On Mon, Dec 15, 2014 at 07:14:26PM +0100, meino.cra...@gmx.de wrote
> But it does not work as expected: With wireshark I still see
> the crypted traffic for example to secure.informaction.com and
> s3-1.amazonaws.com by starting firefox and doing nothing more
> (homepage is a blank page...).
>
> So I need bigger weapons...
First, get the IP addresses...

[d531][waltdnes][~] nslookup s3-1.amazonaws.com
Server:         208.67.222.222
Address:        208.67.222.222#53

Non-authoritative answer:
Name:   s3-1.amazonaws.com
Address: 54.231.1.0

[d531][waltdnes][~] nslookup secure.informaction.com
Server:         208.67.222.222
Address:        208.67.222.222#53

Non-authoritative answer:
Name:   secure.informaction.com
Address: 82.103.140.40
Name:   secure.informaction.com
Address: 82.103.140.42
Name:   secure.informaction.com
Address: 69.195.141.179
Name:   secure.informaction.com
Address: 69.195.141.178

With that info in hand, add the following at the top of your iptables
"OUTPUT" chain...

-A OUTPUT -d 69.195.141.178/31 -j DROP
-A OUTPUT -d 82.103.140.40/30 -j DROP
-A OUTPUT -d 54.231.1.0/32 -j DROP

The first one drops 69.195.141.178 and 69.195.141.179. The second one
drops 82.103.140.40, 82.103.140.41, 82.103.140.42, and 82.103.140.43.
The third one drops 54.231.1.0. The Amazon cloud service covers
54.230.0.0/15. If s3-1.amazonaws.com is "dynamic", you may have to block
that entire range.

For those of you who are interested, I'm attaching a copy of my
/var/lib/iptables/rules-save which is tweaked for my LAN. Note the
following...

* this is a paranoid ruleset for general client end-users only. It will
  *NOT* work for a server
* the 192.168.x.y addresses are for my internal LAN
* the 169.254.0.0/16 range is for my HDHomerun OTA TV tuner
* the "FECESBOOK" rules block Facebook, coming and going. Firefox spins
  its wheels for several seconds "Connecting to facebook.com", before
  giving up.

-- 
Walter Dnes <waltd...@waltdnes.org>
I don't run "desktop environments"; I run useful applications
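The manual step in the post above (resolve the names, then pick the smallest CIDR block that covers each cluster of returned addresses) as an added Python example; this is not code from Walter's post. It reproduces his three DROP rules from the nslookup results embedded below as constructed input, and also reports which never-resolved addresses a widened block drops as collateral. The /29 cluster size and the input table are assumptions.

```python
import ipaddress

# Constructed sample input: the addresses the two nslookup runs in the
# post returned (assumption: what these names resolve to can change).
RESOLVED = {
    "s3-1.amazonaws.com": ["54.231.1.0"],
    "secure.informaction.com": ["82.103.140.40", "82.103.140.42",
                                "69.195.141.179", "69.195.141.178"],
}


def cluster_blocks(addrs, cluster_prefix=29):
    """Group addresses that share one /<cluster_prefix>, then return the
    smallest CIDR block containing each group. For the post's data this
    yields exactly the hand-picked /31, /30 and /32."""
    ips = sorted({ipaddress.ip_address(a) for a in addrs})
    blocks, i = [], 0
    while i < len(ips):
        bucket = ipaddress.ip_network(f"{ips[i]}/{cluster_prefix}", strict=False)
        j = i
        while j + 1 < len(ips) and ips[j + 1] in bucket:
            j += 1                                   # extend the cluster
        net = ipaddress.ip_network(f"{ips[i]}/32")   # start from a host route
        while ips[j] not in net:                     # widen until the group fits
            net = net.supernet()
        blocks.append(net)
        i = j + 1
    return blocks


def overblocked(block, addrs):
    """Addresses inside a block that were never resolved (over-blocking)."""
    wanted = {ipaddress.ip_address(a) for a in addrs}
    return [str(h) for h in block if h not in wanted]


def drop_rules(resolved, chain="OUTPUT"):
    """iptables-save style DROP rules plus a per-block over-block report."""
    rules, report = [], {}
    for addrs in resolved.values():
        for block in cluster_blocks(addrs):
            rules.append(f"-A {chain} -d {block} -j DROP")
            extra = overblocked(block, addrs)
            if extra:
                report[str(block)] = extra
    return rules, report


if __name__ == "__main__":
    rules, report = drop_rules(RESOLVED)
    print("\n".join(rules))
    for blk, extra in report.items():
        print(f"# {blk} also drops never-resolved {', '.join(extra)}")
```

The report makes the trade-off in the post explicit: the /30 silently covers 82.103.140.41 and .43, and widening to the whole 54.230.0.0/15 would drop far more.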