* Re: [Help] Allow website using iptables
@ 2020-05-04  8:54 Lazuardi Nasution
  2020-05-04 14:00 ` John Haxby
  0 siblings, 1 reply; 9+ messages in thread
From: Lazuardi Nasution @ 2020-05-04  8:54 UTC (permalink / raw)
  To: netfilter; +Cc: Sơn Đỗ

Hi,

YouTube uses SSL. So you can't match strings inside the packet; it is
encrypted.

Best regards,

On Mon, May 4, 2020, 15:40 Sơn Đỗ <sondd1096@gmail.com> wrote:

> I have a Linux router and am using iptables 1.4 to configure the firewall.
>
> And I want to permit a device to access a certain website with a
> domain name and block other websites. So I have used some cmds in
> iptables, shown below:
>
> iptables -N allow_chain
> iptables -A FORWARD -j allow_chain
> iptables -A allow_chain -m mac --mac-source 11:22:33:44:55:66 -m string --algo bm --string youtube -j ACCEPT
> iptables -A allow_chain -m mac --mac-source 11:22:33:44:55:66 -j DROP
>
> In this case, I want the computer with MAC address 11:22:33:44:55:66
> connected to my Linux router to be able to access only YouTube. But the
> result was not what I expected: after I applied those rules, my computer
> could not access YouTube or any other website either; it dropped all
> internet connections. In my understanding, the rule with the ACCEPT target
> was not applied even when the packet matched the condition, and all packets
> were handled by the rule with the DROP target.
>
> So is there anything wrong with my cmds? What was the problem?
>
> Please help me. Thanks.
>

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [Help] Allow website using iptables
  2020-05-04  8:54 [Help] Allow website using iptables Lazuardi Nasution
@ 2020-05-04 14:00 ` John Haxby
  2020-05-11 10:20   ` Sơn Đỗ
  0 siblings, 1 reply; 9+ messages in thread
From: John Haxby @ 2020-05-04 14:00 UTC (permalink / raw)
  To: Lazuardi Nasution; +Cc: netfilter, Sơn Đỗ


> On 4 May 2020, at 09:54, Lazuardi Nasution <mrxlazuardin@gmail.com> wrote:
> 
> YouTube uses SSL. So you can't match strings inside the packet; it is
> encrypted.

Actually, in most cases you can: the first packet set will usually have the hostname in the SNI extension header.

jch


* Re: [Help] Allow website using iptables
  2020-05-04 14:00 ` John Haxby
@ 2020-05-11 10:20   ` Sơn Đỗ
  2020-05-11 11:34     ` Reindl Harald
  0 siblings, 1 reply; 9+ messages in thread
From: Sơn Đỗ @ 2020-05-11 10:20 UTC (permalink / raw)
  To: netfilter

Hi,
Do you guys have any idea how to allow a certain website for a specific
MAC address?
Thanks.

On Mon, 4 May 2020 at 21:00 John Haxby
<john.haxby@oracle.com> wrote:
>
>
>
> > On 4 May 2020, at 09:54, Lazuardi Nasution <mrxlazuardin@gmail.com> wrote:
> >
> > YouTube uses SSL. So you can't match strings inside the packet; it is
> > encrypted.
>
> Actually, in most cases you can: the first packet set will usually have the hostname in the SNI extension header.
>
> jch


* Re: [Help] Allow website using iptables
  2020-05-11 10:20   ` Sơn Đỗ
@ 2020-05-11 11:34     ` Reindl Harald
  2020-05-11 11:48       ` Mauricio Tavares
  0 siblings, 1 reply; 9+ messages in thread
From: Reindl Harald @ 2020-05-11 11:34 UTC (permalink / raw)
  To: Sơn Đỗ, netfilter



On 11.05.20 at 12:20, Sơn Đỗ wrote:
> Do you guys have any idea how to allow a certain website for a specific
> MAC address?

That's not how the IP layer works:
you don't have any MAC address after a router.

Don't get me wrong, but you need to learn the absolute basics about
networking: https://en.wikipedia.org/wiki/OSI_model

> On Mon, 4 May 2020 at 21:00 John Haxby
> <john.haxby@oracle.com> wrote:
>>
>>
>>
>>> On 4 May 2020, at 09:54, Lazuardi Nasution <mrxlazuardin@gmail.com> wrote:
>>>
>>> YouTube uses SSL. So you can't match strings inside the packet; it is
>>> encrypted.
>>
>> Actually, in most cases you can: the first packet set will usually have the hostname in the SNI extension header.


* Re: [Help] Allow website using iptables
  2020-05-11 11:34     ` Reindl Harald
@ 2020-05-11 11:48       ` Mauricio Tavares
  2020-05-11 12:24         ` Marc SCHAEFER
  0 siblings, 1 reply; 9+ messages in thread
From: Mauricio Tavares @ 2020-05-11 11:48 UTC (permalink / raw)
  To: Reindl Harald; +Cc: Sơn Đỗ, Netfilter

On Mon, May 11, 2020 at 7:36 AM Reindl Harald <h.reindl@thelounge.net> wrote:
>
>
>
> On 11.05.20 at 12:20, Sơn Đỗ wrote:
> > Do you guys have any idea how to allow a certain website for a specific
> > MAC address?
>
> That's not how the IP layer works:
> you don't have any MAC address after a router.
>
What I read is that he wants to have an egress rule to block a
computer behind his router (private network) from reaching YouTube. If the
computer is in the same broadcast domain as the router, his request is
valid. I guess the offending computer uses DHCP and he is looking for a
solution that accounts for that and expects the user knows nothing about
MAC spoofing.

> Don't get me wrong, but you need to learn the absolute basics about
> networking: https://en.wikipedia.org/wiki/OSI_model
>
> > On Mon, 4 May 2020 at 21:00 John Haxby
> > <john.haxby@oracle.com> wrote:
> >>
> >>
> >>
> >>> On 4 May 2020, at 09:54, Lazuardi Nasution <mrxlazuardin@gmail.com> wrote:
> >>>
> >>> YouTube uses SSL. So you can't match strings inside the packet; it is
> >>> encrypted.
> >>
> >> Actually, in most cases you can: the first packet set will usually have the hostname in the SNI extension header.


* Re: [Help] Allow website using iptables
  2020-05-11 11:48       ` Mauricio Tavares
@ 2020-05-11 12:24         ` Marc SCHAEFER
  0 siblings, 0 replies; 9+ messages in thread
From: Marc SCHAEFER @ 2020-05-11 12:24 UTC (permalink / raw)
  To: Mauricio Tavares; +Cc: Reindl Harald, Sơn Đỗ, Netfilter

On Mon, May 11, 2020 at 07:48:13AM -0400, Mauricio Tavares wrote:
> valid. I guess offending computer uses DHCP and he is looking for a
> solution that accounts for that and expects user knows nothing about
> MAC spoofing.

I have done things like this but more with ebtables than iptables.


* Re: [Help] Allow website using iptables
  2020-05-04  8:43 ` Alessandro Vesely
@ 2020-05-07  1:40   ` Trent W. Buck
  0 siblings, 0 replies; 9+ messages in thread
From: Trent W. Buck @ 2020-05-07  1:40 UTC (permalink / raw)
  To: netfilter

Sơn Đỗ, I agree with Alessandro.  Here are some additional comments.

Alessandro Vesely <vesely@tana.it> writes:
> On 04/05/2020 08:53, Sơn Đỗ wrote:
>> I have a Linux router and am using iptables 1.4 to configure the firewall.

Note that iptables 1.4 is *really* old - about 2015 I think.
Consider upgrading if possible.

>> And I want to permit a device to access a certain website with a
>> domain name and block other websites. So I have used some cmds in
>> iptables, shown below:
>> 
>> iptables -N allow_chain
>> iptables -A FORWARD -j allow_chain
>> iptables -A allow_chain -m mac --mac-source 11:22:33:44:55:66 -m string --algo bm --string youtube -j ACCEPT
>> iptables -A allow_chain -m mac --mac-source 11:22:33:44:55:66 -j DROP
>> 
>> In this case, I want the computer with MAC address 11:22:33:44:55:66
>> connected to my Linux router to be able to access only YouTube.
>
> Quite problematic, as it has to be able to access a name server to get the
> target IP, at least.  If you mean youtube.com, access to a number of ancillary
> Javascript providers (google.com, gstatic.com, and the like) may also have to
> be granted.

See also https://en.wikipedia.org/wiki/Deep_packet_inspection

> For a different approach, censorship is often applied by controlling the DNS resolver.  See:
> https://en.wikipedia.org/wiki/Internet_censorship#Content_suppression_methods

Another approach is to disable routing (ip_forward) altogether, and
instead require clients to use a forward proxy (e.g. squid).

The proxy can then choose what sites to allow.
HTTPS proxies use CONNECT, so per-domain ACLs are easy.
To e.g. allow https://example.com/index.html but block https://example.com/email.php,
you need the proxy to do a MITM attack on your users; see

    http://www.squid-cache.org/Doc/config/ssl_bump/

Note that your jurisdiction's privacy laws may forbid such techniques.

Both DNS and HTTP proxy methods are increasingly difficult to implement
as GUI web browsers get smarter about e.g. cert pinning and DNSSEC/DANE.
See e.g.

    https://en.wikipedia.org/wiki/Certificate_Transparency


* Re: [Help] Allow website using iptables
  2020-05-04  6:53 Sơn Đỗ
@ 2020-05-04  8:43 ` Alessandro Vesely
  2020-05-07  1:40   ` Trent W. Buck
  0 siblings, 1 reply; 9+ messages in thread
From: Alessandro Vesely @ 2020-05-04  8:43 UTC (permalink / raw)
  To: Sơn Đỗ, netfilter

Hi,

On 04/05/2020 08:53, Sơn Đỗ wrote:
> I have a Linux router and am using iptables 1.4 to configure the firewall.
> 
> And I want to permit a device to access a certain website with a
> domain name and block other websites. So I have used some cmds in
> iptables, shown below:
> 
> iptables -N allow_chain
> iptables -A FORWARD -j allow_chain
> iptables -A allow_chain -m mac --mac-source 11:22:33:44:55:66 -m string --algo bm --string youtube -j ACCEPT
> iptables -A allow_chain -m mac --mac-source 11:22:33:44:55:66 -j DROP
> 
> In this case, I want the computer with MAC address 11:22:33:44:55:66
> connected to my Linux router to be able to access only YouTube.


Quite problematic, as it has to be able to access a name server to get the
target IP, at least.  If you mean youtube.com, access to a number of ancillary
Javascript providers (google.com, gstatic.com, and the like) may also have to
be granted.

For a different approach, censorship is often applied by controlling the DNS
resolver.  See:
https://en.wikipedia.org/wiki/Internet_censorship#Content_suppression_methods


> But the result was not what I expected: after I applied those rules, my
> computer could not access YouTube or any other website either; it dropped
> all internet connections.

I guess that depends on the default policy (iptables -P) you set.  The rules
quoted above only affect packets matching the given mac-source.


> In my understanding, the rule with the ACCEPT target was not applied even
> when the packet matched the condition, and all packets were handled by the
> rule with the DROP target.

I don't think that /every/ packet will contain that string.  Typically, a
"Host: youtube.com" header field will only appear in one of the first packets
after the TCP handshake.


HTH

Ale
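
Added example (my own code, not from anyone in this thread) illustrating both John's point that the hostname sits in cleartext in the ClientHello's SNI extension and Alessandro's point that a substring match fires only on that first packet: it builds a constructed ClientHello, parses the SNI out of it, simulates what `-m string` would hit across a flow, and derives a `--hex-string` pattern that pins the whole SNI entry rather than the bare substring "youtube". The ClientHello bytes and the second "encrypted" record are constructed sample input, and the hex-string helper assumes the `-m string` match from the original post is the mechanism in use.

```python
import struct

def build_client_hello(host: str) -> bytes:
    """Constructed TLS 1.2 ClientHello record carrying an SNI extension (sample input, not a capture)."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type=host_name, length, name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list             # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                      # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                       # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body            # handshake type ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs          # record type handshake

def extract_sni(segment: bytes):
    """Hostname from a ClientHello TCP payload, or None (later records are opaque once encrypted)."""
    try:
        if segment[0] != 0x16 or segment[5] != 0x01:
            return None
        p = 43                                                         # past record/handshake headers, version, random
        p += 1 + segment[p]                                            # session_id
        p += 2 + struct.unpack("!H", segment[p:p + 2])[0]              # cipher_suites
        p += 1 + segment[p]                                            # compression_methods
        end = p + 2 + struct.unpack("!H", segment[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", segment[p:p + 4])
            p += 4
            if ext_type == 0:
                q = p + 2                                              # skip server_name_list length
                while q + 3 <= p + ext_len:
                    name_type, name_len = segment[q], struct.unpack("!H", segment[q + 1:q + 3])[0]
                    if name_type == 0:
                        return segment[q + 3:q + 3 + name_len].decode("ascii")
                    q += 3 + name_len
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                                           # truncated or malformed: treat as no SNI
    return None

def string_match_hits(payloads, needle: bytes):
    """Indices of the payloads in a flow that an iptables-style substring match (-m string) would fire on."""
    return [i for i, seg in enumerate(payloads) if needle in seg]

def sni_hex_string(host: str) -> str:
    """--hex-string pattern for -m string matching this exact SNI entry (name_type + 2-byte length + name)."""
    return "|00 %02x %02x|%s" % (len(host) >> 8, len(host) & 0xFF, host)

# Constructed flow: the ClientHello, then an application_data record whose payload is opaque ciphertext.
FLOW = [build_client_hello("www.youtube.com"), b"\x17\x03\x03\x00\x20" + b"\x55" * 32]
```

Because only the ClientHello exposes the name, an ACCEPT that matches it has to be paired with a `-m conntrack --ctstate ESTABLISHED,RELATED` ACCEPT for the rest of the connection, otherwise every following packet falls through to the DROP, which is exactly the symptom Sơn Đỗ reported.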

* [Help] Allow website using iptables
@ 2020-05-04  6:53 Sơn Đỗ
  2020-05-04  8:43 ` Alessandro Vesely
  0 siblings, 1 reply; 9+ messages in thread
From: Sơn Đỗ @ 2020-05-04  6:53 UTC (permalink / raw)
  To: netfilter

I have a Linux router and am using iptables 1.4 to configure the firewall.

And I want to permit a device to access a certain website with a
domain name and block other websites. So I have used some cmds in
iptables, shown below:

iptables -N allow_chain
iptables -A FORWARD -j allow_chain
iptables -A allow_chain -m mac --mac-source 11:22:33:44:55:66 -m string --algo bm --string youtube -j ACCEPT
iptables -A allow_chain -m mac --mac-source 11:22:33:44:55:66 -j DROP

In this case, I want the computer with MAC address 11:22:33:44:55:66
connected to my Linux router to be able to access only YouTube. But the
result was not what I expected: after I applied those rules, my computer
could not access YouTube or any other website either; it dropped all
internet connections. In my understanding, the rule with the ACCEPT target
was not applied even when the packet matched the condition, and all packets
were handled by the rule with the DROP target.

So is there anything wrong with my cmds? What was the problem?

Please help me. Thanks.
