How do I set iptables so that https://bing.com is blocked, but http://bing.com is not?

-A OUTPUT -d bing.com -j DROP – works: Block bing.com through http and https as well.

So I try to modify it so that only https is blocked:

-A OUTPUT -d bing.com --dport 443 -j DROP – but this won’t work, bing.com is allowed through http and https as well.

What am I doing wrong?

Ah, and this is a home computer, I just want to prohibit browsing bing.com through https.

gaazkam

Posted 2016-05-15T14:55:04.207

Reputation: 583

If you want to block domain names, you need a proxy. iptables doesn’t see the Host header. If you block by IP address, you may inadvertently block other stuff as well. – Daniel B – 2016-05-15T14:59:22.433

@DanielB Hrm, so why does -A OUTPUT -d bing.com -j DROP work as expected? – gaazkam – 2016-05-15T15:00:43.037

Because DNS responses are cached. It’s simply not reliable this way. – Daniel B – 2016-05-15T15:05:10.820

Bing owns a lot of IP addresses and iptables doesn't do a fresh lookup each time. You need to block at least these two subnets, 204.79.196.0/23 and 204.79.195.0/24, if not even more than that. Bing may even attempt to upgrade a non-SSL connection to SSL over port 80. – cybernard – 2016-05-15T15:11:32.540

Possible duplicate of Why can’t I block https?

– T.J.L. – 2016-05-19T12:11:31.007

@T.J.L. Close, but not exactly a dupe. With this question, issues like the ones outlined by Daniel B and cybernard above would have to be considered. With the other question, no such issues show up. – gaazkam – 2016-05-19T12:13:58.470

Answers

To block particular sites, use the -d option to specify the hostname.

iptables -A OUTPUT -d bing.com -p tcp --dport 443 -j DROP 

Richie086

Posted 2016-05-15T14:55:04.207

Reputation: 4 299

Won’t work. I get the following error: The "nat" table is not intended for filtering, the use of DROP is therefore inhibited. – gaazkam – 2016-05-19T11:49:49.747

I updated my answer – Richie086 – 2016-05-19T13:07:48.713

-d specifies the destination, not the host name. The destination can be given as a host name, which is looked up at the time of rule creation, but it isn't stored that way. – a CVn – 2016-05-19T13:18:30.097

If I reeeaaally want to do it this way, the correct command seems to be:

iptables -I OUTPUT -d bing.com -p tcp --dport 443 -j DROP

My mistake above seems to be that I didn’t precede --dport 443 with -p tcp. Without it, I was getting the following error: unknown option "--dport"

Of course, the comments @Daniel B and @cybernard posted on my question still apply.

gaazkam

Posted 2016-05-15T14:55:04.207

Reputation: 583
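As an added example (not part of the original question or any of the answers above), the script below acts on the caveats from the comments: `-d bing.com` is resolved once, when the rule is inserted (`iptables -S OUTPUT` afterwards shows plain addresses, never the name), so any address Bing hands out later slips past it. Blocking the address ranges instead, via an ipset referenced by a single iptables rule, lets you cover whole subnets and add to the set without touching the rule. The two subnets used are the ones cybernard listed; treat them as an illustration rather than an authoritative list of Bing's addresses. It assumes the `ipset` tool and the xt_set match are available on the machine. By default it only prints the commands it would run (no root needed); set `DRY_RUN=0` to apply them.

```shell
#!/bin/sh
# Added example, not from the original post: block HTTPS to a set of address
# ranges with ipset instead of a hostname that iptables resolves only once.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).

DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# is_cidr ADDR: true only for a dotted-quad IPv4 address with an optional
# /prefix in 0-32. A hostname is rejected, so nothing gets resolved behind
# our back the way "-d bing.com" would.
is_cidr() {
    addr="${1%/*}"
    case "$1" in
        */*) prefix="${1#*/}" ;;
        *)   prefix=32 ;;
    esac
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# block_https_to_ranges SETNAME CIDR...: put the ranges into an ipset and
# insert one OUTPUT rule that matches the set, so every packet is checked
# against the live set rather than against addresses resolved at rule time.
block_https_to_ranges() {
    setname="$1"; shift
    [ $# -gt 0 ] || { echo "no ranges given" >&2; return 1; }
    for range in "$@"; do
        is_cidr "$range" || { echo "not an IPv4 CIDR: $range" >&2; return 1; }
    done
    # -exist makes the script idempotent: re-running it is harmless.
    run ipset -exist create "$setname" hash:net
    for range in "$@"; do
        run ipset -exist add "$setname" "$range"
    done
    # REJECT with a TCP reset instead of DROP so the browser fails at once
    # instead of hanging until the connection attempt times out.
    run iptables -I OUTPUT -p tcp --dport 443 -m set --match-set "$setname" dst \
        -j REJECT --reject-with tcp-reset
}

# Stand-alone use with the two subnets from the comments (illustrative only).
block_https_to_ranges bing_https 204.79.196.0/23 204.79.195.0/24
```

Port 80 stays untouched, which is what the question asked for; as cybernard notes, the site may still redirect plain HTTP to HTTPS, and that redirect will then simply fail. To extend the block later, `ipset add bing_https <cidr>` is enough; the iptables rule does not change.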