LinuxQuestions.org, Linux - Security forum
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-10-2009, 02:28 AM   #1
crackyblue
LQ Newbie
 
Registered: Sep 2007
Posts: 25

Rep: Reputation: 15
Question: iptables to block port 443 except for particular sites


Hi,

I am very frustrated with my network, especially the laptops that are connected to the school Wi-Fi. Each laptop can now bypass my filtering system using UltraSurf, which tunnels over HTTPS to proxy sites.

Is it possible to block port 443 except for the sites I want to allow through? Here is my script, but it seems it's not working (or perhaps nobody has used UltraSurf yet, which is why there is no log entry).

#List of valid site ip addresses allowed to use port 443 (https)
# $IPT is assumed to hold the path to the iptables binary (set earlier in the script)
ENABLEULTRA=1
if [ $ENABLEULTRA = 1 ]; then
    SITE="/etc/rc.d/validsites" #sites that are deemed valid
    $IPT -N ULTRABLOCK
    $IPT -I ULTRABLOCK -p tcp -m tcp --dport 443 -m state --state INVALID -j LOG --log-prefix "Suspected UltraSurf: "
    $IPT -I ULTRABLOCK -p tcp -m tcp --dport 443 -j ULTRABLOCK
    if [ -e $SITE ]; then
        while read IP; do
            $IPT -I ULTRABLOCK -p tcp -m tcp -d $IP --destination-port 443 -j ACCEPT
        done < $SITE
        $IPT -I ULTRABLOCK -j DROP
    else
        echo "No file detected for ULTRABLOCK..."
    fi
fi

Thank you very much for looking at my script; please comment...
 
Old 12-10-2009, 06:25 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by crackyblue View Post
I am very frustrated with my network, especially the laptops that are connected to the school Wi-Fi. Each laptop can now bypass my filtering system using UltraSurf, which tunnels over HTTPS to proxy sites.

Is it possible to block port 443 except for the sites I want to allow through? Here is my script, but it seems it's not working (or perhaps nobody has used UltraSurf yet, which is why there is no log entry).

#List of valid site ip addresses allowed to use port 443 (https)
# $IPT is assumed to hold the path to the iptables binary (set earlier in the script)
ENABLEULTRA=1
if [ $ENABLEULTRA = 1 ]; then
    SITE="/etc/rc.d/validsites" #sites that are deemed valid
    $IPT -N ULTRABLOCK
    $IPT -I ULTRABLOCK -p tcp -m tcp --dport 443 -m state --state INVALID -j LOG --log-prefix "Suspected UltraSurf: "
    $IPT -I ULTRABLOCK -p tcp -m tcp --dport 443 -j ULTRABLOCK
    if [ -e $SITE ]; then
        while read IP; do
            $IPT -I ULTRABLOCK -p tcp -m tcp -d $IP --destination-port 443 -j ACCEPT
        done < $SITE
        $IPT -I ULTRABLOCK -j DROP
    else
        echo "No file detected for ULTRABLOCK..."
    fi
fi
Isn't that chain supposed to be the FORWARD chain instead? Otherwise, you're jumping to the same chain where the jump occurs. Also, the -I below should be an -A; otherwise nothing will ever hit any of the ACCEPT rules.

BTW, this sort of thing is usually a bad idea to do with iptables, for several reasons. For example, you might not know all the IPs a site uses, and even if you did, they could change at any time. Squid is a much better tool for this job.

Last edited by win32sux; 12-10-2009 at 06:31 AM.
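The corrected chain, written out as a runnable script. This is an added example, not code from the original post: it assumes this machine is the LAN's gateway (so client traffic crosses FORWARD), that $IPT points at the iptables binary, and that the allow-list file holds one destination IP or CIDR per line. Setting IPT="echo iptables" prints the rules instead of loading them, which is how the rule order can be checked without root. If a hostname is put in the list, iptables resolves it once at insert time, which is exactly the IP-change problem mentioned above.

```shell
#!/bin/sh
# Corrected ULTRABLOCK chain: jump from FORWARD, append with -A.
# Added example, not from the original post. Assumptions not stated in the
# thread: this box is the LAN gateway (client traffic crosses FORWARD);
# IPT is the iptables binary (IPT="echo iptables" gives a dry run);
# SITE holds one destination IP/CIDR per line, '#' lines are comments.
IPT="${IPT:-/sbin/iptables}"
SITE="${SITE:-/etc/rc.d/validsites}"

ultrablock_setup() {
    sitefile="${1:-$SITE}"
    if [ ! -r "$sitefile" ]; then
        echo "No file detected for ULTRABLOCK..." >&2
        return 1
    fi

    # Create the chain; flush it so re-running the script does not stack rules.
    $IPT -N ULTRABLOCK 2>/dev/null
    $IPT -F ULTRABLOCK

    # Jump from FORWARD (not from ULTRABLOCK itself) for new TCP/443 flows.
    $IPT -A FORWARD -p tcp --dport 443 -m state --state NEW -j ULTRABLOCK

    # Append (-A) so the ACCEPT rules sit above the final DROP. With -I the
    # DROP added last would land at the top and shadow every ACCEPT.
    while read -r ip; do
        case "$ip" in ''|"#"*) continue ;; esac   # skip blanks and comments
        $IPT -A ULTRABLOCK -p tcp -d "$ip" --dport 443 -j ACCEPT
    done < "$sitefile"

    # Anything else to 443 is logged (rate-limited) and dropped.
    $IPT -A ULTRABLOCK -p tcp --dport 443 -m limit --limit 5/min \
        -j LOG --log-prefix "Suspected UltraSurf: "
    $IPT -A ULTRABLOCK -j DROP
}
```

Run it as root with the real allow-list, or with IPT="echo iptables" first and read the printed rules top to bottom: the jump is in FORWARD, every ACCEPT precedes the LOG and DROP, and nothing is inserted with -I.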
 
Old 12-11-2009, 12:10 AM   #3
crackyblue
LQ Newbie
 
Registered: Sep 2007
Posts: 25

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by win32sux View Post
Isn't that chain supposed to be the FORWARD chain instead? Otherwise, you're jumping to the same chain where the jump occurs. Also, the -I below should be an -A; otherwise nothing will ever hit any of the ACCEPT rules.

BTW, this sort of thing is usually a bad idea to do with iptables, for several reasons. For example, you might not know all the IPs a site uses, and even if you did, they could change at any time. Squid is a much better tool for this job.
Thanks for that, it's working now. Well, I have already imposed it on Squid, and it perfectly blocks UltraSurf using urlfilterdb, but only when the proxy is in non-transparent mode. Since I am in transparent mode, I worked out a way to do it without reconfiguring 1000 workstations... laziness sets in for now...

I also managed to add sites using domain names instead of IP addresses, and it worked fine. I'll let you know how it is going...
 
Old 12-11-2009, 04:07 AM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by crackyblue View Post
Thanks for that, it's working now. Well, I have already imposed it on Squid, and it perfectly blocks UltraSurf using urlfilterdb, but only when the proxy is in non-transparent mode. Since I am in transparent mode, I worked out a way to do it without reconfiguring 1000 workstations... laziness sets in for now...
Heh, okay. Of course, you could always automate that if you really wanted to.

Last edited by win32sux; 12-11-2009 at 04:30 AM.
 
Old 12-11-2009, 08:58 PM   #5
crackyblue
LQ Newbie
 
Registered: Sep 2007
Posts: 25

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by win32sux View Post
Heh, okay. Of course, you could always automate that if you really wanted to.
Nah, done that already. UltraSurf will change your proxy settings to 127.0.0.1 port 9666, so basically it will be useless for fending off the UltraSurf program.
 
Old 12-12-2009, 05:15 AM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by crackyblue View Post
Nah, done that already. UltraSurf will change your proxy settings to 127.0.0.1 port 9666, so basically it will be useless for fending off the UltraSurf program.
WPAD is only meant to allow you to automatically set the proxy configuration on all your clients. That way, you could have Squid run in non-transparent mode, without the need to use iptables for this. Everything would be done with Squid ACLs, and whether or not UltraSurf starts its own proxy on localhost would be irrelevant. So basically, if you did this already and failed, then you did something wrong. Perhaps you were still allowing unwanted packets to be forwarded, for example.

Last edited by win32sux; 12-12-2009 at 05:19 AM.
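What the proxy-only layout described above looks like on the gateway, as an added example (not from the thread): clients are pointed at Squid by WPAD, the gateway accepts connections to the Squid port, and the FORWARD chain refuses any direct HTTP/HTTPS from the LAN, so a program that rewrites the browser's proxy to 127.0.0.1:9666 has no direct path out either and is left with whatever Squid's ACLs permit. The interface, subnet and port values are assumed, and the Squid ACL lines in the comment are illustrative, not the poster's configuration.

```shell
#!/bin/sh
# Gateway rules that force LAN web traffic through a non-transparent Squid
# running on this box, so the allow-list is enforced by Squid ACLs, e.g.
#   acl allowed_https dstdomain .example.edu
#   http_access deny CONNECT !allowed_https
# Added example, not from the thread. Assumed values (not in the thread):
# LAN_IF, LAN_NET, PROXY_PORT. IPT="echo iptables" gives a dry run.
IPT="${IPT:-/sbin/iptables}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PROXY_PORT="${PROXY_PORT:-3128}"

proxy_only_setup() {
    # Clients (pointed at the proxy by WPAD) may reach Squid on the gateway.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" \
        -m state --state NEW -j ACCEPT

    # Nothing from the LAN is forwarded straight to HTTP/HTTPS. Squid itself
    # opens the outbound connections from the gateway (OUTPUT chain), which
    # these FORWARD rules do not touch. Log bypass attempts, rate-limited,
    # then reset them so the client fails fast instead of hanging.
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 \
        -m state --state NEW -m limit --limit 5/min \
        -j LOG --log-prefix "Direct web bypass: "
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 \
        -j REJECT --reject-with tcp-reset
}
```

These rules assume the usual ESTABLISHED,RELATED accept rules are already in place for return traffic; they only decide which new connections the LAN may open.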
 
Old 03-28-2010, 09:53 AM   #7
jlcerezo
LQ Newbie
 
Registered: Dec 2009
Location: Manila, Philippines
Distribution: Fedora, RHL, Ubuntu, Debian
Posts: 10

Rep: Reputation: 0
Hi win32sux! It seems that you have been able to block UltraSurf using Squid, even when it runs on a secured port. My Squid config needs some tweaking to block UltraSurf. I hope you can help me. I will post my iptables config and part of my squid.conf ASAP.
 
  

