HowTo Block Facebook With Iptables


Everardo Laboy

unread,
May 5, 2024, 4:27:01 AM5/5/24
to dmacphostouper

which is exactly what I expect. But if I use my browser (Firefox) to open facebook.com the site still opens, which is not what I expect. I tried reloading and opening another facebook domain (facebook.de) which I haven't tried before to rule out problems with the browser cache, but that didn't help.


I am using Zentyal OS as a firewall. It is working fine for blocking http sites, but I am not able to block the https facebook site. My only aim is to block the https facebook site, i.e. I need to block port 443.

This solution isn't perfect either. DNS is just the base of the naming system; hitting the IP address directly would win. If you own the internal name server for your network, you could set up an entry for facebook.com to resolve somewhere else. I'd use this in conjunction with the iptables one above.

We could even go one step further. If you own all the machines in the network that you are trying to block facebook for, you could generate a Root CA certificate and install the public key on all the machines. Man-in-the-middle all SSL traffic, re-sign all websites with your certs and actively kill facebook connections. However, this is a dangerous idea and has privacy implications (especially in a corporate environment).

As I believe zentyal comes with integrated support for the snort IDS, you could add a snort rule that detects and blocks the SSL packet which contains the server certificate based on a common name that contains facebook.com. That could also address accesses through a proxy (as long as the connection to the proxy itself is not encrypted).

Another approach could be to force all DNS traffic through your DNS server (block domain traffic except to your DNS server) and return something bogus for queries of any facebook.com domain (would not stop access through a proxy though).

I'm trying to block Facebook access from my home system (Ubuntu). I could add facebook.com to /etc/hosts, but that would only prevent accessing facebook.com. There are many other ways I could use facebook, like mbasic.facebook.com, m.facebook.com, touch.facebook.com, the IP address, and so on.

I guess I could use a browser extension to block this, but I'd much prefer a system-wide block. I had a look at this question that attempts to solve this using iptables, but that didn't work out - I could still access facebook.com after running this command (I got the range from whois 173.252.120.6 | grep CID):

The easiest way to block access to an entire domain is to set up a local DNS "recursive resolver" and configure those domains specifically. Basically, you set up a DNS server (this can certainly run on the same host), point your local system to it, and tell that DNS server to return crafted responses for, for example, the facebook.com domain (or zone, as it is known in DNS parlance). For those, you set up no address records, which will cause any attempt to resolve any host name under facebook.com to return a "host not found".

This gives you a very basic forwarding DNS resolver setup. To block access to specific domains, which in DNS terms means that you for those names authoritatively serve an empty zone, add zone stanzas to your BIND configuration file, pointing at the db.empty file which is provided for convenience by the bind9 package. For example, to block everything under facebook.com (including the bare name), add:

A simple method that will work sufficiently well for casual users is to block the IP addresses that the DNS lookup returns. Let's assume you have minors that should not access facebook. Use ping -4 facebook.com and ping -6 facebook.com to find out the IP and IPv6 addresses you need to filter. Then

The "right" way to do what you want is to institute a "Man-In-The-Middle" transparent HTTPS interception proxy that can filter HTTPS traffic. You then tell the proxy to block any URL with youtube.com in it.

Using domains is really not recommended with iptables due to DNS lookups, so you can get facebook's IP addresses (with dig or host commands for example) and add those IPs (you'll have to review those for updates).

I'm developing a framework for Android OS. I need to block a hostname, i.e. if I block a hostname, no connection is allowed to this hostname. The user will not be allowed to access this hostname by browser, terminal (shell) or any application. I was planning to use iptables for this task, but there are some hostnames with dynamic IP addresses, like www.facebook.com. And I'm afraid that dynamic IP changes can affect the iptables' power to block hostnames.

I've got a Netgear R7000 flashed to DD-WRT, so I have pretty granular control over my firewall and am familiar with iptables. In looking at a few online guides, they simply state to block facebook.com and m.facebook.com, but I have to believe those aren't the only domains/subdomains that are used. I'm especially concerned with ones that are associated with remotely listening to their users.

Does anyone have experience and know which firewall rules to create to block the entirety of facebook and all of its ancillary services? And by that, I mean every single domain and subdomain facebook could potentially use for any purpose. Facebook is no longer welcome in my house again. Ever.

I have installed adblock, simple-adblock, squid & privoxy. But I'm not able to configure URL block.
Also iprange is not working with iptables command.

These commands work so well!
The command totally blocks access to facebook even if it's https. But I noticed that when you do this on a large network, connections to the Internet slow down. Any solution?

I want to block some URLs to the second computer using iptables, because I think it's the appropriate tool to do this. I have followed instructions on a few sites but none of them works. The most common sentences are:

What you really want in this case is an HTTP proxy, like squid or privoxy (although I only have experience with squid, and experience is kinda a big word). And then, you'll want to use iptables to make sure every HTTP request is passing through your proxy.

If you want to block only facebook then you would have to do it by URL. Doing it by MIME type will block all video, everywhere. If that is what you want though, this link is about enabling it properly; just reverse it and it will be blocked.

Hello, we bought a cheap router and we installed it with openwrt 20.01. We are a small company but with several departments.
I would like to block certain PCs (by MAC address) from youtube and facebook while others have access.

Modern Linux kernels come with a packet-filtering framework named Netfilter. Netfilter enables you to allow, drop, and modify traffic coming in and going out of a system. The iptables userspace command-line tool builds upon this functionality to provide a powerful firewall, which you can configure by adding rules to form a firewall policy. iptables can be very daunting with its rich set of capabilities and baroque command syntax. Let's explore some of them and develop a set of iptables tips and tricks for many situations a system administrator might encounter.

You would like to monitor what's going on with iptables in real time, like with top. Use this command to watch iptables activity dynamically and show only the rules that are actively being traversed:

We've covered many facets of iptables, all the way from making sure you don't lock yourself out when working with iptables to monitoring iptables to visualizing the activity of an iptables firewall. These will get you started down the path to realizing even more iptables tips and tricks.

Many options can be used with the iptables command. As stated above, iptables sets the rules that control network traffic. The rules live in tables (filter, nat, mangle, and so on), and within each table in chains: ordered lists of rules, each of which matches a subset of packets. Each table contains a number of built-in chains (INPUT, OUTPUT and FORWARD in the filter table), but you can add your own.

iptables rules are evaluated top down: the first rule in the chain is checked against the packet, then the second, third and so on, and the first matching terminating rule (ACCEPT, DROP, REJECT) decides. This means a rule appended to the end of a chain with iptables -A or ip6tables -A may never be reached if an earlier rule already accepts the same traffic. In that case insert the rule at the top (or at a given position) with iptables -I or ip6tables -I instead, and check the final order with iptables -L -nv --line-numbers.

You can use iptables to block all traffic and then only allow traffic from certain IP addresses. These firewall rules limit access to specific resources at the network layer. Below is an example sequence of commands:

For anyone dealing with this issue, Meraki and Umbrella were unable to provide a complete solution, due to the heavy integration with Facebook. Umbrella and Meraki can block the web version, but the mobile app continued to work. I had to use a layer 3 firewall rule to block the Facebook IP ranges associated with Whatsapp. You can find them here: -requirements/

under the IP addresses section. It was a complete pain to create 230 objects and 2 object groups (remember object groups can only hold 150 objects max) but I have successfully blocked whatsapp completely. I know that the IP addresses may change in the future, but that is something I will just have to deal with when it comes along.

As I wrote "Perhaps the INPUT chain is not where I need to add this" I decided to look more closely at the output of the iptables -L -nv command. Sure enough, I found a chain called "wanin" that has all my port forwarding rules. Aha moment - I want to block some port forwarding!

In this article, you will see some useful commands that will help you manage your Linux box firewall through iptables. For the purpose of this article, I will start with simpler commands and progress to more complex ones toward the end.

Where you need to change "xxx.xxx.xxx.xxx" to the actual IP address. Be very careful when running this command, as you can accidentally block your own IP address. The -A option appends the rule at the end of the selected chain.

In both examples change "xxx" with the actual port you wish to allow. If you want to block UDP traffic instead of TCP, simply change "tcp" with "udp" in the above iptables rule.
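
The replies above converge on two layers used together: an empty BIND zone so names under facebook.com stop resolving, and iptables/ip6tables rules on the addresses obtained from dig, ping or whois, since iptables cannot match on a domain name. The script below is an added example written for this page; it is not code from any of the posts above. It prints the BIND stanzas and the ipset + iptables commands instead of executing them, so it runs unprivileged and the output can be reviewed before it is fed to sh as root. Assumptions: the db.empty path /etc/bind/db.empty (Debian/Ubuntu bind9 layout), the set name "fb", and the sample addresses in the comments, which are constructed inputs and not an authoritative list of Facebook ranges.

```shell
#!/bin/sh
# Added example for this page (not the thread's own code): DNS sinkhole stanzas for BIND
# plus ipset-backed iptables/ip6tables rules. Nothing here changes the system; pipe the
# printed commands to `sh` as root once you have checked them.

# addr_family ADDR -> 4, 6 or bad. Accepts "1.2.3.4", "1.2.3.0/24", "2a03:2880::/32";
# rejects host names so a CNAME line from `dig +short` never reaches ipset.
addr_family() {
  case "$1" in
    *[!0-9a-fA-F:./]*) echo bad ;;   # stray characters: not an address at all
    *:*)               echo 6 ;;     # any colon: IPv6
    *[!0-9./]*)        echo bad ;;   # letters but no colon: a host name
    *.*.*.*)           echo 4 ;;     # dotted quad (optionally /prefix)
    *)                 echo bad ;;
  esac
}

# gen_bind_block_zones DOMAIN... -> one BIND zone stanza per domain. Serving the zone from
# db.empty (shipped by the bind9 package; path assumed) makes every name under it, and the
# bare name, resolve to "host not found".
gen_bind_block_zones() {
  for d in "$@"; do
    printf 'zone "%s" { type master; file "/etc/bind/db.empty"; };\n' "$d"
  done
}

# gen_block_rules SETNAME ADDR... -> ipset and iptables/ip6tables commands.
# The firewall rule references the set, so when addresses change only the set is
# updated; the rule itself is written once.
gen_block_rules() {
  name=$1; shift
  echo "ipset create ${name}4 hash:net family inet -exist"
  echo "ipset create ${name}6 hash:net family inet6 -exist"
  for a in "$@"; do
    case "$(addr_family "$a")" in
      4) echo "ipset add ${name}4 $a -exist" ;;
      6) echo "ipset add ${name}6 $a -exist" ;;
      *) echo "skipping '$a': not an IP address (resolve names first)" >&2 ;;
    esac
  done
  # OUTPUT covers the firewall host itself, FORWARD covers clients behind it.
  # -I puts the rule at the top so an earlier blanket ACCEPT cannot shadow it;
  # REJECT makes the browser fail at once instead of hanging on a silent DROP.
  for chain in OUTPUT FORWARD; do
    echo "iptables -I $chain -m set --match-set ${name}4 dst -j REJECT"
    echo "ip6tables -I $chain -m set --match-set ${name}6 dst -j REJECT"
  done
}

# Live use (needs network and root; not executed here):
#   gen_bind_block_zones facebook.com fbcdn.net >> /etc/bind/named.conf.local
#   gen_block_rules fb $(dig +short facebook.com A) $(dig +short facebook.com AAAA) | sh
# Constructed sample input for a dry run (173.252.120.6 is the address quoted in the
# thread; the prefixes are illustrative, verify them with `whois ADDR | grep CIDR`):
#   gen_block_rules fb 173.252.120.6 173.252.64.0/18 2a03:2880::/32
```

The DNS layer on its own is defeated by connecting to the address directly, and the address layer on its own goes stale as the ranges change, which is why the thread suggests running both; re-running the second command from cron with fresh dig or whois output keeps the set current without touching the rules.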
