| 1 |
On Mon, Dec 15, 2014 at 07:14:26PM +0100, meino.cramer@×××.de wrote |
| 2 |
|
| 3 |
> But it does not work as exspected: With wireshark I still see |
| 4 |
> the crypted traffic for example to secure.informaction com and |
| 5 |
> s3-1.amazonaws.com by starting firefox and doing nothing more |
| 6 |
> (homepage is a blank page...). |
| 7 |
> |
| 8 |
> So I need bigger weapons... |
| 9 |
|
| 10 |
First, get the IP addresses... |
| 11 |
|
| 12 |
[d531][waltdnes][~] nslookup s3-1.amazonaws.com |
| 13 |
Server: 208.67.222.222 |
| 14 |
Address: 208.67.222.222#53 |
| 15 |
|
| 16 |
Non-authoritative answer: |
| 17 |
Name: s3-1.amazonaws.com |
| 18 |
Address: 54.231.1.0 |
| 19 |
|
| 20 |
[d531][waltdnes][~] nslookup secure.informaction.com |
| 21 |
Server: 208.67.222.222 |
| 22 |
Address: 208.67.222.222#53 |
| 23 |
|
| 24 |
Non-authoritative answer: |
| 25 |
Name: secure.informaction.com |
| 26 |
Address: 82.103.140.40 |
| 27 |
Name: secure.informaction.com |
| 28 |
Address: 82.103.140.42 |
| 29 |
Name: secure.informaction.com |
| 30 |
Address: 69.195.141.179 |
| 31 |
Name: secure.informaction.com |
| 32 |
Address: 69.195.141.178 |
| 33 |
|
| 34 |
With that info in hand, add the following at the top of your iptables |
| 35 |
"OUTPUT" chain... |
| 36 |
|
| 37 |
-A OUTPUT -d 69.195.141.178/31 -j DROP |
| 38 |
-A OUTPUT -d 82.103.140.40/30 -j DROP |
| 39 |
-A OUTPUT -d 54.231.1.0/32 - j DROP |
| 40 |
|
| 41 |
The first one drops 69.195.141.178 and 69.195.141.179. The second one |
| 42 |
drops 82.103.140.40, 82.103.140.41, 82.103.140.42, and 82.103.140.43. |
| 43 |
The third one drops 54.231.1.0. |
| 44 |
|
| 45 |
The Amazon cloud service covers 54.230.0.0/15. If s3-1.amazonaws.com |
| 46 |
is "dynamic", you may have to block that entire range. |
| 47 |
|
| 48 |
For those of you who are interested, I'm attaching a copy of my |
| 49 |
/var/lib/iptables/rules-save which is tweaked for my LAN. Note the |
| 50 |
following... |
| 51 |
* this is a paranoid ruleset for general client end-users only. It will |
| 52 |
*NOT* work for a server |
| 53 |
* the 192.168.x.y addresses are for my internal LAN |
| 54 |
* the 169.254.0.0/16 range is for my HDHomerun OTA TV tuner |
| 55 |
* "the "FECESBOOK" rules block Facebook, coming and going. Firefox |
| 56 |
spins its wheels for several seconds "Connecting to facebook.com", |
| 57 |
before giving up. |
| 58 |
|
| 59 |
-- |
| 60 |
Walter Dnes <waltdnes@××××××××.org> |
| 61 |
I don't run "desktop environments"; I run useful applications |
Archives