Blocking HTTPS access to facebook

 
www.zeroshell.org Forum Index -> Firewall, Traffic Shaping and Net Balancer

JC
Posted: Wed Nov 17, 2010 3:12 pm    Post subject: Blocking HTTPS access to facebook

I found a solution to my issue at

http://www.zeroshell.net/eng/forum/viewtopic.php?t=2565

but need some help putting it into action on my ZS FW. Still using ZS.B12. So this guy said this worked for him, but I cannot implement it here, probably just not completely understanding iptables on ZS.

http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,7/func,view/id,16002/

I could really use some help on this please, thanks.

JC
AtroposX
Posted: Wed Nov 17, 2010 8:03 pm


Looks like they're just taking the facebook IP block and denying 443.

I tested it with 2 rules in the web GUI...

Dst. as 69.63.176.0/20 with TCP dst port 443
Dst. as 66.220.144.0/20 with TCP dst port 443

and a simple drop on both, put at the top of the firewall list,

and successfully cannot log into facebook, but can go to just facebook.com with just port 80.

But then again, this may work for a while, until (or if) facebook uses a different IP block...


AtroposX
Posted: Wed Nov 17, 2010 8:08 pm


I didn't use prerouting or anything. I've got a bridge setup, and the command iptables-save spits out:

-A FORWARD -s X -d 69.63.176.0/20 -p tcp -m tcp --dport 443 -j DROP
-A FORWARD -s X -d 66.220.144.0/20 -p tcp -m tcp --dport 443 -j DROP

You can replace X with your public IP interface side or what have you....
AtroposX
Posted: Wed Nov 17, 2010 8:14 pm


C:\>nslookup www.facebook.com

Name: www.facebook.com
Address: 66.220.149.18

You can use nslookup to get a starting point of the IP block, and look up that IP at arin.net to get the entire block they use, in this case those 2 /20 blocks, but there may be more. You could perhaps use iptraf, built into Zeroshell, from ssh or the console to track traffic for other IPs/blocks with a single computer. Or google for known blocks used by a domain.
AtroposX
Posted: Wed Nov 17, 2010 8:22 pm


C:\>nslookup www.google.com

Name: www.l.google.com
Addresses: 209.85.225.104, 209.85.225.105, 209.85.225.106, 209.85.225.147
209.85.225.99, 209.85.225.103
Aliases: www.google.com


Looks like google lists more than one address, so perhaps facebook only uses that one block for the domain part, and the other for backend stuff? Hard to tell.
JC
Posted: Wed Nov 24, 2010 6:11 pm


@AtroposX: thank you, thank you, thank you. When I put it on the MAIN router it worked; as far as http://facebook goes, that is blocked by dansguardian by IP and URL.
dave_d
Posted: Tue Oct 02, 2012 7:32 am    Post subject: Update 10/1/2012


I've been successful blocking HTTPS access to Facebook using release 2.0.RC1.

Chain: Forward
Policy: Accept

Click ADD

In the new window that pops up, enter values for:

Source IP <--- IPs that are used in your LAN (or assigned to stations via DHCP)
Destination IP: 69.63.176/20
Protocol Matching: TCP
Dest. Port: 443
Action: DROP

Click on Confirm

Repeat the above process, but changing the Destination IP to these other known facebook IPs:

66.220.144.0/20
69.171.224.0/20
204.15.20/22

I'm using Bridge Mode for LAN & WAN connections.
modti
Posted: Fri Jan 25, 2013 11:40 am


Using the IP addresses is just not a solution; the name is better:
iptables -I FORWARD -m string --algo kmp --string "facebook.com" -j DROP
iptables -I OUTPUT -m string --algo kmp --string "facebook.com" -j DROP
AtroposX
Posted: Fri Jan 25, 2013 7:58 pm


Yes, use the string/algo method instead, it's a much more elegant solution. Thanks modti.
jeshini
Posted: Fri Feb 08, 2013 7:51 pm    Post subject: Can you explain me?


Hi! modti, can you explain to me how to do that please?
jeshini
Posted: Fri Feb 22, 2013 11:57 pm    Post subject: help


Hello, is there a way to block the string only from port 443?
greetings!
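Added example (not from any poster in this thread): a model of what modti's string rule actually inspects on an HTTPS connection, namely the plaintext SNI host name inside the TLS ClientHello, next to the port-443-restricted check jeshini asks about (in iptables terms, `-p tcp --dport 443` placed before `-m string`). The ClientHello and the HTTP request are constructed samples, and `extract_sni` only handles the plain ClientHello layout built here.

```python
import struct

# Constructed sample: a minimal TLS 1.2 ClientHello carrying an SNI extension for `host`.
def client_hello_with_sni(host):
    name = host.encode()
    server_name = struct.pack("!BH", 0, len(name)) + name            # name_type 0 = host_name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list            # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                               # version + client random
            + b"\x00"                                                # empty session id
            + b"\x00\x02\x00\x2f"                                    # one cipher suite
            + b"\x01\x00"                                            # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs         # record type 22 = handshake

def extract_sni(payload):
    """Return the SNI host_name of a TLS ClientHello, or None for anything else (incl. truncated data)."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        pos = 43                                                     # record(5)+hs(4)+version(2)+random(32)
        pos += 1 + payload[pos]                                      # session id
        pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]      # cipher suites
        pos += 1 + payload[pos]                                      # compression methods
        ext_end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if etype == 0:                                           # server_name: list len(2), type(1), len(2), name
                name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
                return payload[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def string_rule_matches(payload, needle=b"facebook.com"):
    """What `-m string --string "facebook.com"` does: a raw byte search over any packet on any port."""
    return needle in payload

def https_sni_rule_matches(dport, payload, domain="facebook.com"):
    """Port-restricted variant (-p tcp --dport 443), decided on the parsed SNI rather than raw bytes."""
    sni = extract_sni(payload) if dport == 443 else None
    return sni is not None and (sni == domain or sni.endswith("." + domain))

# Constructed samples: an HTTPS handshake to Facebook, and a port-80 request that only mentions facebook.com.
HELLO = client_hello_with_sni("www.facebook.com")
HTTP_GET = b"GET /news HTTP/1.1\r\nHost: example.org\r\nReferer: https://www.facebook.com/\r\n\r\n"
```

The raw search also drops the port-80 request above (and any host such as notfacebook.com), which is the over-blocking that the port restriction and the SNI check narrow down; a client that does not send SNI in the clear shows no host name here at all.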
pddm
Posted: Thu Nov 28, 2013 10:43 pm    Post subject: DNS Method


I know that this is an older post, but some time ago I found a simple way to block https sites without having to generate tons of rules for iptables.
Especially in the case of facebook, which constantly changes IP addresses.

So, like this you do it once and you're done:

1. Under NETWORK click DNS.
2. Next to Domain click Create.
3. In the window fill in the Domain Name, in this case facebook.com, leave the Master Server, insert the E-mail Contact (@ will be replaced by .), leave Forward and Submit
4. If not already selected, choose facebook.com from the Domain select box.
5. Under Resources Commands click New and create an A pointer to any IP address you would like to open instead, or even a dead one.
6. Set Status to ACTIVE

That's it. If you need someone on your network to be able to open the site anyway, you can simply change his DNS to an external one.
JohnSim
Posted: Thu Nov 16, 2017 11:03 am    Post subject: Re: DNS Method


pddm wrote:

1. Under NETWORK click DNS.
2. Next to Domain click Create.
3. In the window fill in the Domain Name, in this case facebook.com, leave the Master Server, insert the E-mail Contact (@ will be replaced by .), leave Forward and Submit
4. If not already selected, choose facebook.com from the Domain select box.
5. Under Resources Commands click New and create an A pointer to any IP address you would like to open instead, or even a dead one.
6. Set Status to ACTIVE

That's it. If you need someone on your network to be able to open the site anyway, you can simply change his DNS to an external one.

I don't see Facebook in the domain select box.