How can I block HTTPS packets with iptables/Squid?

sanjee · 10-27-2008, 01:37 AM

I have tried with squid & IPTABLES . But unable to block 'https' packate like gmail .Please help me regarding the matter . And also if I want to allow few urls for few systems among blocked https packates , how to do this .

TB0ne · 10-27-2008, 01:37 PM

Quote:

Originally Posted by sanjee

I have tried with squid & IPTABLES . But unable to block 'https' packate like gmail .Please help me regarding the matter . And also if I want to allow few urls for few systems among blocked https packates , how to do this .

Check Google, or the docs at http://www.squid-cache.org/. From this site:

http://www.linuxquestions.org/questi...-sites-522138/

That has instructions on how to do what you're wanting, or this http://linux.ittoolbox.com/groups/te...server-1608297, which tells you to remove port 443 (The https port), from your allowed ACL's.

You don't say what you've tried so far, so its hard to help you.

mdKhan_17 · 10-29-2008, 03:49 AM

Quote:

Originally Posted by sanjee

I have tried with squid & IPTABLES . But unable to block 'https' packate like gmail .Please help me regarding the matter . And also if I want to allow few urls for few systems among blocked https packates , how to do this .

There is nothing to do in squid file you have to give some command in iptables firewall file if you want to block any domain like gmail you have to know the whole ip block of gmail than give the command like this :

iptables -A INPUT -p tcp -i eth0 -s 66.249.91.83/16 --dport 443 -j DROP
iptables -A FORWARD -p udp -i eth0 -s 66.249.91.83/16 --dport 443 -j DROP

and if you want to allow just write ¨ACCEPT¨ in the place of ¨DROP¨.

from,
Tiger Khan.

win32sux · 10-29-2008, 04:05 AM

Quote:

Originally Posted by mdKhan_17

if you want to block any domain like gmail you have to know the whole ip block of gmail

No, you don't - that's kind of the point of using Squid instead of iptables in these cases. Besides, it's not like you really would be able to know every single IP block used by Gmail at any specific moment in time would you? And can you imagine the amount of innocent services you might unintentionally be filtering by using such a broad approach? The simplest way IMHO to achieve what is asked by the OP is to edit the ACLs such that the CONNECT method is only allowed for sites which you want HTTPS to work with. For example, say you only want to allow HTTPS for the domain linuxquestions.org:

Code:

acl LQ dstdomain .linuxquestions.org
acl CONNECT method CONNECT
http_access allow CONNECT LQ
http_access deny CONNECT all

Whether you specify port 443 is up to you.

Stuff like this should of course be reinforced with an AUP if possible.

Also, this all implies that users are being forced to use Squid (no SNAT is being done).

sanjee · 10-29-2008, 08:26 AM

If I m forcing users to browse internet through squid port , using by iptable port redirection rules with transparent proxy.

....is it possible that will block also https packet using following rules
"acl LQ dstdomain .linuxquestions.org
acl CONNECT method CONNECT
http_access allow CONNECT LQ
http_access deny CONNECT all"
Because I have tried with iptables 443 port redirection . And its creating problem for required 'https' also . please suggest.

win32sux · 10-29-2008, 05:52 PM

Quote:

Originally Posted by sanjee

If I m forcing users to browse internet through squid port , using by iptable port redirection rules with transparent proxy.

....is it possible that will block also https packet using following rules
"acl LQ dstdomain .linuxquestions.org
acl CONNECT method CONNECT
http_access allow CONNECT LQ
http_access deny CONNECT all"
Because I have tried with iptables 443 port redirection . And its creating problem for required 'https' also . please suggest.

Generally speaking, you can't do transparent redirection for HTTPS - only for HTTP.