HowTo Block Facebook With Iptables
which is exactly what I expect. But if I use my browser (Firefox) to open facebook.com the site still opens, which is not what I expect. I tried reloading and opening another facebook domain (facebook.de) which I haven't tried before to rule out problems with the browser cache, but that didn't help.
HowTo block facebook with iptables
I am using Zentyal Os as a firewall, it working fine like blocking http sites and but I am not able to block https facebook site.My only aim is need to block https facebook site, like need to block 443 port.
This solution isn't perfect either. DNS is just the base of the naming system, hitting the IP address directly would win. If you own the Internal name server for your network, you could setup an entry for facebook.com to resolve somewhere else. I'd use this in conjunction with the iptables one above.
We could even go one step further. If you own all the machines in the network that you are trying to block facebook for, you could generate a Root CA certificate, install the public key on all the machines. Man-in-the-middle all SSL traffic resign all websites with your certs and actively kill facebook connections. However, this is a dangerous idea and has privacy implications (especially in a corporate environment).
As I believe zentyal comes with integrated support for the snort IDS, you could add a snort rule that detects and blocks the SSL packet which contains the server certificate based on a common name that contains facebook.com. That could also address accesses through a proxy (as long as the connection to the proxy itself is not encrypted).
Another approach could be to force all DNS traffic through your DNS server (block domain traffic except to your DNS server) and return something bogus for queries of any facebook.com domain (would not stop access through a proxy though).
This commands work so well!The command totally blocks access to facebook even its its https. But i noticed when you do this this on a large network, connections to the Internet slows. any solution?
The "right" way to do what you want is to institute a "Man-In-The-Middle" transparent HTTPS interception proxy that can filter HTTPS traffic. You then tell the proxy to block any URL with youtube.com in it.
Using domains is really not recommended with iptables due to DNS lookups, so you can get facebook's IP addresses (with dig or host commands for example) and add those IPs (you'll have to review those for updates).
In this article, you will see some useful commands that will help you manage your Linux box firewall through iptables. For the purpose of this article, I will start with simpler commands and go to more complex to the end.
Where you need to change "xxx.xxx.xxx.xxx" with the actual IP address. Be very careful when running this command as you can accidentally block your own IP address. The -A option appends the rule in the end of the selected chain.
In both examples change "xxx" with the actual port you wish to allow. If you want to block UDP traffic instead of TCP, simply change "tcp" with "udp" in the above iptables rule.
Firewalld can apply firewall rules with iptables (using the still default iptables interface) or with nftables (using the new nftables backend. If you want to use firewalld, having a basic understanding of XML is useful in understanding and customizing its configuration files.
I want to block all incoming tcp packets that contain some string in the source URL. for example, I want to block all packages where the source url contains "facebook.com".Using the commands below, I can block any package (input, output, forward) that contains the string "facebook.com". The problem is if the string "facebook.com" is inside the html body of the packet, this will be blocked as well. # iptables -A INPUT -i eth0 -m string --algo bm --string "facebook.com" -j DROP # iptables -A OUTPUT -m string --algo bm --string "facebook.com" -j DROP # iptables -A FORWARD -i eth0 -m string --algo bm --string "facebook.com" -j DROPThere is a easy way to match the string only in the source URL of the packet?
Note that Facebook uses SSL so you're not going to have anything to string match in the packets (they'll be encrypted). It probably works for ku.edu because it's HTTP traffic and not HTTPS. To do what you want with IP tables, you would need to filter based on IP address or host name. You could try something like -j DROP -d facebook.com.
Agreed with DanFromGermany that iptables is not the right tool for the job. Blocking based on IP address or host name might initially work but it could break and would be difficult to maintain. I believe that the DNS name is resolved to an IP address when the rule set is loaded by iptables. This means that if Facebook changes its external IP (perhaps due to a failover or load issue) or has more than one IP it won't work.
Second, to minimize false positives, try blocking request packets that contain facebook as the HTTP host (i.e. "Host: facebook.com" or 'Host: www.facebook.com"), I'd also limit it to tcp ("-p tcp") and port 80. The result is something like this:
In any case, this won't help against HTTPS sessions. If you need to block HTTPS sessions with facebook using iptables, you'll have to use -j DROP -d facebook.com like John suggested. Naturally, that still won't work against someone accessing facebook over HTTPS through a proxy or a tunnel, but it should be enough to block most users.
Hi,Thanks alot for the above info.However would like to know that if the blocking or allowing through iptables is possible for specific MAC address over internet, as because if my eth0 is using a local ip 10.10.10.10 which is natted via public ip eg 100.100.100.100 and connected to internet via ISP, then someone from internet with specific MAC id (allowed in iptables) should be able to ssh to my public ip (100.100.100.100) and the rest should be dropped.
The same can be said for offering employees access to Facebook. Interacting with users and customers in the online marketplace is almost a requirement for any business that wants to maintain a competitive advantage. What this means is that many companies are no longer blocking their employees from using Facebook during the workday. For the most part, employees aren't really abusing the privilege. More and more workers these days are working from remote locations with a workday that is scattered all around the clock. People are combining work lives with personal lives.
To block all Facebook apps, just go back to the Internet Access Policy page on the router, and in the section "Website Blocking by URL Address", you can add the base URL for all Facebook apps, which is "apps.facebook.com".
This will not block all of Facebook, but instead only any pages that use the base URL apps.facebook.com, which all Facebook apps do. Now, you can see below that the app I could access before - The Sims Social - is now blocked by the new rule that I just added.
if you want to block only facebook then you would have to do it by url. Doing it by mime will block all video,everywhere. If that is what you want though this like is about enabling it properly but just reverse and it will be blovked.
I have installed adblock, simple-adblock, squid & privoxy. But I'm not able to configure URL block.Also iprange is not working with iptables command.
opkg updateopkg install kmod-ipt-filter iptables-mod-filter/usr/sbin/iptables -A FORWARD -m string --algo bm --string "facebook.com" -j DROP/usr/sbin/iptables -A FORWARD -m string --algo bm --string "youtube.com" -j DROP
There are many different ways to block or allow connections depending on your settings. The examples below are using the covert blocking method of using Drop to drop connections without any interaction. iptables -A allows us to add additional caveats to the rules established by our default chain settings. You see how to use this command to block connections below:
That concludes our IPTables tutorial. As you can see IPTables is a versatile tool for blocking and allowing traffic on Linux distributions. Using the utility effectively involves setting up your default configurations effectively and building additional rules on top of that. The default configurations will allow you to outline your broad traffic intentions to allow or deny traffic; the rules will allow you to structure your approach with regards to IP addresses, ports and protocols.
If you are running Docker version 20.10.0 or higher with firewalld on your system with --iptables enabled, Docker automatically creates a firewalld zone called docker and inserts all the network interfaces it creates (for example, docker0) into the docker zone to allow seamless networking.
Cisco Meraki appliances and access points can be configured with Layer 7 firewall rules to block traffic by application or destination hostname. The MX can also perform "Content Filtering," which blocks access to websites based on their content. The MX can also redirect users to a "This website has been blocked by your network administrator" page, so a user understands why they cannot access a blocked site.
Note: While MR Access Points can be configured with Layer 7 firewall rules, they will not redirect users to a block page. To read about how to configure a Layer 7 firewall rule on an MR Access Point, please consult the following article - Creating a Layer 7 Firewall Rule
We have covered Facebook's BPF-based load balancer with DDoS protection ina previous blog post: Why is the kernel community replacing iptables with BPF?.This post provides further details on Facebook's BPF use by covering AnantDeepak's talk at the BPF/networking microconference on Facebook's BPF-basededge firewall running in production.
Anant started his talkproviding the background on the need to replace the existing iptables firewallwith BPF. At the root of the problem lies the sequential nature of the iptablespolicy engine. To demonstrate this, Anant showed a simplified version of thecode used to traverse a list of rules: