Here's my current environment:

I have a VM running Ubuntu Server/Squid, and it is set as non-transparent. I have some IP addresses which need to bypass Squid authentication so they have unrestricted access. In some cases it is needed because some applications don't work well with the proxy.

It is currently done with the following iptables rule:

iptables -t nat -I PREROUTING -s 192.168.0.12 -p tcp --match multiport --dports 80,443 -j ACCEPT

My problem now is that I have to block Facebook for a few of those unrestricted IP addresses.

I have searched for a long time now and tested a bunch of things to implement in my current rule, with no success, so I'm hoping some of you could enlighten me on this situation.

rafarlp

2 Answers

To reliably filter facebook, you'd need to set up a transparent proxy (for example squid) and filter there based on the domain name.

Craig

You can add rules blocking domains to your iptables rules, for example:

iptables -t nat -I OUTPUT -p tcp -d www.facebook.com -j DROP
iptables -t nat -I OUTPUT -p tcp -d facebook.com -j DROP

Using domains is really not recommended with iptables due to DNS lookups, so you can get facebook's IP addresses (with dig or host commands for example) and add those IPs (you'll have to review those for updates).

Or you can use a tool specialized in web content filtering.

LinuxDevOps

This will not actually do what you want. It will resolve `www.facebook.com` once and store that in the config, rather than check if the destination IP matches one that is resolved by `www.facebook.com` – gparent Sep 26 '14 at 14:10
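The following script is an added example for this thread, not code posted by the asker or either answerer. It combines the IP-based approach above with the comment's objection: addresses are resolved at refresh time and loaded into an ipset, so the iptables rule itself never contains a hostname and the set can be refreshed from cron without touching the rule. It assumes the Squid VM is the default gateway for the bypass hosts, so that traffic which the nat PREROUTING ACCEPT rule in the question steers around the proxy still crosses the filter table's FORWARD chain, which is where the per-source block goes; it also assumes ipset is installed. The set name `fb_block` and the 203.0.113.x / 198.51.100.x addresses are constructed placeholders (documentation ranges), not Facebook's real addresses. Blocking by address remains approximate, as the first answer notes, because a CDN's address ranges change.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: the Squid VM is the
# default gateway for the bypass hosts (their non-proxied traffic crosses
# filter/FORWARD) and ipset is installed. Sample addresses below are constructed
# from documentation ranges, not Facebook's real addresses.
set -eu

# Constructed sample of what resolve_ips might return for a domain.
SAMPLE_IPS="203.0.113.10 203.0.113.11 198.51.100.20"

# Current A records for a domain, one per line (needs DNS; not used offline).
resolve_ips() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Print (do not run) the commands that fill an ipset with the given addresses
# and attach ONE FORWARD rule dropping HTTP/HTTPS from $src to anything in the
# set. Re-running refreshes the set; the -C check keeps the rule from being
# inserted twice.
emit_block_rules() {
    set_name="$1"; src="$2"; shift 2
    printf 'ipset create %s hash:ip -exist\n' "$set_name"
    printf 'ipset flush %s\n' "$set_name"
    for ip in "$@"; do
        printf 'ipset add %s %s -exist\n' "$set_name" "$ip"
    done
    rule="FORWARD -s $src -p tcp -m multiport --dports 80,443 -m set --match-set $set_name dst -j DROP"
    printf 'iptables -C %s 2>/dev/null || iptables -I %s\n' "$rule" "$rule"
}

# Offline demonstration for one restricted host and the sample set.
# For live records use: emit_block_rules fb_block 192.168.0.12 $(resolve_ips www.facebook.com)
# and pipe the output to sh as root, e.g. from a cron job that refreshes the set.
# shellcheck disable=SC2086
emit_block_rules fb_block 192.168.0.12 $SAMPLE_IPS
```

Because the source address is part of the single FORWARD rule, hosts that are not listed keep their unrestricted bypass; add one such rule per restricted host (or a second ipset matched with `src`) rather than editing the PREROUTING rule from the question.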