Community Forum

Hi people,
I have something to share with you all... a day before, I got a request to block a particular site over HTTPS. I tried using Squid but had no luck... on reading through different topics I realized HTTPS does not go through Squid; it simply bypasses Squid, so trying to block HTTPS with Squid was worthless.
Moving on, I tried blocking with iptables using the pattern below:
iptables -I OUTPUT -p tcp -d facebook.com --dport 443 -j DROP   # OUTPUT chain: only matches packets the gateway itself originates

It didn't work either... I don't know what exactly the problem was.
Then I tried blocking in the nat table, before NAT, using the pattern below:
iptables -t nat -I PREROUTING -m tcp -p tcp -d www.facebook.com --dport 443 -j DROP

Guess what, it worked... I even customized it a bit more with more commands:
iptables -t nat -I PREROUTING -m tcp -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 80 -j DROP
iptables -t nat -I PREROUTING -m tcp -p tcp -d 66.220.147.22 --dport 80 -j DROP
iptables -t nat -I PREROUTING -m tcp -p tcp -d 66.220.147.22 --dport 443 -j DROP
iptables -t nat -I PREROUTING -m tcp -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 443 -j DROP

I even blocked port 80 using iptables rather than using the content filter... let me add one more thing: I am not sure, but I think content filtering does not work with HTTPS. Please correct me if I am wrong...

Finally I was able to block the whole Facebook domain for both HTTP and HTTPS requests.
After permanently adding the above commands to
/etc/rc.d/rc.firewall.local
and restarting the firewall, I need not worry about my commands being flushed.
Now I am able to block Facebook like a charm... it was really fun blocking it. The same procedure can be used to block any particular domain.
For blocking HTTPS for all domains one can use a simpler method using protocol filtering.
The above method is for blocking a particular domain.
Hope this thread helps people who are looking to block HTTPS for a particular domain.

~prahmod
Thursday, August 19 2010, 07:02 AM
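An added example, not code from the post above: a small POSIX shell script that resolves a domain to its current IPv4 addresses and prints the iptables rules to block it for LAN clients. Two points distinguish it from the commands in the post. The rules go in the filter table's FORWARD chain, because OUTPUT only matches packets the gateway itself originates and the nat table is consulted only for a connection's first packet; and the rules live in their own chain that is flushed and refilled on each run, because a name like facebook.com maps to many addresses that change over time, so a hand-typed address list goes stale. The chain name BLOCK_DOMAIN, the default REJECT target, and the availability of getent(1) and of iptables -C (1.4.11 or later) are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): print iptables rules that block
# one domain on chosen TCP ports for traffic the gateway forwards for LAN clients.
# Differences from the commands in the thread:
#  - Rules go in the filter table's FORWARD chain. OUTPUT only matches packets
#    the gateway itself originates, and the nat table is consulted only for a
#    connection's first packet, so neither is the conventional place to filter.
#  - A dedicated chain is flushed and refilled on every run, so re-running after
#    the domain's addresses change does not pile up stale rules.
#  - Every resolved address is validated before it is interpolated into a
#    command line. Assumes getent(1) and iptables with -C (1.4.11 or later).

CHAIN=BLOCK_DOMAIN                                              # assumed chain name
BLOCK_TARGET="${BLOCK_TARGET:-REJECT --reject-with tcp-reset}"  # or DROP, as in the thread

# is_ipv4 ADDR: succeed only for a plain dotted-quad IPv4 address.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;   # rejects spaces, newlines, option-looking text
    esac
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1
            exit 0
        }'
}

# resolve_ipv4 NAME: current IPv4 addresses of NAME, one per line.
resolve_ipv4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# preamble: create (or flush) the chain and hook it into FORWARD exactly once.
preamble() {
    printf 'iptables -N %s 2>/dev/null || true\n' "$CHAIN"
    printf 'iptables -F %s\n' "$CHAIN"
    printf 'iptables -C FORWARD -j %s 2>/dev/null || iptables -I FORWARD -j %s\n' "$CHAIN" "$CHAIN"
}

# rules_for_ip ADDR PORT...: one rule per port for ADDR.
rules_for_ip() {
    ip=$1; shift
    for port in "$@"; do
        printf 'iptables -A %s -p tcp -d %s --dport %s -j %s\n' "$CHAIN" "$ip" "$port" "$BLOCK_TARGET"
    done
}

# build_rules PORT...: read addresses on stdin, skip anything that is not a
# valid IPv4 address (a garbled or poisoned resolver answer must not reach the
# shell), print the rules. Fails if no usable address was seen.
build_rules() {
    n=0
    while read -r ip; do
        if is_ipv4 "$ip"; then
            rules_for_ip "$ip" "$@"
            n=$((n + 1))
        else
            printf 'skipping invalid address: %s\n' "$ip" >&2
        fi
    done
    [ "$n" -gt 0 ]
}

# Usage: sh block_domain.sh facebook.com [port ...]   (default ports: 80 443)
# Review the output first, then apply it with:  sh block_domain.sh facebook.com | sh
main() {
    domain=$1; shift
    [ $# -gt 0 ] || set -- 80 443
    preamble
    resolve_ipv4 "$domain" | build_rules "$@"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

The script only prints commands, so it can be run as a cron job whose output is reviewed or piped to sh; because the chain is flushed before being refilled, a scheduled re-run tracks address changes without accumulating rules. REJECT with a TCP reset makes browsers fail immediately instead of hanging on a DROP, which is friendlier for users and easier to diagnose.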
Responses (17)
    Wednesday, August 13 2014, 07:31 AM
    Hey guys,

    I saw this video; it is about blocking Facebook and unwanted sites using ClearOS. I think it may be helpful for you people.

    https://www.youtube.com/watch?v=nbt9a80cF-4&list=UUPQqSHaRYdI0iQJMzxz0h8w
    Wednesday, July 23 2014, 10:42 AM
    I would advise going through the documentation. To enforce your own ruleset you will have to create a new file, or append your rule to an existing one, in /etc/suricata/rules/.

    To activate the file containing your ruleset you will also have to list its file name in suricata.yaml under the rule-files directive.

    I hope it helps.
    Wednesday, July 23 2014, 10:36 AM
    Thanks for the quick reply.

    I have installed Suricata with all dependencies on my system,
    but I don't know exactly which file I have to change.
    So can you please suggest what exactly I have to do?
    Wednesday, July 23 2014, 09:52 AM
    Yes, you can, and it works. You should give it a try, but you will have to fulfil lots of dependencies.
    Wednesday, July 23 2014, 06:04 AM
    @Pramod Giri
    Thanks for the reply.

    I read the Suricata installation guide, but I want to know:
    can I install Suricata on ClearOS?

    Thanks,
    Karniv Patel
    Friday, July 18 2014, 06:09 PM
    Hi there,
    I would suggest Suricata if you want to block HTTPS pages in a cleaner way. It really provides a good way of detecting the page by looking at the digital certificate during the SSL handshake, because after the SSL handshake it is really tough to detect the website and also difficult to block.

    Using Squid to block HTTPS is not a good idea, and you often have to do dirty stuff like MITM, which in most cases is not legal and can have serious privacy concerns.

    But Suricata provides a clean way of detecting and taking action against those pages; you should have a look, it's an interesting tool.
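An added example, not from any post in this thread and not ClearOS or Suricata project code: two rules in Suricata's own rule syntax that do what the reply above describes, acting on the TLS handshake rather than on the encrypted payload. The first matches the server name the client sends in the ClientHello (SNI), which is readable without any decryption or MITM; the second is a fallback for clients that send no SNI and matches the subject of the certificate the server returns. Assumptions: Suricata 4.1 or later keyword names (tls.sni, tls.cert_subject), an inline/IPS deployment (in IDS mode a drop rule only alerts), a rules file such as /etc/suricata/rules/local.rules listed under rule-files in suricata.yaml as the July 23 reply explains, and the sid range 1000001 and up for local rules.

```suricata
# Added example (not from the thread). Assumes Suricata >= 4.1 keywords and IPS mode.
# Rule 1: block by the server name the client sends. isdataat:!1,relative requires the
# buffer to end right after the match, so "facebook.com" matches www.facebook.com but
# not facebook.com.example.net (it still matches any name ending in facebook.com).
drop tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"POLICY facebook.com blocked by TLS SNI"; flow:to_server,established; tls.sni; content:"facebook.com"; nocase; isdataat:!1,relative; classtype:policy-violation; sid:1000001; rev:1;)

# Rule 2: fallback on the server certificate subject for clients that send no SNI.
# The certificate comes from the server, so this rule faces the other direction.
drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY facebook.com blocked by certificate subject"; flow:to_client,established; tls.cert_subject; content:"CN=*.facebook.com"; nocase; classtype:policy-violation; sid:1000002; rev:1;)
```

Two caveats a practitioner should keep in mind: in TLS 1.3 the server certificate is encrypted, so the second rule only helps for TLS 1.2 and older connections; and because the first rule is a suffix match, a domain name that merely ends in facebook.com would also be blocked, so list the exact names you intend rather than relying on one short string.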
    Friday, July 18 2014, 06:02 AM
    Hello,

    I am really stuck here. Can anyone help me, please?

    Thanks
    Karniv Patel
    Tuesday, July 15 2014, 01:49 PM
    Hello to all,

    Please help me sort out this issue.

    I want to block social networking sites like Facebook, YouTube, etc.

    My setup is:
    1)
    Gateway -> Web Proxy -> Settings
    Transparent Mode: Disabled
    User Authentication: Enabled

    I also added all useful sites under Content Filter -> Exception Sites,
    but it's not working.

    2)
    I also changed /etc/squid/squid.conf:

    acl special_clients src "/etc/squid/special_client_ips.txt"
    acl facebook dstdomain .facebook.com

    Under http_access:

    http_access allow facebook special_clients
    http_access deny facebook
    http_access allow all

    service squid restart

    But it doesn't work.

    3)
    I have also configured the egress firewall, but it blocks all HTTPS (443) traffic, and I want to allow some HTTPS sites.
    How is that possible?

    Did I miss anything? Is there a configuration problem? Please let me know.
    Any help would be appreciated.

    Thanks in advance,

    Karniv Patel
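An added example, not the poster's configuration and not the file ClearOS generates: the Squid ACL set for an explicit (non-transparent) proxy that blocks the listed domains for everyone except the special clients. The file name /etc/squid/special_client_ips.txt is taken from the post above; the ACL names, the domain list and the position of the lines are assumptions. It only applies when browsers are configured to use the proxy, as in the setup described (transparent mode disabled): in transparent mode port 443 is not redirected to Squid at all, so HTTPS never reaches these rules.

```squid
# Added example (not from the thread). Explicit proxy: the browser sends
# "CONNECT www.facebook.com:443" and dstdomain matches that host, so the site can be
# refused by name with no TLS interception. Squid evaluates http_access lines in
# order and stops at the first match, so these must come BEFORE any
# "http_access allow" that admits LAN or authenticated users.

acl special_clients src "/etc/squid/special_client_ips.txt"
acl blocked_sites dstdomain .facebook.com .youtube.com   # leading dot = all subdomains

http_access allow special_clients blocked_sites   # exceptions first
http_access deny blocked_sites                    # everyone else is refused
# ... the existing allow rules for authenticated / local users follow here
```

After editing, `squid -k parse` checks the syntax and `squid -k reconfigure` reloads it; a deny shows up in access.log as TCP_DENIED/403 for the CONNECT request. If the running squid.conf is regenerated from the web interface, hand edits are overwritten, which is one reason a rule that looks correct can silently stop applying.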
    kaustuva
    Wednesday, January 11 2012, 09:50 PM
    You are right... we can block or redirect port 443 for all, but in some exceptional cases, like some banking sites or Google Apps sites, it is causing problems. Can anyone please suggest further help?

    Thanks and regards
    kaustuva
    Wednesday, June 29 2011, 12:32 PM
    somlith phouangmany wrote:
    Let's try the below; 192.168.0.191 is the bypass IP:

    # ${TONG_P} is the poster's iptables wrapper variable; "! -s" is the current negation syntax
    # (the "-s !" form originally posted is deprecated but means the same thing)
    ${TONG_P} ! -s 192.168.0.191 -d 69.171.0.0/16 -p tcp --dport 443 -j DROP
    ${TONG_P} ! -s 192.168.0.191 -d 66.220.0.0/16 -p tcp --dport 443 -j DROP
    ${TONG_P} ! -s 192.168.0.191 -d 64.208.0.0/16 -p tcp --dport 443 -j DROP
    ${TONG_P} ! -s 192.168.0.191 -d 61.213.0.0/16 -p tcp --dport 443 -j DROP
    ${TONG_P} ! -s 192.168.0.191 -d 96.16.0.0/16 -p tcp --dport 443 -j DROP
    ${TONG_P} ! -s 192.168.0.191 -d 125.56.0.0/16 -p tcp --dport 443 -j DROP
    ${TONG_P} ! -s 192.168.0.191 -d 125.252.0.0/16 -p tcp --dport 443 -j DROP
    ${TONG_P} ! -s 192.168.0.191 -d 210.161.0.0/16 -p tcp --dport 443 -j DROP


    Hey, you are just blocking whole subnets... not all the IPs in those subnets are owned by servers like Facebook or Google; they only have some separate pools within those large subnets...
    The above will block wanted pages as well.
    Why not just try

    iptables -t nat -I PREROUTING -p tcp --dport 443 -j DROP

    ~prahmod