On Sat, 12 Dec 2015 01:29:20 -0500 waltdnes@××××××××.org wrote:
> On Fri, Dec 11, 2015 at 08:03:14PM -0700, thelma@×××××××××××.com wrote
> > Does anybody have an idea how to block facebook?
> >
> > I'm using dd-wrt. The "access restriction" can block http but not https
> > and I'm not good in iptables :-/
> > In addition users are using VirtualBox on the network as well.
>
> An excerpt from my /var/lib/iptables/rules-save ruleset...
>
> [0:0] -A INPUT -s 31.13.24.0/21 -j FECESBOOK
> [154:11168] -A INPUT -s 31.13.64.0/18 -j FECESBOOK
> [0:0] -A INPUT -s 66.220.144.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
> [0:0] -A INPUT -s 74.119.76.0/22 -j FECESBOOK
> [0:0] -A INPUT -s 103.4.96.0/22 -j FECESBOOK
> [0:0] -A INPUT -s 173.252.64.0/18 -j FECESBOOK
> [0:0] -A INPUT -s 204.15.20.0/22 -j FECESBOOK
>
> [0:0] -A OUTPUT -d 31.13.24.0/21 -j FECESBOOK
> [3763325:225839770] -A OUTPUT -d 31.13.64.0/18 -j FECESBOOK
> [56:3360] -A OUTPUT -d 66.220.144.0/20 -j FECESBOOK
> [0:0] -A OUTPUT -d 69.63.176.0/20 -j FECESBOOK
> [874:52440] -A OUTPUT -d 69.171.224.0/19 -j FECESBOOK
> [0:0] -A OUTPUT -d 74.119.76.0/22 -j FECESBOOK
> [0:0] -A OUTPUT -d 103.4.96.0/22 -j FECESBOOK
> [3306:198360] -A OUTPUT -d 173.252.64.0/18 -j FECESBOOK
> [0:0] -A OUTPUT -d 204.15.20.0/22 -j FECESBOOK
>
> [3767715:226105098] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6
> [3767715:226105098] -A FECESBOOK -j DROP

+1. Just block their CIDR ranges. No need to do DPI as was
suggested here. Of course smart users can use proxies or tunneling,
so this is not a 100% solution, but for the majority it will work.

Just a tip here: use ipset hash:net for all these ranges and just a
few iptables rules to check src and dst in FORWARD and/or
INPUT/OUTPUT depending on whether the host is the router or the target system,
e.g. for dd-wrt this will be sufficient:

iptables -A FORWARD -m set --match-set facebook src -j DROP
iptables -A FORWARD -m set --match-set facebook dst -j DROP

A set can be created like this:

ipset create facebook hash:net
ipset add facebook 31.13.24.0/21
...

Of course logging may be enabled as above if desired.

This way filtering will be much faster and the blocklist may be updated
without touching iptables rules. The Gentoo init script supports ipset
rules save/load as well as iptables.

Do not forget about IPv6 if it is enabled on your network.

Best regards,
Andrew Savchenko
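The ipset approach above, as an added example that is not code from the thread or from any of its authors: it takes the IPv4 ranges quoted in the message, validates each entry, and emits an `ipset restore` script that fills a temporary set and swaps it into `facebook`, so the blocklist is reloaded atomically while the two FORWARD rules stay untouched. The set name `facebook` and the FORWARD rules are from the message; the helper names, the `-tmp` suffix and the validation logic are my assumptions, and the swap step goes one step beyond what the message describes.

```shell
# Added example, not from the thread: build the "facebook" hash:net set from a
# CIDR list and reload it atomically (temporary set + `ipset swap`).
# Usage on the router (as root), assuming the set type matches the family:
#   ipset create facebook hash:net family inet -exist
#   printf '%s\n' "$FB_V4_RANGES" | gen_ipset_restore facebook inet | ipset restore
# Constructed input: the IPv4 ranges quoted in the thread, one per line.
FB_V4_RANGES="31.13.24.0/21
31.13.64.0/18
66.220.144.0/20
69.63.176.0/20
69.171.224.0/19
74.119.76.0/22
103.4.96.0/22
173.252.64.0/18
204.15.20.0/22"
# cidr_family CIDR: print inet (IPv4) or inet6 (IPv6); fail on anything else,
# so a typo in the list never reaches ipset (where it would abort the restore).
cidr_family() {
    addr=${1%/*}; plen=${1#*/}
    [ "$addr" != "$1" ] || return 1                  # no prefix length given
    case $plen in ''|*[!0-9]*) return 1 ;; esac      # prefix length not numeric
    case $addr in
        *:*) [ "$plen" -le 128 ] && echo inet6 ;;
        *.*.*.*)
            [ "$plen" -le 32 ] || return 1
            oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
            [ $# -eq 4 ] || return 1
            for o; do                                 # every octet 0..255
                case $o in ''|*[!0-9]*) return 1 ;; esac
                [ "$o" -le 255 ] || return 1
            done
            echo inet ;;
        *) return 1 ;;
    esac
}
# gen_ipset_restore SET FAMILY: read CIDRs on stdin and emit an `ipset restore`
# script that fills SET-tmp, swaps it into SET and destroys the old contents.
# Blank/comment lines are ignored; malformed or wrong-family entries are
# reported on stderr and skipped (ipset swap needs both sets to share a family).
gen_ipset_restore() {
    printf 'create %s-tmp hash:net family %s\n' "$1" "$2"
    while IFS= read -r cidr; do
        case $cidr in ''|'#'*) continue ;; esac
        fam=$(cidr_family "$cidr") || { echo "skip malformed: $cidr" >&2; continue; }
        [ "$fam" = "$2" ] || { echo "skip $cidr: not $2" >&2; continue; }
        printf 'add %s-tmp %s\n' "$1" "$cidr"
    done
    printf 'swap %s-tmp %s\ndestroy %s-tmp\n' "$1" "$1" "$1"
}
```

For IPv6 run the same generator with `family inet6` against a second set (and `ip6tables` rules), since a hash:net set holds one address family only.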