[HELP] Blocking HTTPS with iptables

Discussion about Ubuntu Server: web server, database server, Samba server and other services, plus networking, using the Ubuntu operating system.
rizaaal
Posts: 1212
Joined: 01 May 2011, 16:02
Location: Bekasi, Indonesia

[HELP] Blocking HTTPS with iptables

Post by rizaaal » 11 Mar 2012, 19:30

My network topology looks like this:

internet----router+proxy----hub----client

I have already managed to block certain websites at certain hours with a squid configuration like this:


# HIGH PERFORMANCE SQUID 2.7
# Duacikbar ICT Kardi Sejahtera
# Script Editor : Rizal Rahman
# Config date : 22 February 2012
###########################################

# ACCESS CONTROLS
#----------------

acl QUERY urlpath_regex -i cgi-bin \? \.php$ \.asp$ \.shtml$ \.cfm$ \.cfml$ \.phtml$ \.php3$ localhost
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443 563 81
acl Safe_ports port 21 70 80 210 280 443 488 563 591 631 777 901 81 3128 1025-65535
acl CONNECT method CONNECT
acl purge method PURGE
acl client src 172.16.0.0/24
acl client2 src 192.168.0.0/24
acl porno url_regex -i "/etc/squid/porno.txt"
acl socmed url_regex -i "/etc/squid/socmed.txt"
acl jam_belajar1 time MTWHF 07:00-10:00
acl istirahat time MTWHF 10:01-11:00
acl jam_belajar2 time MTWHF 11:01-12:30
acl sholat time MTWHF 12:31-13:00
acl jam_belajar3 time MTWHF 13:01-15:00

http_access deny porno
http_access allow socmed istirahat
http_access allow socmed sholat
http_access deny socmed jam_belajar1
http_access deny socmed jam_belajar2
http_access deny socmed jam_belajar3
http_access allow socmed
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow client
http_access allow client2
http_access allow localnet
http_access deny all

# NETWORK OPTIONS
#----------------

http_port 3128 transparent
zph_mode tos
zph_local 0x30
zph_parent 0
zph_option 136

icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all

snmp_port 0
snmp_access deny all

# OPTIONS WHICH AFFECT THE CACHE SIZE
#------------------------------------

cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir aufs /cache/c1 4000 9 256
cache_dir aufs /cache/c2 4000 9 256
cache_dir aufs /cache/c3 4000 9 256
cache_dir aufs /cache/c4 4000 9 256
store_dir_select_algorithm least-load
maximum_object_size 128000 KB
cache_swap_low 90
cache_swap_high 95
update_headers off

# LOGFILE PATHNAMES AND CACHE DIRECTORIES
#----------------------------------------

access_log none
cache_log /dev/null
cache_store_log none
logfile_rotate 5
log_ip_on_direct off
log_icp_queries off
buffered_logs off
netdb_filename none
pid_filename /var/run/squid.pid

# OPTIONS FOR TUNING THE CACHE
#-----------------------------

cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(gif|png|jp?g|ico|bmp|tiff?)$ 10080 95% 43200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
refresh_pattern -i \.(rpm|cab|deb|exe|msi|msu|zip|tar|gz|tgz|rar|bin|7z|doc?|xls?|ppt?|pdf|nth|psd|sis)$ 10080 90% 43200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
refresh_pattern -i \.(avi|iso|wav|mid|mp?|mpeg|mov|3gp|wm?|swf|flv|x-flv|axd)$ 43200 95% 432000 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
refresh_pattern -i \.(html|htm|css|js)$ 1440 75% 40320
refresh_pattern -i \.index.(html|htm)$ 0 75% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 1440 90% 10080

quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 98
store_avg_object_size 13 KB

# HTTP OPTIONS
#-------------

server_http11 on
collapsed_forwarding on
vary_ignore_expire on
header_access From deny all
header_access Server deny all
header_access Link deny all
header_access Via deny all
header_access X-Forwarded-For deny all

# TIMEOUTS
#---------

forward_timeout 240 seconds
connect_timeout 30 second
peer_connect_timeout 5 seconds
read_timeout 600 second
request_timeout 60 second
persistent_request_timeout 60 seconds
client_lifetime 86400 second
half_closed_clients off
pconn_timeout 60 second
shutdown_lifetime 10 second

# ADMINISTRATIVE PARAMETERS
#--------------------------

cache_mgr Duacikbar
cache_effective_user proxy
cache_effective_group proxy
httpd_suppress_version_string on
visible_hostname Duacikbar

# DELAY POOL PARAMETERS
#----------------------

# ADVANCED NETWORKING OPTIONS
#---------------------------

max_filedescriptors 4096

# DNS OPTIONS
#-----------

check_hostnames off
dns_timeout 30 seconds
dns_nameservers 202.134.1.10, 202.134.0.155
hosts_file /etc/hosts
ipcache_size 8192
ipcache_low 90
ipcache_high 95
fqdncache_size 4096

# MISCELLANEOUS
#--------------

memory_pools off
forwarded_for off
reload_into_ims on
coredump_dir /cache
pipeline_prefetch on
offline_mode off
# -=EoF=-


The websites I block during those hours are Facebook and Twitter. The problem is that the block on both sites can be bypassed when they are accessed over HTTPS.

After searching around on Google, I finally found an iptables script like this:


#!/bin/sh
# iptables: block Facebook HTTPS by day and time
iptables -A FORWARD -p tcp --dport 443 -d 66.220.144.0/20 -m time --timestart 07:00 --timestop 10:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d 66.220.144.0/20 -m time --timestart 10:30 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d 66.220.144.0/20 -m time --timestart 13:00 --timestop 15:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d 69.63.176.0/20 -m time --timestart 07:00 --timestop 10:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d 69.63.176.0/20 -m time --timestart 10:30 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d 69.63.176.0/20 -m time --timestart 13:00 --timestop 15:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP

iptables -A FORWARD -p tcp --dport 443 -d www.facebook.com -m time --timestart 07:00 --timestop 10:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d www.facebook.com -m time --timestart 10:31 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d www.facebook.com -m time --timestart 13:00 --timestop 15:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d facebook.com -m time --timestart 07:00 --timestop 10:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d facebook.com -m time --timestart 10:30 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d facebook.com -m time --timestart 13:00 --timestop 15:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d www.facebook.com.edgesuite.net -m time --timestart 07:00 --timestop 10:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d www.facebook.com.edgesuite.net -m time --timestart 10:30 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d www.facebook.com.edgesuite.net -m time --timestart 13:00 --timestop 15:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP

# iptables: block Twitter HTTPS by day and time
iptables -A FORWARD -p tcp --dport 443 -d 199.59.148.82/20 -m time --timestart 07:00 --timestop 10:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d 199.59.148.82/20 -m time --timestart 10:30 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d 199.59.148.82/20 -m time --timestart 13:00 --timestop 15:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d 199.59.148.10/20 -m time --timestart 07:00 --timestop 10:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d 199.59.148.10/20 -m time --timestart 10:30 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d 199.59.148.10/20 -m time --timestart 13:00 --timestop 15:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d 199.59.149.198/20 -m time --timestart 07:00 --timestop 10:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d 199.59.149.198/20 -m time --timestart 10:30 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d 199.59.149.198/20 -m time --timestart 13:00 --timestop 15:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP

iptables -A FORWARD -p tcp --dport 443 -d www.twitter.com -m time --timestart 07:00 --timestop 10:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d www.twitter.com -m time --timestart 10:31 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d www.twitter.com -m time --timestart 13:00 --timestop 15:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d twitter.com -m time --timestart 07:00 --timestop 10:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d twitter.com -m time --timestart 10:30 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -p tcp --dport 443 -d twitter.com -m time --timestart 13:00 --timestop 15:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP

exit 0


It does work: HTTPS to both sites can no longer be accessed, while other HTTPS sites still open fine (e.g. Gmail). But there is one problem: the timestart and timestop do not work, so the sites stay blocked all the time.

What would the solution be? If it takes a different way to block HTTPS, that is fine too, whatever works. :D I would appreciate some enlightenment. :)
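The usual reason an xt_time window seems not to work is that `--timestart`/`--timestop` are evaluated in UTC unless `--kerneltz` is given, and Squid 2.7 in transparent mode only sees the port-80 traffic redirected to it, so the HTTPS block has to stay in iptables. The script below is an added example, not the poster's or the forum's code; it assumes iptables >= 1.4.3 on the forwarding router, a hypothetical chain name, and placeholder destination prefixes.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumptions: it runs on the
# router box that forwards client traffic, iptables supports xt_time --kerneltz
# (iptables >= 1.4.3), the chain name is hypothetical and the prefixes are
# placeholders. Why the posted windows seemed ignored: xt_time compares against
# UTC unless --kerneltz is given, so 07:00-10:00 in Jakarta (WIB, UTC+7) really
# matched 00:00-03:00 local time; either pass --kerneltz or convert to UTC.
# Note "-d www.facebook.com" resolves once at insert time; prefer prefixes.
DAYS="Mon,Tue,Wed,Thu,Fri"
CHAIN="HTTPS_JAM_BELAJAR"   # dedicated chain: flush/reload without touching FORWARD
TZ_OFFSET=7                 # local offset from UTC in hours (WIB)
NETS="66.220.144.0/20 69.63.176.0/20"          # placeholder destination prefixes
WINDOWS="07:00-10:00 11:01-12:30 13:01-15:00"  # local time, aligned with the squid acls

# local_to_utc HH:MM OFFSET -> HH:MM in UTC, for an xt_time without --kerneltz.
local_to_utc() {
    h=${1%%:*}; m=${1##*:}
    h=$(( (${h#0} - $2 + 24) % 24 ))   # strip one leading zero: sh reads 08 as octal
    printf '%02d:%s\n' "$h" "$m"
}

# build_rule NET START STOP [TZFLAG] -> prints the iptables command for one window.
# REJECT with a TCP reset makes browsers fail at once instead of hanging as with DROP.
build_rule() {
    printf 'iptables -A %s -p tcp --dport 443 -d %s -m time%s --timestart %s --timestop %s --weekdays %s -j REJECT --reject-with tcp-reset\n' \
        "$CHAIN" "$1" "${4:+ $4}" "$2" "$3" "$DAYS"
}

# rule_utc NET START STOP -> the same rule with the window converted to UTC.
rule_utc() {
    build_rule "$1" "$(local_to_utc "$2" "$TZ_OFFSET")" "$(local_to_utc "$3" "$TZ_OFFSET")"
}

# emit_rules -> one --kerneltz rule per prefix and window.
emit_rules() {
    for net in $NETS; do
        for w in $WINDOWS; do
            build_rule "$net" "${w%-*}" "${w#*-}" --kerneltz
        done
    done
}

# Dry run by default (just print); "apply" creates the chain and loads the rules.
if [ "${1:-}" = apply ]; then
    iptables -N "$CHAIN" 2>/dev/null || iptables -F "$CHAIN"
    iptables -D FORWARD -j "$CHAIN" 2>/dev/null; iptables -I FORWARD -j "$CHAIN"
    emit_rules | sh -e
else
    emit_rules
fi
```

Run it without arguments to review the generated rules, then with `apply` as root; `iptables -L HTTPS_JAM_BELAJAR -n` afterwards shows the windows the kernel actually holds.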
rizaaal
Posts: 1212
Joined: 01 May 2011, 16:02
Location: Bekasi, Indonesia

Re: [HELP] Blocking HTTPS with iptables

Post by rizaaal » 16 Mar 2012, 14:14

Bump.. this problem still isn't solved :eek:
sipelaut
Posts: 1963
Joined: 03 Jan 2010, 17:25
Location: madura-sampang

Re: [HELP] Blocking HTTPS with iptables

Post by sipelaut » 17 Mar 2012, 15:08

Bump---- bump---- from me too ahhhh...
waiting for the master to show up
BTW
if the acl were written directly for https, would that work???
:grin:
