Some routers can block Facebook (or any other page) with an URL keyword. Yet, this becomes a problem when the page reverts to a secure connection (https).

Lately, iptables supports so called Layer 7 protocol, to adress issues like this, and it would look something like down below. Let’s suppose that you have a Linux router, in which case you will be using the FORWARD chain to control which packets are allowed to which users.
Generally, this is how it looks:

-A FORWARD -p tcp -m tcp --sport 443 -m string --string "facebook" --algo bm -j DROP
-A FORWARD -p tcp -m tcp --sport 80 -m string --string "facebook" --algo bm -j DROP
-A FORWARD -p tcp -m tcp --dport 443 -m string --string "facebook" --algo bm -j DROP
-A FORWARD -p tcp -m tcp --dport 80 -m string --string "facebook" --algo bm -j DROP

The rules above will litterally “eat” every packet comming in and out from ports 80 and 443 that contains the word “facebook”. I limited the rules to the ports 80 and 443 deliberately, because otherwise – in a general case it could also block mails that contais the word “facebook” and this way you won’t have any log about it.

Furthermore, you can create a special chain instead of using just DROP, that filters out users IP addresses that you want to allow to access Facebook and then log and drop all the others. It is good to log what you’re doing all the time, just in case.

6 thoughts on “Blocking facebook with iptables (https too)

  1. This commands work so well!
    The command totally blocks access to facebook even its its https. But i noticed when you do this this on a large network, connections to the Internet slows. any solution?

    1. These rules work at layer 7, or more exactly it’s actually sniffing traffic for keywords and making a decision upon that. That means that, basically CPU power is what it counts. An average i3 based box should do it quite flawlessly.
      Installing Squid or some content proxy on it could also help mitigating the processing issue, but can also complicate your life further (not necessary)

Leave a Reply

Your email address will not be published. Required fields are marked *