[arch-general] Iptables block https traffic apache
Hi, I have configured apache + php + mysql in my house. I would like to block specific URL traffic over https... I found this:

iptables -A OUTPUT -p tcp --sport 443 -m string --string "anything" --algo kmp -j REJECT

But it does not work... With http it works very well... Any ideas?? Thanks in advance.
As the traffic is encrypted, iptables cannot analyse it. Apache must be the one who blocks here.

On 2016-11-04 12:07, Maykel Franco via arch-general wrote:
> Hi, I have configured apache + php + mysql in my house. I would like to block specific URL traffic over https...
> I found this:
> iptables -A OUTPUT -p tcp --sport 443 -m string --string "anything" --algo kmp -j REJECT
> But it does not work... With http it works very well...
> Any ideas??
> Thanks in advance.
2016-11-04 12:09 GMT+01:00 Björn Fries via arch-general <arch-general@archlinux.org>:
> As the traffic is encrypted, iptables cannot analyse it. Apache must be the one who blocks here.
How can I block it in Apache? The traffic enters anyway... what I want is that the requests do not enter, that Apache does not process them?
On Fri, Nov 4, 2016 at 7:12 AM Maykel Franco via arch-general <arch-general@archlinux.org> wrote:
> How can I block it in Apache? The traffic enters anyway... what I want is that the requests do not enter, that Apache does not process them?
From your description, it sounds like you want to block incoming traffic, but your iptables rule is attempting to stop traffic leaving the Apache box. Could you clarify this?
If you are trying to only serve content to other machines on your home network, and block all incoming traffic from the world, you may want to DROP input by default, and whitelist the IP range(s) you want to allow, in this case your home network. You could also set up ip filtering at the router, if it supports that.
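One way to apply the "DROP by default, whitelist the home network" suggestion above, as an added example that is not code from the thread: a POSIX shell script that emits an iptables-restore ruleset with a default DROP on INPUT and only the LAN admitted to ports 80 and 443. The LAN range 192.168.1.0/24 and the script name lan-only.sh are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset that
# DROPs inbound traffic by default and admits only the home LAN to Apache.
# The string match in the original rule cannot work on port 443: after the TLS
# handshake every byte iptables sees is ciphertext, so the URL is never visible.
# Per-URL decisions must be made by Apache itself (e.g. "Require ip" inside a
# <Location> block), which means the TLS connection still reaches the server.
#
# Usage: ./lan-only.sh 192.168.1.0/24 | sudo iptables-restore
# (192.168.1.0/24 is an assumed placeholder for the home network)

# Refuse anything that does not look like a dotted-quad IPv4 CIDR, so a typo
# cannot silently turn into a rule that admits the whole Internet.
valid_cidr() {
  case "$1" in
    [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print a complete filter table in iptables-restore format for the given LAN.
gen_rules() {
  lan="$1"
  valid_cidr "$lan" || { echo "gen_rules: invalid CIDR '$lan'" >&2; return 1; }
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this host opened are always allowed.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# New HTTP/HTTPS connections are accepted only from the home network.
-A INPUT -s $lan -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Everyone else gets a clean refusal on the web ports instead of a silent timeout;
# all other ports fall through to the INPUT chain's DROP policy.
-A INPUT -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# When run as a script, emit the ruleset for the CIDR given on the command line.
if [ "$#" -eq 1 ]; then
  gen_rules "$1"
fi
```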
participants (3): Björn Fries, Maykel Franco, Travis Collins