Apr 07 2011

Filtering Gmail/Facebook/Twitter with IPtables

In most cases port base filtering  is an all or none approach. For example if you want to block  a user from accessing a certain website, blocking that user’s access to port 80/443 outbound will stop them from accessing all websites not just that one. If you would like to get more granular then you would need some sort of  web content filtering systems.

Good news is, if you are still using iptables you are now able to filter traffic destined to sites such as Facebook, Twitter, Gmail etc. You can accomplish this by using iptables to block a given hex string that will appear in the initial packet handshake. I first saw this technique being discussed in a full-disclouser posting and I figured it was worth trying out.

The tools of choice here is Ngrep (Network Grep) and IPTables .

Step one: Capture the X.509 certificate

You will be doing this by using ngrep:

[[email protected] ~]# ngrep -d eth2 -q -x ‘Twitter’
interface: eth2 (
match: Twitter

You will then notice the following output in your terminal:


T -> [A]

  1. 30 30 31 16 30 14 06 03    55 04 0a 14 0d 54 77 69    001.0…U….Twi
  2. 74 74 65 72 2c 20 49 6e    63 2e 31 1c 30 1a 06 03    tter, Inc.1.0…
  3. 55 04 0b 14 13 54 77 69    74 74 65 72 20 20 4f 70    U….Twitter  Op


Step two: Creating your IPtable rule

You will be building your rule based on the hex string obtained above.

Prior to applying the rule I able to run the following command:

[[email protected]]$ curl –connect-timeout 60 https://www.twitter.com/
<title>301 Moved Permanently</title>
</head><body><h1>Moved Permanently</h1>
<p>The document has moved <a href=”https://twitter.com/”>here</a>.</p>

IPtable rules to use:

sudo iptables -I INPUT -m string –algo bm –hex-string ‘|303031163014060355040a140d547769747465722c20496e632e311c301a060355040b141354776974|’ -j DROP

sudo iptables -I INPUT -m string –algo bm –hex-string ‘|303031163014060355040a140d547769747465722c20496e632e311c301a060355040b141354776974|’ -j LOG

The first rule will drop the connection to twitter and the second rule will log the entry. If you take a look at your /var/log/message you will see the following entry over and over:

Apr  7 00:05:11 Test kernel: [870656.036848] IN=eth2 OUT= MAC=00:50:56:b2:53:90:00:23:5e:a4:f2:bf:08:00 SRC= DST= LEN=1420 TOS=0x00 PREC=0x00 TTL=44 ID=58494 DF PROTO=TCP SPT=443 DPT=49542 WINDOW=23 RES=0x00 ACK URGP=0

Apr  7 00:05:19 Test kernel: [870664.675930] IN=eth2 OUT= MAC=00:50:56:b2:53:90:00:23:5e:a4:f2:bf:08:00 SRC= DST= LEN=1420 TOS=0x00 PREC=0x00 TTL=44 ID=58496 DF PROTO=TCP SPT=443 DPT=49542 WINDOW=23 RES=0x00 ACK URGP=0

If you try to access www.twitter.com you will get to the site, but when you try login the session will set there and just timeout.

[[email protected]]$ curl –connect-timeout 60 https://www.twitter.com/
curl: (35) SSL connect error


I was unable to use the following IPtable rule on a Ubuntu based system but it worked fine on my Fedora 14 test box. Also another thing to look out for is if you use too short of a hex string will will get an error the one I used was about 85 characters give or take.

Have fun filtering and post your comments about how you are currently using IPtables.


4 Responses to “Filtering Gmail/Facebook/Twitter with IPtables”

  1. al mic says:


    I used dns redirect for that domain name.
    I made a zone for facebook.com and pointed to some private ip, and only allowed my client or network to check that dns zone.
    Then I also added an iptables rule to drop the traffic to that private ip

  2. Sherwyn says:

    Thats not a bad approach either, I was just using this example as a poor man’s way of getting the job done :).

  3. Er1c says:

    You can keep people off of that junk easier with:

    sudo echo “ facebook.com” >> /etc/hosts

    One command. Or if just during work hours see:

  4. Sherwyn says:

    Good call, thank you!

Leave a Reply

You must be logged in to post a comment.

Alibi3col theme by Themocracy

Read previous post:
Hey, i’m still around.

I know its been close to a month give or take since my last post so I just wanted to...