Blocking Https---SOLVED Forum is locked
#16002
Blocking Https---SOLVED 4 Years, 8 Months ago
Hi people,
Got something to share with you all... A day ago I got a request to block a particular site using HTTPS. I tried using Squid but had no luck. On reading through different topics I realized HTTPS does not go through Squid; it simply bypasses Squid, so trying to block HTTPS with Squid was worthless.
Then, moving on further, I tried blocking with iptables using the pattern below:
Code:

iptables -I OUTPUT -d facebook.com --dport 443 -j DROP


It didn't work either... I don't know what exactly the problem was.
Then later on I tried blocking before NAT using the pattern below:
Code:

iptables -t nat -I PREROUTING -m tcp -p tcp -d www.facebook.com --dport 443 -j DROP


Guess what: it worked! I even customized it a bit more using more commands:
Code:

iptables -t nat -I PREROUTING -m tcp -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 80 -j DROP
iptables -t nat -I PREROUTING -m tcp -p tcp -d 66.220.147.22 --dport 80 -j DROP
iptables -t nat -I PREROUTING -m tcp -p tcp -d 66.220.147.22 --dport 443 -j DROP
iptables -t nat -I PREROUTING -m tcp -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 443 -j DROP


I even blocked port 80 using iptables rather than using the content filtering... Let me add more: I am not sure, but I think content filtering does not work with HTTPS. Please correct me if I am wrong...

Finally I was able to block the whole Facebook domain for both HTTP and HTTPS requests.
And on permanently adding the above commands to
Code:

/etc/rc.d/rc.firewall.local

and restarting the firewall, I need not worry about my commands being flushed.
Now I am able to block Facebook like a charm... It was really fun blocking it. The same procedure can be used to block any particular domain.
For blocking HTTPS for all domains, one can use a simpler method using the protocol filtering.
The above method is for blocking a particular domain.
Hope this thread helps the people who are looking to block HTTPS for a particular domain.

~prahmod
Pramod Giri
 
#21541
Re: Blocking Https---SOLVED 4 Years, 4 Months ago
I can still access https://facebook.com despite applying the iptables rules above.
Are there other solutions?
Andi Micro
 
#22069
Re: Blocking Https---SOLVED 4 Years, 4 Months ago
Facebook has lots of domains, and the above is what I found when I queried my DNS servers for Facebook domains... So maybe these domains are not enough in your area; your DNS server may be issuing a new Facebook domain. So you should just nslookup the Facebook domain, query whois, and add commands as above with the newly gained IP address...
I am sure in your case it is blocking some Facebook requests, but it is still opening because of new, unblocked Facebook domains which your DNS server is issuing in your area. Try blocking those IP domains.

~prahmod
Pramod Giri
 
#22070
Re: Blocking Https---SOLVED 4 Years, 4 Months ago
Also, if the URL is always https://facebook.com you could put that in your hosts file on ClearOS and point it to 127.0.0.1. You may also need entries for https://www.facebook.com and the HTTP equivalents. This will cause the lookups to fail. It won't block direct IP access (or if someone is really cute they could then edit their local hosts file and add valid IPs back in for the blocked URLs).

[edit] I am getting completely different IPs for facebook.com and www.facebook.com. For www.facebook.com I am getting 66.220.149.18, and a whois gives a whole range of 66.220.144.0/20. The firewall rules posted above only picked up one IP in this range. Also note that you can use this address form with -d, so you can do "-d 69.63.176.0/20" instead of "iprange --dst-range 69.63.176.0-69.63.191.255". I would also drop any reference to the port and protocol. It simplifies the rules and makes them more encompassing. Try:
Code:

iptables -t nat -I PREROUTING -d 69.63.176.0/20 -j DROP
iptables -t nat -I PREROUTING -d 66.220.144.0/20 -j DROP


[/edit]
Nick Howitt
Last Edit: 2011/01/07 07:36 By NickH.
 
#22238
Re: Blocking Https---SOLVED 4 Years, 4 Months ago
Pramod Giri wrote: I am not sure, but I think content filtering does not work with HTTPS. Please correct me if I am wrong...


That is correct. Because HTTPS is encrypted, Dansguardian cannot look inside of those requests and responses, so it cannot apply filtering.

I'm on the Dansguardian email list, and this was discussed recently.
Mark
Last Edit: 2010/12/26 17:00 By Kilroy.
 
#29627
Re: Blocking Https---SOLVED 3 Years, 10 Months ago
Code:

${TONG_D} -p tcp --dport 443 -j REDIRECT --to-port 3128 > /dev/null
${TONG_B} -p tcp --dport 443 -j REDIRECT --to-port 3128

somlith phouangmany
 
#29629
Re: Blocking Https---SOLVED 3 Years, 10 Months ago
somlith phouangmany wrote:
${TONG_D} -p tcp --dport 443 -j REDIRECT --to-port 3128 > /dev/null
${TONG_B} -p tcp --dport 443 -j REDIRECT --to-port 3128


I haven't checked that without content filtering, but using content filtering and redirecting to port 8080 would cause an SSL error on most pages. HTTP works fine, but the problem occurs with most HTTPS sites in Firefox...
So I would not recommend that in a production environment.

~prahmod
Pramod Giri
 
#29632
Re: Blocking Https---SOLVED 3 Years, 10 Months ago
Let's try the below, with 192.168.0.191 as the bypass IP:
Code:

${TONG_P} -s ! 192.168.0.191 -d 69.171.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 66.220.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 64.208.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 61.213.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 96.16.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 125.56.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 125.252.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 210.161.0.0/16 -p tcp --dport 443 -j DROP

somlith phouangmany
 
#29636
Re: Blocking Https---SOLVED 3 Years, 10 Months ago
somlith phouangmany wrote:
Let's try the below, with 192.168.0.191 as the bypass IP:

${TONG_P} -s ! 192.168.0.191 -d 69.171.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 66.220.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 64.208.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 61.213.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 96.16.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 125.56.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 125.252.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 210.161.0.0/16 -p tcp --dport 443 -j DROP


Hey, you are just blocking the whole subnet... Not all the IPs in the subnet are owned by the server, like Facebook or Google; they only have some smaller pools, not those whole large subnets...
The above will just block the wanted pages also.
Why not just try

$ iptables -t nat -I PREROUTING -p tcp --dport 443 -j DROP

~prahmod
Pramod Giri
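Two points in this thread come down to reasoning about CIDR blocks: Nick Howitt's remark that `--dst-range 69.63.176.0-69.63.191.255` and `-d 69.63.176.0/20` name the same block, and Pramod's warning that a /16 sweeps in far more than the site's own addresses. The following is an added example, not code from the thread or from ClearOS: POSIX sh helpers that convert a range to a CIDR, check whether a resolved address is already covered by a block, and print rules in the port-agnostic form Nick posted (printing only; nothing here changes the firewall).

```shell
#!/bin/sh
# Added example (not from the thread): CIDR helpers for the address ranges
# discussed above. Pure POSIX sh arithmetic; nothing here touches iptables.

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert an inclusive start-end range (the --dst-range form) to one CIDR
# block (the -d form). Fails unless the range is exactly one aligned
# power-of-two block, the only case where the two forms are equivalent.
range_to_cidr() {
  s=$(ip2int "$1"); e=$(ip2int "$2"); size=$(( e - s + 1 ))
  if [ "$size" -le 0 ] || [ $(( size & (size - 1) )) -ne 0 ] || [ $(( s % size )) -ne 0 ]; then
    echo "range $1-$2 is not a single CIDR block" >&2
    return 1
  fi
  prefix=32; n=$size
  while [ "$n" -gt 1 ]; do n=$(( n >> 1 )); prefix=$(( prefix - 1 )); done
  echo "$1/$prefix"
}

# Does address $1 fall inside CIDR $2? Use it to check whether an IP from
# nslookup is already covered, or how much a broad /16 really sweeps in.
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Emit one rule per CIDR in the port-agnostic form Nick Howitt posted above,
# ready to paste into /etc/rc.d/rc.firewall.local. Prints only; does not run.
block_rules() {
  for cidr in "$@"; do
    echo "iptables -t nat -I PREROUTING -d $cidr -j DROP"
  done
}

# Walk-through with the addresses quoted in the thread.
blk=$(range_to_cidr 69.63.176.0 69.63.191.255)   # 69.63.176.0/20
in_cidr 66.220.147.22 66.220.144.0/20 && echo "66.220.147.22 is inside 66.220.144.0/20"
block_rules "$blk" 66.220.144.0/20
```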
 
#36679
Re: Blocking Https---SOLVED 3 Years, 3 Months ago
You are right... We can block or redirect port 443 for all, but in some exceptional cases, like some banking sites or Google Apps sites, it is causing problems. Can anyone please suggest further help?

Thanks and regards
kaustuva