS - only for HTTP.
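The following script is an added example, not code from anyone in this thread. It ties together the two points made in posts #4 and #6: HTTPS is controlled in Squid by limiting the CONNECT method to an allow-list (with a second, wider list for a few specific hosts, which is what the OP asked for), and because port 443 cannot be transparently redirected, the gateway refuses direct HTTPS forwarding from the LAN so that clients have to use the proxy. Everything concrete in it is a placeholder assumption: LAN 192.168.1.0/24 on eth1, Squid listening on port 3128 on the gateway, the "privileged" hosts 192.168.1.10 and 192.168.1.11, and the domain names in the ACLs.

```shell
#!/bin/sh
# Added example (not from the thread). Generates a squid.conf fragment that
# allows CONNECT (HTTPS) only to listed domains, and installs the iptables
# rules that redirect plain HTTP into Squid and refuse direct HTTPS from the
# LAN. All addresses, interfaces, ports and domains are placeholder assumptions.
set -eu

LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth1}"
SQUID_PORT="${SQUID_PORT:-3128}"
IPT="${IPT:-iptables}"   # set IPT=echo to print the rules instead of applying them

# Squid ACL fragment. Squid stops at the first http_access line that matches,
# so the allow lines must come before the final "deny CONNECT"; ACLs on one
# http_access line are ANDed together.
squid_https_acls() {
    cat <<'EOF'
acl localnet src 192.168.1.0/24
acl privileged src 192.168.1.10 192.168.1.11
acl CONNECT method CONNECT
acl SSL_ports port 443
# every host on the LAN may use HTTPS only to these domains
acl https_allowed dstdomain .linuxquestions.org
# a few hosts additionally get HTTPS to these domains
acl https_privileged dstdomain .mail.example.com
http_access deny CONNECT !SSL_ports
http_access allow CONNECT localnet https_allowed
http_access allow CONNECT privileged https_privileged
http_access deny CONNECT
http_access allow localnet
http_access deny all
EOF
}

# Firewall rules on the gateway.
firewall_rules() {
    # Plain HTTP from the LAN is transparently redirected into Squid.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # Direct HTTPS from the LAN is refused with a reset so browsers fail fast;
    # HTTPS sites are reachable only through the proxy, where the CONNECT
    # ACLs above decide.
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 443 \
        -j REJECT --reject-with tcp-reset
    # The LAN may talk to the proxy port on this box.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

case "${1:-}" in
    squid) squid_https_acls ;;   # print the fragment to paste into squid.conf
    apply) firewall_rules ;;     # install the iptables rules
esac
```

Run it as `sh script.sh squid` to print the Squid fragment and `IPT=echo sh script.sh apply` to see the iptables commands without touching the firewall. Gmail is not in either dstdomain list, so CONNECT to it is denied for everyone; clients that try to bypass the proxy get a TCP reset from the FORWARD rule instead of a hanging connection. Because HTTPS is not redirected, browsers on the LAN must be configured (manually or via PAC/WPAD) to use the proxy, which is the condition post #4 states.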
 
  

