Blocking HTTPS access to facebook


This topic contains 11 replies, has 0 voices, and was last updated by JC 1 year, 11 months ago.

    #42729

    JC
    Member

    I found a solution to my issue from

    http://www.zeroshell.net/eng/forum/viewtopic.php?t=2565

    but need some help putting it into action on my ZS FW. Still using ZS.B12. So this guy said this worked for him, but I cannot implement it here, probably just not completely understanding iptables on ZS.

    http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,7/func,view/id,16002/

    I could really use some help on this please, thanks.

    JC

    #51332

    AtroposX
    Member

    Looks like they’re just taking the facebook ip block and denying 443.

    I tested it with 2 rules in the web gui…

    Dst. as 69.63.176.0/20 with TCP dst port 443
    Dst. as 66.220.144.0/20 with TCP dst port 443

    and a simple drop on both, put at the top of the firewall list

    and successfully cannot log into facebook, but can go to just facebook.com with just port 80

    but then again, this may work for a while, until (or if) facebook uses different ip block…

    #51333

    AtroposX
    Member

    I didn’t use prerouting or anything. I have a bridge set up, and the command iptables-save spits out:

    -A FORWARD -s X -d 69.63.176.0/20 -p tcp -m tcp --dport 443 -j DROP
    -A FORWARD -s X -d 66.220.144.0/20 -p tcp -m tcp --dport 443 -j DROP

    You can replace X with your public IP interface side or what have you.

    #51334

    AtroposX
    Member

    C:\>nslookup www.facebook.com

    Name: www.facebook.com
    Address: 66.220.149.18

    You can use nslookup to get a starting point for the IP block, and look up that IP at arin.net to get the entire block they use; in this case, those 2 /20 blocks, but there may be more. You could perhaps use iptraf, built into Zeroshell, from SSH or the console to track traffic for other IPs/blocks with a single computer. Or google for known blocks used by a domain.

    #51335

    AtroposX
    Member

    C:\>nslookup www.google.com

    Name: www.l.google.com
    Addresses: 209.85.225.104, 209.85.225.105, 209.85.225.106, 209.85.225.147
    209.85.225.99, 209.85.225.103
    Aliases: www.google.com

    Looks like google lists more than one address, so perhaps facebook only uses that one block for the domain part, and the other for backend stuff? Hard to tell.

    #51336

    JC
    Member

    @atroposx: thank you thank you thank you, when I put it on the MAIN router it worked, so far as the facebook that is blocked by dansguardian by IP and URL.

    #51337

    dave_d
    Member

    I’ve been successful blocking HTTPS access to Facebook using release 2.0.RC1.

    Chain: Forward
    Policy: Accept

    Click ADD

    In the new window that pops-up enter values for;

    Source IP <— IPs that are used in your LAN (or assigned to stations via DHCP)
    Destination IP: 69.63.176/20
    Protocol Matching: TCP
    Dest. Port: 443
    Action: DROP

    Click on Confirm

    Repeat the above process but changing the Destination IP to these other known facebook IPs;

    66.220.144.0/20
    69.171.224.0/20
    204.15.20/22

    I’m using Bridge Mode for LAN & WAN connections.

    #51338

    modti
    Member

    Using the IP addresses is just not a solution, the name is better:
    iptables -I FORWARD -m string --algo kmp --string "facebook.com" -j DROP
    iptables -I OUTPUT -m string --algo kmp --string "facebook.com" -j DROP

    #51339

    AtroposX
    Member

    Yes, use the string/algo method instead, it’s a much more elegant solution. Thanks modti.

    #51340

    jeshini
    Member

    Hi! modti, can you explain to me how to do that, please?

    #51341

    jeshini
    Member

    Hello, is there a way to block the string only from port 443?
    greetings!
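The three approaches argued about in this thread (dropping the listed /20 blocks on port 443, modti's `-m string` rule on any port, and the port-443-only variant jeshini asks about) can be compared offline. What follows is an added example written for this page, not code from the thread, from Zeroshell or from any poster: it builds a constructed TLS ClientHello carrying an SNI, then emulates each rule's match decision in Python and adds a stricter SNI-decoding match for comparison. The packets, the 203.0.113.0/24 addresses (documentation space), the zeroed random and the single cipher suite are all constructed. The emulation inspects only the TCP payload, whereas the real `-m string` match scans the packet from offset 0, so it is an approximation of the kernel's behaviour, not a replacement for testing on the box.

```python
"""Emulate the thread's Facebook-blocking rules on constructed packets (added example)."""
import ipaddress
import struct

# CIDR blocks quoted in the thread (AtroposX and dave_d posts).
FACEBOOK_BLOCKS = [ipaddress.ip_network(c) for c in (
    "69.63.176.0/20", "66.220.144.0/20", "69.171.224.0/20", "204.15.20.0/22")]


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record with one server_name extension (RFC 5246 / RFC 6066).

    Everything except the SNI is filler: zero random, one cipher suite, null compression.
    """
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry             # ServerNameList
    extension = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list     # ext type = server_name
    body = (b"\x03\x03"                                    # client_version TLS 1.2
            + bytes(32)                                    # random (constructed zeros)
            + b"\x00"                                      # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"           # one cipher suite
            + b"\x01\x00"                                  # compression methods: null only
            + struct.pack("!H", len(extension)) + extension)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake


def extract_sni(payload: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None if there is none."""
    try:
        if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
            return None
        pos = 5 + 4 + 2 + 32                       # record hdr, handshake hdr, version, random
        pos += 1 + payload[pos]                    # session_id
        pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + payload[pos]                    # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if etype == 0x0000:                    # list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
                return payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    except (struct.error, IndexError):
        pass
    return None


def ip_rule_matches(dst_ip: str, dport: int) -> bool:
    """AtroposX/dave_d: '-d <block> -p tcp --dport 443 -j DROP' for each listed block."""
    return dport == 443 and any(ipaddress.ip_address(dst_ip) in b for b in FACEBOOK_BLOCKS)


def string_rule_matches(payload: bytes, dport: int, port=None, needle=b"facebook.com") -> bool:
    """modti: '-m string --algo kmp --string "facebook.com" -j DROP'.

    port=None is the rule as posted (any port); port=443 is jeshini's variant, i.e. the
    same match prefixed with '-p tcp --dport 443'. Substring search, like the kernel match.
    """
    return (port is None or dport == port) and needle in payload


def sni_rule_matches(payload: bytes, dport: int, domain="facebook.com") -> bool:
    """Stricter alternative: decode the SNI and require the domain itself or a subdomain."""
    sni = extract_sni(payload) if dport == 443 else None
    return sni is not None and (sni == domain or sni.endswith("." + domain))


# Constructed traffic; 203.0.113.0/24 is documentation space, not a Facebook range.
SAMPLE_PACKETS = {
    "fb_listed_block": ("66.220.149.18", 443, build_client_hello("www.facebook.com")),
    "fb_unlisted_ip":  ("203.0.113.10", 443, build_client_hello("www.facebook.com")),
    "other_site":      ("203.0.113.20", 443, build_client_hello("www.example.com")),
    "lookalike":       ("203.0.113.30", 443, build_client_hello("facebook.com.example.net")),
    "plain_http":      ("66.220.149.18", 80, b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"),
}


def evaluate(packets=SAMPLE_PACKETS):
    """Map each packet name to which rule would DROP it."""
    return {
        name: {
            "ip_block_443": ip_rule_matches(ip, port),
            "string_any_port": string_rule_matches(payload, port),
            "string_443_only": string_rule_matches(payload, port, port=443),
            "sni_exact": sni_rule_matches(payload, port),
        }
        for name, (ip, port, payload) in packets.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:16s}", " ".join(f"{k}={v}" for k, v in verdict.items()))
```

Running it shows why each poster saw what they saw: the IP rule drops the ClientHello to an address inside a listed block but misses the same site on an unlisted address, which is AtroposX's "until facebook uses a different ip block" caveat; the string match catches both because the SNI travels in the clear in the ClientHello, and with `-p tcp --dport 443` in front of it the port-80 request is no longer dropped, which is the answer to jeshini's question. The lookalike case is the price of a plain substring match: "facebook.com.example.net" is dropped too, while the SNI-decoding check is not fooled.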

    #51342

    pddm
    Member

    I know that this is an older post, but some time ago I found a simple way to block https sites without having to generate tons of rules for iptables.
    Especially in the case of facebook, which constantly changes IP addresses.

    So, like this you do it once and you’re done:

    1. Under NETWORK click DNS.
    2. Next to Domain click Create.
    3. In the window, fill in the Domain Name, in this case facebook.com, leave the Master Server, insert the E-mail Contact (@ will be replaced by .), leave Forward and Submit
    4. If not already selected, choose facebook.com from the Domain select box.
    5. Under Resources Commands click New and create an A pointer to any IP address you would like to open instead, or even a dead one.
    6. Set Status to ACTIVE

    That’s it. If you need someone on your network to be able to open the site anyway, you can simply change his DNS to an external one.

    #51343

    JohnSim
    Member

    @pddm wrote:

    1. Under NETWORK click DNS.
    2. Next to Domain click Create.
    3. In the window, fill in the Domain Name, in this case facebook.com, leave the Master Server, insert the E-mail Contact (@ will be replaced by .), leave Forward and Submit
    4. If not already selected, choose facebook.com from the Domain select box.
    5. Under Resources Commands click New and create an A pointer to any IP address you would like to open instead, or even a dead one.
    6. Set Status to ACTIVE

    That’s it. If you need someone on your network to be able to open the site anyway, you can simply change his DNS to an external one.

    I don’t see facebook.com in the Domain select box.

