hi people
got something to share with you all...a day before i got some request of blocking a particular site using https. i tried using squid but had no luck....on reading through different topics i realized https does not go through squid..it simply bypasses squid so trying to block the https with squid was worthless.
then moving on further i tried blocking with iptables using the below pattern
iptables -I OUTPUT -d facebook.com -p tcp --dport 443 -j DROP
it didn't work either.....don't know what exactly was the problem
then later on i tried blocking before nat using the pattern below:
iptables -t nat -I PREROUTING -m tcp -p tcp -d www.facebook.com --dport 443 -j DROP
guess what it worked...i even customized it a bit more using more commands:
iptables -t nat -I PREROUTING -m tcp -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 80 -j DROP
iptables -t nat -I PREROUTING -m tcp -p tcp -d 66.220.147.22 --dport 80 -j DROP
iptables -t nat -I PREROUTING -m tcp -p tcp -d 66.220.147.22 --dport 443 -j DROP
iptables -t nat -I PREROUTING -m tcp -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 443 -j DROP
i even blocked port 80 using iptables rather than using the content filtering....let me add more: i am not sure but i think content filtering does not work with https. please correct me if i am wrong...
finally i was able to block the whole facebook domain using both http and https requests.
and on permanently adding the above commands to
/etc/rc.d/rc.firewall.local
and restarting the firewall i need not worry about my commands being flushed.
Now i am able to block facebook like a charm...it was really fun blocking it. the same procedure can be used to block any particular domain.
for blocking https for all domain one can use a simpler method using the protocol filtering.
the above method is for blocking a particular domain
hope this thread helps to the people who are looking to block https for a particular domain.
~prahmod
In Firewall
Responses (17)
-
Accepted Answer
Hey guys,
I saw this video, it is about blocking facebook and unwanted sites using ClearOS. i think it may be helpful for you people
https://www.youtube.com/watch?v=nbt9a80cF-4&list=UUPQqSHaRYdI0iQJMzxz0h8w -
Accepted Answer
I would advise going through the documentation; to enforce your own ruleset you will have to create or append your rule to an existing or new file, which can be located in /etc/suricata/rules/
And to activate that particular file containing your ruleset you will also have to provide the file name in the file suricata.yaml inside the directive: rule-files
I hope it helps -
Hi there,
I would suggest Suricata if you want to block https pages in a cleaner way. It really provides a good way for detecting the page by looking at the digital certificate during SSL handshaking, because after the SSL handshake it's really tough to detect the website and also difficult to block.
Using squid to block https is not a good idea and you often have to do some dirty stuff like MITM which in most of the cases is not legal and can have serious privacy concerns.
But Suricata provides a clear way of detecting and taking actions against those pages, you should have a look, it's an interesting tool. -
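An added example, not code from the thread or from the Suricata project, that puts the two Suricata replies above (the rules-file and rule-files notes, and the handshake-matching reply) into practice: a small sh script that appends a rule dropping TLS sessions for one domain, refuses to reuse a sid the file already has, and prints the rule-files lines suricata.yaml needs. The rules-file path /etc/suricata/rules/block-domains.rules and the sid 1000001 are assumptions. The reply above describes matching the server certificate, which Suricata's tls.cert_subject buffer does; this rule matches the server name in the Client Hello (tls.sni) instead, which arrives before the certificate and, in TLS 1.3, is the field still visible to the sensor once the certificate is encrypted. The drop action only takes effect in an IPS run mode such as nfq; in IDS mode the same rule only alerts.

```shell
#!/bin/sh
# Added example (not from the thread or the Suricata project).
# Appends a Suricata drop rule for one domain to a rules file, guarding
# against a duplicate sid (Suricata skips the later of two rules with the
# same sid).  Rules-file path and sid are assumptions.

# sid_in_use FILE SID -> succeeds if FILE already holds a rule with that sid
sid_in_use() {
    [ -f "$1" ] && grep -q "sid:$2;" "$1"
}

# write_tls_block_rule FILE DOMAIN SID
# tls.sni is the sticky buffer holding the server name from the Client Hello.
# dotprefix + endswith makes ".facebook.com" match facebook.com and
# www.facebook.com but not notfacebook.com.  Needs Suricata 5.0 or newer for
# the dotprefix transform.
write_tls_block_rule() {
    file="$1"; domain="$2"; sid="$3"
    if sid_in_use "$file" "$sid"; then
        echo "sid $sid already present in $file" >&2
        return 1
    fi
    printf 'drop tls any any -> any any (msg:"Blocked TLS to %s"; tls.sni; dotprefix; content:".%s"; endswith; nocase; sid:%s; rev:1;)\n' \
        "$domain" "$domain" "$sid" >> "$file"
}

# rule_files_snippet FILE -> the suricata.yaml lines that load FILE
rule_files_snippet() {
    printf 'rule-files:\n  - %s\n' "$1"
}

# Usage (assumed path): write the rule, then show what to put in suricata.yaml
RULES_FILE=${RULES_FILE:-/etc/suricata/rules/block-domains.rules}
write_tls_block_rule "$RULES_FILE" facebook.com 1000001 && rule_files_snippet "$RULES_FILE"
```

Reload the rules afterwards (for example with suricatasc's reload-rules command, or by restarting the service) and confirm in the Suricata log that the file loaded with no "duplicate signature" warning.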
Hello to all,
Please help me to sort out in this issue.
I want to block social networking sites like facebook, YouTube, etc...
My setup is:
1)
Gateway---Web Proxy----Setting
Transparent Mode---Disabled
User Authentication--- Enabled
also i add all useful sites in Content filter-----Exception Sites
But it's not working.
2)
I am also changing in /etc/squid/squid.conf file
acl special_clients src "/etc/squid/special_client_ips.txt"
acl facebook dstdomain .facebook.com
Under http access
http_access allow facebook special_clients
http_access deny facebook
http_access allow all
service squid restart
But it doesn't work.
3)
I have also configured the Egress firewall but it blocks all https (443) traffic, and i want to allow some https sites.
How is it possible?
Do i miss anything? Is there any configuration problem? Please let me know.
Any help would be appreciated.
Thanks in advance,
Karniv Patel -
somlith phouangmany wrote:
let's try below 192.168.0.191 ( by pass ip)
${TONG_P} -s ! 192.168.0.191 -d 69.171.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 66.220.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 64.208.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 61.213.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 96.16.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 125.56.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 125.252.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 210.161.0.0/16 -p tcp --dport 443 -j DROP
Hey you are just blocking the whole subnet...Not all the subnet IPs are owned by the server like facebook or google. they only have some different pool within those large subnets...
the above will just block the wanted pages also.
why not just try
$ iptables -t nat -I PREROUTING -p tcp --dport 443 -j DROP
~prahmod -
let's try below 192.168.0.191 ( by pass ip)
${TONG_P} -s ! 192.168.0.191 -d 69.171.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 66.220.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 64.208.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 61.213.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 96.16.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 125.56.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 125.252.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 210.161.0.0/16 -p tcp --dport 443 -j DROP -
somlith phouangmany wrote:
${TONG_D} -p tcp --dport 443 -j REDIRECT --to-port 3128 > /dev/null
${TONG_B} -p tcp --dport 443 -j REDIRECT --to-port 3128
Haven't checked that without content filtering but on using content filtering and redirecting to port 8080 would cause an SSL error in most of the pages but http works fine; the problem occurs with most https in firefox...
so i would not recommend that on a production environment..
~prahmod -
Pramod Giri wrote:i am not sure but i think content filtering does not work with https.please correct me if i am wrong...
That is correct. Because HTTPS is encrypted, Dansguardian cannot look inside of those requests and responses, so it cannot apply filtering.
I'm on the Dansguardian email list, and this was discussed recently. -
Also, if the url is always https://facebook.com you could put that in your hosts file on ClearOS and point it to 127.0.0.1. You may also need entries for https://www.facebook.com and the http equivalents. This will cause the lookups to fail. It won't block direct IP access (or if someone is really cute they could then edit their local hosts file and add valid IPs back in to the blocked URLs).
[edit] I am getting completely different IPs for facebook.com and www.facebook.com. For www.facebook.com I am getting 66.220.149.18 and a whois gives a whole range of 66.220.144.0/20. The firewall rules posted above only picked up one IP in this range. Also note that you can use this address form with the -d so you can do "-d 69.63.176.0/20" instead of "iprange --dst-range 69.63.176.0-69.63.191.255". I would also drop any reference to the port and protocol. It simplifies the rules and makes them more encompassing. Try:
iptables -t nat -I PREROUTING -d 69.63.176.0/20 -j DROP
iptables -t nat -I PREROUTING -d 66.220.144.0/20 -j DROP
[/edit] -
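An added example, not code from the thread, that serves both the first post's rule set (the iprange and single-host rules that go into /etc/rc.d/rc.firewall.local) and the reply just above (the /20 prefixes and the observation that the earlier rules only caught one address in the 66.220.144.0/20 range). It is plain POSIX sh with no iptables calls, so it can be run as an audit before touching the firewall: it converts an iprange to the equivalent prefix, checks whether a given destination address falls inside any prefix on the block list, and prints the simplified rules. The block list and the addresses checked are the ones quoted in the thread; the script name audit.sh is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread.  POSIX sh helpers that check which
# destination addresses a list of iptables "-d NET/PREFIX" rules covers, so a
# block list can be audited before it goes into rc.firewall.local.
# Prefixes and addresses below are the ones quoted in the thread.

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains NET/PREFIX IP -> succeeds if IP lies inside the prefix
cidr_contains() {
    c_net=${1%/*}; c_plen=${1#*/}
    c_mask=$(( (4294967295 << (32 - c_plen)) & 4294967295 ))
    [ $(( $(ip2int "$c_net") & c_mask )) -eq $(( $(ip2int "$2") & c_mask )) ]
}

# range_to_cidr FIRST LAST -> the one prefix covering exactly that range
# (the first post's 69.63.176.0-69.63.191.255 is 69.63.176.0/20); fails when
# the range is not prefix-aligned, in which case no single "-d" rule is
# equivalent and iprange, or several prefixes, is still needed
range_to_cidr() {
    r_first=$(ip2int "$1"); r_last=$(ip2int "$2")
    r_size=$(( r_last - r_first + 1 ))
    r_plen=32; r_span=1
    while [ "$r_span" -lt "$r_size" ]; do
        r_span=$(( r_span * 2 )); r_plen=$(( r_plen - 1 ))
    done
    [ "$r_span" -eq "$r_size" ] && [ $(( r_first % r_span )) -eq 0 ] || return 1
    echo "$1/$r_plen"
}

# Constructed block list in the simplified "-d NET/PREFIX" form
BLOCKED_NETS="69.63.176.0/20 66.220.144.0/20"

# is_blocked IP -> prints the prefix that drops it, or fails if none does
is_blocked() {
    for net in $BLOCKED_NETS; do
        if cidr_contains "$net" "$1"; then
            echo "$net"
            return 0
        fi
    done
    return 1
}

# emit_rules -> the iptables commands for the list; with no -p/--dport one
# rule per prefix covers both port 80 and port 443
emit_rules() {
    for net in $BLOCKED_NETS; do
        echo "iptables -t nat -I PREROUTING -d $net -j DROP"
    done
}

# Usage: sh audit.sh  (prints the rules, then checks some observed addresses)
emit_rules
for ip in 66.220.147.22 66.220.149.18 66.220.160.1; do
    if is_blocked "$ip" >/dev/null; then echo "$ip: dropped"; else echo "$ip: NOT covered"; fi
done
```

Run the address check against whatever your own resolver returns for the domain (nslookup, as the last reply in the thread suggests); an address that comes back "NOT covered" is one the rule set will let through, and the whois for that address gives the prefix to add.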
facebook has lots of domains and the above is what i queried my dns servers and found for facebook domains...so maybe these domains are not enough in your area...your dns server may be issuing a new facebook domain...so you should just nslookup the facebook domain and query whois..and add commands as above with the newly gained ip address...
i am sure in your case it is blocking some facebook requests but it is still opening due to the unblocked new facebook domains which your dns server is issuing in your area..try blocking those ip domains
~prahmod -