Gentoo Archives: gentoo-user

From: Andrew Savchenko <bircoph@g.o>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] blocking facebook
Date: Sat, 12 Dec 2015 14:34:28
Message-Id: 20151212173353.1bde059b6b3d43b768f6adf8@gentoo.org
In Reply to: Re: [gentoo-user] blocking facebook by waltdnes@waltdnes.org
On Sat, 12 Dec 2015 01:29:20 -0500 waltdnes@××××××××.org wrote:
> On Fri, Dec 11, 2015 at 08:03:14PM -0700, thelma@×××××××××××.com wrote
> > Does anybody have an idea how to block facebook?
> >
> > I'm using dd-wrt. The "access restriction" can block http but not https
> > and I'm not good in iptables :-/
> > In addition users are using VirtualBox on the network as well.
>
> An excerpt from my /var/lib/iptables/rules-save ruleset...
>
> [0:0] -A INPUT -s 31.13.24.0/21 -j FECESBOOK
> [154:11168] -A INPUT -s 31.13.64.0/18 -j FECESBOOK
> [0:0] -A INPUT -s 66.220.144.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
> [0:0] -A INPUT -s 74.119.76.0/22 -j FECESBOOK
> [0:0] -A INPUT -s 103.4.96.0/22 -j FECESBOOK
> [0:0] -A INPUT -s 173.252.64.0/18 -j FECESBOOK
> [0:0] -A INPUT -s 204.15.20.0/22 -j FECESBOOK
>
> [0:0] -A OUTPUT -d 31.13.24.0/21 -j FECESBOOK
> [3763325:225839770] -A OUTPUT -d 31.13.64.0/18 -j FECESBOOK
> [56:3360] -A OUTPUT -d 66.220.144.0/20 -j FECESBOOK
> [0:0] -A OUTPUT -d 69.63.176.0/20 -j FECESBOOK
> [874:52440] -A OUTPUT -d 69.171.224.0/19 -j FECESBOOK
> [0:0] -A OUTPUT -d 74.119.76.0/22 -j FECESBOOK
> [0:0] -A OUTPUT -d 103.4.96.0/22 -j FECESBOOK
> [3306:198360] -A OUTPUT -d 173.252.64.0/18 -j FECESBOOK
> [0:0] -A OUTPUT -d 204.15.20.0/22 -j FECESBOOK
>
> [3767715:226105098] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6
> [3767715:226105098] -A FECESBOOK -j DROP

+1. Just block their CIDR ranges. No need to do DPI as was
suggested here. Of course smart users can use proxies or tunneling,
so this is not a 100% solution, but for the majority it will work.

Just a tip here: use ipset hash:net for all these ranges and just a
few iptables rules to check src and dst in FORWARD and/or
INPUT/OUTPUT depending on whether the host is a router or the target
system, e.g. for dd-wrt this will be sufficient:

iptables -A FORWARD -m set --match-set facebook src -j DROP
iptables -A FORWARD -m set --match-set facebook dst -j DROP

A set can be created like this:

ipset create facebook hash:net
ipset add facebook 31.13.24.0/21
...

Of course logging may be enabled as above if desired.

This way filtering will be much faster and the blocklist may be updated
without touching the iptables rules. Gentoo init scripts support ipset
rules save/load as well as iptables.

Do not forget about IPv6 if it is enabled on your network.

Best regards,
Andrew Savchenko
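The ipset approach from the reply above, worked through as an added example (not code from either poster): a small POSIX sh script that generates an `ipset restore` file and an `iptables-restore`/`ip6tables-restore` fragment from a CIDR list, so the blocklist can be refreshed by reloading the set while the firewall rules stay untouched. The IPv4 ranges are the ones quoted in the thread; the IPv6 prefix (2001:db8::/32, documentation space), the set names `facebook`/`facebook6`/`facebook_tmp` and the chain name `FECESBOOK6` are constructed placeholders. The script only writes text; nothing is loaded into the kernel unless you feed the files to the restore tools yourself.

```shell
#!/bin/sh
# Added example, not part of the original thread.  Generates restore
# fragments for ipset and iptables/ip6tables from a CIDR list.

# IPv4 ranges as quoted in the thread; IPv6 prefix is a constructed placeholder.
V4_RANGES="31.13.24.0/21 31.13.64.0/18 66.220.144.0/20 69.63.176.0/20 \
69.171.224.0/19 74.119.76.0/22 103.4.96.0/22 173.252.64.0/18 204.15.20.0/22"
V6_RANGES="2001:db8::/32"

# Emit an 'ipset restore' script that refreshes one set atomically:
# fill a temporary set, swap it into place, then destroy the old contents.
# $1 = set name, $2 = inet|inet6, $3 = space-separated prefixes.
# '-exist' lets the script run on a box where the set already exists.
ipset_restore_script() {
    name=$1; family=$2; ranges=$3
    printf 'create %s hash:net family %s -exist\n' "$name" "$family"
    printf 'create %s_tmp hash:net family %s -exist\n' "$name" "$family"
    printf 'flush %s_tmp\n' "$name"
    for net in $ranges; do
        printf 'add %s_tmp %s -exist\n' "$name" "$net"
    done
    printf 'swap %s_tmp %s\n' "$name" "$name"
    printf 'destroy %s_tmp\n' "$name"
}

# Emit a filter-table fragment for iptables-restore / ip6tables-restore.
# FORWARD covers a router (dd-wrt); INPUT/OUTPUT cover the host itself.
# Matched traffic goes to a logging chain and is dropped, as in the thread.
# $1 = set name, $2 = chain / log prefix.
filter_rules() {
    set_name=$1; chain=$2
    printf '*filter\n'
    printf ':%s - [0:0]\n' "$chain"
    for hook in "FORWARD src" "FORWARD dst" "INPUT src" "OUTPUT dst"; do
        base=${hook% *}; dir=${hook#* }
        printf '%s\n' "-A $base -m set --match-set $set_name $dir -j $chain"
    done
    printf '%s\n' "-A $chain -j LOG --log-prefix \"$chain:\" --log-level 6"
    printf '%s\n' "-A $chain -j DROP"
    printf 'COMMIT\n'
}

# Write all four fragments into the directory given as $1 (default: cwd).
# To apply on a live system (as root):
#   ipset restore < facebook.ipset ; ipset restore < facebook6.ipset
#   iptables-restore -n < facebook.rules ; ip6tables-restore -n < facebook6.rules
write_all() {
    dir=${1:-.}
    ipset_restore_script facebook inet "$V4_RANGES"   > "$dir/facebook.ipset"
    ipset_restore_script facebook6 inet6 "$V6_RANGES" > "$dir/facebook6.ipset"
    filter_rules facebook FECESBOOK   > "$dir/facebook.rules"
    filter_rules facebook6 FECESBOOK6 > "$dir/facebook6.rules"
}
```

The swap keeps the set consistent at every instant, so a refreshed CIDR list never leaves a window where the rules reference an empty or half-filled set. `-n` on the restore tools appends to the running filter table instead of flushing it. Because the rules only name the sets, the rules file is written once and only the `.ipset` files change when the ranges do; IPv6 needs its own `family inet6` set and its own ip6tables rules, which is the point of the closing reminder in the reply.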