Some routers can block Facebook (or any other page) with an URL keyword. Yet, this becomes a problem when the page reverts to a secure connection (https).

Lately, iptables supports so called Layer 7 protocol, to adress issues like this, and it would look something like down below. Let’s suppose that you have a Linux router, in which case you will be using the FORWARD chain to control which packets are allowed to which users.
Generally, this is how it looks:

-A FORWARD -p tcp -m tcp --sport 443 -m string --string "facebook" --algo bm -j DROP
-A FORWARD -p tcp -m tcp --sport 80 -m string --string "facebook" --algo bm -j DROP
-A FORWARD -p tcp -m tcp --dport 443 -m string --string "facebook" --algo bm -j DROP
-A FORWARD -p tcp -m tcp --dport 80 -m string --string "facebook" --algo bm -j DROP

The rules above will litterally “eat” every packet comming in and out from ports 80 and 443 that contains the word “facebook”. I limited the rules to the ports 80 and 443 deliberately, because otherwise – in a general case it could also block mails that contais the word “facebook” and this way you won’t have any log about it.

Furthermore, you can create a special chain instead of using just DROP, that filters out users IP addresses that you want to allow to access Facebook and then log and drop all the others. It is good to log what you’re doing all the time, just in case.

8 thoughts on “Blocking facebook with iptables (https too)

  1. This commands work so well!
    The command totally blocks access to facebook even its its https. But i noticed when you do this this on a large network, connections to the Internet slows. any solution?

    1. These rules work at layer 7, or more exactly it’s actually sniffing traffic for keywords and making a decision upon that. That means that, basically CPU power is what it counts. An average i3 based box should do it quite flawlessly.
      Installing Squid or some content proxy on it could also help mitigating the processing issue, but can also complicate your life further (not necessary)

    1. If you wish to do the oppoisite, you have to make a blocking policy in the FORWARD chain – iptables -P FORWARD DROP
      and then allow facebook:

      -A FORWARD -p tcp -m tcp –sport 443 -m string –string “facebook” –algo bm -j ALLOW
      -A FORWARD -p tcp -m tcp –sport 80 -m string –string “facebook” –algo bm -j ALLOW
      -A FORWARD -p tcp -m tcp –dport 443 -m string –string “facebook” –algo bm -j ALLOW
      -A FORWARD -p tcp -m tcp –dport 80 -m string –string “facebook” –algo bm -j ALLOW

      You can also usefully allow (or block it) for some IP adresses in the LAN only:
      -A FORWARD -s 192.168.1.3 -p tcp -m tcp –sport 443 -m string –string “facebook” –algo bm -j ALLOW



      will allow facebook to 192.168.1.3 only

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.