From: trentbuck@gmail.com (Trent W. Buck)
To: netfilter@vger.kernel.org
Subject: Re: [Help] Allow website using iptables
Date: Thu, 07 May 2020 11:40:22 +1000 [thread overview]
Message-ID: <87pnbged4p.fsf@goll.lan> (raw)
In-Reply-To: 968b51ba-41c2-518f-6019-9912fb408f68@tana.it
Sơn Đỗ, I agree with Alessandro. Here are some additional comments.

Alessandro Vesely <vesely@tana.it> writes:

> On 04/05/2020 08:53, Sơn Đỗ wrote:
>> I have a Linux router and am using iptables 1.4 to configure the firewall.

Note that iptables 1.4 is *really* old - about 2015 I think.
Consider upgrading if possible.

>> And I want to permit a device to access a certain website with a
>> domain name and block other websites. So I have used some cmds in
>> iptables below:
>>
>> iptables -N allow_chain
>> iptables -A FORWARD -j allow_chain
>> iptables -A allow_chain -m mac --mac-source 11:22:33:44:55:66 -m string --algo bm --string youtube -j ACCEPT
>> iptables -A allow_chain -m mac --mac-source 11:22:33:44:55:66 -j DROP
>>
>> In this case, I want the computer with MAC address 11:22:33:44:55:66
>> connected to my Linux router to be able to access only YouTube.
>
> Quite problematic, as it has to be able to access a name server to get the
> target IP, at least. If you mean youtube.com, access to a number of ancillary
> Javascript providers (google.com, gstatic.com, and the like) may also have to
> be granted.

See also https://en.wikipedia.org/wiki/Deep_packet_inspection

> For a different approach, censorship is often applied by controlling the DNS resolver. See:
> https://en.wikipedia.org/wiki/Internet_censorship#Content_suppression_methods

Another approach is to disable routing (ip_forward) altogether, and
instead require clients to use a forward proxy (e.g. squid).
The proxy can then choose what sites to allow.
HTTPS proxies use CONNECT, so per-domain ACLs are easy.
To e.g. allow https://example.com/index.html but block https://example.com/email.php,
you need the proxy to do a MITM attack on your users, see
http://www.squid-cache.org/Doc/config/ssl_bump/
Note that your jurisdiction's privacy laws may forbid such techniques.

Both DNS and HTTP proxy methods are increasingly difficult to implement
as GUI web browsers get smarter about e.g. cert pinning and DNSSEC/DANE.
See e.g.
https://en.wikipedia.org/wiki/Certificate_Transparency
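The following is an added example, not code from anyone in this thread, showing what the "disable ip_forward and use a forward proxy" suggestion looks like in practice: the client is no longer routed at all, it may only reach the router's own resolver and the proxy port, and the per-site decision moves into a squid ACL. All interface names, addresses and ports are assumptions (the MAC address is the one from the original post); the script also assumes the router runs its own DNS resolver.

```sh
#!/bin/sh
# Added example, not code from the thread.  It implements Trent's second
# suggestion: stop forwarding the client's packets entirely and let a forward
# proxy on the router decide per domain, instead of matching payload bytes
# with "-m string" in FORWARD (which cannot see inside TLS and also fires on
# any packet that merely contains the substring).
#
# Assumptions (none of these come from the original mail):
#   LAN_IF      router interface the client is attached to
#   CLIENT_MAC  the client's MAC (the value from the post is the default)
#   CLIENT_IP   a fixed DHCP lease for that client, used by the squid ACL
#   PROXY_PORT  squid's listening port (3128 is squid's default http_port)
#   the router runs its own DNS resolver on port 53
# Set DRY_RUN=1 to print the commands instead of executing them.

LAN_IF="${LAN_IF:-eth1}"
CLIENT_MAC="${CLIENT_MAC:-11:22:33:44:55:66}"
CLIENT_IP="${CLIENT_IP:-192.168.1.10}"
PROXY_PORT="${PROXY_PORT:-3128}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or echo it when DRY_RUN=1 so the generated ruleset
# can be reviewed (or tested) without root.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# apply_client_allowlist: the client may reach only the router's resolver
# and the proxy port; nothing from it is routed anywhere.
apply_client_allowlist() {
    # 1. Stop acting as a router at all ("disable ip_forward").
    run sysctl -w net.ipv4.ip_forward=0
    # 2. Belt and braces: if forwarding is ever switched back on, the
    #    FORWARD policy still drops instead of accepting.
    run iptables -P FORWARD DROP
    # 3. Dedicated INPUT chain for this client, selected by source MAC
    #    (the mac match is valid in PREROUTING, INPUT and FORWARD).
    run iptables -N client_allow
    run iptables -A INPUT -i "$LAN_IF" -m mac --mac-source "$CLIENT_MAC" -j client_allow
    # 4. Packets belonging to connections the router already accepted.
    run iptables -A client_allow -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 5. DNS to the router's resolver (UDP and TCP), then the proxy port.
    run iptables -A client_allow -p udp --dport 53 -j ACCEPT
    run iptables -A client_allow -p tcp --dport 53 -j ACCEPT
    run iptables -A client_allow -p tcp --dport "$PROXY_PORT" -j ACCEPT
    # 6. Everything else from this client is dropped; the per-site decision
    #    now lives in the proxy, not in the packet filter.
    run iptables -A client_allow -j DROP
}

# print_squid_acl: matching squid.conf fragment.  dstdomain matches the host
# in plain HTTP requests and in the CONNECT request line, so HTTPS is
# allowed or denied per domain without decrypting anything (no ssl_bump).
print_squid_acl() {
    cat <<EOF
# squid.conf fragment (assumed values; adjust to your network)
acl client_pc src ${CLIENT_IP}
# Alessandro's point applies here too: youtube.com alone is rarely enough;
# ancillary hosts such as google.com and gstatic.com may need adding.
acl allowed_sites dstdomain .youtube.com
http_access allow client_pc allowed_sites
http_access deny all
EOF
}

# Usage: sh allowlist.sh apply   (as root)   or   sh allowlist.sh show
case "${1:-}" in
    apply) apply_client_allowlist ;;
    show)  DRY_RUN=1; apply_client_allowlist; print_squid_acl ;;
    *) ;;
esac
```

Two things to keep in mind when using this: ip_forward=0 switches off routing for every client, not just the one being restricted, which is exactly the "altogether" in Trent's suggestion, so the other clients must also be pointed at the proxy; and the browser on the restricted machine has to be configured (or auto-configured via WPAD/PAC) to use the proxy, otherwise it simply gets no connectivity. The MAC match can be spoofed by the client, so the allow-list is a policy control for a cooperative device, not a security boundary against a hostile one.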