
Thread: IPTable Rules to allow one domain and block all other HTTPS Traffic

  1. #1

    IPTable Rules to allow one domain and block all other HTTPS Traffic

    Hi!
    I am using two LAN cards in my proxy to route and filter traffic. eth0 is connected to the Internet and eth1 to the internal network.

    I use the following rule to block HTTPS to Facebook. It's working fine.
    iptables -A FORWARD -i eth1 -s 192.168.1.100 -p tcp --dport 443 -d www.facebook.com -j DROP

    I use this rule to block all HTTPS traffic for a specific host.
    iptables -A FORWARD -i eth1 -s 192.168.1.100 -p tcp --dport 443 -j DROP

    What do I need to do to allow only the destination gmail.com or www.gmail.com and block all other HTTPS traffic?

    Please help, Thanks

  2. #2

    Re: IPTable Rules to allow one domain and block all other HTTPS Traffic

    First we need to find the host's IP addresses:
    Code:
    $ host www.gmail.com
    www.gmail.com is an alias for mail.google.com.
    mail.google.com is an alias for googlemail.l.google.com.
    googlemail.l.google.com has address 74.125.226.54
    googlemail.l.google.com has address 74.125.226.53
    googlemail.l.google.com has IPv6 address 2607:f8b0:4006:80e::2005
    I'd go ahead and permit the entire 74.125.226.0/24 "subnet" in case Google adds more servers to that range in the future. The rules look like this:
    Code:
    /sbin/iptables -A FORWARD -d 74.125.226.0/24 -p tcp --dport 443 -j ACCEPT
    /sbin/iptables -A FORWARD -p tcp --dport 443 -j REJECT
    The second rule matches all destinations.

    You should avoid using hostnames in iptables rules. Usually the ruleset is loaded before domain name resolution has been set up, so only IP addresses work in that situation.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users
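    The answer above resolves the hostname by hand and then pastes the addresses into the rules; the following script is an added example (not code from the thread) that does the same thing at load time, so the ruleset never contains a hostname. It keeps the interface and client address from the first post (eth1, 192.168.1.100), takes the allowed hostname as a variable, and separates rule generation from rule application so the generated lines can be inspected before anything is loaded. The script name used in the run guard and the use of `getent` for resolution are assumptions; resolving at load time only works if the script runs after DNS is available, which is exactly the caveat the answer raises.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the FORWARD rules discussed above:
# ACCEPT HTTPS to every address the allowed hostname resolves to, then REJECT
# all other HTTPS from the client. Interface and client address are the ones
# from the first post; the allowed host and the iptables path are parameters.

IPT=/sbin/iptables          # used by build_rules
LAN_IF=eth1
CLIENT=192.168.1.100
ALLOW_HOST=www.gmail.com

# Resolve a hostname to its IPv4 addresses, one per line. This is the only
# place a hostname appears: iptables itself is handed addresses only, so the
# script must run after name resolution is working (assumption: getent exists).
resolve_v4() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Emit the rule lines for a list of allowed destination addresses.
# Arguments: client address, LAN interface, then one or more destinations.
build_rules() {
    client=$1; ifc=$2; shift 2
    for dst in "$@"; do
        printf '%s -A FORWARD -i %s -s %s -d %s -p tcp --dport 443 -j ACCEPT\n' \
            "$IPT" "$ifc" "$client" "$dst"
    done
    # The catch-all must come last: iptables stops at the first matching rule,
    # so a REJECT placed above the ACCEPTs would block the allowed host too.
    printf '%s -A FORWARD -i %s -s %s -p tcp --dport 443 -j REJECT\n' \
        "$IPT" "$ifc" "$client"
}

# Count the ACCEPT rules in a generated ruleset read from stdin.
count_accepts() {
    grep -c -- '-j ACCEPT$'
}

main() {
    addrs=$(resolve_v4 "$ALLOW_HOST")
    if [ -z "$addrs" ]; then
        # Loading only the REJECT would cut off all HTTPS; refuse instead.
        echo "could not resolve $ALLOW_HOST; not loading rules" >&2
        exit 1
    fi
    # shellcheck disable=SC2086   (word-splitting on newlines is intended)
    build_rules "$CLIENT" "$LAN_IF" $addrs | while read -r rule; do
        echo "$rule"        # to apply instead of print: eval "$rule"
    done
}

# Run only when executed under the assumed script name, so the functions can
# also be sourced and checked without touching the firewall.
if [ "${0##*/}" = "allow-one-https-host.sh" ]; then
    main
fi
```

    Two points worth keeping in mind when using rules like these: the `host` output in the answer also lists an IPv6 address, so if the client has IPv6 connectivity the same ACCEPT/REJECT pair is needed in ip6tables or the block is bypassed; and because a Google address serves several Google properties (the third post notes that 74.125.226.54 answers as google.com), allowing the address allows everything hosted behind it, not just Gmail.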

  3. #3

    Re: IPTable Rules to allow one domain and block all other HTTPS Traffic

    Hi!
    Thanks for your reply.
    I have tested the rules.
    Code:
    /sbin/iptables -A FORWARD -i eth1 -s 192.168.10.100 -d 74.125.226.0/24 -p tcp --dport 443 -j ACCEPT
    /sbin/iptables -A FORWARD -i eth1 -s 192.168.10.100 -p tcp --dport 443 -j REJECT
    I am unable to open Gmail, and all HTTPS traffic is blocked. I tried putting the IP address of gmail.com (74.125.226.54) in the browser, and it opens google.com.
    Last edited by The Cog; March 11th, 2015 at 03:38 PM. Reason: Add code tags

  4. #4

    Re: IPTable Rules to allow one domain and block all other HTTPS Traffic

    Well, the fact that you can connect to https://74.125.226.54/ means that the iptables rules are working as advertised. Maybe you have a DNS problem? What does the command "host www.gmail.com" return for you?

  5. #5

    Re: IPTable Rules to allow one domain and block all other HTTPS Traffic

    By running host www.gmail.com, it replied with details of the gmail alias and IP addresses. DNS is working.

    It's the same:
    Code:
    $ host www.gmail.com
    www.gmail.com is an alias for mail.google.com.
    mail.google.com is an alias for googlemail.l.google.com.
    googlemail.l.google.com has address 74.125.226.54
    googlemail.l.google.com has address 74.125.226.53
    googlemail.l.google.com has IPv6 address 2607:f8b0:4006:80e::2005
    Last edited by aamir3; March 13th, 2015 at 06:03 AM.
