-A OUTPUT -d bing.com -j DROP
– works: blocks bing.com through both http and https.
So I try to modify it so that only https is blocked:
-A OUTPUT -d bing.com --dport 443 -j DROP
– but this won’t work: bing.com is allowed through both http and https.
What am I doing wrong?
Ah, and this is a home computer; I just want to prohibit browsing bing.com through https.
If you want to block domain names, you need a proxy. iptables doesn’t see the Host header. If you block by IP address, you may inadvertently block other stuff as well. – Daniel B – 2016-05-15T14:59:22.433
@DanielB Hrm, so why does
-A OUTPUT -d bing.com -j DROP
work as expected? – gaazkam – 2016-05-15T15:00:43.037
Because DNS responses are cached. It’s simply not reliable this way. – Daniel B – 2016-05-15T15:05:10.820
Bing owns a lot of IP addresses, and iptables doesn't do a fresh lookup each time. You need to block at least these 2 subnets, 204.79.196.0/23 and 204.79.195.0/24, if not even more than that. Bing may even attempt to upgrade non-SSL to SSL over port 80. – cybernard – 2016-05-15T15:11:32.540
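The points made by Daniel B and cybernard above, as an added example that is not part of the original thread: iptables resolves a hostname given to -d once, at insert time, and emits one rule per address returned, so a hostname rule only ever covers what DNS answered at that moment. The helper below emits HTTPS-only DROP rules per address or range (with the -p tcp that --dport requires) and reports which currently resolved addresses fall outside them; the address lists are constructed, not real lookups, and 203.0.113.10 is a placeholder from the documentation range.

```python
import ipaddress

# Constructed inputs (not real lookups): what a resolver might return for
# the hostname when the rule is inserted, and what it might return later.
ADDRS_AT_INSERT = ["204.79.197.200"]
ADDRS_LATER = ["204.79.197.200", "204.79.195.17", "203.0.113.10"]  # last: placeholder

# The two ranges named in cybernard's comment.
BING_RANGES = ["204.79.196.0/23", "204.79.195.0/24"]


def https_block_rules(targets, chain="OUTPUT"):
    """One HTTPS-only DROP rule per target (single address or CIDR range).

    This is also what iptables does with '-d HOST': it resolves HOST once and
    stores one rule per address; HOST itself is never kept, so later lookups
    that return other addresses are not matched. '--dport' is only valid
    together with '-p tcp', which the rule in the question omitted.
    """
    nets = [ipaddress.ip_network(t, strict=False) for t in targets]
    return [
        f"iptables -A {chain} -p tcp -d {n.with_prefixlen} --dport 443 -j DROP"
        for n in nets
    ]


def uncovered(addresses, targets):
    """Addresses that fall outside every target.

    A non-empty result means the rule set has gaps for what DNS currently
    returns, which is the failure mode described in the comments above.
    """
    nets = [ipaddress.ip_network(t, strict=False) for t in targets]
    return [
        a for a in addresses
        if not any(ipaddress.ip_address(a) in n for n in nets)
    ]


if __name__ == "__main__":
    print("# what '-d bing.com' expanded to at insert time:")
    for rule in https_block_rules(ADDRS_AT_INSERT):
        print(rule)
    print("# later answers those rules miss:", uncovered(ADDRS_LATER, ADDRS_AT_INSERT))
    print("# explicit range-based rules instead:")
    for rule in https_block_rules(BING_RANGES):
        print(rule)
    print("# still outside the ranges:", uncovered(ADDRS_LATER, BING_RANGES))
```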
Possible duplicate of Why can’t I block https? – T.J.L. – 2016-05-19T12:11:31.007
@T.J.L. Close, but not exactly a dupe. With this question, issues like the ones outlined by Daniel B and cybernard above would have to be considered. With the other question, no such issues show up. – gaazkam – 2016-05-19T12:13:58.470