* Block Facebook with Layer7
From: Usuário do Sistema @ 2012-09-17 22:30 UTC (permalink / raw)
To: Mail List - Netfilter
Hello everyone,
Is it possible to drop traffic to Facebook with iptables Layer7? I have done
some tests with Squid but I found it difficult because I'm using a
transparent proxy, so maybe it would be easier to drop it with iptables
layer7.
Any tips are welcome, as well as some how-tos.
Thanks.
* Re: Block Facebook with Layer7
From: Julien Vehent @ 2012-09-18 1:54 UTC (permalink / raw)
To: Usuário do Sistema; +Cc: Mail List - Netfilter
On 2012-09-17 18:30, Usuário do Sistema wrote:
> Hello everyone,
>
> it's possible to drop traffic to facebook with iptables Layer7 ? I
> have done some test with Squid but I found some difficult because I'm
> using Transparent Proxy so maybe it been more easy to drop with
> iptables layer7.
>
> any tips is welcome......as well as some how to....
>
>
iptables -t filter -I FORWARD -p tcp --dport 80 -m string --string "host: facebook.com" --icase --algo bm -j DROP
Of course, this won't work with HTTPS connections.
--
Julien Vehent - http://jve.linuxwall.info
* Re: Block Facebook with Layer7
From: Usuário do Sistema @ 2012-09-18 2:53 UTC (permalink / raw)
To: Julien Vehent; +Cc: Mail List - Netfilter
Hi, thank you Julien.
> iptables -t filter -I FORWARD -p tcp --dport 80 -m string --string "host: facebook.com" --icase --algo bm -j DROP
>
> Of course, this won't work with HTTPS connections.
Sorry, but to make it work with HTTPS, I just add a new rule with --dport 443, right?
2012/9/17 Julien Vehent <julien@linuxwall.info>:
> On 2012-09-17 18:30, Usuário do Sistema wrote:
>>
>> Hello everyone,
>>
>> it's possible to drop traffic to facebook with iptables Layer7 ? I
>> have done some test with Squid but I found some difficult because I'm
>> using Transparent Proxy so maybe it been more easy to drop with
>> iptables layer7.
>>
>> any tips is welcome......as well as some how to....
>>
>>
>
> iptables -t filter -I FORWARD -p tcp --dport 80 -m string --string "host:
> facebook.com" --icase --algo bm -j DROP
>
> Of course, this won't work with HTTPS connections.
>
> --
> Julien Vehent - http://jve.linuxwall.info
* Re: Block Facebook with Layer7
From: Julien Vehent @ 2012-09-18 4:00 UTC (permalink / raw)
To: Usuário do Sistema; +Cc: Mail List - Netfilter
On 2012-09-17 22:53, Usuário do Sistema wrote:
> sorry, but to work with HTTPS just add an new rule with --dport 443 right
> ??
You cannot* inspect the content of an HTTPS connection because it's
encrypted. That includes the entire HTTP communication, thus the Host header
as well.
http://en.wikipedia.org/wiki/Secure_Sockets_Layer
* Well, you *can*, but that requires using SSL proxies and an organized MITM.
Not something easy to deploy.
--
Julien Vehent - http://jve.linuxwall.info
* Re: Block Facebook with Layer7
From: Jan Engelhardt @ 2012-09-18 5:32 UTC (permalink / raw)
To: Julien Vehent; +Cc: Usuário do Sistema, Mail List - Netfilter
On Tuesday 2012-09-18 03:54, Julien Vehent wrote:
> On 2012-09-17 18:30, Usuário do Sistema wrote:
>> Hello everyone,
>>
>> it's possible to drop traffic to facebook with iptables Layer7 ? I
>> have done some test with Squid but I found some difficult because I'm
>> using Transparent Proxy so maybe it been more easy to drop with
>> iptables layer7.
>>
>> any tips is welcome......as well as some how to....
>>
>>
>
> iptables -t filter -I FORWARD -p tcp --dport 80 -m string --string "host:
> facebook.com" --icase --algo bm -j DROP
>
> Of course, this won't work with HTTPS connections.
And easily kills the connection whenever there's "host: facebook.com" in
the payload. Like... this mail, when read through a web archive.
* Re: Block Facebook with Layer7
From: John A. Sullivan III @ 2012-09-18 10:15 UTC (permalink / raw)
To: Jan Engelhardt
Cc: Julien Vehent, Usuário do Sistema, Mail List - Netfilter
On Tue, 2012-09-18 at 07:32 +0200, Jan Engelhardt wrote:
> On Tuesday 2012-09-18 03:54, Julien Vehent wrote:
>
> > On 2012-09-17 18:30, Usuário do Sistema wrote:
> >> Hello everyone,
> >>
> >> it's possible to drop traffic to facebook with iptables Layer7 ? I
> >> have done some test with Squid but I found some difficult because I'm
> >> using Transparent Proxy so maybe it been more easy to drop with
> >> iptables layer7.
> >>
> >> any tips is welcome......as well as some how to....
> >>
> >>
> >
> > iptables -t filter -I FORWARD -p tcp --dport 80 -m string --string "host:
> > facebook.com" --icase --algo bm -j DROP
> >
> > Of course, this won't work with HTTPS connections.
>
> And easily kills the connection whenever there's "host: facebook.com" in
> the payload. Like... this mail, when read through a web archive.
<snip>
Isn't that where one would specify the offsets - not to mention more
efficient parsing?
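To make Jan's false-positive point and John's offset suggestion concrete, here is an added simulation (not code from the thread) of what `-m string --string "host: facebook.com" --icase` searches, with and without `--from`/`--to` bounds. It assumes xt_string offsets count from the start of the IP packet, stands in a fixed 40-byte IPv4+TCP header, and constructs both HTTP requests inline.

```python
IP_TCP_HDR = b"\x00" * 40           # stand-in for a minimal IPv4 + TCP header
PATTERN = b"host: facebook.com"     # Julien's --string argument

def string_match(packet: bytes, pattern: bytes, icase: bool = True,
                 frm: int = 0, to: int = 65535) -> int:
    """Emulate xt_string: first offset of pattern in packet[frm:to], or -1."""
    window = packet[frm:to]
    if icase:                                   # --icase
        window, pattern = window.lower(), pattern.lower()
    hit = window.find(pattern)
    return -1 if hit < 0 else frm + hit

def http_request(method: str, path: str, host: str, body: bytes = b"") -> bytes:
    """Constructed HTTP/1.1 request as it sits in a packet with --dport 80."""
    head = (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return IP_TCP_HDR + head + body

# A genuine request to facebook.com. (Note the rule's own gap: a request with
# "Host: www.facebook.com" does not contain "host: facebook.com" at all.)
REAL = http_request("GET", "/", "facebook.com")

# Jan's case: the rule text itself, submitted through a web mail archive on
# port 80, puts "host: facebook.com" into a payload unrelated to Facebook.
ARCHIVE = http_request("POST", "/reply", "archive.example.org", (
    b"Hello everyone,\n\n"
    b"I was using a transparent Squid proxy before, but the string match\n"
    b"looked simpler. Quoting the rule Julien suggested on the list:\n\n"
    b'  -m string --string "host: facebook.com" --icase --algo bm -j DROP\n'))

def unbounded(packet: bytes) -> int:
    """Default --from 0 --to 65535: the whole packet is searched."""
    return string_match(packet, PATTERN)

def headers_only(packet: bytes) -> int:
    """John's idea: --from 40 --to 200 limits the search to where the request
    line and first headers live, so a hit deep inside a body is ignored."""
    return string_match(packet, PATTERN, frm=len(IP_TCP_HDR), to=200)

# Caveat: the window is a heuristic. A long request line or extra headers can
# push Host: past byte 200 (missed match), a short body can still fit inside
# the window (false positive), and a TCP segment boundary can split the string.

if __name__ == "__main__":
    for name, pkt in (("real GET", REAL), ("archive POST", ARCHIVE)):
        print(f"{name:13s} unbounded={unbounded(pkt):4d} "
              f"headers_only={headers_only(pkt):4d}")
```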
* Re: Block Facebook with Layer7
From: Humberto Jucá @ 2012-09-18 11:49 UTC (permalink / raw)
To: John A. Sullivan III; +Cc: netfilter
Try this (filtering facebook.com DNS requests):
/sbin/iptables -t mangle -A POSTROUTING -m string --hex-string "|66616365626f6f6b03636f6d|" --algo bm -p udp --dport 53 -j DROP
**** All sites with a Facebook plugin will be slow! ****
IMHO, with proxy applications (like Squid/Dansguardian) you get the best results.
With TCP/443 open, you greatly facilitate the use of tools such as UltraSurf.
Change your proxy config to WPAD and deny tcp/443 in the FORWARD chain.
2012/9/18 John A. Sullivan III <jsullivan@opensourcedevel.com>:
> On Tue, 2012-09-18 at 07:32 +0200, Jan Engelhardt wrote:
>> On Tuesday 2012-09-18 03:54, Julien Vehent wrote:
>>
>> > On 2012-09-17 18:30, Usuário do Sistema wrote:
>> >> Hello everyone,
>> >>
>> >> it's possible to drop traffic to facebook with iptables Layer7 ? I
>> >> have done some test with Squid but I found some difficult because I'm
>> >> using Transparent Proxy so maybe it been more easy to drop with
>> >> iptables layer7.
>> >>
>> >> any tips is welcome......as well as some how to....
>> >>
>> >>
>> >
>> > iptables -t filter -I FORWARD -p tcp --dport 80 -m string --string "host:
>> > facebook.com" --icase --algo bm -j DROP
>> >
>> > Of course, this won't work with HTTPS connections.
>>
>> And easily kills the connection whenever there's "host: facebook.com" in
>> the payload. Like... this mail, when read through a web archive.
> <snip>
> Isn't that where one would specify the offsets - not to mention more
> efficient parsing?
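The hex string in Humberto's rule is the DNS wire-format label sequence "facebook" 0x03 "com". The following added example (not from the thread) encodes query names the way a resolver does and checks which constructed names the pattern would drop; the DNS header bytes and all query names are constructed for illustration.

```python
import binascii

HEX_PATTERN = "66616365626f6f6b03636f6d"     # Humberto's --hex-string argument
PATTERN = binascii.unhexlify(HEX_PATTERN)     # == b"facebook\x03com"

def encode_qname(name: str) -> bytes:
    """RFC 1035 label encoding: <len><label> for each label, then a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dns_query(name: str, qtype: int = 1) -> bytes:
    """Constructed minimal DNS query: 12-byte header plus one IN question."""
    header = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # id, RD, qd=1
    return header + encode_qname(name) + qtype.to_bytes(2, "big") + b"\x00\x01"

def rule_matches(name: str) -> bool:
    """Emulate `-m string --hex-string |...| --algo bm` on the query payload."""
    return PATTERN in dns_query(name)

# The pattern starts at "facebook" without the 0x08 length byte, so it matches
# every name whose labels contain "...facebook" followed by the label "com".
EXPECTED = {
    "facebook.com":     True,
    "www.facebook.com": True,   # the name browsers actually resolve
    "facebook.com.au":  True,   # unrelated registry, blocked as collateral
    "myfacebook.com":   True,   # longer label ending in "facebook" still hits
    "facebook.net":     False,
    "fb.com":           False,
    "FaceBook.com":     False,  # DNS is case-insensitive, the byte match is not
}

def check_all() -> dict:
    """Return {name: rule_matches(name)} for the constructed cases."""
    return {name: rule_matches(name) for name in EXPECTED}

if __name__ == "__main__":
    # Because the rule DROPs the query instead of answering it, the client
    # waits for its resolver timeout on every hit, which is why pages that
    # embed a Facebook plugin load slowly, as Humberto warns.
    for name, hit in check_all().items():
        print(f"{name:18s} {'DROP' if hit else 'pass'}")
```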