[HELP] Blocking HTTPS with iptables


Post by rizaaal » 11 Mar 2012, 19:30

My network topology looks like this:

internet----router+proxy----hub----client

I have already managed to block certain websites at certain hours with a squid configuration like this:

Code:

    # HIGH PERFORMANCE SQUID 2.7
    # Duacikbar ICT Kardi Sejahtera
    # Script Editor : Rizal Rahman
    # Config date : 22 February 2012
    ###########################################
    # ACCESS CONTROLS
    #----------------
    acl QUERY urlpath_regex -i cgi-bin \? \.php$ \.asp$ \.shtml$ \.cfm$ \.cfml$ \.phtml$ \.php3$ localhost
    acl all src all
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8
    acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl SSL_ports port 443 563 81
    acl Safe_ports port 21 70 80 210 280 443 488 563 591 631 777 901 81 3128 1025-65535
    acl CONNECT method CONNECT
    acl purge method PURGE
    acl client src 172.16.0.0/24
    acl client2 src 192.168.0.0/24
    acl porno url_regex -i "/etc/squid/porno.txt"
    acl socmed url_regex -i "/etc/squid/socmed.txt"
    acl jam_belajar1 time MTWHF 07:00-10:00
    acl istirahat time MTWHF 10:01-11:00
    acl jam_belajar2 time MTWHF 11:01-12:30
    acl sholat time MTWHF 12:31-13:00
    acl jam_belajar3 time MTWHF 13:01-15:00
    http_access deny porno
    http_access allow socmed istirahat
    http_access allow socmed sholat
    http_access deny socmed jam_belajar1
    http_access deny socmed jam_belajar2
    http_access deny socmed jam_belajar3
    http_access allow socmed
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow client
    http_access allow client2
    http_access allow localnet
    http_access deny all
    # NETWORK OPTIONS
    #----------------
    http_port 3128 transparent
    zph_mode tos
    zph_local 0x30
    zph_parent 0
    zph_option 136
    icp_port 0
    htcp_port 0
    icp_access deny all
    htcp_access deny all
    snmp_port 0
    snmp_access deny all
    # OPTIONS WHICH AFFECT THE CACHE SIZE
    #------------------------------------
    cache_mem 8 MB
    maximum_object_size_in_memory 32 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    cache_dir aufs /cache/c1 4000 9 256
    cache_dir aufs /cache/c2 4000 9 256
    cache_dir aufs /cache/c3 4000 9 256
    cache_dir aufs /cache/c4 4000 9 256
    store_dir_select_algorithm least-load
    maximum_object_size 128000 KB
    cache_swap_low 90
    cache_swap_high 95
    update_headers off
    # LOGFILE PATHNAMES AND CACHE DIRECTORIES
    #----------------------------------------
    access_log none
    cache_log /dev/null
    cache_store_log none
    logfile_rotate 5
    log_ip_on_direct off
    log_icp_queries off
    buffered_logs off
    netdb_filename none
    pid_filename /var/run/squid.pid
    # OPTIONS FOR TUNING THE CACHE
    #-----------------------------
    cache deny QUERY
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i \.(gif|png|jp?g|ico|bmp|tiff?)$ 10080 95% 43200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
    refresh_pattern -i \.(rpm|cab|deb|exe|msi|msu|zip|tar|gz|tgz|rar|bin|7z|doc?|xls?|ppt?|pdf|nth|psd|sis)$ 10080 90% 43200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
    refresh_pattern -i \.(avi|iso|wav|mid|mp?|mpeg|mov|3gp|wm?|swf|flv|x-flv|axd)$ 43200 95% 432000 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
    refresh_pattern -i \.(html|htm|css|js)$ 1440 75% 40320
    refresh_pattern -i \.index.(html|htm)$ 0 75% 10080
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 1440 90% 10080
    quick_abort_min 0 KB
    quick_abort_max 0 KB
    quick_abort_pct 98
    store_avg_object_size 13 KB
    # HTTP OPTIONS
    #-------------
    server_http11 on
    collapsed_forwarding on
    vary_ignore_expire on
    header_access From deny all
    header_access Server deny all
    header_access Link deny all
    header_access Via deny all
    header_access X-Forwarded-For deny all
    # TIMEOUTS
    #---------
    forward_timeout 240 seconds
    connect_timeout 30 second
    peer_connect_timeout 5 seconds
    read_timeout 600 second
    request_timeout 60 second
    persistent_request_timeout 60 seconds
    client_lifetime 86400 second
    half_closed_clients off
    pconn_timeout 60 second
    shutdown_lifetime 10 second
    # ADMINISTRATIVE PARAMETERS
    #--------------------------
    cache_mgr Duacikbar
    cache_effective_user proxy
    cache_effective_group proxy
    httpd_suppress_version_string on
    visible_hostname Duacikbar
    # DELAY POOL PARAMETERS
    #----------------------
    # ADVANCED NETWORKING OPTIONS
    #---------------------------
    max_filedescriptors 4096
    # DNS OPTIONS
    #-----------
    check_hostnames off
    dns_timeout 30 seconds
    dns_nameservers 202.134.1.10, 202.134.0.155
    hosts_file /etc/hosts
    ipcache_size 8192
    ipcache_low 90
    ipcache_high 95
    fqdncache_size 4096
    # MISCELLANEOUS
    #--------------
    memory_pools off
    forwarded_for off
    reload_into_ims on
    coredump_dir /cache
    pipeline_prefetch on
    offline_mode off
    # -=EoF=-

The websites I block during those hours are Facebook and Twitter. The problem is that the block on both sites can be bypassed when they are accessed over HTTPS.

Eventually, after searching on Google, I found an iptables script like this:

Code:

    #!/bin/sh
    # iptables: block facebook https by day and time
    iptables -A FORWARD -p tcp --dport 443 -d 66.220.144.0/20 -m time --timestart 07:00 --timestop 10:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d 66.220.144.0/20 -m time --timestart 10:30 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d 66.220.144.0/20 -m time --timestart 13:00 --timestop 15:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d 69.63.176.0/20 -m time --timestart 07:00 --timestop 10:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d 69.63.176.0/20 -m time --timestart 10:30 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d 69.63.176.0/20 -m time --timestart 13:00 --timestop 15:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d www.facebook.com -m time --timestart 07:00 --timestop 10:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d www.facebook.com -m time --timestart 10:31 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d www.facebook.com -m time --timestart 13:00 --timestop 15:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d facebook.com -m time --timestart 07:00 --timestop 10:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d facebook.com -m time --timestart 10:30 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d facebook.com -m time --timestart 13:00 --timestop 15:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d www.facebook.com.edgesuite.net -m time --timestart 07:00 --timestop 10:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d www.facebook.com.edgesuite.net -m time --timestart 10:30 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d www.facebook.com.edgesuite.net -m time --timestart 13:00 --timestop 15:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    # iptables: block twitter https by day and time
    iptables -A FORWARD -p tcp --dport 443 -d 199.59.148.82/20 -m time --timestart 07:00 --timestop 10:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d 199.59.148.82/20 -m time --timestart 10:30 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d 199.59.148.82/20 -m time --timestart 13:00 --timestop 15:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d 199.59.148.10/20 -m time --timestart 07:00 --timestop 10:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d 199.59.148.10/20 -m time --timestart 10:30 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d 199.59.148.10/20 -m time --timestart 13:00 --timestop 15:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d 199.59.149.198/20 -m time --timestart 07:00 --timestop 10:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d 199.59.149.198/20 -m time --timestart 10:30 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d 199.59.149.198/20 -m time --timestart 13:00 --timestop 15:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d www.twitter.com -m time --timestart 07:00 --timestop 10:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d www.twitter.com -m time --timestart 10:31 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d www.twitter.com -m time --timestart 13:00 --timestop 15:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d twitter.com -m time --timestart 07:00 --timestop 10:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d twitter.com -m time --timestart 10:30 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -p tcp --dport 443 -d twitter.com -m time --timestart 13:00 --timestop 15:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
    exit 0

It does work: HTTPS access to both sites is blocked, while other HTTPS sites (e.g. Gmail) still open fine. But there is one problem: the timestart and timestop functions do not work, so the sites stay blocked all the time.

What is the solution? If there is another way to block HTTPS, that is fine too; anything, as long as it works. :D Please enlighten me. :)
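
The following Python linter is an added example, not part of the original post and not the poster's code. It checks rule lines of the shape posted above for three things: `-d` networks whose host bits iptables masks away, hostnames in `-d` (iptables resolves them once, when the rule is added), and time windows that differ from the squid `time` ACLs that deny `socmed`. The function names and the `SQUID_DENY` table are assumptions made for this example.

```python
import ipaddress
import shlex

# Four rule lines copied from the script above; the first one is clean.
SAMPLE_RULES = """\
iptables -A FORWARD -p tcp --dport 443 -d 66.220.144.0/20 -m time --timestart 07:00 --timestop 10:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d 199.59.148.82/20 -m time --timestart 10:30 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d www.facebook.com -m time --timestart 10:31 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d twitter.com -m time --timestart 13:00 --timestop 15:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
"""

# Windows in which the squid.conf above denies socmed (jam_belajar1..3).
SQUID_DENY = {("07:00", "10:00"), ("11:01", "12:30"), ("13:01", "15:00")}


def option(tokens, flag):
    """Return the value following `flag`, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def lint_rule(line):
    """Return the findings for one `iptables -A ...` command line."""
    tokens = shlex.split(line)
    findings = []
    dest = option(tokens, "-d")
    if dest is not None:
        try:
            net = ipaddress.ip_network(dest, strict=False)
            if "/" in dest and str(net) != dest:
                findings.append(f"host bits set: {dest} is matched as {net}")
        except ValueError:
            findings.append(f"hostname {dest}: resolved once, when the rule is loaded")
    start, stop = option(tokens, "--timestart"), option(tokens, "--timestop")
    if start and (start, stop) not in SQUID_DENY:
        findings.append(f"window {start}-{stop} differs from the squid deny windows")
    return findings


def lint_script(text):
    """Map line number -> findings for every iptables line that has any."""
    numbered = enumerate(text.splitlines(), start=1)
    checked = {n: lint_rule(l) for n, l in numbered if l.startswith("iptables ")}
    return {n: found for n, found in checked.items() if found}


if __name__ == "__main__":
    for number, found in lint_script(SAMPLE_RULES).items():
        print(f"rule {number}:", *found, sep="\n  ")
```

Run over the full script, the three Twitter prefixes 199.59.148.82/20, 199.59.148.10/20 and 199.59.149.198/20 all normalize to 199.59.144.0/20, so those nine rules are three rules repeated.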

Re: [HELP] Blocking HTTPS with iptables

Post by rizaaal » 16 Mar 2012, 14:14

Bump.. this problem still isn't solved :eek:

Re: [HELP] Blocking HTTPS with iptables

Post by sipelaut » 17 Mar 2012, 15:08

Up---- uppp---- from me too...
waiting for the masters to show up
BTW
if the acl is made for https directly, would that work or not???
:grin:
