Blocking HTTPS access to facebook
November 17, 2010 at 3:12 pm #42729 JC
I found a solution to my issue from
http://www.zeroshell.net/eng/forum/viewtopic.php?t=2565
but need some help putting it into action on my ZS FW. Still using ZS.B12. So this guy said this worked for him, but I cannot implement it here, probably just not completely understanding iptables on ZS.
http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,7/func,view/id,16002/
I could really use some help on this please, thanks.
JC
November 17, 2010 at 8:03 pm #51332 AtroposX
Looks like they're just taking the facebook IP block and denying 443.
I tested it with 2 rules in the web gui…
Dst. as 69.63.176.0/20 with TCP dst port 443
Dst. as 66.220.144.0/20 with TCP dst port 443
and a simple drop on both, put at the top of the firewall list
and successfully cannot log into facebook, but can go to just facebook.com with just port 80
but then again, this may work for a while, until (or if) facebook uses different ip block…
November 17, 2010 at 8:08 pm #51333 AtroposX
I didn't use prerouting or anything. I got a bridge setup, and the command iptables-save spits out:
-A FORWARD -s X -d 69.63.176.0/20 -p tcp -m tcp --dport 443 -j DROP
-A FORWARD -s X -d 66.220.144.0/20 -p tcp -m tcp --dport 443 -j DROP
You can replace X with your public IP interface side or what have you....
November 17, 2010 at 8:14 pm #51334 AtroposX
C:\>nslookup www.facebook.com
Name: www.facebook.com
Address: 66.220.149.18
You can use nslookup to get a starting point of the IP block, and look up that IP at arin.net to get the entire block they use, in this case those 2 /20 blocks, but there may be more. You could perhaps use iptraf, built into Zeroshell, from ssh or the console to track traffic for other IPs/blocks with a single computer. Or google for known blocks used by a domain.
November 17, 2010 at 8:22 pm #51335 AtroposX
C:\>nslookup www.google.com
Name: www.l.google.com
Addresses: 209.85.225.104, 209.85.225.105, 209.85.225.106, 209.85.225.147
209.85.225.99, 209.85.225.103
Aliases: www.google.com
Looks like google lists more than one address, so perhaps facebook only uses that one block for the domain part, and the other for backend stuff? Hard to tell.
November 24, 2010 at 6:11 pm #51336 JC
@AtroposX: thank you thank you thank you, when I put it on the MAIN router it worked, so far as the http://facebook that is blocked by dansguardian by IP and URL.
October 2, 2012 at 7:32 am #51337 dave_d
I've been successful blocking HTTPS access to Facebook using release 2.0.RC1.
Chain: Forward
Policy: Accept
Click ADD
In the new window that pops up, enter values for:
Source IP: IPs that are used in your LAN (or assigned to stations via DHCP)
Destination IP: 69.63.176/20
Protocol Matching: TCP
Dest. Port: 443
Action: DROP
Click on Confirm
Repeat the above process but changing the Destination IP to these other known facebook IPs:
66.220.144.0/20
69.171.224.0/20
204.15.20/22
I'm using Bridge Mode for LAN & WAN connections.
January 25, 2013 at 11:40 am #51338 modti
Using the IP addresses is just not a solution, the name is better:
iptables -I FORWARD -m string --algo kmp --string "facebook.com" -j DROP
iptables -I OUTPUT -m string --algo kmp --string "facebook.com" -j DROP
January 25, 2013 at 7:58 pm #51339 AtroposX
Yes, use the string/algo method instead, it's a much more elegant solution. Thanks modti.
February 8, 2013 at 7:51 pm #51340 jeshini
Hi! modti, can you explain to me how to do that please?
February 22, 2013 at 11:57 pm #51341 jeshini
Hello, is there a way to block the string only from port 443?
greetings!
November 28, 2013 at 10:43 pm #51342 pddm
I know that this is an older post, but some time ago I found a simple way to block https sites without having to generate tons of rules for iptables.
Especially in the case of facebook, which constantly changes IP addresses. So, like this you do it once and you're done:
1. Under NETWORK click DNS.
2. Next to Domain click Create.
3. In the window, fill in the Domain Name, in this case facebook.com, leave the Master Server, insert the E-mail Contact (@ will be replaced by .), leave Forward and Submit
4. If not already selected, choose facebook.com from the Domain select box.
5. Under Resources Commands click New and create an A pointer to any IP address you would like to open instead, or even a dead one.
6. Set Status to ACTIVE
That's it. If you need someone on your network to be able to open the site anyway, you can simply change his DNS to an external one.
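Added example, not code from the thread or from Zeroshell: a POSIX sh helper that generates the two kinds of FORWARD rule discussed above (the per-block rules from AtroposX and dave_d, and modti's string match limited to TCP/443 as jeshini asked) and checks whether an address returned by nslookup is already covered by the block list. LAN_NET is an assumed placeholder; the four CIDRs are the ones posted in the thread, written out as full dotted quads.

```shell
# Added example (not from the thread). LAN_NET is an assumption; FB_BLOCKS are the
# four blocks posted above. Nothing here touches the firewall: it prints commands.
LAN_NET="192.168.0.0/24"            # assumption: your LAN range (dave_d's "Source IP")
FB_BLOCKS="69.63.176.0/20 66.220.144.0/20 69.171.224.0/20 204.15.20.0/22"

# Dotted quad -> 32-bit integer using only shell arithmetic.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR: succeeds when IP lies inside CIDR (e.g. 66.220.149.18 in 66.220.144.0/20).
in_cidr() {
    ip=$(ip2int "$1"); net=$(ip2int "${2%/*}"); bits=${2#*/}
    mask=$(( 0xFFFFFFFF ^ ((1 << (32 - bits)) - 1) ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# covered IP: prints the matching block, or fails if no block in FB_BLOCKS contains it.
# Run it on each address nslookup returns to see whether the IP rules still apply.
covered() {
    for b in $FB_BLOCKS; do
        if in_cidr "$1" "$b"; then echo "$b"; return 0; fi
    done
    return 1
}

# One IP-based rule per block, in the form iptables-save showed above.
ip_rule() {
    printf 'iptables -A FORWARD -s %s -d %s -p tcp -m tcp --dport 443 -j DROP\n' "$LAN_NET" "$1"
}

# modti's string match restricted to TCP/443. It matches the plaintext server name
# in the TLS ClientHello, so it does not depend on which address blocks Facebook uses.
sni_rule() {
    printf 'iptables -I FORWARD -p tcp --dport 443 -m string --algo kmp --string "%s" -j DROP\n' "$1"
}

all_rules() {
    for b in $FB_BLOCKS; do ip_rule "$b"; done
    sni_rule "facebook.com"
}

# Dry run: print the commands. Review them, then pipe into sh as root on the firewall.
all_rules
```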
November 16, 2017 at 11:03 am #51343 JohnSim
@pddm wrote:
1. Under NETWORK click DNS.
2. Next to Domain click Create.
3. In the window, fill in the Domain Name, in this case facebook.com, leave the Master Server, insert the E-mail Contact (@ will be replaced by .), leave Forward and Submit
4. If not already selected, choose facebook.com from the Domain select box.
5. Under Resources Commands click New and create an A pointer to any IP address you would like to open instead, or even a dead one.
6. Set Status to ACTIVE
That's it. If you need someone on your network to be able to open the site anyway, you can simply change his DNS to an external one.
I don’t see Facebook in the domain select box.