Slackware: This forum is for the discussion of Slackware Linux.
I just set up a Slackware gateway/firewall/proxy/server in a school. It has two NICs and filters all traffic using Squid and Squidguard. So far the filter works very nicely; I only have one minor problem left. Squidguard currently only filters HTTP requests, since setting up HTTPS filtering is a real PITA. Now I have only one single website left to filter, and that's https://www.facebook.com. I thought the best thing would be to block it entirely using iptables. How would I go about that?
(If you wonder why I would block Facebook for students, http://www.facebook.com is still available for all students, but only outside class hours...)
Don't. You don't need to setup https to block by IP address, which is what you'd do in iptables. Just use a dest ip acl in squid. You just need to find all the IP addresses for Facebook.
Yes but no
I could explain why, but it would be long. So let me restate my question. How can I block requests to https://www.facebook.com using iptables?
I'm not sure that you can block by name from iptables, although I could easily be wrong. But I was under the impression that squidguard could do that, and also do it inside certain time periods. You say you are in fact using squidguard - why won't you let it block that particular site ?
(note - I might be confusing squidguard with dansguardian - I have exactly what you want running on my home server, but it's going to be another 8 hours before I get home to check !)
You can't check the destination of an HTTPS connection unless you are proxying the CONNECT HTTP method or transparently decrypting the session.
Thanks for answering my question. I poked around a bit to follow your suggestion as well (apologies for not having explained the details), and now I wonder about the "for each IP address that Facebook uses". I would do this:
Code:
$ dig www.facebook.com
Which returns this:
Code:
;; ANSWER SECTION:
www.facebook.com. 103 IN A 66.220.158.32
;; AUTHORITY SECTION:
facebook.com. 114985 IN NS ns1.facebook.com.
facebook.com. 114985 IN NS ns4.facebook.com.
facebook.com. 114985 IN NS ns2.facebook.com.
facebook.com. 114985 IN NS ns5.facebook.com.
facebook.com. 114985 IN NS ns3.facebook.com.
;; ADDITIONAL SECTION:
ns3.facebook.com. 41 IN A 66.220.151.20
ns4.facebook.com. 1369 IN A 69.63.186.49
ns5.facebook.com. 64 IN A 66.220.145.65
I'm not sure about this, but I'd figure that something as huge as Facebook would use a lot more IP addresses. How would I go about finding all of Facebook's IP addresses?
@acid_kewpie: yeah, I guess I'll follow your advice and use Squid for that. I just figured out that my downloaded blacklist database relies not only on domain names, but also on IP addresses. My mistake.
You can see there that this dig says that you need to go to these GLBs to get an IP address for Facebook which is suitable to your geographical location. You can *never* know you have all the IP addresses.
As far as your blacklist goes, check how it is being used. It would need to be used against a "dst" ACL, not a "dstdomain" ACL.
But then, going from what you've said, what are you doing with HTTPS connections? If they are already just using a CONNECT via the proxy then you can filter on the domain. It's when you're doing transparent stuff that you're SOL.
Last edited by acid_kewpie; 09-06-2011 at 03:24 AM.
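Putting the two points above together (when clients use the proxy explicitly, HTTPS arrives as a CONNECT request and can be matched by domain; an IP-based blacklist needs a dst ACL, not dstdomain), here is an added squid.conf fragment that is not from this thread. The class-hours window, the local subnet and the blacklist file path are assumptions; adjust them to the school's setup.

```conf
# Added example squid.conf fragment (not from this thread). Assumes clients
# are configured to use the proxy explicitly, so HTTPS shows up as CONNECT.

acl localnet src 192.168.1.0/24        # assumed student subnet
acl SSL_ports port 443
acl CONNECT method CONNECT

# dstdomain matches the host name in the CONNECT line; the leading dot
# also matches subdomains (www.facebook.com, m.facebook.com, ...).
acl facebook dstdomain .facebook.com

# Assumed class hours: Monday to Friday, 08:00-16:00 (H = Thursday).
acl class_hours time MTWHF 08:00-16:00

# An IP-based blacklist must be a dst ACL, not dstdomain. The file
# (assumed path) holds one IP address or CIDR range per line.
acl blocked_ips dst "/etc/squid/blacklist_ips.txt"

# Deny the encrypted tunnel to Facebook during class hours only;
# outside that window the rule does not match and access continues below.
http_access deny CONNECT facebook class_hours

# Deny anything aimed at a blacklisted IP regardless of time.
http_access deny blocked_ips

# Usual safety rules come after the site-specific ones.
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```

Check the syntax with `squid -k parse` and apply it with `squid -k reconfigure`; note that a dst ACL costs a DNS lookup per request, so keep the IP list to what the blacklist actually needs.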
Maybe blocking DNS is simpler and less offensive, as blocking IP addresses is similarly ineffective to enthusiastic users (e.g. proxy users).