
I'm using CentOS 5.8(final), kernel 2.6.18-308.8.2, iptables v1.3.5

I want to block an HTTPS POST/GET request to the outside that matches a string (defined as ABCxyz) in the POST/GET payload. I tried to block outgoing HTTPS GET requests by adding the following rule to iptables:

iptables -I OUTPUT -p tcp --dport 443 -m string --string 'GET / HTTP/1.1' --algo bm -j DROP

I don't know why, when I run the curl command as below, it still works:

curl https://website.com

It should have been blocked, as I imagined, but ...

Do you have any ideas about that?

lx8
  • Because it's encrypted, of course. – Michael Hampton Sep 23 '14 at 02:34
  • Thank you! Is there any way to overcome the HTTPS encryption problem in this case? – lx8 Sep 23 '14 at 02:54
  • It's hard to say, since you haven't explained what you're actually trying to do. – Michael Hampton Sep 23 '14 at 02:56
  • Yes, I see. Actually I want to block an HTTPS POST/GET request to the outside that matches a string (defined as ABCxyz) in the POST/GET payload. I have tried to find a solution but have not been successful so far. – lx8 Sep 23 '14 at 03:16
  • Have you looked at other ways of achieving the same end, such as not making the requests in the first place? Or, if it's just one website, rejecting all traffic on port 443 to the IP address of the website in question? – Ladadadada Sep 23 '14 at 17:29
  • In my case, the requirement is a little complex. I only want to prevent some HTTPS POST/GET requests which match the predefined string in their payload. Others that don't match are allowed. After searching around, I think this policy should be done at the application layer. It's too expensive to do it at the TCP/IP layer. – lx8 Sep 24 '14 at 03:35

1 Answer

HTTPS requests are encrypted with a shared secret between the client and the server. The encrypted data can only be decrypted if you have the shared secret, which is generated during the TLS handshake.

So to inspect the data, you need to somehow retrieve the shared secret, and even then you still have to get iptables to use it to decrypt the traffic and then inspect it. Iptables is not the right tool for what you're trying to achieve; you should look at an HTTPS proxy. Keep in mind that in some jurisdictions this is illegal.

For more information on how HTTPS works you can check out this link.

Big thanks to @poige for pointing out the inaccuracies in my original answer.

Iskren
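To illustrate the answer's point, here is an added Python example (not code from the original post, from iptables or from any TLS library) that simulates the TLS record layer: a substring search like `-m string --string` finds the request in plain HTTP, sees only the cleartext 5-byte record header in the encrypted record, and matches again only after decrypting with the shared secret that a proxy would hold. The SHA-256 counter-mode keystream, the request text, the pattern and the secret are constructed stand-ins for illustration, not real TLS.

```python
import hashlib
import struct

# Constructed sample values: the request the asker wants to catch and the pattern from the rule.
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: website.com\r\n\r\nABCxyz"
PATTERN = b"GET / HTTP/1.1"

def string_match(packet: bytes, pattern: bytes) -> bool:
    """Substring search over one packet: the effect of iptables -m string --string."""
    return packet.find(pattern) != -1

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for the TLS record cipher: SHA-256 in counter mode. Constructed for
    illustration only; real TLS uses AES-GCM, ChaCha20-Poly1305 and friends."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
    return out[:length]

def encrypt_record(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """TLS 1.2-style application_data record: cleartext 5-byte header (type 23,
    version 0x0303, length) followed by the body XORed with the keystream."""
    ks = keystream(key, struct.pack(">Q", seq), len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, ks))
    return struct.pack(">BHH", 23, 0x0303, len(body)) + body

def decrypt_record(key: bytes, seq: int, record: bytes) -> bytes:
    """What a proxy holding the shared secret can do: strip the header, undo the XOR."""
    _ctype, _version, length = struct.unpack(">BHH", record[:5])
    ks = keystream(key, struct.pack(">Q", seq), length)
    return bytes(c ^ k for c, k in zip(record[5:5 + length], ks))

def record_header(record: bytes) -> tuple:
    """The only fields a packet filter can read without the key: type, version, length."""
    ctype, version, length = struct.unpack(">BHH", record[:5])
    return ctype, hex(version), length

def demo() -> dict:
    # In reality the secret comes out of the TLS handshake; here it is a constructed value.
    shared_secret = hashlib.sha256(b"constructed handshake secret").digest()
    record = encrypt_record(shared_secret, 1, HTTP_REQUEST)
    return {
        "plain_http_matches": string_match(HTTP_REQUEST, PATTERN),  # True: a port-80 rule would fire
        "tls_record_matches": string_match(record, PATTERN),  # False: the port-443 rule sees ciphertext
        "visible_header": record_header(record),  # (23, '0x303', 43): all the filter can see
        "after_decrypt_matches": string_match(decrypt_record(shared_secret, 1, record), PATTERN),  # True
    }
```

Running `demo()` shows the same rule firing on the plaintext and staying silent on the record, which is exactly why the port 443 rule in the question never drops anything.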
  • OK, it's clearer for me now. But with an HTTPS proxy, I think we also couldn't decrypt the HTTPS payload to find the matching string, because we aren't the owner of that site (HTTPS site), which means we don't legally have its private key. Am I right? – lx8 Sep 23 '14 at 09:14
  • Correct, if you're using a direct TLS/SSL connection to the other end. If your browser uses CONNECT tunnels, you can use the HTTPS proxy in MITM (see Squid proxy) and the proxy can inspect the queries. – Iskren Sep 23 '14 at 13:24
  • > HTTPS requests are encrypted with the server's public key — *wrong*. The connection is private (or secure) because symmetric cryptography is used to encrypt the data transmitted © Wikipedia – poige Apr 28 '17 at 05:58
  • you're messing up symmetric vs asymmetric crypto – poige Feb 18 '20 at 10:46