Re: [gentoo-user] blocking facebook

[Andrew Savchenko]

On Sat, 12 Dec 2015 01:29:20 -0500 waltd...@waltdnes.org wrote:
> On Fri, Dec 11, 2015 at 08:03:14PM -0700, the...@sys-concept.com wrote
> > Does anybody have an idea how to block facebook?
> > 
> > I'm using dd-wrt.  The "access restriction" can block http but not https
> > and I'm not good in iptables :-/
> > In addition users are using VirtualBox on the network as well.
> 
>   An excerpt from my /var/lib/iptables/rules-save ruleset...
> 
> [0:0] -A INPUT -s 31.13.24.0/21 -j FECESBOOK
> [154:11168] -A INPUT -s 31.13.64.0/18 -j FECESBOOK
> [0:0] -A INPUT -s 66.220.144.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
> [0:0] -A INPUT -s 74.119.76.0/22 -j FECESBOOK
> [0:0] -A INPUT -s 103.4.96.0/22 -j FECESBOOK
> [0:0] -A INPUT -s 173.252.64.0/18 -j FECESBOOK
> [0:0] -A INPUT -s 204.15.20.0/22 -j FECESBOOK
> 
> [0:0] -A OUTPUT -d 31.13.24.0/21 -j FECESBOOK
> [3763325:225839770] -A OUTPUT -d 31.13.64.0/18 -j FECESBOOK
> [56:3360] -A OUTPUT -d 66.220.144.0/20 -j FECESBOOK
> [0:0] -A OUTPUT -d 69.63.176.0/20 -j FECESBOOK
> [874:52440] -A OUTPUT -d 69.171.224.0/19 -j FECESBOOK
> [0:0] -A OUTPUT -d 74.119.76.0/22 -j FECESBOOK
> [0:0] -A OUTPUT -d 103.4.96.0/22 -j FECESBOOK
> [3306:198360] -A OUTPUT -d 173.252.64.0/18 -j FECESBOOK
> [0:0] -A OUTPUT -d 204.15.20.0/22 -j FECESBOOK
> 
> [3767715:226105098] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 
> 6
> [3767715:226105098] -A FECESBOOK -j DROP

+1. Just block their CIDR ranges. No need to do DPI like was
suggested here. Of course smart users can use proxies or tunneling,
so this is not 100% solution, but for the majority it will work.

Just a tip here: use ipset hash:net for all this ranges and just a
few iptables rules to check src and dst in FORWARD and/or
INPUT/OUTPUT depending on whether host is router or target system,
e.g. for dd-wrt will be sufficient:

iptables -A FORWARD -m set --match-set facebook src -j DROP
iptables -A FORWARD -m set --match-set facebook dst -j DROP

A set can be created like this:

ipset create facebook hash:net
ipset add facebook 31.13.24.0/21
...

Of course logging may be enabled as above if desired.

This way filtering will be much faster and blocklist may be updated
without touching iptables rules. Gentoo init script support ipset
rules save/load as well as iptables.

Do not forget about ipv6 if it is enabled on your network.

Best regards,
Andrew Savchenko

pgp4gZGYmgNxX.pgp
Description: PGP signature