www.zeroshell.org

[JC]

I found a solution to my issue from

http://www.zeroshell.net/eng/forum/viewtopic.php?t=2565

but need some help putting it into action on my ZS FW. Still using ZS.B12. So this guy said this worked for him but i cannot implement it here, prolly just not completely understanding iptables on ZS.

http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,7/func,view/id,16002/

I could really use some help on this please, thanks.

JC

[AtroposX]

Looks like they're just taking the facebook ip block and denying 443.

I tested it with 2 rules in the web gui...

Dst. as 69.63.176.0/20 with TCP dst port 443
Dst. as 66.220.144.0/20 with TCP dst port 443

and a simple drop on both, put at the top of the firewall list

and successfully can not log into facebook, but can go to just facebook.com with just port 80

but then again, this may work for a while, until (or if) facebook uses different ip block...

[AtroposX]

I didn't use prerouting or anything. I got a bridge setup, and the command of iptables-save spits out:


-A FORWARD -s X -d 69.63.176.0/20 -p tcp -m tcp --dport 443 -j DROP
-A FORWARD -s X -d 66.220.144.0/20 -p tcp -m tcp --dport 443 -j DROP

you can replace X with your public ip interface side or what have you....

[AtroposX]

C:\>nslookup www.facebook.com

Name: www.facebook.com
Address: 66.220.149.18

You can use nslookup to get a starting point of the ip block, and look up that ip at arin.net, to get the entire block they use, in this case, those 2 /20 blocks, but there may be more. You could use perhaps iptraf built into Zeroshell from ssh or the console to track traffic for other ips/blocks with a single computer. Or google for known blocks used by a domain.

[AtroposX]

C:\>nslookup www.google.com

Name: www.l.google.com
Addresses: 209.85.225.104, 209.85.225.105, 209.85.225.106, 209.85.225.147
209.85.225.99, 209.85.225.103
Aliases: www.google.com


Looks like google lists more than one address, so perhaps facebook only uses that one block for the domain part, and the other for backend stufff? Hard to tell.

[JC]

@AtroposX: thank you thank you thank you, when I put it on the MAIN router it worked, so far as the http://facebook that is blocked by dansguardian by IP and URL.

[dave_d]

I've been successful blocking HTTPS access to Facebook using release 2.0.RC1.

Chain: Forward
Policy: Accept

Click ADD

In the new window that pops-up enter values for;

Source IP <--- IPs that are used in your LAN (or assigned to stations via DHCP)
Destination IP: 69.63.176/20
Protocol Matching: TCP
Dest. Port: 443
Action: DROP

Click on Confirm

Repeat the above process but changing the Destination IP to these other known facebook IPs;

66.220.144.0/20
69.171.224.0/20
204.15.20/22

I'm using Bridge Mode for LAN & WAN connections.

[modti]

Using the IP addresses is just not a solution, the name is better:
iptables -I FORWARD -m string --algo kmp --string "facebook.com" -j DROP
iptables -I OUTPUT -m string --algo kmp --string "facebook.com" -j DROP

[AtroposX]

Yes, use the string/algo method instead, it's a much more elegant solution. Thanks modti.

[jeshini]

Hi! modti can you explain me how to do that please?

[jeshini]

Hello, is there a way to block the string only from port 443?
greetings!