How to block https website with iptables

Solution 1

What you are doing will have an effect, but there are several problems:

• Browsers and operating systems cache DNS lookups. They don't necessarily cause a full DNS lookup each time a site is loaded.

• Some browsers may try alternate things if DNS appears blocked (such as contact its own DNS server), because they think there is a network issue. Google Chrome may do this.

• Google Chrome and other browsers may soon implement "DNS over HTTPS" which means doing anything to port 53 would not have any effect, as it wouldn't be using that for DNS at all.

• Blocking by IP address will work for awhile until Youtube's IP address changes for some reason.

• Savvy users may change DNS servers unless you've blocked that ability administratively on your systems.

How I can force youtube to be blocked immediately?

The "right" way to do what you want is to institute a "Man-In-The-Middle" transparent HTTPS interception proxy that can filter HTTPS traffic. You then tell the proxy to block any URL with youtube.com in it.

You can't just simply look for youtube.com on 443 as it's encrypted, as you probably figured out.

One you can play with on a local machine to see how it works is Burp Proxy - it's meant for testing, not managing the traffic of many users though. But will enable you to learn the concepts.

You will have to install the proxy's SSL certificate on every machine that uses the proxy to avoid security warnings.

Solution 2

Your command is:

iptables -A OUTPUT -p udp --dport 53 -m string --domain yahoo.com -j DROP

First your blocking only udp and port 53

iptables -I INPUT 1 -s 172.217.0.0/16 -j DROP
iptables -I FORWARD 1 -s 172.217.0.0/16 -j DROP

iptables -I INPUT 2 -s 157.240.0.0/16 -j DROP
iptables -I FORWARD 2 -s 157.240.0.0/16 -j DROP

First you need to block the INPUT chain as that is where the data comes in. The FORWARD chain may be un-neccesary for your needs. Then I did a ping on youtube, and then I did a whois on that IP to see what block they owned.

Finally, I blocked all there IP so we don't need to bother with dns lookups.

Solution 3

#nslookup youtube.com

Non-authoritative answer:
Name:   youtube.com
Address: 172.217.16.46
Name:   youtube.com
Address: 172.217.20.206

iptables -t filter -A FORWARD -p tcp -s 192.168.1.0/24 -d 172.217.16.46 --dport 80 -j DROP
iptables -t filter -A FORWARD -p tcp -s 192.168.1.0/24 -d 172.217.20.206 --dport 80 -j DROP

source: http://forum.oszone.net/post-692775-5.html

or

iptables -I FORWARD -s 10.0.0.0/24 -p tcp -m string --algo bm --string ".youtube.com" -j DROP

source: http://moshelpers.ru/?q=node/71

or The first example, we have a machine-gateway for the local network, there we create a rule for blocking for example the resource youtube.com it will look like this code:

iptables -A FORWARD -m string --string "youtube.com" --algo kmp --to 65535 -j DROP

To block addresses on the Linux machine, edit the rule a little code:

iptables -A INPUT -m string --string "youtube.com" --algo kmp --to 65535 -j DROP

source: http://sudouser.com/blokirovka-nezhelatelnyx-url-s-pomoshhyu-iptables.html

and that would break tcp connection at once and without timeout only for -p tcp you can try the following

-j REJECT --reject-with tcp-reset

source: http://forum.ixbt.com/topic.cgi?id=76:10833

I'm sorry, all sources - russian sites:)

$ service nscd reload

$ service dnsmasq restart

$ rndc restart

Related videos on Youtube

09 : 41

Centos 7. How to Block Website using iptables rules

Johnson Udobong

623

02 : 46

Unix & Linux: How to block https facebook site using iptables? (3 Solutions!!)

Roel Van de Paar

138

04 : 15

How to block https website with iptables? (4 Solutions!!)

Roel Van de Paar

18

03 : 31

Unix & Linux: iptables to block https websites (6 Solutions!!)

Roel Van de Paar

10

01 : 46

Unix & Linux: How to block https website with iptables?

Roel Van de Paar

4

Author by

Mohamed KALLEL

Contact me on LinkedIn.

Updated on September 18, 2022