Why can’t I block https?

0

1

May I ask why I cannot block all HTTPS traffic in iptables?

I tried:

OUTPUT --dport 443 -j DROP

And even:

OUTPUT --sport 443 -j DROP

None of this works. HTTPS web pages are still perfectly accessible. WHY? What kind of PEBKAC have I managed to subject myself to this time?

gaazkam

Posted 2016-05-18T22:35:20.703

Reputation: 583

Just an FYI, any website with HSTS (including google) will not be downgraded to HTTP, the request will just fail. Blocking HTTPS will likely annoy many users. – Jon – 2016-05-18T23:11:43.767

Answers

1

Try this

You can block access to all https based sites with iptables using the following rule:

iptables -t nat -I PREROUTING -m tcp -p tcp --dport 443 -j DROP

To block particular sites use the -d option to specify the hostname.

iptables -t nat -I PREROUTING -m tcp -p tcp -d www.example.com --dport 443 -j DROP

Try this

iptables -A OUTPUT -p tcp --dport 443 -j DROP

Richie086

Posted 2016-05-18T22:35:20.703

Reputation: 4 299

OK but why PREROUTING? – gaazkam – 2016-05-18T23:13:33.657

I mean, I’m doing it on my PC, not on a router. – gaazkam – 2016-05-18T23:15:04.913

Also, why did my rules fail to work? – gaazkam – 2016-05-18T23:23:00.700

Also, sadly, your rule doesn’t work. Instead I am shown this: The "nat" table is not intended for filtering, the use of DROP is therefore inhibited. – gaazkam – 2016-05-19T11:10:17.363

I edited my answer, try the 3rd example – Richie086 – 2016-05-19T12:58:05.440

Nm looks like you already figured that out – Richie086 – 2016-05-19T13:02:03.680

1

Finally. Yep, it was a PEBKAC.

The solution is to write: iptables -I OUTPUT -p tcp --dport 443 -j DROP

The way I was doing it, I was getting the error: unknown option "--dports"

I didn’t see it, because I wasn’t adding the rule with the iptables command, but rather by adding it to a file that was being read by iptables at startup. Silly me.

gaazkam

Posted 2016-05-18T22:35:20.703

Reputation: 583

Well at least you got it resolved. Next time, please post any related error messages you see like that. Seeing that error message would have been a huge red flag. – Richie086 – 2016-05-19T13:01:22.123

How you used the lines in question should have been included in the question. – a CVn – 2016-05-19T13:01:23.237
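Both failures in this thread came from a rules file that a startup script fed to iptables without anyone seeing the error: `--dports` is a `-m multiport` option and is rejected as unknown on its own, and a DROP target in the nat table is refused because that table is not meant for filtering. The script below is an added example, not code from either poster: a small pre-flight linter for an iptables rules file (plain `iptables ...` lines or iptables-restore format) that reports those two mistakes before the file is loaded at boot. The function names and the sample rules file it writes are constructed for this example.

```shell
#!/bin/sh
# Added example: lint an iptables rules file before it is applied at boot.
# Flags (1) --dports/--sports without "-m multiport" and (2) DROP/REJECT in
# the nat table. Returns 0 when the file is clean, 1 when problems were found.
lint_iptables_rules() {
    file=$1
    problems=0
    table=filter       # iptables-restore "*nat" style headers switch this
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            '#'*|'') continue ;;                    # comments and blank lines
            '*'*) table=${line#\*}; continue ;;     # "*filter", "*nat", ...
            :*|COMMIT) continue ;;                  # chain policies, COMMIT
        esac
        # An explicit "-t <table>" on a plain iptables line wins over the header
        case " $line " in
            *' -t nat '*)    rule_table=nat ;;
            *' -t mangle '*) rule_table=mangle ;;
            *' -t raw '*)    rule_table=raw ;;
            *' -t filter '*) rule_table=filter ;;
            *)               rule_table=$table ;;
        esac
        # Mistake 1: --dports/--sports only exist inside the multiport match
        case " $line " in
            *' --dports '*|*' --sports '*)
                case " $line " in
                    *' -m multiport '*) ;;
                    *) echo "$file:$lineno: --dports/--sports needs '-m multiport'; use --dport/--sport for a single port"
                       problems=$((problems + 1)) ;;
                esac ;;
        esac
        # Mistake 2: the nat table is not for filtering, iptables refuses DROP there
        case " $line " in
            *' -j DROP'*|*' -j REJECT'*)
                if [ "$rule_table" = nat ]; then
                    echo "$file:$lineno: DROP/REJECT is not allowed in the nat table; put the rule in the filter table (e.g. chain OUTPUT)"
                    problems=$((problems + 1))
                fi ;;
        esac
    done < "$file"
    [ "$problems" -eq 0 ]
}

# Constructed sample: the three rule lines seen in this thread, as a boot
# script might hold them. Written to the path given as $1.
write_sample_rules() {
    cat > "$1" <<'EOF'
# bad: --dports is a multiport option, so iptables reports unknown option "--dports"
iptables -I OUTPUT -p tcp --dports 443 -j DROP
# bad: filtering in the nat table is refused
iptables -t nat -I PREROUTING -m tcp -p tcp --dport 443 -j DROP
# good: the rule that finally worked
iptables -I OUTPUT -p tcp --dport 443 -j DROP
EOF
}

# Stand-alone run: lint the constructed sample and report.
sample=${TMPDIR:-/tmp}/https-block-rules.$$
write_sample_rules "$sample"
if lint_iptables_rules "$sample"; then
    echo "rules file looks clean"
else
    echo "fix the rules file before loading it at boot"
fi
rm -f "$sample"
```

Run it against the real rules file before enabling the boot script, and after loading confirm the rule is actually present with `iptables -S OUTPUT` (for iptables-restore format files, `iptables-restore --test FILE` also parses the file without applying it). A rule that never loaded looks exactly like a rule that does not work, which is what happened here.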