LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   iptables to block 443 port except for partcular sites (http://www.linuxquestions.org/questions/linux-security-4/iptables-to-block-443-port-except-for-partcular-sites-774672/)

crackyblue 12-10-2009 02:28 AM
iptables to block 443 port except for partcular sites
 
Hi,

I am very frustrated on my network especially those laptops that are connected to the school wifi. Each laptop can now bypass my filtering system using ultrasurf on https tunneling to proxy sites.

Is it possible that i can block 443 except for the site i want to go through? Here is my script but it seems its not working (or perhaps none havent used ultrasurf yet thats why theres no log)

#List of valid site ip addresses allowed to use port 443 (https)
ENABLEULTRA=1
if [ $ENABLEULTRA = 1 ]; then
SITE="/etc/rc.d/validsites" #sites that are deemed valid
$IPT -N ULTRABLOCK
$IPT -I ULTRABLOCK -p tcp -m tcp --dport 443 -m state --state INVALID -j LOG --log-prefix "Suspected UltraSurf: "
$IPT -I ULTRABLOCK -p tcp -m tcp --dport 443 -j ULTRABLOCK
if [ -e $SITE ]; then
while read IP; do
$IPT -I ULTRABLOCK -p tcp -m tcp -d $IP --destination-port 443 -j ACCEPT
done < $SITE
$IPT -I ULTRABLOCK -j DROP
else
echo "No file detected for ULTRABLOCK..."
fi

fi

Thank you very much on looking at my script, please comment...

win32sux 12-10-2009 06:25 AM
Quote:
Originally Posted by crackyblue (Post 3786335)
I am very frustrated on my network especially those laptops that are connected to the school wifi. Each laptop can now bypass my filtering system using ultrasurf on https tunneling to proxy sites.

Is it possible that i can block 443 except for the site i want to go through? Here is my script but it seems its not working (or perhaps none havent used ultrasurf yet thats why theres no log)

#List of valid site ip addresses allowed to use port 443 (https)
ENABLEULTRA=1
if [ $ENABLEULTRA = 1 ]; then
SITE="/etc/rc.d/validsites" #sites that are deemed valid
$IPT -N ULTRABLOCK
$IPT -I ULTRABLOCK -p tcp -m tcp --dport 443 -m state --state INVALID -j LOG --log-prefix "Suspected UltraSurf: "
$IPT -I ULTRABLOCK -p tcp -m tcp --dport 443 -j ULTRABLOCK
if [ -e $SITE ]; then
while read IP; do
$IPT -I ULTRABLOCK -p tcp -m tcp -d $IP --destination-port 443 -j ACCEPT
done < $SITE
$IPT -I ULTRABLOCK -j DROP
else
echo "No file detected for ULTRABLOCK..."
fi

fi
Isn't that chain supposed to be the FORWARD chain instead? Otherwise, you're jumping to the same chain where the jump occurs. Also, the -I below should be an -A otherwise nothing will ever hit any of the ACCEPT rules.

BTW, this sort of stuff is usually a bad idea to do with iptables for several reasons. For example, you might not know all the IPs a site uses, and even if you did they could change at any time. Squid is a much better tool for this job.

crackyblue 12-11-2009 12:10 AM
Quote:
Originally Posted by win32sux (Post 3786560)
Isn't that chain supposed to be the FORWARD chain instead? Otherwise, you're jumping to the same chain where the jump occurs. Also, the -I below should be an -A otherwise nothing will ever hit any of the ACCEPT rules.

BTW, this sort of stuff is usually a bad idea to do with iptables for several reasons. For example, you might not know all the IPs a site uses, and even if you did they could change at any time. Squid is a much better tool for this job.
Thanks for that, its working now. Well i have already imposed it already on squid, and its perfectly blocking ultrasurf using urlfilterdb but only when proxy is in non-transparent mode. And since i am in transparent mode, so i worked a way without reconfiguring 1000 workstations.. laziness falls in for now.. :)

i managed also add sites using domain names instead of ip addresses... and it worked fine.. let you know how it is going...

win32sux 12-11-2009 04:07 AM
Quote:
Originally Posted by crackyblue (Post 3787401)
Thanks for that, its working now. Well i have already imposed it already on squid, and its perfectly blocking ultrasurf using urlfilterdb but only when proxy is in non-transparent mode. And since i am in transparent mode, so i worked a way without reconfiguring 1000 workstations.. laziness falls in for now.. :)
Heh, okay. Of course, you could always automate that if you really wanted to.

crackyblue 12-11-2009 08:58 PM
Quote:
Originally Posted by win32sux (Post 3787576)
Heh, okay. Of course, you could always automate that if you really wanted to.
Nah, done that already. ultrasurf will change your proxy settings to 127.0.0.1 port 9666. so basically it will be useless to fend off ultrasurf program.

win32sux 12-12-2009 05:15 AM
Quote:
Originally Posted by crackyblue (Post 3788455)
Nah, done that already. ultrasurf will change your proxy settings to 127.0.0.1 port 9666. so basically it will be useless to fend off ultrasurf program.
WPAD is only meant to allow you to automatically set the proxy configuration on all your clients. That way, you could have Squid run in non-transparent mode, without the need to use iptables for this. Everything would be done with Squid ACLs, and whether or not UltraSurf starts its own proxy on localhost would be irrelevant. So basically, if you did this already and failed, then you did something wrong. Like, perhaps you were still allowing unwanted packets to be forwarded, for example.

jlcerezo 03-28-2010 09:53 AM
hi win32sux! it seems that you have been able to block ultrasurf using squid, even it runs in secured port. My squid config need some tweaking to block utrasurf. I hope you can help me. I will post asap my iptables config and some part of squid.conf..


All times are GMT -5. The time now is 10:23 AM.