Blocking Https---SOLVED

Hi people,
Got something to share with you all... A day before, I got a request to block a particular site over https. I tried using squid but could not get lucky. On reading through different topics I realized https does not go through squid; it simply bypasses squid, so trying to block https with squid was worthless.
Then, moving on further, I tried blocking with iptables using the pattern below:
iptables -I OUTPUT -d facebook.com --dport 443 -j DROP

It didn't work either... don't know what exactly was the problem.
Then later on I tried blocking before NAT using the pattern below:
iptables -t nat -I PREROUTING -m tcp -p tcp -d www.facebook.com --dport 443 -j DROP

Guess what, it worked. I even customized it a bit more using more commands:
iptables -t nat -I PREROUTING -m tcp -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 80 -j DROP
iptables -t nat -I PREROUTING -m tcp -p tcp -d 66.220.147.22 --dport 80 -j DROP
iptables -t nat -I PREROUTING -m tcp -p tcp -d 66.220.147.22 --dport 443 -j DROP
iptables -t nat -I PREROUTING -m tcp -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 443 -j DROP

I even blocked port 80 using iptables rather than using the content filtering. Let me add more: I am not sure, but I think content filtering does not work with https. Please correct me if I am wrong...

Finally I was able to block the whole facebook domain for both http and https requests.
And on permanently adding the above commands to
/etc/rc.d/rc.firewall.local
and restarting the firewall, I need not worry about my commands being flushed.
Now I am able to block facebook like a charm; it was really fun blocking it. The same procedure can be used to block any particular domain.
For blocking https for all domains one can use a simpler method using protocol filtering.
The above method is for blocking a particular domain.
Hope this thread helps the people who are looking to block https for a particular domain.

~prahmod
Thursday, August 19 2010, 07:02 AM
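Added example, not code from the original post or from ClearOS: a script that turns address ranges like the ones quoted in this thread into CIDR prefixes and emits the matching iptables rules, with one LAN client exempted. It places the rules in the filter table's FORWARD chain rather than OUTPUT or nat/PREROUTING: OUTPUT only matches packets the gateway itself generates, the nat table is consulted only for the first packet of each connection and is not meant for filtering, and FORWARD is the chain that traffic from LAN clients passes through on a gateway. A hostname given to -d is resolved once, when the rule is inserted, which is another reason to work from prefixes. The ranges, the exempt client address and the iptables invocation form are assumptions; the prefixes a CDN-hosted site uses change over time, so verify them with whois before deploying.

```bash
#!/usr/bin/env bash
# Added example (not from the ClearOS thread). Emits iptables rules that drop
# forwarded HTTP/HTTPS traffic to a set of destination prefixes while one
# exempt client (the "bypass IP") keeps access. The ranges and the exempt
# address below are constructed sample values.
set -eu

# Convert a dotted-quad address to a 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  printf '%s\n' "$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))"
}

# Convert a 32-bit integer back to a dotted-quad address.
int2ip() {
  local n=$1
  printf '%s.%s.%s.%s\n' "$(( (n >> 24) & 255 ))" "$(( (n >> 16) & 255 ))" \
    "$(( (n >> 8) & 255 ))" "$(( n & 255 ))"
}

# Convert an inclusive "start-end" range to a single CIDR prefix.
# Refuses ranges that are not an aligned power-of-two block: rounding up
# silently would block addresses that were never intended.
range_to_cidr() {
  local start end size bits
  start=$(ip2int "${1%-*}")
  end=$(ip2int "${1#*-}")
  size=$(( end - start + 1 ))
  bits=0
  while (( (1 << bits) < size )); do bits=$(( bits + 1 )); done
  if (( (1 << bits) != size )) || (( start % (1 << bits) != 0 )); then
    echo "range $1 is not an aligned CIDR block" >&2
    return 1
  fi
  printf '%s/%s\n' "$(int2ip "$start")" "$(( 32 - bits ))"
}

# Print the rules for one destination prefix. filter/FORWARD sees every packet
# of every forwarded connection; "! -s" is the current negation syntax.
rules_for() {
  local cidr=$1 exempt=$2 port
  for port in 80 443; do
    printf 'iptables -I FORWARD ! -s %s -d %s -p tcp --dport %s -j DROP\n' \
      "$exempt" "$cidr" "$port"
  done
}

# Constructed sample input: two /20 blocks written as ranges, one exempt host.
BLOCKED_RANGES="69.63.176.0-69.63.191.255 66.220.144.0-66.220.159.255"
EXEMPT_CLIENT="192.168.0.191"

main() {
  local r
  for r in $BLOCKED_RANGES; do
    rules_for "$(range_to_cidr "$r")" "$EXEMPT_CLIENT"
  done
}

main
```

Pipe the output into `sh` (or paste it into /etc/rc.d/rc.firewall.local as the post describes) once the printed rules look right; running the script alone only prints them.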
Responses (17)
  • Wednesday, August 13 2014, 07:31 AM
    Hey guys,

    I saw this video; it is about blocking facebook and unwanted sites using ClearOS. I think it may be helpful for you people:

    https://www.youtube.com/watch?v=nbt9a80cF-4&list=UUPQqSHaRYdI0iQJMzxz0h8w
  • Wednesday, July 23 2014, 10:42 AM
    I would advise going through the documentation. To enforce your own ruleset you will have to create a new file, or append your rules to an existing one, in /etc/suricata/rules/.

    And to activate the file containing your ruleset you will also have to provide its file name in suricata.yaml under the directive: rule-files

    I hope it helps.
  • Wednesday, July 23 2014, 10:36 AM
    Thanks for the quick reply.

    I have installed Suricata with all dependencies on my system,
    but I don't know exactly in which file I have to make changes,
    so can you please suggest what I have to do exactly?
  • Wednesday, July 23 2014, 09:52 AM
    Yes you can, and it works. You should give it a try, but you will have to fulfil lots of dependencies.
  • Wednesday, July 23 2014, 06:04 AM
    @Pramod Giri
    Thanks for the reply.

    I read the Suricata installation guide, but I want to know:
    can I install Suricata on ClearOS?

    Thanks,
    Karniv Patel
  • Friday, July 18 2014, 06:09 PM
    Hi there,
    I would suggest Suricata if you want to block https pages in a cleaner way. It really provides a good way of detecting the page by looking at the digital certificate during the SSL handshake, because after the SSL handshake it is really tough to detect the website and also difficult to block.

    Using squid to block https is not a good idea, and you often have to do some dirty stuff like MITM, which in most cases is not legal and can have serious privacy concerns.

    But Suricata provides a clean way of detecting and taking action against those pages. You should have a look; it's an interesting tool.
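Added example, not from this thread or from the Suricata project, serving both this reply and the later one about creating a file under /etc/suricata/rules/ and listing it under rule-files. It generates a Suricata rule file that matches a blocked domain on the two handshake fields that travel in the clear before encryption starts: the server name in the ClientHello (tls.sni, available in this sticky-buffer form since Suricata 4.1; older releases used tls_sni) and the certificate subject (the legacy tls.subject keyword, a case-sensitive substring match). The rule file path, the SID range and the domain list are assumptions. A drop action only blocks when Suricata runs inline (NFQUEUE or AF_PACKET IPS mode); in IDS mode it produces an alert and nothing is blocked.

```bash
#!/usr/bin/env bash
# Added example, not from the ClearOS thread or the Suricata project.
# Builds a Suricata rule file that drops TLS sessions to listed domains by
# matching the SNI in the ClientHello and the CN in the server certificate.
# Assumed: rule file location, local SID range, the domains passed in.
set -eu

RULES_FILE="${RULES_FILE:-/etc/suricata/rules/blocked-domains.rules}"  # assumed path
SID_BASE="${SID_BASE:-1000000}"   # local rules conventionally use sid >= 1000000

# Two rules per domain. "drop" only blocks in inline (IPS) mode; in IDS mode it
# is logged as an alert. tls.sni needs Suricata 4.1+ (older releases: tls_sni).
rules_for_domain() {
  local domain=$1 sid=$2
  printf 'drop tls any any -> any any (msg:"blocked domain %s (SNI)"; tls.sni; content:"%s"; nocase; sid:%d; rev:1;)\n' \
    "$domain" "$domain" "$sid"
  printf 'drop tls any any -> any any (msg:"blocked domain %s (cert CN)"; tls.subject:"CN=*.%s"; sid:%d; rev:1;)\n' \
    "$domain" "$domain" "$((sid + 1))"
}

# Write one rule file for all domains, allocating consecutive SIDs.
write_rules() {
  local out=$1; shift
  local sid=$SID_BASE d
  : > "$out"
  for d in "$@"; do
    rules_for_domain "$d" "$sid" >> "$out"
    sid=$((sid + 2))
  done
}

# Suricata refuses to load a rule set containing duplicate SIDs, so check
# across all rule files before reloading. Returns 0 when every sid is unique.
check_unique_sids() {
  local dup
  dup=$(grep -ho 'sid:[0-9]*' "$@" | cut -d: -f2 | sort | uniq -d)
  [ -z "$dup" ]
}

# Usage: blocked-domains.sh facebook.com www.facebook.com
# Afterwards list the file under "rule-files:" in suricata.yaml and run
# "suricata -T -c /etc/suricata/suricata.yaml" to validate before restarting.
if [ $# -gt 0 ]; then
  write_rules "$RULES_FILE" "$@"
  check_unique_sids "$RULES_FILE" && echo "wrote $RULES_FILE"
fi
```

The SNI rule is the one that fires first, on the very first client packet of the handshake; the certificate rule is a fallback for clients that do not send SNI.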
  • Friday, July 18 2014, 06:02 AM
    Hello,

    I am really stuck here. Can anyone help me please?

    Thanks,
    Karniv Patel
  • Tuesday, July 15 2014, 01:49 PM
    Hello to all,

    Please help me sort out this issue.

    I want to block social networking sites like Facebook, YouTube, etc.

    My setup is:
    1)
    Gateway -> Web Proxy -> Settings
    Transparent Mode: Disabled
    User Authentication: Enabled

    I also added all useful sites in Content Filter -> Exception Sites,
    but it's not working.

    2)
    I have also made changes in /etc/squid/squid.conf:

    acl special_clients src "/etc/squid/special_client_ips.txt"
    acl facebook dstdomain .facebook.com

    Under http_access:

    http_access allow facebook special_clients
    http_access deny facebook
    http_access allow all

    service squid restart

    But it doesn't work.

    3)
    I have also configured the Egress firewall, but it blocks all https (443) traffic, and I want to allow some https sites.
    How is that possible?

    Did I miss anything? Is there a configuration problem? Please let me know.
    Any help would be appreciated.

    Thanks in advance,

    Karniv Patel
  • kaustuva
    Wednesday, January 11 2012, 09:50 PM
    You are right. We can block or redirect port 443 for all, but in some exceptional cases, like some banking sites or Google Apps sites, it is causing problems. Can anyone please suggest further help?

    Thanks and regards,
    kaustuva
  • Wednesday, June 29 2011, 12:32 PM
    somlith phouangmany wrote:
    let's try the below; 192.168.0.191 is the bypass IP

    ${TONG_P} ! -s 192.168.0.191 -d 69.171.0.0/16 -p tcp --dport 443 -j DROP
    ${TONG_P} ! -s 192.168.0.191 -d 66.220.0.0/16 -p tcp --dport 443 -j DROP
    ${TONG_P} ! -s 192.168.0.191 -d 64.208.0.0/16 -p tcp --dport 443 -j DROP
    ${TONG_P} ! -s 192.168.0.191 -d 61.213.0.0/16 -p tcp --dport 443 -j DROP
    ${TONG_P} ! -s 192.168.0.191 -d 96.16.0.0/16 -p tcp --dport 443 -j DROP
    ${TONG_P} ! -s 192.168.0.191 -d 125.56.0.0/16 -p tcp --dport 443 -j DROP
    ${TONG_P} ! -s 192.168.0.191 -d 125.252.0.0/16 -p tcp --dport 443 -j DROP
    ${TONG_P} ! -s 192.168.0.191 -d 210.161.0.0/16 -p tcp --dport 443 -j DROP


    Hey, you are just blocking the whole subnet. Not all the subnet IPs are owned by a server like facebook or google; they only have some different pools within those large subnets.
    The above will block wanted pages as well.
    Why not just try

    iptables -t nat -I PREROUTING -p tcp --dport 443 -j DROP

    ~prahmod
  • Wednesday, June 29 2011, 08:39 AM
    let's try the below; 192.168.0.191 is the bypass IP

    ${TONG_P} ! -s 192.168.0.191 -d 69.171.0.0/16 -p tcp --dport 443 -j DROP
    ${TONG_P} ! -s 192.168.0.191 -d 66.220.0.0/16 -p tcp --dport 443 -j DROP
    ${TONG_P} ! -s 192.168.0.191 -d 64.208.0.0/16 -p tcp --dport 443 -j DROP
    ${TONG_P} ! -s 192.168.0.191 -d 61.213.0.0/16 -p tcp --dport 443 -j DROP
    ${TONG_P} ! -s 192.168.0.191 -d 96.16.0.0/16 -p tcp --dport 443 -j DROP
    ${TONG_P} ! -s 192.168.0.191 -d 125.56.0.0/16 -p tcp --dport 443 -j DROP
    ${TONG_P} ! -s 192.168.0.191 -d 125.252.0.0/16 -p tcp --dport 443 -j DROP
    ${TONG_P} ! -s 192.168.0.191 -d 210.161.0.0/16 -p tcp --dport 443 -j DROP
  • Wednesday, June 29 2011, 04:05 AM
    somlith phouangmany wrote:
    ${TONG_D} -p tcp --dport 443 -j REDIRECT --to-port 3128 > /dev/null
    ${TONG_B} -p tcp --dport 443 -j REDIRECT --to-port 3128


    Haven't checked that without content filtering, but when using content filtering and redirecting to port 8080 it would cause an SSL error on most of the pages; http works fine, but the problem occurs with most https in Firefox...
    So I would not recommend that in a production environment.

    ~prahmod
  • Wednesday, June 29 2011, 01:13 AM
    ${TONG_D} -p tcp --dport 443 -j REDIRECT --to-port 3128 > /dev/null
    ${TONG_B} -p tcp --dport 443 -j REDIRECT --to-port 3128
  • Mark
    Sunday, December 26 2010, 09:59 PM
    Pramod Giri wrote:
    I am not sure, but I think content filtering does not work with https. Please correct me if I am wrong...


    That is correct. Because HTTPS is encrypted, Dansguardian cannot look inside those requests and responses, so it cannot apply filtering.

    I'm on the Dansguardian email list, and this was discussed recently.
  • Wednesday, December 22 2010, 12:52 PM
    Also, if the URL is always https://facebook.com you could put that in your hosts file on ClearOS and point it to 127.0.0.1. You may also need entries for https://www.facebook.com and the http equivalents. This will cause the lookups to fail. It won't block direct IP access (or if someone is really cute they could then edit their local hosts file and add valid IPs back in for the blocked URLs).

    [edit] I am getting completely different IPs for facebook.com and www.facebook.com. For www.facebook.com I am getting 66.220.149.18, and a whois gives a whole range of 66.220.144.0/20. The firewall rules posted above only picked up one IP in this range. Also note that you can use this address form with -d, so you can do "-d 69.63.176.0/20" instead of "iprange --dst-range 69.63.176.0-69.63.191.255". I would also drop any reference to the port and protocol. It simplifies the rules and makes them more encompassing. Try:
    iptables -t nat -I PREROUTING -d 69.63.176.0/20 -j DROP
    iptables -t nat -I PREROUTING -d 66.220.144.0/20 -j DROP
    [/edit]
  • Wednesday, December 22 2010, 12:18 PM
    facebook has lots of domains, and the above is what I found when I queried my DNS servers for facebook domains... so maybe these domains are not enough in your area; your DNS server may be issuing a new facebook domain. So you should just nslookup the facebook domain, query whois, and add commands as above with the newly gained IP address...
    I am sure in your case it is blocking some facebook requests, but it is still opening due to unblocked new facebook domains which your DNS server is issuing in your area. Try blocking those IP domains.

    ~prahmod
  • Andi Micro
    Thursday, December 09 2010, 05:52 AM
    I can still access https://facebook.com, despite applying the iptables rules above.
    Are there other solutions?