From: Andrew Savchenko <bircoph@gentoo.org>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] blocking facebook
Date: Sat, 12 Dec 2015 17:33:53 +0300 [thread overview]
Message-ID: <20151212173353.1bde059b6b3d43b768f6adf8@gentoo.org> (raw)
In-Reply-To: <20151212062920.GA31075@waltdnes.org>
On Sat, 12 Dec 2015 01:29:20 -0500 waltdnes@waltdnes.org wrote:
> On Fri, Dec 11, 2015 at 08:03:14PM -0700, thelma@sys-concept.com wrote
> > Does anybody have an idea how to block facebook?
> >
> > I'm using dd-wrt. The "access restriction" can block http but not https
> > and I'm not good in iptables :-/
> > In addition users are using VirtualBox on the network as well.
>
> An excerpt from my /var/lib/iptables/rules-save ruleset...
>
> [0:0] -A INPUT -s 31.13.24.0/21 -j FECESBOOK
> [154:11168] -A INPUT -s 31.13.64.0/18 -j FECESBOOK
> [0:0] -A INPUT -s 66.220.144.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
> [0:0] -A INPUT -s 74.119.76.0/22 -j FECESBOOK
> [0:0] -A INPUT -s 103.4.96.0/22 -j FECESBOOK
> [0:0] -A INPUT -s 173.252.64.0/18 -j FECESBOOK
> [0:0] -A INPUT -s 204.15.20.0/22 -j FECESBOOK
>
> [0:0] -A OUTPUT -d 31.13.24.0/21 -j FECESBOOK
> [3763325:225839770] -A OUTPUT -d 31.13.64.0/18 -j FECESBOOK
> [56:3360] -A OUTPUT -d 66.220.144.0/20 -j FECESBOOK
> [0:0] -A OUTPUT -d 69.63.176.0/20 -j FECESBOOK
> [874:52440] -A OUTPUT -d 69.171.224.0/19 -j FECESBOOK
> [0:0] -A OUTPUT -d 74.119.76.0/22 -j FECESBOOK
> [0:0] -A OUTPUT -d 103.4.96.0/22 -j FECESBOOK
> [3306:198360] -A OUTPUT -d 173.252.64.0/18 -j FECESBOOK
> [0:0] -A OUTPUT -d 204.15.20.0/22 -j FECESBOOK
>
> [3767715:226105098] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6
> [3767715:226105098] -A FECESBOOK -j DROP
+1. Just block their CIDR ranges. No need to do DPI as was
suggested here. Of course smart users can use proxies or tunneling,
so this is not a 100% solution, but for the majority it will work.

Just a tip here: use ipset hash:net for all these ranges and just a
few iptables rules to check src and dst in FORWARD and/or
INPUT/OUTPUT depending on whether the host is the router or the target
system; e.g. for dd-wrt the following will be sufficient:

  iptables -A FORWARD -m set --match-set facebook src -j DROP
  iptables -A FORWARD -m set --match-set facebook dst -j DROP

A set can be created like this:

  ipset create facebook hash:net
  ipset add facebook 31.13.24.0/21
  ...

Of course logging may be enabled as above if desired.

This way filtering will be much faster and the blocklist may be updated
without touching iptables rules. Gentoo init scripts support ipset
rules save/load as well as iptables.

Do not forget about IPv6 if it is enabled on your network.
Best regards,
Andrew Savchenko
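As an added illustration of the ipset approach discussed in this thread (this is not code from the thread or from any of its posters), the following Python script turns a CIDR list like the one quoted above into input for `ipset restore`, emits the matching iptables and ip6tables rules (with the optional LOG-then-DROP chain), and simulates the hash:net lookup offline so the list can be checked without root. It keeps IPv4 and IPv6 in separate sets because one ipset cannot hold both families. The IPv4 ranges are the ones quoted above; the IPv6 prefix 2001:db8::/32 is a constructed placeholder from the documentation range, not a real address block, and the set and chain names are arbitrary choices.

```python
"""
Build ipset + iptables/ip6tables configuration from a CIDR blocklist and
check addresses against it offline. Added example, not from the thread.
"""
import ipaddress

# Constructed sample input: the IPv4 ranges quoted in the thread plus one
# placeholder IPv6 prefix (RFC 3849 documentation range, not a real block)
# so that the inet6 set is exercised as well.
SAMPLE_RANGES = [
    "31.13.24.0/21", "31.13.64.0/18", "66.220.144.0/20", "69.63.176.0/20",
    "69.171.224.0/19", "74.119.76.0/22", "103.4.96.0/22", "173.252.64.0/18",
    "204.15.20.0/22",
    "2001:db8::/32",
]


def parse_ranges(ranges):
    """Validate each CIDR and split by address family.

    Returns (v4_networks, v6_networks). Each list is sorted, with nested or
    adjacent prefixes collapsed so the set stays minimal; a bare host
    address without a mask is accepted as a /32 or /128.
    """
    v4, v6 = [], []
    for raw in ranges:
        net = ipaddress.ip_network(raw.strip(), strict=False)
        (v4 if net.version == 4 else v6).append(net)
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)))


def ipset_restore_text(name, ranges):
    """Render input for `ipset restore`.

    A single hash:net set cannot mix families, so IPv6 entries go into a
    second set named <name>6 created with `family inet6`.
    """
    v4, v6 = parse_ranges(ranges)
    lines = []
    for set_name, family, nets in ((name, "inet", v4), (f"{name}6", "inet6", v6)):
        if not nets:
            continue
        lines.append(f"create {set_name} hash:net family {family}")
        lines.extend(f"add {set_name} {net}" for net in nets)
    return "\n".join(lines) + "\n"


def firewall_rules(name, chain="FORWARD", log_prefix=None):
    """Return the iptables and ip6tables commands that reference the sets.

    With log_prefix set, matches are sent to a user chain that logs and
    then drops, mirroring the LOG + DROP chain quoted earlier; without it
    the match rules drop directly, as in the two-line FORWARD example.
    """
    rules = []
    for tool, set_name in (("iptables", name), ("ip6tables", f"{name}6")):
        target = "DROP"
        if log_prefix:
            target = f"{name.upper()}_BLOCK"  # chain name is an arbitrary choice
            rules.append(f"{tool} -N {target}")
            rules.append(f'{tool} -A {target} -j LOG --log-prefix "{log_prefix}" --log-level 6')
            rules.append(f"{tool} -A {target} -j DROP")
        for direction in ("src", "dst"):
            rules.append(f"{tool} -A {chain} -m set --match-set {set_name} {direction} -j {target}")
    return rules


def is_blocked(addr, ranges):
    """Offline stand-in for the kernel hash:net lookup: True when addr is
    covered by any prefix of its own family in the blocklist."""
    ip = ipaddress.ip_address(addr)
    v4, v6 = parse_ranges(ranges)
    return any(ip in net for net in (v4 if ip.version == 4 else v6))


if __name__ == "__main__":
    print(ipset_restore_text("facebook", SAMPLE_RANGES))
    print("\n".join(firewall_rules("facebook", log_prefix="BLOCKLIST:")))
    for probe in ("31.13.70.1", "8.8.8.8", "2001:db8::1"):
        print(probe, "blocked" if is_blocked(probe, SAMPLE_RANGES) else "allowed")
```

To apply the output on a router, pipe the first part into `ipset restore` before loading the rules, since the `--match-set` rules fail to load if the set does not exist yet; later list updates only need a new `ipset restore` run, which is the point Andrew makes about updating the blocklist without touching the iptables rules.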