iptables webstr not blocking https

DD-WRT Forum Index -> X86 based Hardware
xaim00
DD-WRT Novice


Joined: 23 Jun 2008
Posts: 40

Posted: Tue Jan 06, 2009 4:13    Post subject: iptables webstr not blocking https
Here is an example. The following rule will successfully block access to http://dd-wrt.com

Code:
iptables -A lan2wan -p all -m webstr --host dd-wrt.com -j DROP


However, it is ineffective when using the https protocol. It will not block https://dd-wrt.com

Is this intentional or a bug or am I doing something wrong?

I'm using v24 sp1.
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

Posted: Tue Jan 06, 2009 16:32    Post subject:
Why don't you use the web interface for blocking?
xaim00
DD-WRT Novice


Joined: 23 Jun 2008
Posts: 40

Posted: Tue Jan 06, 2009 22:18    Post subject:
I just prefer to write my own rules, and the web interface has the same problem, it will not block https.
xaim00
DD-WRT Novice


Joined: 23 Jun 2008
Posts: 40

Posted: Fri Jan 09, 2009 0:14    Post subject:
I've done some thinking and there is a very simple reason why it doesn't work...

The webstr extension looks at the HTTP header to see the host. On HTTPS connections this doesn't work because all data, including the header, is (obviously) encrypted.
aicitman
DD-WRT Novice


Joined: 03 Apr 2013
Posts: 12

Posted: Tue Aug 12, 2014 5:16    Post subject:
xaim00 wrote:
I've done some thinking and there is a very simple reason why it doesn't work...

The webstr extension looks at the HTTP header to see the host. On HTTPS connections this doesn't work because all data, including the header, is (obviously) encrypted.

I agree that's why, and iptables won't help for that. But it's possible to filter it on the DNS lookup (which doesn't use encryption), and not return a DNS address. (Although I'm not sure how DNS requests are sent. It could be very difficult to distinguish a DNS request from any other TCP request.)
In either case, a solution like OpenDNS would work, but can be circumvented by doing a DNS lookup manually (using one of many web services).
Actually, even in HTTPS requests, the destination IP address is visible (obviously, how would the router know where to send it?). You could block the IP addresses of any given DNS name. (Although a lot of big sites have a ton of random IP addresses, and it would be a big deal to do it all manually. It would be convenient to have a script that constantly checks the domains - and subdomains - on a regular basis, and keeps the iptables rules updated accordingly.)
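A script of the kind described in the post above, maintaining the destination-IP block from current DNS answers; this is an added example, not code from the thread or from DD-WRT, and the chain name BLOCKED_HOSTS, the domain list and the sample resolver output are constructed for it.

```shell
#!/bin/sh
# Added example, not from the thread: keep a dedicated iptables chain that drops
# traffic to every IPv4 address a list of domains currently resolves to, which
# catches HTTPS connections that webstr cannot match. Assumptions: BusyBox-style
# sh with iptables and nslookup; lan2wan is the forwarding chain from the thread;
# BLOCKED_HOSTS, DOMAINS and SAMPLE_NSLOOKUP are constructed for this example.

CHAIN=BLOCKED_HOSTS
FWD_CHAIN=lan2wan
# Subdomains users actually visit must be listed too; resolving the bare domain says nothing about www./cdn. hosts.
DOMAINS="dd-wrt.com www.dd-wrt.com"
# Constructed resolver output in BusyBox layout (TEST-NET addresses).
SAMPLE_NSLOOKUP='Server:    192.168.1.1
Address 1: 192.168.1.1 router

Name:      dd-wrt.com
Address 1: 203.0.113.10 dd-wrt.com
Address 2: 203.0.113.11 dd-wrt.com'

# Answer addresses only: dotted quads after the "Name:" line (this skips the
# resolver's own address above it), deduplicated. Fits BusyBox and glibc output.
extract_ipv4() {
    sed -n '/^Name:/,$p' | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# "domain ip ip ..." lines in, iptables commands out. Kept apart from the
# resolver so it can be checked on fixed input. iptables -C is not assumed
# (missing on 2009-era builds); the jump is deleted and re-added to stay idempotent.
gen_block_rules() {
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    echo "iptables -D $FWD_CHAIN -j $CHAIN 2>/dev/null; iptables -I $FWD_CHAIN -j $CHAIN"
    while read -r domain ips; do
        for ip in $ips; do
            echo "iptables -A $CHAIN -d $ip -j DROP   # $domain"
        done
    done
}

# Resolve everything and apply; run from cron so the chain follows DNS changes.
refresh_blocklist() {
    rules=$(for d in $DOMAINS; do
        echo "$d $(nslookup "$d" 2>/dev/null | extract_ipv4 | tr '\n' ' ')"
    done | gen_block_rules)
    # DNS outage: keep the current chain rather than flushing it open.
    echo "$rules" | grep -q -- '-d ' || return 1
    echo "$rules" | sh
}

# Dry run on the constructed sample: shows the rules without touching iptables.
printf 'dd-wrt.com %s\n' "$(echo "$SAMPLE_NSLOOKUP" | extract_ipv4 | tr '\n' ' ')" | gen_block_rules
```

Calling refresh_blocklist from a cron entry is what actually rewrites the chain; the dry run at the end only prints the commands it would issue for the sample answers.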