ClearFoundation

hi people
got something to share with you all...a day before i got some request of blocking a particular site using https. i tried using squid but could not get luck....on reading through different topics i realized https does not go through squid..it simply bypass squid so trying to block the https with squid was worthless.
then moving on further i tried blocking with iptables using the below pattern

it didn't work either.....don't know what exactly was the problem
then later on i tried blocking before nat using the pattern below:

guess what it worked...i even customized it a bit more using more commands:

i even blocked port 80 using iptables rather not using the content filtering....let me add more i am not sure but i think content filtering does not work with https.please correct me if i am wrong...

finally i was able to block the whole facebook domain using both http and https requests.
and on permanently adding the above commands to
and restarting firewall i need not to worry about my commands to be flushed
Now i am able to block facebook like a charm...it was really fun blocking it. the same procedure can be used to block any particular domain.
for blocking https for all domain one can use a simpler method using the protocol filtering.
the above method is for blocking a particular domain
hope this thread helps to the people who are looking to block https for a particular domain.

~prahmod

Still can access the https: / / facebook.com, despite applying iptables rules above.
There are other solutions?

facebook have lots of domains and above is what i queried my dns servers and found facebook domains...so may be these domains are not enough in your area...your dns server may be issuing a new facebook domain...so you should just nslookup the facebook domain and query whois..and add commands as above with the newly gained ip address...
i am sure in your case it is blocking some facebook requests but it is still opening due to lack of unblocked new facebook domains which your dns server is issuing in your area..try blocking those ip domains

~prahmod

Also, if the url is always https: / / facebook.com you could put that in your hosts file on ClearOS and point it to 127.0.0.1. You may also need entries for https: / / www.facebook.com and the http equivalents. This will cause the lookups to fail. It won't block direct IP access (or if someone is really cute they could then edit their local hosts file and add valid IP's back in to the blocked url's).

[edit]I am getting completely different IP's for facebook.com and www.facebook.com. For www.facebook.com I am getting 66.220.149.18 and a who is gives a whole range of 66.220.144.0/20. The firewall rules posted above only picked up one IP in this range. Also note that you can use this address form with the -d so you can do "-d 69.63.176.0/20" instead of "iprange --dst-range 69.63.176.0-69.63.191.255". I would also drop any reference to the port and protocol. It simplifies the rules and makes them more encompassing. Try:
[/edit]

Pramod Giri wrote: i am not sure but i think content filtering does not work with https.please correct me if i am wrong...


That is correct. Because HTTPS is encrypted, Dansguardian cannot look inside of those requests and responses, so it cannot apply filtering.

I'm on the Dansguardian email list, and this was discussed recently.

${TONG_D} -p tcp --dport 443 -j REDIRECT --to-port 3128 > /dev/null
${TONG_B} -p tcp --dport 443 -j REDIRECT --to-port 3128

somlith phouangmany wrote:
${TONG_D} -p tcp --dport 443 -j REDIRECT --to-port 3128 > /dev/null
${TONG_B} -p tcp --dport 443 -j REDIRECT --to-port 3128

Haven't checked that without content filtering but on using content filtering and redirecting to port 8080 would cause a ssl error in most of the pages but http works fine the problem occures with most https in firefox...
so i would not recommend that on a production environment..

~prahmod

let's try below 192.168.0.191 ( by pass ip)

${TONG_P} -s ! 192.168.0.191 -d 69.171.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 66.220.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 64.208.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 61.213.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 96.16.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 125.56.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 125.252.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 210.161.0.0/16 -p tcp --dport 443 -j DROP

somlith phouangmany wrote:
let's try below 192.168.0.191 ( by pass ip)

${TONG_P} -s ! 192.168.0.191 -d 69.171.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 66.220.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 64.208.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 61.213.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 96.16.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 125.56.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 125.252.0.0/16 -p tcp --dport 443 -j DROP
${TONG_P} -s ! 192.168.0.191 -d 210.161.0.0/16 -p tcp --dport 443 -j DROP

Hey you are just blocking the whole subnet...Not all the subnet ips are owned by the server like facebook or google. they only have some different pool without those large subnet...
above will just block the wanted page also.
why not just try

$ iptables -t nat -I PREROUTING -p tcp --dport 443 -j DROP

~prahmod

You are right...We can block or redirect 443 port for all, but in some exceptional cases like some banking site or google apps site, it is making problem. Please suggest anyone for further help.

Thanks and regards
kaustuva