Blocking HTTPS access to facebook – Zeroshell Linux Router

This topic is empty.

Viewing 13 posts - 1 through 13 (of 13 total)

Author

Posts
November 17, 2010 at 3:12 pm #42729

JC
Member

I found a solution to my issue from

http://www.zeroshell.net/eng/forum/viewtopic.php?t=2565

but need some help putting it into action on my ZS FW. Still using ZS.B12. So this guy said this worked for him but i cannot implement it here, prolly just not completely understanding iptables on ZS.

http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,7/func,view/id,16002/

I could really use some help on this please, thanks.

JC

November 17, 2010 at 8:03 pm #51332

AtroposX
Member

Looks like they’re just taking the facebook ip block and denying 443.

I tested it with 2 rules in the web gui…

Dst. as 69.63.176.0/20 with TCP dst port 443
Dst. as 66.220.144.0/20 with TCP dst port 443

and a simple drop on both, put at the top of the firewall list

and successfully can not log into facebook, but can go to just facebook.com with just port 80

but then again, this may work for a while, until (or if) facebook uses different ip block…

November 17, 2010 at 8:08 pm #51333

AtroposX
Member

I didn’t use prerouting or anything. I got a bridge setup, and the command of iptables-save spits out:

-A FORWARD -s X -d 69.63.176.0/20 -p tcp -m tcp –dport 443 -j DROP
-A FORWARD -s X -d 66.220.144.0/20 -p tcp -m tcp –dport 443 -j DROP

you can replace X with your public ip interface side or what have you….

November 17, 2010 at 8:14 pm #51334

AtroposX
Member

C:>nslookup http://www.facebook.com

Name: http://www.facebook.com
Address: 66.220.149.18

You can use nslookup to get a starting point of the ip block, and look up that ip at arin.net, to get the entire block they use, in this case, those 2 /20 blocks, but there may be more. You could use perhaps iptraf built into Zeroshell from ssh or the console to track traffic for other ips/blocks with a single computer. Or google for known blocks used by a domain.

November 17, 2010 at 8:22 pm #51335

AtroposX
Member

C:>nslookup http://www.google.com

Name: http://www.l.google.com
Addresses: 209.85.225.104, 209.85.225.105, 209.85.225.106, 209.85.225.147
209.85.225.99, 209.85.225.103
Aliases: http://www.google.com

Looks like google lists more than one address, so perhaps facebook only uses that one block for the domain part, and the other for backend stufff? Hard to tell.

November 24, 2010 at 6:11 pm #51336

JC
Member

@AtroposX: thank you thank you thank you, when I put it on the MAIN router it worked, so far as the http://facebook that is blocked by dansguardian by IP and URL.

October 2, 2012 at 7:32 am #51337

dave_d
Member

I’ve been successful blocking HTTPS access to Facebook using release 2.0.RC1.

Chain: Forward
Policy: Accept

Click ADD

In the new window that pops-up enter values for;

Source IP <— IPs that are used in your LAN (or assigned to stations via DHCP)
Destination IP: 69.63.176/20
Protocol Matching: TCP
Dest. Port: 443
Action: DROP

Click on Confirm

Repeat the above process but changing the Destination IP to these other known facebook IPs;

66.220.144.0/20
69.171.224.0/20
204.15.20/22

I’m using Bridge Mode for LAN & WAN connections.

January 25, 2013 at 11:40 am #51338

modti
Member

Using the IP addresses is just not a solution, the name is better:
iptables -I FORWARD -m string –algo kmp –string “facebook.com” -j DROP
iptables -I OUTPUT -m string –algo kmp –string “facebook.com” -j DROP

January 25, 2013 at 7:58 pm #51339

AtroposX
Member

Yes, use the string/algo method instead, it’s a much more elegant solution. Thanks modti.

February 8, 2013 at 7:51 pm #51340

jeshini
Member

Hi! modti can you explain me how to do that please?

February 22, 2013 at 11:57 pm #51341

jeshini
Member

Hello, is there a way to block the string only from port 443?
greetings!

November 28, 2013 at 10:43 pm #51342

pddm
Member

I know that this is an older post, but some time ago a I have found a simple way to block https sites without having to generate tons of rules for iptables.
Specially in the case of facebook which constantly changes ip addresses.

So, like this you do it once and your done:

1. Under NETWORK click DNS.
2. Next to Domain click Create.
3. in the window fill in the Domain Name, in this case facebook.com, leave the Master Server, insert the E-mail Contact (@ will be replaced by .), leave Forward and Submit
4. If not already selected, choose facebook.com from the Domain select box.
5. Under Resources Commands click New and create an A pinter to any IP address you would like to open instead or even a dead one.
6. Set Status to ACTIVE

That’s it. If you need someone on your network to be able to open the site anyway, you can simply change his DNS to an external one.

November 16, 2017 at 11:03 am #51343

JohnSim
Member

@pddm wrote:

1. Under NETWORK click DNS.
2. Next to Domain click Create.
3. in the window fill in the Domain Name, in this case facebook.com, leave the Master Server, insert the E-mail Contact (@ will be replaced by .), leave Forward and Submit
4. If not already selected, choose facebook.com from the Domain select box.
5. Under Resources Commands click New and create an A pinter to any IP address you would like to open instead or even a dead one.
6. Set Status to ACTIVE

That’s it. If you need someone on your network to be able to open the site anyway, you can simply change his DNS to an external one.

I don’t see Facebook in the domain select box.
Author

Posts

Viewing 13 posts - 1 through 13 (of 13 total)

You must be logged in to reply to this topic.