
How to use iptables to block range of destination IP's?

Discussion in 'Tomato Firmware' started by samjones3, Nov 29, 2012.

  1. samjones3

    samjones3 Serious Server Member

    OK, I am struggling with the need to block facebook on http and https.

    I have determined (with a kb I found, and with some nslookup) that these are the destination IP's I want to block.

    I want to block them just during certain times of day.... (like I generally do in the access restrictions area of tomato).

    From what I have read, I need to use iptables. Questions:

    a) How to script blocking destination ip ranges?
    b) Can I use cron on tomato, so I can turn stuff on at times and turn stuff off at times?
    c) I am a newb at this. Any detail will be helpful.

    TIA!!

    66.220.144.0 - 66.220.159.255
    69.63.176.0 - 69.63.191.255
    69.171.224.0 - 69.171.255.255
    204.15.20.0 - 204.15.23.255

    65.201.208.24/29
    65.204.104.128/28
    66.92.180.48/28
    66.93.78.176/29
    66.199.37.136/29
    67.200.105.48/30
    74.119.76.0/22
    173.252.64.0/18
     
  2. koitsu

    koitsu Network Guru Member

    These are all Facebook IP ranges. It might be more convenient for you to just use the Access Restriction capability of TomatoUSB, which will let you enter in a domain name like "facebook.com" and also let you set what hours the restriction applies.

    Think about it this way: if Facebook gets more IP space (which is possible), or changes their IP space in any way, people will then be able to (intermittently) access Facebook. And you're going to have to micro-manage that firewall list.

    For the HTTP Request to block, I would say use this string:

    Code:
    facebook.com$
    
    The dollar sign on the end is regex, which indicates "end of string". In English, this means: "block access to any website ending in facebook.com" (i.e. blocks www.facebook.com, whatever.facebook.com, and facebook.com).

    This will block things like mymomlikesfacebook.com as well, so if you want something more precise I can write a more precise regex, but that will get you started.

    Also be aware that Facebook is moving to HTTPS (i.e. SSL), which Access Restriction cannot help with. You can read details on how to work around that here, but it involves building your own TomatoUSB release with some changes and writing some firewall rules manually:

    http://www.linksysinfo.org/index.ph...ccess-restriction-block-https-websites.45988/

    If you really, absolutely want to do this by CIDR, despite my warnings above, these are the iptables commands you can use to block *outbound* packets to those CIDR blocks:

    Code:
    iptables -I FORWARD -d 65.201.208.24/29 -j DROP
    iptables -I FORWARD -d 65.204.104.128/28 -j DROP
    iptables -I FORWARD -d 66.92.180.48/28 -j DROP
    iptables -I FORWARD -d 66.93.78.176/29 -j DROP
    iptables -I FORWARD -d 66.199.37.136/29 -j DROP
    iptables -I FORWARD -d 67.200.105.48/30 -j DROP
    iptables -I FORWARD -d 74.119.76.0/22 -j DROP
    iptables -I FORWARD -d 173.252.64.0/18 -j DROP
    
    As far as "what time of day" and using cron to manage those iptables rules -- this gets even trickier. The way to do this sanely, as far as I see it, would be to make an iptables target chain by the name of something like "blacklist" and then insert a reference of that chain into the FORWARD rules. It'd be something like this:

    Code:
    iptables -N blacklist
    iptables -A blacklist -d 65.201.208.24/29 -j DROP
    iptables -A blacklist -d 65.204.104.128/28 -j DROP
    iptables -A blacklist -d 66.92.180.48/28 -j DROP
    iptables -A blacklist -d 66.93.78.176/29 -j DROP
    iptables -A blacklist -d 66.199.37.136/29 -j DROP
    iptables -A blacklist -d 67.200.105.48/30 -j DROP
    iptables -A blacklist -d 74.119.76.0/22 -j DROP
    iptables -A blacklist -d 173.252.64.0/18 -j DROP
    
    Then your cronjob would simply need to run this rule (based on time of day) to enable the blocking:

    Code:
    iptables -A FORWARD -j blacklist
    
    And this command would disable the blocking:

    Code:
    iptables -D FORWARD -j blacklist
    
    As for "the cron job" itself, the easiest way to do this is to use Administration -> Scheduler and add the rules into Custom 1 (i.e. enable block) and Custom 2 (i.e. disable block).
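As an added example (not from koitsu's post and not Tomato's own code), here is how the `facebook.com$` string above behaves, checked with Python's `re` module standing in for the regex matching that Access Restriction applies to the HTTP request. The tighter pattern and the hostnames are constructed for the demonstration; the function names are this example's own.

```python
import re

# The pattern from the post above, and a tighter alternative (constructed here)
# that anchors "facebook.com" to a label boundary and escapes the dot.
LOOSE_PATTERN = r"facebook.com$"
STRICT_PATTERN = r"(^|\.)facebook\.com$"

# Constructed hostnames: the three the post says should be blocked, the
# overmatch it warns about, and two further edge cases.
HOSTS = [
    "facebook.com",
    "www.facebook.com",
    "whatever.facebook.com",
    "mymomlikesfacebook.com",     # the overmatch the post mentions
    "facebookXcom",               # an unescaped '.' matches any character
    "facebook.com.example.net",   # '$' correctly rejects this one
]


def host_matches(pattern, host):
    """True if the regex matches the hostname; hostnames are case-insensitive."""
    return re.search(pattern, host, re.IGNORECASE) is not None


def blocked_hosts(pattern, hosts=HOSTS):
    """Return the subset of hosts the pattern would block, in input order."""
    return [h for h in hosts if host_matches(pattern, h)]


def overmatches(pattern, hosts=HOSTS):
    """Blocked hosts that are neither facebook.com nor one of its subdomains."""
    return [h for h in blocked_hosts(pattern, hosts)
            if h.lower() != "facebook.com"
            and not h.lower().endswith(".facebook.com")]


if __name__ == "__main__":
    for name, pat in (("loose", LOOSE_PATTERN), ("strict", STRICT_PATTERN)):
        print("%-6s %-22s blocks %s" % (name, pat, blocked_hosts(pat)))
        print("       overmatches: %s" % overmatches(pat))
```

The strict pattern is the "more precise regex" koitsu offers to write: the `(^|\.)` prefix stops `mymomlikesfacebook.com` from matching, and escaping the dot stops the pattern from matching any character in that position.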
     
  3. samjones3

    samjones3 Serious Server Member

    Koitsu,

    You are amazing!

    Yes, I have to use the iptables approach, because of ssl. (I would love to use the normal access restriction feature of tomato... in fact, I have used it for many months! But ssl access to facebook etc. has made the access restriction feature useless for facebook and many other sites).

    I will get to work on this!

    Thanks!
     
  4. samjones3

    samjones3 Serious Server Member

    Koitsu,

    You rock.

    I assembled this whole thing, and I am now blocking https to facebook great!
    Thanks!

    Code:
    // blocking known ip's for facebook.
    // this will block https and http access to facebook.
    // these commands are done at a command shell. For example, use putty to ssh to
    // your router.
     
    // create the list object:
    iptables -N blockfacebook
     
     
    // add the rules to the list:
    iptables -A blockfacebook -d 65.201.208.24/29 -j DROP
    iptables -A blockfacebook -d 65.204.104.128/28 -j DROP
    iptables -A blockfacebook -d 66.92.180.48/28 -j DROP
    iptables -A blockfacebook -d 66.93.78.176/29 -j DROP
    iptables -A blockfacebook -d 66.199.37.136/29 -j DROP
    iptables -A blockfacebook -d 67.200.105.48/30 -j DROP
    iptables -A blockfacebook -d 74.119.76.0/22 -j DROP
    iptables -A blockfacebook -d 173.252.64.0/18 -j DROP
    iptables -A blockfacebook -d 66.220.144.0/20 -j DROP
    iptables -A blockfacebook -d 69.63.176.0/20 -j DROP
    iptables -A blockfacebook -d 69.171.224.0/19 -j DROP
    iptables -A blockfacebook -d 204.15.20.0/22 -j DROP
     
    // enable the list:
    iptables -I FORWARD 1 -j blockfacebook
     
    // disable
    iptables -D FORWARD -j blockfacebook
     
     
    // now use the enable and disable options on cron job if desired to allow access at times
    // easiest way to set up cron jobs on tomato is, as koitsu says: 
    //  use Administration -> Scheduler and add the rules into Custom 1 (i.e. enable block) and Custom 2 (i.e. disable block).
    // in my situation (home use), I turn off facebook at 8 pm, and turn it on at 6:30 pm, so it can be used
    // a little each day.
     
  5. koitsu

    koitsu Network Guru Member

    I'll send Monk E. Boy a PM asking him to check this out/answer -- I'm not an iptables expert (I'm more FreeBSD-oriented) -- but I think there may be a way to remove all the "-j DROP" statements from the blocking rules and instead just set the default policy for the chain "blockfacebook" to be DROP. I'm not sure, but you could try it if you want. It would be this:

    Code:
    iptables -N blockfacebook
    iptables -P blockfacebook DROP
     
    iptables -A blockfacebook -d x.x.x.x/xx
    iptables -A blockfacebook -d x.x.x.x/xx
    ...etc...
    
    Please don't try this until Monk E. Boy or someone else more familiar with iptables chimes in to say "yeah you can do that" or "nope won't work".
     
  6. Monk E. Boy

    Monk E. Boy Network Guru Member

    To be honest, I'm really not an iptables expert either, but I can play with the RT-N16 on my desk and see what can be made of it. I've never used iptables in that manner, but it doesn't mean it can't work that way. I finally wrapped my head around iptables a couple years ago but my knowledge is still pretty limited.

    I believe what Koitsu is setting is the default table behavior, so logically it should work. One problem is that at the end (-A instead of -I) of the facebook table you would need to have a line that, basically, states that all other traffic is allowed, otherwise it will perform the default action (drop) on all traffic.

    As a general rule with a drop table you have a bunch of -j allow or the like and then there's an implicit drop for all traffic. Also, and this is the fuzzy bit about iptables I'm not sure of which is why I need to test, I don't know what a rule match without a jump statement does. Does it match the default action?
     
  7. Monk E. Boy

    Monk E. Boy Network Guru Member

    Just wanted to leave a note here that I haven't forgotten about this, but that the spare RT-N16 on my desk got used due to one blowing up, and its replacement is the RT-N66 that just showed up today. It's been a painful few days, even the ISP decided to start creating headaches for us at around the same time (thanks, RIAA/MPAA, those draconian measures you demanded ISPs start implementing this week are working out just wonderfully).
     
  8. koitsu

    koitsu Network Guru Member

    All I know is what's documented here: http://ipset.netfilter.org/iptables.man.html

    Specifically (gotta read the whole thing):

    -j, --jump target

    This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule (and -g is not used), then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.

    The documentation for -P implies that what I describe should work... at least that's how I read the documentation anyway.
     
  9. rhester72

    rhester72 Network Guru Member

    koitsu,

    Your understanding is correct. The most optimal way is a custom chain with a default of DROP containing only explicit ACCEPTS. If that isn't an option, you should have all the ACCEPT rules at the beginning and one final matches-everything DROP at the end (which is effectively the same thing as above, but works even for the default chains).

    Rodney
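The netblocks in this thread appear twice: as "first - last" ranges in the opening post and as the CIDR entries samjones3's script uses, and the posts since then debate how the chain itself should be built. The following Python is an added example, not code from the thread or from Tomato: run on an admin workstation (the router has no Python), it converts the ranges to CIDR with the standard library and renders the text for Administration -> Scripts -> Firewall plus the two Scheduler one-liners. Names such as ENTRIES, to_cidrs and render_firewall_script are this example's own. It departs from the posted commands in three ways: comments use # (the shell comment character), the chain is created only when missing and then flushed so that re-running the script cannot duplicate rules, and the chain is built from explicit rules rather than a chain policy, because iptables -P sets the policy of the built-in chains only and rejects a user-defined chain name.

```python
import ipaddress

# Constructed from the two lists posted in the thread: four "first - last"
# ranges (opening post) and eight netblocks already in CIDR notation.
ENTRIES = [
    "66.220.144.0 - 66.220.159.255",
    "69.63.176.0 - 69.63.191.255",
    "69.171.224.0 - 69.171.255.255",
    "204.15.20.0 - 204.15.23.255",
    "65.201.208.24/29",
    "65.204.104.128/28",
    "66.92.180.48/28",
    "66.93.78.176/29",
    "66.199.37.136/29",
    "67.200.105.48/30",
    "74.119.76.0/22",
    "173.252.64.0/18",
]


def to_cidrs(entry):
    """Return the IPv4 networks covering one list entry.

    A "first - last" range is split into the smallest set of CIDR blocks
    (ipaddress.summarize_address_range).  A CIDR entry is parsed strictly, so
    a typo that sets host bits (e.g. 74.119.77.0/22) raises ValueError instead
    of being silently widened to the enclosing block.
    """
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.IPv4Network(entry, strict=True)]


def render_firewall_script(chain, entries, target="DROP"):
    """Render the text for Administration -> Scripts -> Firewall.

    '#' is the shell comment character ('//' would be run as a command).
    The chain is created only if it is missing and then flushed, so running
    the script again (e.g. after a firewall restart) cannot duplicate rules.
    """
    lines = [
        "# %s: block LAN traffic forwarded to the listed netblocks" % chain,
        "# (user-defined chains have no policy; iptables -P is for built-in chains)",
        "iptables -n -L %s >/dev/null 2>&1 || iptables -N %s" % (chain, chain),
        "iptables -F %s" % chain,
    ]
    for entry in entries:
        for net in to_cidrs(entry):
            lines.append("iptables -A %s -d %s -j %s" % (chain, net, target))
    return "\n".join(lines) + "\n"


def render_scheduler_commands(chain):
    """Return (enable, disable) one-liners for Scheduler Custom 1 / Custom 2.

    Enable inserts the jump at position 1 of FORWARD (ahead of the br0 accept
    rule) unless it is already present; disable removes every copy of it.
    """
    enable = ("iptables -n -L FORWARD | grep -q '^%s ' || "
              "iptables -I FORWARD 1 -j %s" % (chain, chain))
    disable = "while iptables -D FORWARD -j %s 2>/dev/null; do :; done" % chain
    return enable, disable


if __name__ == "__main__":
    print(render_firewall_script("blockfacebook", ENTRIES, target="REJECT"))
    enable, disable = render_scheduler_commands("blockfacebook")
    print("# Custom 1 (start of blocked hours):\n" + enable)
    print("# Custom 2 (end of blocked hours):\n" + disable)
```

The `target` argument lets the same list be rendered with REJECT for LAN-originated traffic and DROP where that is wanted; the strict parse is the check a practitioner wants when a copied list is edited by hand, since a mistyped prefix otherwise becomes a much larger block without any error.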
     
  10. samjones3

    samjones3 Serious Server Member

    OK, this works great.... but when the router is rebooted the iptables stuff is lost.
    How do I back it up, reload it?
    thx!!
     
  11. koitsu

    koitsu Network Guru Member

    Of course it's lost when you reboot.

    You put all relevant commands into the Scripts -> Firewall section of the GUI.
     
  12. threehappypenguins

    threehappypenguins Serious Server Member

    I just don't get this. I went to Administration > Scripts > Firewall and copied and pasted this script into it:

    Code:
    iptables -A blockfacebook -d 65.201.208.24/29 -j DROP
    iptables -A blockfacebook -d 65.204.104.128/28 -j DROP
    iptables -A blockfacebook -d 66.92.180.48/28 -j DROP
    iptables -A blockfacebook -d 66.93.78.176/29 -j DROP
    iptables -A blockfacebook -d 66.199.37.136/29 -j DROP
    iptables -A blockfacebook -d 67.200.105.48/30 -j DROP
    iptables -A blockfacebook -d 74.119.76.0/22 -j DROP
    iptables -A blockfacebook -d 173.252.64.0/18 -j DROP
    iptables -A blockfacebook -d 66.220.144.0/20 -j DROP
    iptables -A blockfacebook -d 69.63.176.0/20 -j DROP
    iptables -A blockfacebook -d 69.171.224.0/19 -j DROP
    iptables -A blockfacebook -d 204.15.20.0/22 -j DROP
    Then I went to Administration > Scheduler and under Custom1, I enabled it, and I set it for 8am M-F and copied and pasted this script:

    Code:
    iptables -I FORWARD 1 -j blockfacebook
    And under Custom2, I enabled it, and set it for 3pm M-F and copied and pasted this script:

    Code:
    iptables -D FORWARD -j blockfacebook
    It's 2pm here and Facebook is still not blocked. What am I doing wrong?
     
  13. jerrm

    jerrm Network Guru Member

    Have you created (-N) the chain anywhere?
     
  14. threehappypenguins

    threehappypenguins Serious Server Member

    I don't know what that is. I'm a complete noob. I just want to find a way to block Facebook during specific times of day, for a couple of specific devices on a home network. I have OpenDNS, but there are no time based features. So I've been pulling my hair out trying to find a workaround. I can't block all https traffic (which works) because there are other legitimate needs for it.
     
  15. lancethepants

    lancethepants Network Guru Member

    You should check out easytomato. It may help you better with access restrictions and scheduled access.


    http://www.easytomato.org/
     
  16. threehappypenguins

    threehappypenguins Serious Server Member

    On the easytomato website: http://www.easytomato.org/development/easytomato-0-7-6-released

    Q: "can in restriction area websites with https (SSL) tunnel also be blocked? as many websites today like facebook and twitter are using https as their alternative way to gain access."

    A: "As of now you can’t, but we are looking into ways to fix that. You’re right many sites are using HTTPS and many many more will in the future."

    So there is no point in flashing easytomato. I would get the exact same issue.
     
  17. koitsu

    koitsu Network Guru Member

    Your iptables rules are saying "append these rules/blocks to the blockfacebook chain", yet if you haven't run iptables -N blockfacebook prior to all of that, then there isn't going to be a blockfacebook chain, and those iptables commands will all throw errors (which you won't see unless you were to execute the commands via the CLI manually).

    So try putting iptables -N blockfacebook at the top of your Firewall script.

    You really need to get used to doing all of this in the CLI manually first (via telnet, etc.), get it working, then work on adding it to Scripts.

    Finally: blocking based on IP address/destination does not scale. The instant Facebook adds a new network range (which happens all the time), or switches to something like a CDN somewhere else, your stuff will stop working and you'll appear here complaining that "it all just stopped working one day!"

    There really is no 100% reliable way to block HTTPS right now at the router level. I am the one who introduced people to the xt_string module (which is used in a Tomato release which I forget the name of, maybe it's EasyTomato, I don't remember -- it's a very long post/thread here on the forum) which can be used to do this, however it can be circumvented by chance depending upon where the HTTPS SNI header is located within the initial payload, and can be circumvented by using older browsers that do not support SNI (and there's nothing you can do about that). Some mobile phones even do not support SNI.

    TL;DR -- Blocking HTTPS is extremely difficult, bordering on impossible, aside from using something like a transparent proxy that siphons all TCP port 443 through it (ex. squid, where you could literally say something like "Deny *.facebook.com"). This makes legitimate HTTPS traffic significantly slower however as there's now additional overhead in numerous regards. I tend to recommend people not try to block HTTPS; it's an opinion, but the reality is that blocking Facebook, Twitter, etc. is usually done by people due to social situations (i.e. parents trying to control their kids' behaviour). Try solving the problem at a social level, not via technology.
     
  18. threehappypenguins

    threehappypenguins Serious Server Member

    Thanks, koitsu. Let's say I want to go the route that I was already trying to (firewall script and scheduler) and it works (it's not; but just for kicks we'll pretend). How would I keep the IP addresses updated? I know how to do nslookup in the windows command prompt. How would I search for Facebook IP addresses to keep them updated?

    I know how to telnet into my router, but I don't know what you mean when you say to do "all of this in the CLI manually". I don't know what commands to type. I know how to copy and paste. :)

    Secondly, I forgot to mention that I DID put "iptables -N blockfacebook" at the top of my firewall script. This is *everything* that is in my firewall script (I also use a script that I found and copied and pasted to force all users to use OpenDNS; I tested it and it works well):

    Code:
    iptables -t nat -A PREROUTING -p udp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    iptables -t nat -A PREROUTING -p tcp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    
    // create the list object:
    iptables -N blockfacebook
    
    // add the rules to the list:
    iptables -A blockfacebook -d 65.201.208.24/29 -j DROP
    iptables -A blockfacebook -d 65.204.104.128/28 -j DROP
    iptables -A blockfacebook -d 66.92.180.48/28 -j DROP
    iptables -A blockfacebook -d 66.93.78.176/29 -j DROP
    iptables -A blockfacebook -d 66.199.37.136/29 -j DROP
    iptables -A blockfacebook -d 67.200.105.48/30 -j DROP
    iptables -A blockfacebook -d 74.119.76.0/22 -j DROP
    iptables -A blockfacebook -d 173.252.64.0/18 -j DROP
    iptables -A blockfacebook -d 66.220.144.0/20 -j DROP
    iptables -A blockfacebook -d 69.63.176.0/20 -j DROP
    iptables -A blockfacebook -d 69.171.224.0/19 -j DROP
    iptables -A blockfacebook -d 204.15.20.0/22 -j DROP
     
    Last edited: Feb 21, 2014
  19. koitsu

    koitsu Network Guru Member

    1. There is no "easy way" to find out all the netblocks/IP ranges Facebook is using. Don't let someone tell you "use whois and ask ARIN" -- you have to know what to query to get that information. That's the problem with the "block by netblock/IP range" method -- it may change in the future and you wouldn't know if it stopped working until someone was suddenly able to use Facebook (would that person you're trying to cease from using Facebook tell you they're able to reach it intermittently? Unlikely :) )

    The problem is the same with those "geographic IP blocks/ranges" scripts; portions of IPv4 space are being re-delegated all the time and providers/ISPs/services are getting new networks and relinquishing control over old subnets all the time. Like I said, it's a cat and mouse game, and if you want to play it that's perfectly OK but just remember it may stop working (or intermittently stop working -- much more likely) at any moment.

    2. Thanks for the clarification with your rules. Good to see you're making the blockfacebook chain using iptables -N, but what I don't see anywhere is where you actually reference the chain itself. :) So no wonder this isn't working.

    Basically the part from your script that's missing is the "tie-in" that says "hey, make use of the blockfacebook chain I've created".

    I believe what you're trying to do is block any outbound packets which are destined to Facebook's IP netblocks, correct? I.e. you want to stop them from ever going out your WAN link. No problem:

    Code:
    iptables -N blockfacebook
    
    iptables -A blockfacebook -d 65.201.208.24/29 -j DROP
    {...all the other lines you have like this...}
    
    iptables -I FORWARD 1 -j blockfacebook
    
    What this does is insert a rule at line 1 (use iptables -L -n -v --line-numbers to see line numbers in addition to your existing rules; I always recommend doing that, as the order of the rules matters!) into the FORWARD chain that says "jump to the chain called blockfacebook", which then causes all those rules in that chain to get examined, and if none of them match, it goes back to the FORWARD chain at line 2 and continues on. If a match is found in the blockfacebook chain, then the packet is dropped (the -j DROP part of each of your entries) and that's the end of it.

    Few notes:

    i) The 1 in the last line is very important. It causes the rule being added to be inserted at the start of your FORWARD chain. This is important because by default (at least on Toastman firmwares), the default first rule is to allow any packets going in/out of the bridge interface (br0) to be permitted. This is why it's important to use --line-numbers so you can know exactly where to insert something into your chain vs. the other existing rules.

    ii) This blocking methodology only applies to packets going "through" the router (i.e. from machines on your LAN or wireless network using the router as a gateway), and not packets coming from the router natively itself. The FORWARD chain is for packets being "forwarded through the router", i.e. coming from a system on your LAN/etc. wanting to reach the Internet. If you were to try and do something like "telnet 65.201.208.24 80" from the router itself this would work because packets originating from the router itself (vs. getting siphoned through it) are analysed using a different chain. I assure you that what you want is the FORWARD chain though. :)

    iii) I have tested this (though using a different method, blocking packets going to 4.2.2.1 just as a test subject/destination) and it does work. What I did for testing via the CLI was the following:

    Code:
    iptables -N block4221
    iptables -A block4221 -d 4.2.2.1 -j DROP
    iptables -I FORWARD 1 -j block4221
    
    Then from a machine on my LAN, I did ping 4.2.2.1 (which would time out/no response), and then on the router did iptables -L block4221 -n -v and I could clearly see the pkts/bytes counters increasing, indicating the packets were being blocked.

    What things looked like was this:

    Code:
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target  prot opt in  out  source  destination
      52  4157 block4221  all  --  *  *  0.0.0.0/0  0.0.0.0/0
    3132  356K ACCEPT  all  --  br0  br0  0.0.0.0/0  0.0.0.0/0
    3320  269K DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state INVALID
    355K  21M TCPMSS  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp flags:0x06/0x02 TCPMSS clamp to PMTU
      89M  45G ACCEPT  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    87713 6362K wanin  all  --  vlan2  *  0.0.0.0/0  0.0.0.0/0
      18M 1140M wanout  all  --  *  vlan2  0.0.0.0/0  0.0.0.0/0
      18M 1140M ACCEPT  all  --  br0  *  0.0.0.0/0  0.0.0.0/0
    87712 6361K upnp  all  --  vlan2  *  0.0.0.0/0  0.0.0.0/0
    
    Chain block4221 (1 references)
    pkts bytes target  prot opt in  out  source  destination
      2  120 DROP  all  --  *  *  0.0.0.0/0  4.2.2.1
    
    iv) It's a lot nicer (to the IP/TCP stack on the system trying to access Facebook) if you would use -j REJECT instead of -j DROP on your anti-facebook rules. This will cause an immediate failure/rejection (browser will immediately return an error, etc.) and the IP stack on that system will very quickly know things aren't contactable -- rather than the IP stack on the system sitting around retrying silently for some time before finally giving up. Remember, all these packets are on your LAN/wireless/local network and not going out the Internet, so it's often better to use REJECT if you can. (For Internet-facing blocking, like "I want to block packets coming from 1.2.3.4 coming into my router", definitely use DROP).

    v) These rules should only go into your Firewall area (like you're doing -- good!), they should NEVER go into your WAN Up area. This is incredibly important and I'm stating it here because I'm sure some user will find this thread and start screwing around with WAN Up. You have to do things differently in WAN Up because on WAN down/up the firewall rules aren't reloaded from scratch, i.e. you will end up having duplicate entries in your chains and that causes all kinds of problems. I've already seen it happen here on the forum more than once.

    3. Comments in an Init script or other file are not preceded by // marks; that is a C++ (and some other languages) comment delimiter. The comment delimiter for shell scripts / init scripts is # (hash mark). What you don't realise is that the comments you're using are actually causing the router to try and run the file/command // create the list object: and so on. Change // to # please. Oh, and blank lines are skipped/ignored silently, so no problems there.

    Let me know where I should send a bill for my time. *grin* ;-)
     
    Last edited: Feb 22, 2014
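An added example (not from the thread) for reading listings like the one above: a small Python parser for `iptables -L -n -v` output, run on a workstation against the pasted text, plus a check for the wiring koitsu describes (a jump from FORWARD at position 1, exactly one copy of it, and DROP/REJECT counters that move once LAN traffic is tested). The listing is koitsu's, embedded verbatim as the sample input; the function names and the report format are this example's own. It expects output without --line-numbers and computes the positions itself.

```python
import re

# The listing koitsu posted above, embedded verbatim as sample input.
SAMPLE_LISTING = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target  prot opt in  out  source  destination
  52  4157 block4221  all  --  *  *  0.0.0.0/0  0.0.0.0/0
3132  356K ACCEPT  all  --  br0  br0  0.0.0.0/0  0.0.0.0/0
3320  269K DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state INVALID
355K  21M TCPMSS  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp flags:0x06/0x02 TCPMSS clamp to PMTU
  89M  45G ACCEPT  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
87713 6362K wanin  all  --  vlan2  *  0.0.0.0/0  0.0.0.0/0
  18M 1140M wanout  all  --  *  vlan2  0.0.0.0/0  0.0.0.0/0
  18M 1140M ACCEPT  all  --  br0  *  0.0.0.0/0  0.0.0.0/0
87712 6361K upnp  all  --  vlan2  *  0.0.0.0/0  0.0.0.0/0

Chain block4221 (1 references)
pkts bytes target  prot opt in  out  source  destination
  2  120 DROP  all  --  *  *  0.0.0.0/0  4.2.2.1
"""

_UNITS = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
_COLUMNS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")


def parse_count(token):
    """iptables -v abbreviates large counters as 356K / 21M / 45G (powers of 1000)."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError("not a counter: %r" % token)
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_listing(text):
    """Parse `iptables -L -n -v` output into {chain: {policy, refs, rules}}.

    Each rule is a dict keyed by the listing's columns plus 'extra' (match
    text such as 'state INVALID') and 'num', the 1-based position that
    --line-numbers would print.
    """
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"Chain (\S+) \((.*)\)$", line)
        if header:
            name, info = header.groups()
            policy = re.match(r"policy (\S+)", info)
            refs = re.match(r"(\d+) references", info)
            current = {"policy": policy.group(1) if policy else None,
                       "refs": int(refs.group(1)) if refs else None,
                       "rules": []}
            chains[name] = current
            continue
        if line.startswith("pkts"):
            continue                      # column header line
        fields = line.split(None, len(_COLUMNS))
        if current is None or len(fields) < len(_COLUMNS):
            raise ValueError("unexpected line: %r" % raw)
        rule = dict(zip(_COLUMNS, fields))
        rule["pkts"] = parse_count(rule["pkts"])
        rule["bytes"] = parse_count(rule["bytes"])
        rule["extra"] = fields[len(_COLUMNS)] if len(fields) > len(_COLUMNS) else ""
        rule["num"] = len(current["rules"]) + 1
        current["rules"].append(rule)
    return chains


def check_block_chain(chains, chain, parent="FORWARD"):
    """Report whether `chain` is wired in the way the post describes."""
    parent_rules = chains.get(parent, {}).get("rules", [])
    jumps = [r["num"] for r in parent_rules if r["target"] == chain]
    block = chains.get(chain)
    matched = 0
    if block:
        matched = sum(r["pkts"] for r in block["rules"]
                      if r["target"] in ("DROP", "REJECT"))
    return {
        "chain_exists": block is not None,
        "jump_positions": jumps,          # empty: the chain is never reached
        "first_in_parent": jumps[:1] == [1],
        "duplicate_jumps": len(jumps) > 1,
        "matched_pkts": matched,          # stays 0 while nothing is blocked
    }


if __name__ == "__main__":
    report = check_block_chain(parse_listing(SAMPLE_LISTING), "block4221")
    for key, value in report.items():
        print("%-16s %s" % (key, value))
```

An empty `jump_positions` is the "chain created but never referenced" state koitsu diagnoses in point 2; `duplicate_jumps` is the duplicate-entry condition point v warns about; and `matched_pkts` staying at 0 after a test ping from the LAN means the traffic is not reaching the chain at all.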
  20. threehappypenguins

    threehappypenguins Serious Server Member

    Thanks Koitsu! However, I'm confused. I had

    Code:
    iptables -I FORWARD 1 -j blockfacebook
    under Administration > Scheduler > Custom 1

    and

    Code:
    iptables -D FORWARD -j blockfacebook
    under Administration > Scheduler > Custom 2 so that I could schedule in when the block would take effect and when it would stop (don't want Facebook blocked all the time). I decided to uncheck the schedulers and put the
    Code:
    iptables -I FORWARD 1 -j blockfacebook
    right under the rest of the firewall script. This is what I have (everything) that is in my firewall now:

    Code:
    iptables -t nat -A PREROUTING -p udp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    iptables -t nat -A PREROUTING -p tcp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    
    iptables -N blockfacebook
    
    iptables -A blockfacebook -d 65.201.208.24/29 -j DROP
    iptables -A blockfacebook -d 65.204.104.128/28 -j DROP
    iptables -A blockfacebook -d 66.92.180.48/28 -j DROP
    iptables -A blockfacebook -d 66.93.78.176/29 -j DROP
    iptables -A blockfacebook -d 66.199.37.136/29 -j DROP
    iptables -A blockfacebook -d 67.200.105.48/30 -j DROP
    iptables -A blockfacebook -d 74.119.76.0/22 -j DROP
    iptables -A blockfacebook -d 173.252.64.0/18 -j DROP
    iptables -A blockfacebook -d 66.220.144.0/20 -j DROP
    iptables -A blockfacebook -d 69.63.176.0/20 -j DROP
    iptables -A blockfacebook -d 69.171.224.0/19 -j DROP
    iptables -A blockfacebook -d 204.15.20.0/22 -j DROP
    
    iptables -I FORWARD 1 -j blockfacebook
    It's *still* not working. I even rebooted the router. Perhaps it has something to do with where I live?

    *P.S. I will change the DROP to REJECT when I see it working first. Thank you SO MUCH for your time. It's a long story... but I am VERY thankful for all the help I receive on forums!
     
  21. threehappypenguins

    threehappypenguins Serious Server Member

    Do you have a link to a tutorial to the method of doing this? If not, what would the method be called so I can look it up and figure it out?
     
  22. kthaddock

    kthaddock Network Guru Member

    @threehappypenguins

    Don't make it difficult, first put all rules under firewall and make sure that working. Verify with iptables -vnL
    Don't mix -A and -I if you want specific order use -A with rule number (-A FORWARD 1).
    Are you sure "nvram get lan_ipaddr" is right? = 192.168.1.1

    Some suggestions to start with.
     
  23. threehappypenguins

    threehappypenguins Serious Server Member

    I'm sorry. I'm really, really lost. How do I verify with iptables -vnL? Do I type it somewhere? Command prompt? Do I copy and paste it underneath everything in the firewall? Then when I do, what do I do after that to look for and verify? Syslog? If so, what am I looking for? I'm totally confused.

    You said not to mix A and I. I don't know what that means. I just copied and pasted what koitsu gave me. Also, how would I verify if "'nvram get lan_ipaddr' is right?" Do I type that in somewhere too? 192.168.1.1 is the internal IP address of my router... not sure what you mean when you wrote = 192.168.1.1... ???

    I am a copying and pasting newbie. I understand very little on what I'm doing. I understand that "iptables -I FORWARD 1 -j blockfacebook" is apparently telling the rule "blockfacebook" to execute (I think?) and "iptables -N blockfacebook" is the starting rule or something like that.
     
  24. jerrm

    jerrm Network Guru Member

    If you're running shibby, using dnsmasq's ability to add resolved addresses to an ipset might be simpler.

    In init add:
    Code:
    modprobe ipt_set
    ipset -N facebook iphash
    
    In Advanced->DHCP/DNS->dnsmasq custom config add (may need to tweak domain list):
    Code:
    ipset=/facebook.com/fb.com/facebook
    Enable blocking with:
    Code:
    iptables -I FORWARD -m set --set facebook dst -j DROP
    I'd probably add a late night cron job to make sure the ip list doesn't keep stale entries:
    Code:
    ipset -F facebook; kill -HUP $(pidof dnsmasq)
    Still potential overmatch and other issues, but nothing's perfect...
     
    Last edited: Feb 22, 2014
  25. koitsu

    koitsu Network Guru Member

    What I gave you should work -- in fact, I know it works because I did it before I posted, heh :).

    I wonder if the firmware you're using is bypassing the FORWARD chain somehow; I would be very surprised if that was the case.

    I'll go through an entire session here in a code block and do some other verification steps along the way (such as showing relevant iptables output). Or maybe not. One of the problems with code blocks here on the forum is that they screw up whitespace formatting so things are very hard to visually read. Maybe I'll try to find some screen + audio capture software and make a video of it or something. This kind of information is sometimes hard to convey purely with text, but it depends on the individual.

    As to you wondering if it has to do with where you live: absolutely not. That's one thing we can all be 100% sure of.

    @jerrm's idea looks very interesting -- what it does, by the way, is effectively "tie together" DNS lookups for certain strings/domains/etc. to an iptables rule. I wasn't even aware of that feature until right now. But it's presently only available on Shibby's TomatoUSB firmware (maybe RAF as well, not sure).
     
  26. jerrm

    jerrm Network Guru Member

    Still just Shibby unfortunately. Victek hasn't added ipset support.
     
  27. koitsu

    koitsu Network Guru Member

    Well I made a 40 minute video stepping through iptables and understanding terminology/operation, but CamStudio was awesome and spewed some nonsensical error and the .avi went kapoof. *rolls eyes* Software designers these days...

    I'll have to do a text version and put it on pastebin or something.
     
  28. threehappypenguins

    threehappypenguins Serious Server Member

    I am using Toastman's firmware; tomato-WRT54G_WRT54GL-1.28.7634Toastman-IPT-ND-VLAN-VPN.bin to be exact. However, I am only testing it on my router and the settings will be implemented for my friend on his router, which is running Shibby (tomato-E2500USB-NVRAM60K-1.28.RT-N5x-MIPSR2-093-Nocat-VPN.bin).

    As for CamStudio, I never had much luck with it. I always found it "kapoofing" me LOL. I use VLC Media Player and record my desktop. Works like a charm. :)

    Thanks for all your help, guys!!!! I will take a look at this more on Monday.
     
  29. threehappypenguins

    threehappypenguins Serious Server Member

    So, I can't get this to work no matter what and I don't understand why. I tried changing FORWARD to PREROUTING (I read somewhere that sometimes that works), and I also tried changing DROP to REJECT. I tried both of these in different combinations. It won't work no matter what. I also tried to just implement it straight into my friend's router (Shibby... mine is Toastman), and they are still getting access to Facebook.
     
  30. threehappypenguins

    threehappypenguins Serious Server Member

    I finally figured something out. I found this page here: http://www.cyberciti.biz/tips/linux-iptables-examples.html

    kthaddock said to "Verify with iptables -vnL." I had no idea what that meant and where to type it to verify. I am running Windows 8, so I started Putty, went into my router with SSH (or however you want to word it), and that gave me a command line to work with. So I typed in
    Code:
    iptables -v -n -L
    And that gave me this information. I don't know what it means... I don't know how to read it. I still can't block Facebook either. One bizarre note... last night at about 9:30pm, I couldn't access Facebook. But then when I got up this morning I could again.

    Code:
    Chain INPUT (policy DROP 1 packets, 48 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
      480 46262 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 shlimit    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
        0     0 shlimit    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 state NEW
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      135  9190 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    11154 7431K blockfacebook  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    11159 7433K            all  --  *      *       0.0.0.0/0            0.0.0.0/0            account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
      344 17704 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
     4521  497K monitor    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    10950 7421K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 wanin      all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
      209 12336 wanout     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
      209 12336 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
        0     0 upnp       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 561 packets, 58491 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain blockfacebook (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       0.0.0.0/0            65.201.208.24/29
        0     0 DROP       all  --  *      *       0.0.0.0/0            65.204.104.128/28
        0     0 DROP       all  --  *      *       0.0.0.0/0            66.92.180.48/28
        0     0 DROP       all  --  *      *       0.0.0.0/0            66.93.78.176/29
        0     0 DROP       all  --  *      *       0.0.0.0/0            66.199.37.136/29
        0     0 DROP       all  --  *      *       0.0.0.0/0            67.200.105.48/30
        0     0 DROP       all  --  *      *       0.0.0.0/0            74.119.76.0/22
        0     0 DROP       all  --  *      *       0.0.0.0/0            173.252.64.0/18
        0     0 DROP       all  --  *      *       0.0.0.0/0            66.220.144.0/20
        0     0 DROP       all  --  *      *       0.0.0.0/0            69.63.176.0/20
        0     0 DROP       all  --  *      *       0.0.0.0/0            69.171.224.0/19
        0     0 DROP       all  --  *      *       0.0.0.0/0            204.15.20.0/22

    Chain monitor (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            WEBMON --max_domains 300 --max_searches 300

    Chain shlimit (2 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: shlimit side: source
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source

    Chain upnp (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain wanin (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.117        tcp dpts:5080:5082
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.117        udp dpts:5080:5082

    Chain wanout (1 references)
     pkts bytes target     prot opt in     out     source               destination
     
  31. threehappypenguins

    threehappypenguins Serious Server Member

    I'm really confused. I did a whois lookup on this website http://www.mydnstools.info/nslookup/facebook.com/A and it's showing facebook's IP as 173.252.110.27. If I open command prompt and try to ping that address (in command prompt), it times out. On the website, I also see the information "SERVER: 4.2.2.1#53(4.2.2.1)" and I was wondering where koitsu got those numbers from when he said he "tested it." Also, I ran a tracert in command prompt and I got the IP address 31.13.69.80. When I put in 31.13.69.80, I get facebook. It also pings fine as well.

    So maybe it's something to do with 31.13.69.80 why facebook won't block? I tried searching on how to look up a CIDR based on an IP address, but I'm totally lost. I thought that maybe I need to add more CIDR addresses to my blockfacebook list in IP tables.
     
  32. jerrm

    jerrm Network Guru Member

    You've checked that facebook resolves to an IP in your list? Looks like packets are hitting the forward rule, but nothing is hitting in the blockfacebook chain.
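
    The check jerrm is describing can be done mechanically from the `iptables -vnL` counters: a jump that carries traffic into a user chain whose rules all sit at 0 packets means none of the listed destinations are the ones clients actually reach. The script below is an added example (not code posted by anyone in this thread); it parses a constructed, shortened excerpt in the shape of the output above and reports such "silent" chains. It also handles the rule-with-no-target layout (the `account:` line), where the target column is empty and the remaining fields shift left.

```python
import re

# Constructed excerpt in the shape of `iptables -vnL` output (shortened sample,
# not the thread's full dump).
SAMPLE_OUTPUT = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
11154 7431K blockfacebook  all  --  *      *       0.0.0.0/0            0.0.0.0/0
11159 7433K            all  --  *      *       0.0.0.0/0            0.0.0.0/0            account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
10950 7421K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain blockfacebook (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            173.252.64.0/18
    0     0 DROP       all  --  *      *       0.0.0.0/0            69.63.176.0/20
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
# Protocol names that can appear in the 'prot' column; used to detect a rule
# that was added without -j (its target column is empty).
PROTOS = {"all", "tcp", "udp", "udplite", "icmp", "icmpv6", "esp", "ah", "sctp"}
SUFFIX = {"K": 1000, "M": 1000000, "G": 1000000000}


def parse_counter(token):
    """iptables -v abbreviates large counters as e.g. 7431K; expand to an int."""
    if token[-1] in SUFFIX:
        return int(float(token[:-1]) * SUFFIX[token[-1]])
    return int(token)


def parse_vnl(text):
    """Parse `iptables -vnL` text into {chain_name: [rule dict, ...]}."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.split()[0] == "pkts":
            continue
        f = line.split()
        if f[2] in PROTOS or f[2].isdigit():
            f.insert(2, "")  # empty target column: shift fields back into place
        chains[current].append({
            "pkts": parse_counter(f[0]),
            "bytes": parse_counter(f[1]),
            "target": f[2],
            "proto": f[3],
            "in": f[5],
            "out": f[6],
            "src": f[7],
            "dst": f[8],
            "extra": " ".join(f[9:]),
        })
    return chains


def silent_jump_targets(chains):
    """Jumps that carry traffic into a user chain in which no rule has matched.

    FORWARD -> blockfacebook with thousands of packets while every blockfacebook
    rule sits at 0 means the destinations in the chain are not the ones clients use.
    """
    findings = []
    for chain, rules in chains.items():
        for r in rules:
            target = r["target"]
            if target in chains and r["pkts"] > 0:
                if sum(x["pkts"] for x in chains[target]) == 0:
                    findings.append((chain, target, r["pkts"]))
    return findings


if __name__ == "__main__":
    parsed = parse_vnl(SAMPLE_OUTPUT)
    for chain, target, pkts in silent_jump_targets(parsed):
        print(f"{chain} sent {pkts} packets to {target}, but no rule in {target} matched")
```

    On the router itself you would feed it the real output (`iptables -vnL > /tmp/fw.txt`, then copy the file off); counters are cumulative since the rules were loaded, so zero the comparison by re-running after some client traffic.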
     
  33. threehappypenguins

    threehappypenguins Serious Server Member

    Also, when I do a traceroute on the website with 31.13.69.80, I get this:

    Code:
    traceroute to 31.13.69.80 (31.13.69.80), 30 hops max, 40 byte packets
    1  linux3.hostavps.com (173.212.217.115)  0.074 ms  0.043 ms  0.022 ms
    2  vl0202.agg02.col.dupa01.hostnoc.net (64.120.184.209)  0.291 ms  0.336 ms  0.418 ms
    3  vl0208.cor02.dupa01.hostnoc.net (64.120.184.197)  0.342 ms  0.379 ms  0.450 ms
    4  xe1-04.gwy01.dupa01.hostnoc.net (64.120.184.137)  1.413 ms  1.470 ms  1.526 ms
    5  xe-5-2-1.edge3.Newark1.Level3.net (4.28.7.17)  61.546 ms  61.541 ms  61.530 ms
    6  ae-32-52.ebr2.Newark1.Level3.net (4.69.156.62)  11.001 ms  10.996 ms  10.985 ms
    7  ae-4-4.ebr2.Washington1.Level3.net (4.69.132.101)  10.973 ms  10.975 ms  11.021 ms
    8  ae-62-62.csw1.Washington1.Level3.net (4.69.134.146)  11.020 ms ae-72-72.csw2.Washington1.Level3.net (4.69.134.150)  11.002 ms  10.983 ms
    9  ae-1-60.edge2.Washington4.Level3.net (4.69.149.16)  10.950 ms ae-3-80.edge2.Washington4.Level3.net (4.69.149.144)  10.982 ms ae-1-60.edge2.Washington4.Level3.net (4.69.149.16)  11.010 ms
    10  FACEBOOK-IN.edge2.Washington4.Level3.net (4.53.114.46)  12.295 ms  12.838 ms  12.277 ms
    11  ae1.bb02.iad1.tfbnw.net (74.119.79.204)  12.665 ms  12.648 ms  12.625 ms
    12  ae1.dr01.ash3.tfbnw.net (74.119.79.127)  12.384 ms  12.361 ms  12.421 ms
    13  po126.msw01.10.iad1.tfbnw.net (31.13.29.171)  12.646 ms  12.605 ms  12.639 ms
    14  edge-star-shv-10-iad1.facebook.com (31.13.69.80)  12.414 ms  12.378 ms  12.379 ms
     
  34. jerrm

    jerrm Network Guru Member

    That IP is not in your rules. This is an example of what koitsu was saying about the difficulty of determining IPs belonging to facebook. Facebook is adding/removing IPs all the time. It's a cat and mouse game, and you'll always be behind.
     
  35. jerrm

    jerrm Network Guru Member

    Instead of dnsmasq/ipset, an ugly but reasonably functional solution (probably easier to maintain than the netblocks) could be a cron job to update the facebook IPs every 15 minutes or so (facebook's TTL currently appears to be 15 minutes, but that could change at any time). This would need to be a recurring cron job, as the IPs could change at any time and the DNS names are only resolved at the time the rules are added, not dynamically with each connection:
    Code:
    # flush the chain
    iptables -F blockfacebook
    # block the current IPs (each name is resolved once, when the rule is added)
    iptables -A blockfacebook -d fb.com -j DROP
    iptables -A blockfacebook -d facebook.com -j DROP
    iptables -A blockfacebook -d www.fb.com -j DROP
    iptables -A blockfacebook -d www.facebook.com -j DROP
    
    This would likely generate some redundant rules. It would not stop all facebook traffic; you may need to expand the list of DNS hosts to include things like "apps.facebook.com" etc. Or maybe even append your net blocks.

    There would be windows of time facebook would still get through if the IP changes from one 15 minute window to the next, but realistically that isn't likely to be much of a problem.

    Also make sure DNS is intercepted at the router - a different IP could be given if the client points themselves to another DNS server.

    Like I said - it is (very) ugly, but should throw enough of a wrench in things to discourage most facebook activity.
     
    Last edited: Feb 24, 2014
  36. threehappypenguins

    threehappypenguins Serious Server Member

    jerrm, this is *everything* that is in my firewall rule now. I tried to implement what you told me. Don't I need some sort of line to execute what you told me to put in? If so, I don't know what to put. Also, I blocked DNS interception. I tested it by changing the DNS on my laptop to 8.8.8.8 and 8.8.4.4 (Google), and OpenDNS (the DNS service that I am using) was enforced by the router.

    Code:
    iptables -t nat -A PREROUTING -p udp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    iptables -t nat -A PREROUTING -p tcp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    
    iptables -N blockfacebook
    iptables -A blockfacebook -d 31.13.69.80/29 -j DROP
    iptables -A blockfacebook -d 65.201.208.24/29 -j DROP
    iptables -A blockfacebook -d 65.204.104.128/28 -j DROP
    iptables -A blockfacebook -d 66.92.180.48/28 -j DROP
    iptables -A blockfacebook -d 66.93.78.176/29 -j DROP
    iptables -A blockfacebook -d 66.199.37.136/29 -j DROP
    iptables -A blockfacebook -d 67.200.105.48/30 -j DROP
    iptables -A blockfacebook -d 74.119.76.0/22 -j DROP
    iptables -A blockfacebook -d 173.252.64.0/18 -j DROP
    iptables -A blockfacebook -d 66.220.144.0/20 -j DROP
    iptables -A blockfacebook -d 69.63.176.0/20 -j DROP
    iptables -A blockfacebook -d 69.171.224.0/19 -j DROP
    iptables -A blockfacebook -d 204.15.20.0/22 -j DROP
    iptables -A blockfacebook -d 66.220.144.0/21 -j DROP
    iptables -A blockfacebook -d 69.63.184.0/21 -j DROP
    iptables -A blockfacebook -d 69.63.176.0/21 -j DROP
    iptables -A blockfacebook -d 69.171.255.0/24 -j DROP
    iptables -A blockfacebook -d 69.171.224.0/20 -j DROP
    iptables -A blockfacebook -d 103.4.96.0/22 -j DROP
    iptables -A blockfacebook -d 69.63.176.0/24 -j DROP
    iptables -A blockfacebook -d 173.252.64.0/19 -j DROP
    iptables -A blockfacebook -d 31.13.64.0/18 -j DROP
    iptables -A blockfacebook -d 31.13.24.0/21 -j DROP
    iptables -A blockfacebook -d 66.220.152.0/21 -j DROP
    iptables -A blockfacebook -d 66.220.159.0/24 -j DROP
    iptables -A blockfacebook -d 69.171.239.0/24 -j DROP
    iptables -A blockfacebook -d 69.171.240.0/20 -j DROP
    iptables -A blockfacebook -d 31.13.64.0/19  -j DROP
    iptables -A blockfacebook -d 31.13.64.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.65.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.67.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.68.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.69.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.70.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.71.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.72.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.73.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.74.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.75.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.76.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.77.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.96.0/19 -j DROP
    iptables -A blockfacebook -d 31.13.66.0/24 -j DROP
    iptables -A blockfacebook -d 173.252.96.0/19 -j DROP
    iptables -A blockfacebook -d 69.63.178.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.78.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.79.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.80.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.82.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.83.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.84.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.85.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.87.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.88.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.89.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.90.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.91.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.92.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.93.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.94.0/24 -j DROP
    iptables -A blockfacebook -d 31.13.95.0/24 -j DROP
    iptables -A blockfacebook -d 69.171.253.0/24 -j DROP
    iptables -A blockfacebook -d 69.63.186.0/24 -j DROP
    iptables -A blockfacebook -d 204.15.20.0/22 -j DROP
    iptables -A blockfacebook -d 69.63.176.0/200 -j DROP
    iptables -I FORWARD 1 -j blockfacebook
    
    # flush the chain
    iptables -F blockfacebook
    # block the current IPs
    iptables -A blockfacebook -d fb.com
    iptables -A blockfacebook -d facebook.com
    iptables -A blockfacebook -d www.fb.com
    iptables -A blockfacebook -d www.facebook.com
    iptables -A blockfacebook -d apps.facebook.com
    I realize that this is a "cat and mouse" game. That is why I keep asking how to find out the CIDR addresses. I keep fiddling with stuff, but I can't figure it out. Please, tell me what I need to type in and WHERE. Command prompt? Putty? Some website? I am running Windows 8.

    I tried typing
    Code:
    host -t a www.facebook.com
    into Putty, but I got an error that says "-sh: host: not found." I also tried to type in
    Code:
    whois 31.13.69.80 | grep CIDR
    into Putty and I get the error "-sh: whois: not found." I got my information from here: http://www.cyberciti.biz/tips/linux-iptables-examples.html

    I also got a list of facebook CIDR addresses from here: http://stackoverflow.com/questions/11164672/list-of-ip-space-used-by-facebook

    One person says this:
    Code:
    # Block facebook
    for ip in `whois -h whois.radb.net '!gAS32934' | grep /`
    do
      iptables -A FORWARD -p all -d $ip -j REJECT
    done
    But I don't understand what he means. Is his code something that would look up the facebook CIDR all the time and automatically block them as they come in? I don't understand how to implement it, except by copying and pasting it exactly the way it is into the firewall. But it doesn't look right (I need to change something in it to say blockfacebook to match my rules, maybe?)

    I'm pretty iptables and linux illiterate.
     
  37. threehappypenguins

    threehappypenguins Serious Server Member

    Once I get this working, I need to figure out a way to specify which MAC address I want to make the block apply to. I'm doing this for a friend. He wants to block one of his sons from facebook (the abuser) on his computer and iPhone, and leave facebook open for the rest of the family on all other devices. I found this website, but I'm not sure how I would write it in: http://www.cyberciti.biz/tips/iptables-mac-address-filtering.html
     
  38. jerrm

    jerrm Network Guru Member

    This is getting disturbingly ugly. Shibby with ipset support is probably the best option. The netblock list is getting unwieldy and GUI size limits will become an issue. I doubt I'll update anything past this point, but below is tested and works.

    Remove this and check "Intercept DNS Port" under the Advanced->DHCP/DNS GUI instead.
    Code:
    iptables -t nat -A PREROUTING -p udp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    iptables -t nat -A PREROUTING -p tcp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    
    Add this to init:
    Code:
    #build a script to create/update the blockfacebook chain
    cat << EOF > /tmp/build_fbchain.sh
    #!/bin/sh
     
    fb() {
    iptables -A blockfacebook -d \$1 -j DROP
    }
     
    # Create the chain if it does not exist
    iptables -N blockfacebook
     
    # flush the chain if it does exist
    iptables -F blockfacebook
     
    # Add the IPs facebook currently resolves to (in case they add new IPs)
    fb fb.com
    fb facebook.com
    fb www.fb.com
    fb www.facebook.com
    fb apps.facebook.com
     
    # Add known facebook netblocks
    fb 31.13.69.80/29
    fb 65.201.208.24/29
    fb 65.204.104.128/28
    fb 66.92.180.48/28
    fb 66.93.78.176/29
    fb 66.199.37.136/29
    fb 67.200.105.48/30
    fb 74.119.76.0/22
    fb 173.252.64.0/18
    fb 66.220.144.0/20
    fb 69.63.176.0/20
    fb 69.171.224.0/19
    fb 204.15.20.0/22
    fb 66.220.144.0/21
    fb 69.63.184.0/21
    fb 69.63.176.0/21
    fb 69.171.255.0/24
    fb 69.171.224.0/20
    fb 103.4.96.0/22
    fb 69.63.176.0/24
    fb 173.252.64.0/19
    fb 31.13.64.0/18
    fb 31.13.24.0/21
    fb 66.220.152.0/21
    fb 66.220.159.0/24
    fb 69.171.239.0/24
    fb 69.171.240.0/20
    fb 31.13.64.0/19 
    fb 31.13.64.0/24
    fb 31.13.65.0/24
    fb 31.13.67.0/24
    fb 31.13.68.0/24
    fb 31.13.69.0/24
    fb 31.13.70.0/24
    fb 31.13.71.0/24
    fb 31.13.72.0/24
    fb 31.13.73.0/24
    fb 31.13.74.0/24
    fb 31.13.75.0/24
    fb 31.13.76.0/24
    fb 31.13.77.0/24
    fb 31.13.96.0/19
    fb 31.13.66.0/24
    fb 173.252.96.0/19
    fb 69.63.178.0/24
    fb 31.13.78.0/24
    fb 31.13.79.0/24
    fb 31.13.80.0/24
    fb 31.13.82.0/24
    fb 31.13.83.0/24
    fb 31.13.84.0/24
    fb 31.13.85.0/24
    fb 31.13.87.0/24
    fb 31.13.88.0/24
    fb 31.13.89.0/24
    fb 31.13.90.0/24
    fb 31.13.91.0/24
    fb 31.13.92.0/24
    fb 31.13.93.0/24
    fb 31.13.94.0/24
    fb 31.13.95.0/24
    fb 69.171.253.0/24
    fb 69.63.186.0/24
    fb 204.15.20.0/22
    # below needs correcting - it is an invalid mask
    # fb 69.63.176.0/200
    EOF
    chmod +x /tmp/build_fbchain.sh
    
    Call the script created in init and enable blocking under Administration->Scripts->Firewall:
    Code:
    /tmp/build_fbchain.sh
    # remove the below line and place it in a scheduler job if you wish to schedule access
    iptables -I FORWARD -j blockfacebook
    
    Create an "Every 15 Minutes" job under Administration->Scheduler to update the blockfacebook chain.
    Code:
    /tmp/build_fbchain.sh
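
    As an added illustration of jerrm's remark that the netblock list is getting unwieldy (this is example code written for this thread, not jerrm's script and not part of Tomato): the list above contains an invalid mask (/200), exact duplicates, and many entries already covered by a wider block (every 31.13.x.0/24 sits inside 31.13.64.0/18, for instance). Python's standard `ipaddress` module can audit such a list offline and collapse it to the minimal set of blocks. The sample list is a constructed subset of the entries above.

```python
import ipaddress

# Constructed subset of the netblocks listed in the thread, including the bad /200 entry.
SAMPLE_NETBLOCKS = [
    "31.13.69.80/29", "31.13.64.0/18", "31.13.64.0/19", "31.13.64.0/24",
    "31.13.96.0/19", "31.13.24.0/21",
    "173.252.64.0/18", "173.252.64.0/19", "173.252.96.0/19",
    "66.220.144.0/20", "66.220.152.0/21",
    "204.15.20.0/22", "204.15.20.0/22",
    "69.63.176.0/200",
]


def audit_netblocks(entries):
    """Report invalid entries, entries made redundant by others, and the collapsed list."""
    valid, invalid = [], []
    for entry in entries:
        try:
            # strict=False also accepts entries whose host bits are set
            valid.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            invalid.append((entry, str(exc)))

    redundant = []
    for i, net in enumerate(valid):
        for j, other in enumerate(valid):
            if j == i:
                continue
            if net == other and j < i:  # exact duplicate of an earlier entry
                redundant.append((str(net), str(other)))
                break
            if net != other and net.subnet_of(other):  # covered by a wider entry
                redundant.append((str(net), str(other)))
                break

    # collapse_addresses merges duplicates, contained blocks and adjacent halves
    collapsed = [str(n) for n in ipaddress.collapse_addresses(valid)]
    total = sum(ipaddress.ip_network(c).num_addresses for c in collapsed)
    return {"invalid": invalid, "redundant": redundant,
            "collapsed": collapsed, "addresses": total}


def chain_lines(report, func="fb"):
    """Render the collapsed list in the `fb <cidr>` form used by the build script above."""
    return [f"{func} {cidr}" for cidr in report["collapsed"]]


if __name__ == "__main__":
    report = audit_netblocks(SAMPLE_NETBLOCKS)
    for entry, reason in report["invalid"]:
        print(f"INVALID   {entry}: {reason}")
    for entry, covering in report["redundant"]:
        print(f"REDUNDANT {entry} (covered by {covering})")
    print(f"{len(report['collapsed'])} blocks, {report['addresses']} addresses:")
    print("\n".join(chain_lines(report)))
```

    Running it against the full list from the post shrinks it to a handful of blocks, which keeps the chain short enough for the GUI size limit jerrm mentions; re-run it whenever entries are added.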
     
  39. jerrm

    jerrm Network Guru Member

    host and whois are utilities not included in tomato. Unless you wish to add a USB drive and install entware, these are not viable options.
     
  40. koitsu

    koitsu Network Guru Member

    Sorry folks I start a new job in a couple weeks and have a billion things at work to finish (I hate leaving loose ends) so I haven't had time to apply to this. @jerrm has been doing a top-notch job.

    I reviewed what was provided in this post:

    http://www.linksysinfo.org/index.ph...k-range-of-destination-ips.57087/#post-241760

    And think this is definitely the best way to go about the situation given your needs and current understanding of what goes on under-the-hood, @threehappypenguins. I mean that respectfully too, not judgementally.

    One footnote: the 69.63.176.0/200 CIDR entry should be 69.63.176.0/20 (extra zero on the end). I verified using ARIN, but I have not verified by looking at what FB actually announces onto the Internet via BGP. (ARIN vs. what gets announced via BGP are not always the same thing, but you're better off going with ARIN if you can actually find the entry within ARIN. I can explain why later).
     
  41. threehappypenguins

    threehappypenguins Serious Server Member

    Success!!! Thanks, koitsu for telling me about ARIN!!! This is all that I have now, and it WORKS!!!

    Code:
    iptables -N blockfacebook
    iptables -A blockfacebook -d 31.0.0.0/8 -j REJECT
    iptables -A blockfacebook -d 173.252.64.0/18 -j REJECT
    iptables -I FORWARD 1 -j blockfacebook
    Since I had no idea how to get a CIDR from the IP address 31.13.69.80, when you said to use ARIN, then I searched for that and found this website: http://itools.com/tool/arin-whois-domain-search

    I simply looked up 31.13.69.80 with that website, and it gave me the CIDR 31.0.0.0/8. That one CIDR alone blocks Facebook when I put the rules in the firewall. Just in case, I looked up 173.252.110.27, and that gave me a CIDR of 173.252.64.0/18 and I put that in the firewall rule as well.

    So in summary, this is what I did to get the necessary addresses, and in the future when it stops working I will play the "cat" and do it again:

    1. Open command prompt and type
    Code:
    tracert facebook.com
    2. Find the offending IP address in the list that will open facebook in the browser.
    3. Take that IP address, and look it up on http://itools.com/tool/arin-whois-domain-search
    4. Copy and paste the CIDR into the firewall rules as shown in the code at the beginning of this post.
     
  42. jerrm

    jerrm Network Guru Member

    Just be aware the addresses you're blocking may be stable and valid for years or they could change next week. With the /8 mask you are blocking millions of non-facebook addresses as well.
     
  43. threehappypenguins

    threehappypenguins Serious Server Member

    So this is what I have so far:

    Administration > Scripts > Firewall

    Code:
    iptables -N blockfacebook
    iptables -A blockfacebook -d 31.0.0.0/8 -j REJECT
    iptables -A blockfacebook -d 173.252.64.0/18 -j REJECT
    Administration > Scheduler > Custom 1

    Enabled, 8am, M,T,W,Th,F

    Code:
    iptables -I FORWARD 1 -m mac --mac-source 00:00:00:00:00:00 -j blockfacebook
    iptables -I FORWARD 1 -m mac --mac-source 00:00:00:00:00:00 -j blockfacebook
    Administration > Scheduler > Custom 2

    Enabled, 3pm, M,T,W,Th,F

    Code:
    iptables -D FORWARD -m mac --mac-source 00:00:00:00:00:00 -j blockfacebook
    iptables -D FORWARD -m mac --mac-source 00:00:00:00:00:00 -j blockfacebook
    There are just three things:

    1. I'm not sure how to apply this to MAC addresses. The above code is my best guess (of course, substituting the 00:00:00:00:00:00 with the *actual* MAC address).
    2. I'm not sure how to apply it to multiple MAC addresses (in this case, I need to apply it to two; my friend does not want to block Facebook for the entire household. Just his one son's computer and iPhone).
    3. Right now, under Custom 1 in the Scheduler, I have to have "every minute" rather than 8am in order for it to be in effect right now. I'm guessing that if I set it for 8am right now, starting at 8am TOMORROW the rule will go into effect and last until 3pm. Is that correct?
     
  44. threehappypenguins

    threehappypenguins Serious Server Member

    Thanks, jerrm. I will keep all that in mind. It's a quick fix for now to be a facebook deterrent. I can always play around with the rules and IP addresses if it starts interfering with other things. But so far, so good! :)
     
  45. jerrm

    jerrm Network Guru Member

    1: Mac syntax looks right. It would be a line for each mac you want to block.
    2: Not sure what you're saying, facebook should be allowed for all except one computer or denied for all but one?
    3: Correct, but realize if the router is rebooted at 9am, the 8am cron job enabling the block might not run and facebook will be allowed. Might want to take the approach blocking is enabled by default.
     
  46. threehappypenguins

    threehappypenguins Serious Server Member

    I think you answered my question when you said
    I want to leave facebook unblocked for everyone except for the specified mac addresses. So I want each line to block the specified mac address. If a mac address is not listed, then I don't want the block to apply.

    I don't want facebook blocked all the time for those two mac addresses. I only want facebook blocked between 8am and 3pm. I don't think their router is rebooted all that often. The only times it's rebooted is by me remotely. So if I need to reboot it for whatever reason, I will just enable the cron job for every minute, and then change it to 8am again when 3pm hits, I suppose. I am assuming that if I leave the cron job enabled for every minute, that the "custom 2" cron job to drop the rule would be overridden by the "every minute" cron job under "custom 1" to enact the rule, right?
     
  47. jerrm

    jerrm Network Guru Member

    From Tools->System or the command line, post the results of:
    Code:
    modprobe ipt_time
    iptables -m time --help
    Not sure if the time module is generally available, or only on Shibby. If available, you can do away with all the scheduler entries.
     
  48. koitsu

    koitsu Network Guru Member

    Re: 31.0.0.0/8 vs. 31.13.69.80/29 -- the tool you're using isn't giving you all the necessary information and you're blocking a large percentage of the Internet that has no relation to Facebook.

    You have to understand how ARIN and other whois-based services work: there is no longer a "central repository" for this information, so when you query one (like querying ARIN), part of the protocol actually supports redirecting you to a third-party server (if available). Parts of Europe (RIPE), Asia (APNIC), and other regions have their own whois servers. But whether or not the redirection happens is up to the program doing the lookups. (Yes, I find this annoying too, but it's the way it works today).

    For example, http://ws.arin.net/ looks like a great resource, but it doesn't recursively redirect you to the RIPE server that actually gives you the proper size netblock.

    Here's what you'll get using a properly implemented whois CLI command. Please keep reading past my code block.

    Code:
    $ whois -a 31.13.69.80
    
    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #
    
    
    #
    # Query terms are ambiguous.  The query is assumed to be:
    #  "n 31.13.69.80"
    #
    # Use "?" to get help.
    #
    
    #
    # The following results may also be obtained via:
    # http://whois.arin.net/rest/nets;q=31.13.69.80?showDetails=true&showARIN=false&ext=netref2
    #
    
    NetRange:  31.0.0.0 - 31.255.255.255
    CIDR:  31.0.0.0/8
    OriginAS:
    NetName:  RIPE-31
    NetHandle:  NET-31-0-0-0-1
    Parent:
    NetType:  Allocated to RIPE NCC
    Comment:  These addresses have been further assigned to users in
    Comment:  the RIPE NCC region. Contact information can be found in
    Comment:  the RIPE database at http://www.ripe.net/whois
    RegDate:
    Updated:  2010-05-18
    Ref:  http://whois.arin.net/rest/net/NET-31-0-0-0-1
    
    OrgName:  RIPE Network Coordination Centre
    OrgId:  RIPE
    Address:  P.O. Box 10096
    City:  Amsterdam
    StateProv:
    PostalCode:  1001EB
    Country:  NL
    RegDate:
    Updated:  2013-07-29
    Ref:  http://whois.arin.net/rest/org/RIPE
    
    ReferralServer: whois://whois.ripe.net:43
    
    OrgAbuseHandle: ABUSE3850-ARIN
    OrgAbuseName:  Abuse Contact
    OrgAbusePhone:  +31205354444
    OrgAbuseEmail:  abuse@ripe.net
    OrgAbuseRef:  http://whois.arin.net/rest/poc/ABUSE3850-ARIN
    
    OrgTechHandle: RNO29-ARIN
    OrgTechName:  RIPE NCC Operations
    OrgTechPhone:  +31 20 535 4444
    OrgTechEmail:  hostmaster@ripe.net
    OrgTechRef:  http://whois.arin.net/rest/poc/RNO29-ARIN
    
    
    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #
    
    % This is the RIPE Database query service.
    % The objects are in RPSL format.
    %
    % The RIPE Database is subject to Terms and Conditions.
    % See http://www.ripe.net/db/support/db-terms-conditions.pdf
    
    % Note: this output has been filtered.
    %  To receive output for a database update, use the "-B" flag.
    
    % Information related to '31.13.64.0 - 31.13.127.255'
    
    % Abuse contact for '31.13.64.0 - 31.13.127.255' is 'domain@fb.com'
    
    inetnum:  31.13.64.0 - 31.13.127.255
    netname:  IE-FACEBOOK-20110418
    descr:  Facebook Ireland Ltd
    country:  IE
    org:  ORG-FIL7-RIPE
    admin-c:  RD4299-RIPE
    tech-c:  RD4299-RIPE
    status:  ALLOCATED PA
    mnt-by:  RIPE-NCC-HM-MNT
    mnt-lower:  fb-neteng
    mnt-routes:  fb-neteng
    source:  RIPE # Filtered
    
    organisation:  ORG-FIL7-RIPE
    org-name:  Facebook Ireland Ltd
    org-type:  LIR
    address:  Facebook Ireland Ltd Hanover Reach, 5-7 Hanover Quay 2 Dublin Ireland
    phone:  +0016505434800
    fax-no:  +0016505435325
    admin-c:  PH4972-RIPE
    mnt-ref:  RIPE-NCC-HM-MNT
    mnt-ref:  fb-neteng
    mnt-by:  RIPE-NCC-HM-MNT
    abuse-mailbox:  domain@fb.com
    abuse-c:  RD4299-RIPE
    source:  RIPE # Filtered
    
    role:  RIPE DBM
    address:  1601 Willow Rd.
    address:  Menlo Park, CA, 94025
    admin-c:  PH4972-RIPE
    tech-c:  PH4972-RIPE
    nic-hdl:  RD4299-RIPE
    mnt-by:  fb-neteng
    source:  RIPE # Filtered
    abuse-mailbox:  domain@fb.com
    
    % This query was served by the RIPE Database Query Service version 1.71 (WHOIS1)
    
    Note how it starts out at ARIN, then redirects to RIPE (Europe's equivalent of ARIN), that then discloses the network block/range for Facebook Ireland is 31.13.64.0 - 31.13.127.255. Some whois servers spit out CIDR, others spit out network blocks/ranges.

    You'll then say "Wait a minute, how do I turn 31.13.64.0 - 31.13.127.255 into a CIDR (ex. 1.2.3.4/16)?" There are lots of tools to do this on the web (just search for something like "ip range cidr"), but I actually tend to do it in my head because I've done this nonsense for years.

    It's 31.13.64.0/18.

    HOWEVER, as I alluded to in one of my previous posts, that's not necessarily the network size that Facebook announces onto the Internet via BGP. So we can use another resource to check that, particularly the routeviews.org project.

    Code:
    $ telnet route-views.routeviews.org
    Trying 128.223.51.103...
    Connected to route-views.routeviews.org.
    Escape character is '^]'.
    
     **********************************************************************
    
      Oregon Exchange BGP Route Viewer
      route-views.oregon-ix.net / route-views.routeviews.org
    
     route views data is archived on http://archive.routeviews.org
    
     This hardware is part of a grant from Cisco Systems.
     Please contact help@routeviews.org if you have questions or
     comments about this service, its use, or if you might be able to
     contribute your view.
    
     This router has views of the full routing tables from several ASes.
     The list of ASes is documented under "Current Participants" on
     http://www.routeviews.org/.
    
      **************
    
     route-views.routeviews.org is now using AAA for logins.  Login with
     username "rviews".  See http://routeviews.org/aaa.html
    
     **********************************************************************
    
    
    User Access Verification
    
    Username: rviews
    route-views>
    route-views>
    route-views>show ip route 31.13.69.80
    Routing entry for 31.13.69.0/24
      Known via "bgp 6447", distance 20, metric 0
      Tag 3356, type external
      Last update from 4.69.184.193 5d05h ago
      Routing Descriptor Blocks:
      * 4.69.184.193, from 4.69.184.193, 5d05h ago
      Route metric is 0, traffic share count is 1
      AS Hops 2
      Route tag 3356
    
    route-views>exit
    Connection closed by foreign host.
    
    So you can see here the discrepancy between what Facebook announces on the Internet vs. what network ranges are registered with RIPE. Which should you go with? IMO, go with what's in ARIN/RIPE/etc. Just remember that if at any time Facebook relinquishes part of their network (for example if they wanted to shrink their network from 31.13.64.0/18 to 31.13.64.0/20), it's your job to micro-manage and try to reverse-engineer what's changed. This goes back to the whole cat/mouse game comment that I and others have made.

    Else, welcome to a very small insight into how the Internet actually works behind the scenes. :)
     
    dc361 likes this.
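    The range-to-CIDR step above (31.13.64.0 - 31.13.127.255 becoming 31.13.64.0/18) is easy to get wrong by hand, so here is an added shell example, not from this thread, that does the conversion with POSIX arithmetic so it runs in busybox ash on the router as well as on a desktop. It goes a bit beyond the single case in the post: a range that is not block-aligned is split into the minimal list of prefixes, which is what you need before feeding the result to iptables or ipset. Function names (ip2int, int2ip, range2cidr) and the 10.0.0.1 - 10.0.0.6 range are constructed for the example.

```shell
#!/bin/sh
# Added example (not from this thread): convert a whois-style "start - end"
# IPv4 range into the minimal list of CIDR prefixes that covers it exactly.
# POSIX sh arithmetic only, so it runs in busybox ash, dash and bash.

# dotted quad -> 32-bit integer (octets must be plain decimal, no leading zeros)
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range2cidr START END: print one prefix per line covering exactly START..END.
# Greedy: at each step take the largest block that is aligned on the current
# address and does not run past END, then continue after it.
range2cidr() {
    start=$(ip2int "$1")
    end=$(ip2int "$2")
    [ "$start" -le "$end" ] || { echo "range2cidr: start is after end" >&2; return 1; }
    while [ "$start" -le "$end" ]; do
        bits=0
        while [ "$bits" -lt 32 ]; do
            size=$(( 1 << (bits + 1) ))
            # stop growing when the next larger block is misaligned or overshoots END
            if [ $(( start & (size - 1) )) -ne 0 ] || [ $(( start + size - 1 )) -gt "$end" ]; then
                break
            fi
            bits=$(( bits + 1 ))
        done
        echo "$(int2ip "$start")/$(( 32 - bits ))"
        start=$(( start + (1 << bits) ))
    done
}

# Demo: the RIPE inetnum from the whois output above, plus a constructed
# unaligned range to show the split. Run as: sh range2cidr.sh demo
if [ "${1:-}" = "demo" ]; then
    range2cidr 31.13.64.0 31.13.127.255
    range2cidr 10.0.0.1 10.0.0.6
fi
```

    The first call prints 31.13.64.0/18; the second prints four lines (10.0.0.1/32, 10.0.0.2/31, 10.0.0.4/31, 10.0.0.6/32), which is the smallest set of prefixes that covers that range and nothing outside it. Each output line can be used directly as a `-d` argument to iptables or as an `ipset add` member of a hash:net set.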
  49. szpunk

    szpunk Networkin' Nut Member

    If you use shibby's firmware (or other firmware based on shibby, like Advanced Tomato), there's an easy way to do this with dnsmasq and ipset; you don't need to care about Facebook's IP ranges.

    1. Make sure "Intercept DNS port" is checked on the Advanced > DHCP/DNS page;
    2. Add some rules to the dnsmasq custom configuration, for example for facebook:
    Code:
    ipset=/facebook.com/blocklist
    ipset=/facebook.net/blocklist
    ...etc
    3. Add the firewall script:
    Code:
    # elog is not a standard busybox/Tomato command; defined here so the script runs as posted
    elog() { logger -t firewall "$@"; }
    
    # Loading ipset modules
    if [ $(ipset -v | grep v6 | wc -l) -eq 1 ]; then
        setme="--match-set"
        if [ $(lsmod | grep "xt_set" | wc -l) -eq 0 ]; then
            elog "loading ipset v6 modules"
            for module in ip_set ip_set_hash_ip ip_set_hash_net ip_set_list_set xt_set
            do
                insmod $module
            done
            elog "ipset modules loaded success"
        fi
    elif [ $(ipset -v | grep v4 | wc -l) -eq 1 ]; then
        setme="--set"
        if [ $(lsmod | grep "ipt_set" | wc -l) -eq 0 ]; then
            elog "loading ipset v4 modules"
            for module in ip_set ipt_set
            do
                insmod $module
            done
            elog "ipset modules loaded success"
        fi
    else
        elog "Unknown ipset version."
        exit 1
    fi
    
    # Create new chain (delete/flush the old one first so re-running the script does not duplicate rules)
    iptables -t nat -D PREROUTING -i `nvram get lan_ifname` -p tcp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -j BLOCKEDDOMAIN
    iptables -t nat -F BLOCKEDDOMAIN
    iptables -t nat -X BLOCKEDDOMAIN
    iptables -t nat -N BLOCKEDDOMAIN
    
    # Use blocklist: create the set if it does not exist yet, then reject web traffic to any member
    checkblocklist=$(ipset -L blocklist 2> /dev/null | wc -l)
    [ $checkblocklist -eq 0 ] && ipset -N blocklist iphash --hashsize 4096
    iptables -t nat -A BLOCKEDDOMAIN -p tcp -m multiport --dports 80,443 -m set $setme blocklist dst -j REJECT
    
    # Apply the rules
    iptables -t nat -A PREROUTING -i `nvram get lan_ifname` -p tcp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -j BLOCKEDDOMAIN
    Every time a client wants to connect to facebook.com, dnsmasq adds the IP of facebook.com to the "blocklist" ipset, and it is then REJECTed by the firewall rules.
     
    Monk E. Boy and glennsamuel32 like this.
  50. glennsamuel32

    glennsamuel32 New Member Member

    I just signed up to leave this comment ;)
    wow !! wow !! wow !!!
    @szpunk you are da man !!!
    just an amazing script :):):)
    thanks a lot for posting it, even though the last post was a year and 4 months old !!!
     
  51. Alexu

    Alexu Network Newbie Member

    Hi. I applied this rule with ipset, but with Chrome I had to add UDP.
    In Edge and Firefox TCP is enough, but Chrome can use UDP.
    So I added extra rules for UDP and it works great.
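    Putting szpunk's three steps and Alexu's UDP remark together, here is an added firewall script (example code, not szpunk's script and not part of the thread) that does the same dnsmasq + ipset blocking with two changes a practitioner would want. First, the blocking chain hangs off the filter table's FORWARD chain rather than nat/PREROUTING: the REJECT target is registered for the filter table only, so the kernel refuses a REJECT rule placed in a nat chain. Second, it matches UDP 80/443 as well as TCP, because Chrome tries QUIC over UDP 443 first and only falls back to TCP when that fails. It assumes the dnsmasq `ipset=/facebook.com/blocklist` lines from step 2 are in place and "Intercept DNS port" is on; the set name, chain name, the `WINDOW` variable (an optional xt_time match) and the `IPT`/`IPS`/`SETME`/`LAN_IF` overrides are constructed for the example.

```shell
#!/bin/sh
# Added example, not szpunk's script: dnsmasq + ipset domain blocking with the
# chain in filter/FORWARD and both TCP and UDP 80/443 covered.
# Assumes dnsmasq fills the set via "ipset=/facebook.com/blocklist" lines.
# Set IPT=echo IPS=echo to print the commands instead of applying them.
IPT=${IPT:-iptables}
IPS=${IPS:-ipset}
SET=${SET:-blocklist}
CHAIN=${CHAIN:-BLOCKEDDOMAIN}
# Optional time window, e.g. WINDOW="-m time --timestart 21:00 --timestop 23:59"
WINDOW=${WINDOW:-}
LAN_IF=${LAN_IF:-$(nvram get lan_ifname 2>/dev/null || echo br0)}

# ipset 6.x userland matches with "-m set --match-set", the old 4.x one with "--set".
# SETME can be preset to skip detection.
set_flag() {
    if [ -n "${SETME:-}" ]; then
        echo "$SETME"
    elif "$IPS" -v 2>/dev/null | grep -q v6; then
        echo "--match-set"
    else
        echo "--set"
    fi
}

# Create the set once; dnsmasq adds members as clients resolve the listed domains.
ensure_set() {
    "$IPS" -L "$SET" >/dev/null 2>&1 || "$IPS" -N "$SET" iphash --hashsize 4096
}

# Idempotent chain setup: the firewall script re-runs on every WAN up, so the
# old jump and chain are removed first to avoid duplicate rules.
reset_chain() {
    "$IPT" -D FORWARD -i "$LAN_IF" -j "$CHAIN" 2>/dev/null
    "$IPT" -F "$CHAIN" 2>/dev/null
    "$IPT" -X "$CHAIN" 2>/dev/null
    "$IPT" -N "$CHAIN"
}

apply_blocklist() {
    flag=$(set_flag)
    ensure_set
    reset_chain
    # TCP gets a RST so the browser fails fast instead of waiting for a timeout.
    # REJECT only exists for the filter table, which is why the chain is not in nat.
    "$IPT" -A "$CHAIN" -p tcp -m multiport --dports 80,443 $WINDOW \
        -m set "$flag" "$SET" dst -j REJECT --reject-with tcp-reset
    # UDP 443 (QUIC, which Chrome tries first) is dropped; Chrome then falls back
    # to TCP, which the rule above rejects.
    "$IPT" -A "$CHAIN" -p udp -m multiport --dports 80,443 $WINDOW \
        -m set "$flag" "$SET" dst -j DROP
    # LAN-originated traffic to the WAN passes through FORWARD on the router.
    "$IPT" -I FORWARD -i "$LAN_IF" -j "$CHAIN"
}

# Run as: sh blocklist.sh apply   (or: IPT=echo IPS=echo sh blocklist.sh apply)
if [ "${1:-}" = "apply" ]; then
    apply_blocklist
fi
```

    Because the set is filled from DNS answers, a client that bypasses the router's resolver (hard-coded DNS, DNS over HTTPS) never populates it; "Intercept DNS port" closes the first hole, the second needs a separate policy. Hosts that were resolved before the set was created are also not in it, so expect the block to take effect on the next lookup rather than immediately.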
     
