
blocking https site http://www.hotspotshield.com/

Discussion in 'Tomato Firmware' started by onehomelist, Apr 22, 2010.

  1. onehomelist

    onehomelist Addicted to LI Member

    I use OpenDNS to block access to streaming sites and BitTorrent sites. Recently I found out that my users are using HTTPS to access blocked content. This is the service they use: http://www.hotspotshield.com

    It has many IPs. I tried to block some IPs but it didn't work. Here is the script I used. All the IPs belong to the same service, and there are many more. Please suggest a solution to block the service.
    Code:
    # INPUT and OUTPUT only match packets addressed to or sent by the router itself;
    # traffic from LAN clients crosses the FORWARD chain, which these rules never touch.
    iptables -A INPUT -s 216.218.185.189 -j DROP
    iptables -A OUTPUT -d 216.218.185.189 -j DROP
    iptables -A INPUT -s 216.218.185.187 -j DROP
    iptables -A OUTPUT -d 216.218.185.187 -j DROP
    iptables -A INPUT -s 216.218.185.188 -j DROP
    iptables -A OUTPUT -d 216.218.185.188 -j DROP
    iptables -A INPUT -s 68.68.101.76 -j DROP
    iptables -A OUTPUT -d 68.68.101.76 -j DROP
    iptables -A INPUT -s 64.62.196.39 -j DROP
    iptables -A OUTPUT -d 202.54.20.22 -j DROP
     
  2. mikester

    mikester Network Guru Member

    I'd suggest starting with Wireshark. You can also use something like ntop to map out the end points and block the IP ranges. Try using the following to prevent connections:

    iptables -I FORWARD -d 216.218.185.0/24 -j DROP

    You can also try creating a URL filter for the words

    "/config/?action=connect"
    "hotspotshield"

    If these are users on a work network then you need to lock down the machines to prevent users from installing their own software. If your users have admin rights then you have bigger problems than VPN tunnels...

    Another hint is to assign IPs based on MAC addresses and prevent connections by unknown MACs.

    Whitelisting sites is another option...
     
  3. Toastman

    Toastman Super Moderator Staff Member Member

    One way is to find out if a common port is being used to access the VPN tunnel (often 1723) and classify that port into a nice class of its own, say E, and then slow it down to a crawl using QoS, which effectively deters people from using it. Do the same using a GRE L7 filter. This wrecks the performance of many such tunnels.
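Toastman's QoS trick, written out for a plain Linux router with tc rather than Tomato's QoS GUI. This is an added example, not code from the thread and not Tomato's own QoS implementation: the PPTP control connection (tcp/1723) and the GRE packets that carry the tunnel (IP protocol 47) get a firewall mark in the mangle table, and that mark is steered into an HTB leaf class whose ceiling is low enough to make the tunnel useless. The WAN interface name, the rates, the mark value and the class numbers are assumptions; the script prints the commands for review instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: Toastman's "class E" idea on a plain
# Linux router with tc instead of Tomato's QoS GUI. PPTP control (tcp/1723)
# and GRE (IP protocol 47, which carries the PPTP tunnel) get a firewall mark
# in the mangle table, and the mark is steered into an HTB leaf with a
# starvation-level ceiling. Interface, rates, mark and class ids are assumptions.

# throttle_pptp_rules [WAN_IF] [MARK] -> tc and iptables commands, printed for
# review; pipe the output to sh to apply. Egress only: shaping the download
# direction needs an ingress policer or an IFB device, which is out of scope.
throttle_pptp_rules() {
    wan=${1:-vlan2}   # Tomato on the RT-N16 usually names the WAN port vlan2 (assumption)
    mark=${2:-5}
    cat <<EOF
# root HTB; unmarked traffic goes to the normal class 1:10
tc qdisc add dev $wan root handle 1: htb default 10
tc class add dev $wan parent 1: classid 1:1 htb rate 10mbit ceil 10mbit
tc class add dev $wan parent 1:1 classid 1:10 htb rate 9mbit ceil 10mbit
# the crawl lane: guaranteed 16kbit, never more than 32kbit
tc class add dev $wan parent 1:1 classid 1:50 htb rate 16kbit ceil 32kbit
# send anything carrying the firewall mark into the crawl lane
tc filter add dev $wan parent 1: protocol ip prio 1 handle $mark fw flowid 1:50
# mark the PPTP control connection and the GRE packets (protocol 47) of the tunnel
iptables -t mangle -A POSTROUTING -o $wan -p tcp --dport 1723 -j MARK --set-mark $mark
iptables -t mangle -A POSTROUTING -o $wan -p 47 -j MARK --set-mark $mark
EOF
}

throttle_pptp_rules
```

Marking in mangle POSTROUTING is deliberate: the mark is set after routing has chosen the WAN interface, so the egress qdisc on that interface sees it. This only helps while the VPN actually uses PPTP; a tunnel that runs over tcp/443, as onehomelist reports further down, is indistinguishable from ordinary HTTPS at this layer.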
     
  4. onehomelist

    onehomelist Addicted to LI Member

    Thanks mikester and Toastman. Hotspotshield has loads of different IP addresses, so blocking IPs won't work. My users connect over open Wi-Fi. So, MAC access restriction will not work.

    The application creates a tunnel through port 443, which cannot be put into class E, as many HTTPS sites like Gmail use it.

    I will try the url filter suggested by mikester.

    Here is one. Please see if it is okay.
    Code:
    # FORWARD is the chain LAN clients' traffic crosses (the original used INPUT, which only
    # sees packets addressed to the router itself); -s 0.0.0.0/0 matches everything and is dropped.
    # --algo is mandatory for the string match. The match only sees text that is on the wire in
    # the clear (an HTTP request, or the server name in a TLS ClientHello), never the tunnel payload.
    iptables -I FORWARD -p tcp -m string --algo bm --string "/config/?action=connect" -j DROP
    iptables -I FORWARD -p tcp -m string --algo bm --string "hotspotshield" -j DROP
    The following link says that the mvps.org hosts list has an entry for box.anchorfree.net (hotspotshield), so the ad-blocking scripts posted on this forum may solve the issue.
    http://forums.informaction.com/viewtopic.php?f=7&t=1531
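mikester's two suggestions (drop the provider's netblock in FORWARD, plus a filter on the "/config/?action=connect" and "hotspotshield" strings) and the string-match rules just posted, put together as one script. This is an added example, not code from the thread or from Tomato. It is POSIX sh of the kind that goes into Tomato's Firewall script box; the addresses are the three 216.218.185.x endpoints posted at the top of the thread, and the chain name vpnblock, the MIN_PREFIX guard and the LOG rule are my own choices. The script summarises the observed endpoints into the smallest covering CIDR, refuses to widen it past a /24, and prints the iptables commands so they can be reviewed before being piped to sh on the router.

```shell
#!/bin/sh
# Added example, not from the thread: summarise observed VPN endpoint addresses
# into one covering CIDR and emit a dedicated FORWARD-chain block for it, plus
# the URL-string filter mikester suggested. Prints the commands; pipe to sh.

MIN_PREFIX=${MIN_PREFIX:-24}   # never widen a block past a /24 (assumption: one hosting subnet)
CHAIN=${CHAIN:-vpnblock}       # chain name is a choice of this example, not a Tomato built-in

# dotted quad -> 32-bit integer
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# summarize IP... -> smallest CIDR covering all of them, e.g.
#   summarize 216.218.185.187 216.218.185.188 216.218.185.189 -> 216.218.185.184/29
# Returns 1 and prints nothing if that block would be wider than /MIN_PREFIX:
# a /16 DROP for three addresses also takes out unrelated customers of the
# same hosting provider, which is the collateral damage to avoid.
summarize() {
    lo=; hi=
    for ip in "$@"; do
        n=$(ip2int "$ip")
        if [ -z "$lo" ] || [ "$n" -lt "$lo" ]; then lo=$n; fi
        if [ -z "$hi" ] || [ "$n" -gt "$hi" ]; then hi=$n; fi
    done
    [ -n "$lo" ] || return 1
    # prefix length = 32 minus the number of bits in which lo and hi differ
    x=$(( lo ^ hi )); p=32
    while [ "$x" -ne 0 ]; do x=$(( x >> 1 )); p=$(( p - 1 )); done
    [ "$p" -ge "$MIN_PREFIX" ] || return 1
    mask=$(( (4294967295 << (32 - p)) & 4294967295 ))   # 4294967295 = 0xFFFFFFFF
    echo "$(int2ip $(( lo & mask )))/$p"
}

# vpn_block_rules IP... -> iptables commands for the router's firewall script.
# Everything lives in its own chain so it can be flushed or removed in one
# step, and the chain is hooked into FORWARD: that is where LAN clients'
# traffic crosses the router. INPUT/OUTPUT only see the router's own packets.
vpn_block_rules() {
    net=$(summarize "$@") || { echo "refusing: $* spans more than a /$MIN_PREFIX" >&2; return 1; }
    cat <<EOF
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN
iptables -A $CHAIN -d $net -m limit --limit 3/min -j LOG --log-prefix "vpn-block: "
iptables -A $CHAIN -d $net -j DROP
iptables -A $CHAIN -s $net -j DROP
EOF
    # String matches only see text that crosses the wire in the clear: the
    # request line of plain HTTP, or the server name in a TLS ClientHello.
    # --algo is mandatory for the string match; bm is the usual choice.
    for s in "/config/?action=connect" "hotspotshield"; do
        echo "iptables -A $CHAIN -p tcp -m multiport --dports 80,443 -m string --algo bm --string \"$s\" -j DROP"
    done
    echo "iptables -D FORWARD -j $CHAIN 2>/dev/null; iptables -I FORWARD -j $CHAIN"
}

# The three 216.218.185.x endpoints posted in the thread. 68.68.101.76 and
# 64.62.196.39 are in other blocks and need their own summarize/vpn_block_rules run.
vpn_block_rules 216.218.185.187 216.218.185.188 216.218.185.189
```

The LOG rule is there so the router's log shows whether the block is actually being hit before anyone trusts it. The string rules are a bonus, not the backbone: a client that talks to the endpoint by bare IP, or whose TLS handshake carries an unrelated server name, sails past them, which is why the netblock DROP comes first.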
     
  5. mikester

    mikester Network Guru Member

    Oh yes it will work: look under "Basic" --> "Wireless Filter". All Ethernet devices have a MAC. Set up a filter to block all MACs except the ones you want to allow access.

    RE: CODE - Personally I prefer to set up blocking using "Access Restriction" rather than iptables; it's a lot less work and easier to manage.
     
  6. onehomelist

    onehomelist Addicted to LI Member

    I know that it works. I always use it to block excessive file sharers. I said it won't work for me because I have more than 300 clients on my network, and Tomato's MAC access restriction supports only 100. I am going to try the content filtering script you suggested. And I found something else too. Here it is:
    http://forums.opendns.com/comments.php?DiscussionID=2298
    I will try and will let you know the results.
     
  7. mikester

    mikester Network Guru Member

    300 wireless clients on a Tomato??? Are you my crappy ISP? ;-)

    Time to get a real firewall!
     
  8. onehomelist

    onehomelist Addicted to LI Member

    Though there are 300 clients, only about 100 of them access the internet at one time. I don't have to go for a pricey firewall. Tomato does the job; the QoS is brilliant. And the Asus RT-N16 with its 128 MB of memory is more than what I wanted. Even if I buy one, it might have the same netfilter/iptables.
     
  9. onehomelist

    onehomelist Addicted to LI Member

    I want to block multiple port ranges. Here is the script. Please tell me if it's okay.

    Code:
    # mport is an old, unmaintained match, and iptables writes port ranges as low:high, not low-high.
    # multiport is the maintained equivalent: up to 15 ports, comma-separated, a range counting as two.
    iptables -A wanout -p udp -m multiport --dports 8040:8045 -j DROP
     