Some routers can block Facebook (or any other site) with a URL keyword filter. This stops working as soon as the site redirects to a secure connection (HTTPS), because the request URL then travels inside the encrypted connection and the filter never sees it.
More recently, iptables has gained the ability to look inside the packet payload with the string match module (-m string), which is what is loosely called "layer 7" filtering here. It does not understand the protocol at all: it simply searches each packet for a byte pattern, and it is not the separate l7-filter patch set. The rules look something like the ones below. Let's suppose you have a Linux router; in that case you will be using the FORWARD chain to control which packets are passed on to which users.
In general, the rules look like this:
-A FORWARD -p tcp -m tcp --sport 443 -m string --string "facebook" --algo bm -j DROP
-A FORWARD -p tcp -m tcp --sport 80 -m string --string "facebook" --algo bm -j DROP
-A FORWARD -p tcp -m tcp --dport 443 -m string --string "facebook" --algo bm -j DROP
-A FORWARD -p tcp -m tcp --dport 80 -m string --string "facebook" --algo bm -j DROP
The rules above drop every packet going in or out through ports 80 and 443 that contains the string "facebook". I limited the rules to ports 80 and 443 deliberately: without the port match they would also drop, for example, mail traffic that happens to contain the word "facebook", silently and without leaving any log entry. Two things are worth knowing before relying on this. First, the string match inspects each packet on its own, with no stream reassembly, so a pattern split across two packets is not seen. Second, for HTTPS the rules work only because the hostname still appears in clear text in the TLS handshake (in the client's SNI extension and, with TLS 1.2 and older, in the server certificate), not because the encrypted request is readable; with TLS 1.3 the certificate is encrypted, so only the client side of the handshake remains matchable. The match is also a blunt instrument: a plain HTTP page from an unrelated site that mentions "facebook" loses the packet carrying that word.
Furthermore, instead of jumping straight to DROP you can send the matched packets to a dedicated chain: in it, accept the LAN addresses that are allowed to reach Facebook, then log and drop everything else. Logging what the firewall does is always a good idea, just in case.
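As an added example, not part of the original post, the following POSIX shell script renders the rules described above, including the allow-list chain, as an iptables-restore fragment instead of a series of hand-typed commands. The chain name FB_FILTER, the LAN addresses in ALLOWED_HOSTS and the log prefix are assumptions chosen for illustration; the keyword defaults to "facebook" as on this page.

```shell
#!/bin/sh
# Added example, not from the original post: render the FORWARD-chain
# keyword filter as an iptables-restore fragment. The chain name FB_FILTER,
# the LAN addresses in ALLOWED_HOSTS and the log prefix are assumptions
# chosen for illustration.
set -eu

CHAIN="FB_FILTER"
KEYWORD="${KEYWORD:-facebook}"
# LAN hosts that may reach the matched site; everyone else is logged and dropped.
ALLOWED_HOSTS="${ALLOWED_HOSTS:-192.168.1.3 192.168.1.10}"

emit() { printf '%s\n' "$*"; }

# The payload match shared by all four FORWARD rules. -m string inspects each
# packet on its own (no stream reassembly), --algo bm selects Boyer-Moore and
# --icase makes the search case-insensitive.
match() {
    printf '%s' "-p tcp -m tcp $1 -m string --string \"$KEYWORD\" --algo bm --icase"
}

render_rules() {
    emit '*filter'
    # Declare the user-defined chain. With iptables-restore --noflush an
    # existing FB_FILTER is emptied and refilled; built-in chains are untouched.
    emit ":$CHAIN - [0:0]"
    # Both directions on both ports, as in the original rules, but jumping to
    # the custom chain instead of dropping outright.
    for port in '--sport 443' '--sport 80' '--dport 443' '--dport 80'; do
        emit "-A FORWARD $(match "$port") -j $CHAIN"
    done
    # Allowed hosts: their own requests (-s) and the replies back to them (-d).
    for host in $ALLOWED_HOSTS; do
        emit "-A $CHAIN -s $host -j ACCEPT"
        emit "-A $CHAIN -d $host -j ACCEPT"
    done
    # Everyone else: log at a bounded rate so a busy LAN cannot flood syslog, then drop.
    emit "-A $CHAIN -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix \"FB-BLOCK: \" --log-level 4"
    emit "-A $CHAIN -j DROP"
    emit 'COMMIT'
}

# Number of rules rendered for a given chain; handy as a sanity check before applying.
count_rules() {
    render_rules | grep -c -- "^-A $1 " || true
}

render_rules
```

Usage: `sh fb_filter.sh | iptables-restore --noflush` (as root). Applying the fragment twice would append the four FORWARD jumps a second time, so either fold it into your complete ruleset or remove the jumps before re-applying. The accept rules match on address only because the replies to an allowed host do not reliably carry the keyword in every packet.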
8 thoughts on “Blocking facebook with iptables (https too)”
These commands work so well!
The command totally blocks access to Facebook, even if it's HTTPS. But I noticed that when you do this on a large network, connections to the Internet slow down. Any solution?
These rules work at layer 7, or more exactly, they are actually sniffing traffic for keywords and making a decision based on that. That means that, basically, CPU power is what counts. An average i3-based box should do it quite flawlessly.
Installing Squid or some other content proxy on it could also help mitigate the processing issue, but it can also complicate your life further (not necessary).
Hello, I want to subscribe to this blog to get the latest updates, so where can I do it? Please assist.
I don't send mail notifications, sorry. You can use RSS for even better effect. Hope that helped.
Hmm, is anyone else having problems with the pictures on this blog loading? I'm trying to find out if it's a problem on my end or if it's the blog. Any feedback would be greatly
No one else has complained so far. Do you have this issue with all your devices/browsers?
This works very well, but how about allowing Facebook in the same way?
If you wish to do the opposite, you have to set a blocking policy in the FORWARD chain: iptables -P FORWARD DROP
and then allow Facebook:
-A FORWARD -p tcp -m tcp --sport 443 -m string --string "facebook" --algo bm -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 80 -m string --string "facebook" --algo bm -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -m string --string "facebook" --algo bm -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -m string --string "facebook" --algo bm -j ACCEPT
You can also allow (or block) it for some IP addresses in the LAN only:
-A FORWARD -s 192.168.1.3 -p tcp -m tcp --dport 443 -m string --string "facebook" --algo bm -j ACCEPT
-A FORWARD -d 192.168.1.3 -p tcp -m tcp --sport 443 -m string --string "facebook" --algo bm -j ACCEPT
will allow Facebook for 192.168.1.3 only (the first rule matches the host's outgoing requests, the second the replies coming back to it).