Iptables – Blocking Facebook on certain IP Addresses with iptables

iptablesrulessquid

Here's my current environment:

I have a VM running Ubuntu Server/Squid, and it is set as non-transparent. I have some IP Addresses which need to bypass Squid authentication so they have unrestricted access. In some cases it is need because some applications don't work well with the proxy.

It is currently done with the following iptables rule:

iptables -t nat -I PREROUTING -s 192.168.0.12 -p tcp --match multiport --dports 80,443  -j ACCEPT

My problem now is that I have to block Facebook for a few of those unrestricted IP Addresses.

I have searched for a long time now and tested a bunch things to implement in my current rule, with no success, so I'm hoping some of you could enlighten me on this situation.

Best Answer

To reliably filter facebook, you'd need to set up a transparent proxy (for example squid) and filter there based on the domain name.

Related Solutions

Iptables – Transparent Proxy with Squid / iptables

If I understand you correctly, what you want to do isn't going to be handled simply by configuring iptables. The REDIR target can only be used to target processes running on the local system. I believe attempting to use a DNAT target to forward the to the remote squid box would remove some of the information the remote squid box needs to properly handle the request

If you allow me to guess a bit. I think you are trying to leave the default gateway as 192.168.1.1 on your host and then send your port 80 traffic across the vpn right?

The remote squid needs some configuration so that it can actually act as a transparent proxy. If you can setup the correct iptables redirection on the squid host, and the remote host is in the network path, then it is possible to do use some advanced routing to forward all port 80 requests across the vpn.

P.S. If I am understanding your needs correctly add a comment, I can update my answer with more details about how to setup routing.

Best way to bypass Squid for certain sites

If you want to AVOID completely squid, adding exceptions to the transparent proxy iptables redirect rule is way.

You can, however, create an acl in squid for the always_direct directive. From the squid docs:

acl local-servers dstdomain my.domain.net
always_direct allow local-servers

It doesn't work in all cases, sometimes just avoiding the proxy completely will do.

EDIT: If you use something like shorewall you can create lists that make the exception for the redirect rule easier to manage, but it may be too overkill.

Best Answer

Related Solutions

Iptables – Transparent Proxy with Squid / iptables

Best way to bypass Squid for certain sites

Related Topic