
I'm developing a Captive Portal system and (for now), I would like to know if there is any way to block HTTPS traffic on a Transparent Proxy setup.

Here is what I have: a GNU/Linux Router (Netfilter), running Squid v3.4.8 with the following configuration for its interfaces.

eth2 (LAN): 192.168.0.0/24, 172.16.255.1/27, 10.255.255.0/24

eth1 (WAN): 192.168.100.0/24

Here are the firewall rules that I have right now, and even though I'm using a rule like this, for a specific IP, it just doesn't work:

-A INPUT -i eth2 -p tcp -s 192.168.0.11 --dport 443 -j REJECT

I'm probably missing something important (sorry if I'm too blind...). I just can't figure out why I cannot simply deny access to destination port 443 for a specific IP from my network.

I'm using PREROUTING rules, but all of them redirect traffic destined to port 80 (HTTP) to 3128 (Squid).

*nat
:PREROUTING ACCEPT [19:2473]
:INPUT ACCEPT [13:2173]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

######### SQUID (Transparent Proxy Rules) #########

-A PREROUTING -i eth2 -s 192.168.0.0/24  -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
-A PREROUTING -i eth2 -s 172.16.255.0/27 -p tcp --dport 80 -j DNAT --to-destination 172.16.255.1:3128
-A PREROUTING -i eth2 -s 10.255.255.0/26 -p tcp --dport 80 -j DNAT --to-destination 10.255.255.1:3128
-A POSTROUTING -o eth1 -j MASQUERADE
-A PREROUTING -i eth1 -p tcp --sport 80 -j REDIRECT --to-port 3128

###################################################

COMMIT

*filter
:INPUT ACCEPT [18:2650]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [33:3188]


########## Basic Setup + Network Traffic #########

### Default Policies
-P INPUT DROP
-P OUTPUT ACCEPT
-P FORWARD DROP

### ICMP (all interfaces)
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

### Allow Traffic (loopback/localhost/127.0.0.1)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

### Allow Traffic (LAN)
-A INPUT -i eth2 -j ACCEPT
-A OUTPUT -o eth2 -j ACCEPT

####################################################



################ Essential Services ################

### SSH (Access to Server Shell - Command Line)
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 22 -j ACCEPT

### DNS (Translation of Names to IP Addresses)
-A INPUT -i eth1 -p udp --sport 53 -j ACCEPT
-A INPUT -i eth1 -p tcp --sport 53 -j ACCEPT

### NTP (Server Clock and DHCP Clock)
-A INPUT -i eth1 -p udp --sport 123 -j ACCEPT

### SAMBA (File Server)
# WAN
-A INPUT -i eth1 -p udp --dport 137 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW --dport 137 -j ACCEPT
-A INPUT -i eth1 -p udp --dport 138 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW --dport 138 -j ACCEPT
-A INPUT -i eth1 -p udp --dport 139 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW --dport 139 -j ACCEPT
-A INPUT -i eth1 -p udp --dport 445 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW --dport 445 -j ACCEPT
# LAN
-A INPUT -i eth2 -p udp --dport 137 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 137 -j ACCEPT
-A INPUT -i eth2 -p udp --dport 138 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 138 -j ACCEPT
-A INPUT -i eth2 -p udp --dport 139 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 139 -j ACCEPT
-A INPUT -i eth2 -p udp --dport 445 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 445 -j ACCEPT

### EMAIL
# SMTP
-A INPUT -i eth2 -p tcp --sport 25 -j ACCEPT
-A INPUT -i eth2 -p tcp --sport 587 -j ACCEPT
# POP/POP over SSL
-A INPUT -i eth2 -p tcp --sport 110 -j ACCEPT
-A INPUT -i eth2 -p tcp --sport 995 -j ACCEPT
# IMAP/IMAP over SSL
-A INPUT -i eth2 -p tcp --sport 143 -j ACCEPT
-A INPUT -i eth2 -p tcp --sport 993 -j ACCEPT

### Ubiquiti

-A INPUT -i eth2 -p tcp --dport 8080 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 8081 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 8443 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 8880 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 8843 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 27117 -j ACCEPT

-A INPUT -i eth2 -p tcp --sport 8080 -j ACCEPT
-A INPUT -i eth2 -p tcp --sport 8081 -j ACCEPT
-A INPUT -i eth2 -p tcp --sport 8443 -j ACCEPT
-A INPUT -i eth2 -p tcp --sport 8880 -j ACCEPT
-A INPUT -i eth2 -p tcp --sport 8843 -j ACCEPT
-A INPUT -i eth2 -p tcp --sport 27117 -j ACCEPT

####################################################



############### Additional Services ################

### VNC
-A INPUT -i eth1 -p tcp --dport 5800 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 5900 -j ACCEPT

### DROPBOX

# LanSync
-A INPUT -i eth2 -p udp --dport 17500 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 17500 -j ACCEPT
# OpenButton
-A INPUT -i eth2 -p udp --dport 17600 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 17600 -j ACCEPT
-A INPUT -i eth2 -p udp --dport 17603 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 17603 -j ACCEPT

### Apple Services

# APNS (Apple Push Notification Service - iCloud)
-A INPUT -i eth2 -p tcp --dport 5223 -j ACCEPT

####################################################



######## Network Traffic + Logging + Router ########

### Allow Traffic for Opened Connections (ESTABLISHED, RELATED)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### Log All Traffic (syslog)
-A INPUT -j LOG --log-prefix "[netfilter] "

### Routing Configuration (eth2 [LAN] <-> [WAN] eth1)
-A FORWARD -i eth2 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT

####################################################

COMMIT

Any help would be much appreciated.

ivanleoncz
  • Can you provide the output of: iptables -L -n -v --line-numbers Maybe you have a rule accepting the '192.168.0.11 source address to any destination at port 443' prior to your REJECT statement? The output of the iptables command above should show that. – boards188 Sep 28 '17 at 21:48

2 Answers

3

Well... There is a lot to say about your iptables rules (for example, the ESTABLISHED state rule should come first)... But about the specific problem you are asking about, remember that INPUT is for incoming traffic ending locally, not for traffic going through, for which you should use FORWARD.

progfou
  • I was about to say that, as I was reading with more attention about "the packet journey" across Kernel/Netfilter. Thanks, man :). – ivanleoncz Oct 02 '17 at 21:01
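To make the accepted point concrete, here is an added example (written for this page, not the asker's captive-portal code) that models the Netfilter filter-table path with a reduced copy of the question's rules: a packet whose destination is the router itself walks INPUT, while a packet the router only routes to another host walks FORWARD and never touches INPUT. The `Packet`, `Rule` and `verdict` names are my own constructions, and the sample packets are constructed; only the addresses, interfaces and ports come from the question.

```python
"""Model of the INPUT-vs-FORWARD split in the Netfilter filter table.

Constructed for illustration: first matching rule wins, then the chain
policy applies, exactly as iptables evaluates a chain. The rule sets
mirror the relevant lines of the question (eth2 = LAN, eth1 = WAN).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: Optional[str]   # None when the router itself is the destination
    src: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    src: Optional[str] = None  # single address or CIDR, as for iptables -s
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every match option that is set must agree with the packet."""
        if self.in_iface is not None and self.in_iface != pkt.in_iface:
            return False
        if self.out_iface is not None and self.out_iface != pkt.out_iface:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in \
                ipaddress.ip_network(self.src, strict=False):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True

    def to_iptables(self) -> str:
        """Render the rule in iptables-restore syntax, as a script would emit it."""
        parts = ["-A", self.chain]
        if self.in_iface:
            parts += ["-i", self.in_iface]
        if self.out_iface:
            parts += ["-o", self.out_iface]
        if self.src:
            parts += ["-s", self.src]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        return " ".join(parts + ["-j", self.target])


def chain_for(pkt: Packet) -> str:
    """After the routing decision a locally addressed packet goes to INPUT;
    anything routed to another host goes to FORWARD only."""
    return "INPUT" if pkt.out_iface is None else "FORWARD"


def verdict(rules: List[Rule], policies: Dict[str, str], pkt: Packet) -> Tuple[str, str]:
    """Walk the chain the packet actually traverses; first match wins."""
    chain = chain_for(pkt)
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt):
            return chain, rule.target
    return chain, policies[chain]


POLICIES = {"INPUT": "DROP", "FORWARD": "DROP"}
BLOCK_443 = dict(in_iface="eth2", src="192.168.0.11", proto="tcp", dport=443)

# The question's attempt: the REJECT sits in INPUT, followed by the LAN accept.
ORIGINAL = [
    Rule("INPUT", "REJECT", **BLOCK_443),
    Rule("INPUT", "ACCEPT", in_iface="eth2"),
    Rule("FORWARD", "ACCEPT", in_iface="eth2", out_iface="eth1"),
]
# The fix the asker reported: the same match in FORWARD, before the LAN->WAN accept.
FIXED = ORIGINAL[:2] + [Rule("FORWARD", "REJECT", **BLOCK_443)] + ORIGINAL[2:]
# Same rule appended after the accept: it is never reached.
MISORDERED = ORIGINAL + [Rule("FORWARD", "REJECT", **BLOCK_443)]

# Constructed sample traffic from the blocked host.
TO_INTERNET = Packet("eth2", "eth1", "192.168.0.11", "tcp", 443)  # HTTPS via the router
TO_ROUTER = Packet("eth2", None, "192.168.0.11", "tcp", 443)      # HTTPS to the router itself

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED), ("misordered", MISORDERED)):
        print(f"{name:10s} forwarded: {verdict(rules, POLICIES, TO_INTERNET)}"
              f"  local: {verdict(rules, POLICIES, TO_ROUTER)}")
    print(FIXED[2].to_iptables())
```

Note what the model also shows about the question's nat table: the PREROUTING DNAT sends port-80 traffic to the router's own address and port 3128, so after DNAT that traffic is locally destined and does walk INPUT, which is why INPUT rules appear to work for HTTP but not for HTTPS, which is simply routed out through FORWARD. The ordering case matters for a script that appends rules at runtime: the rule must be placed before the generic `-A FORWARD -i eth2 -o eth1 -j ACCEPT`, or inserted with `-I FORWARD`, to have any effect.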
0

I suggest blocking it using a Squid ACL. I have blocked a port using Squid before.

acl block_port port 443
acl block_port_ip src 192.168.0.11
http_access deny block_port block_port_ip
5thphase
  • I appreciate your help, @5thphase, but right now, for my project, I'd rather use an `iptables` approach, since a packet will pass through `kernel` inspection before anything else. – ivanleoncz Sep 26 '17 at 16:59
  • @ivanleoncz Try removing the `-i` option, so it will be `-A INPUT -p tcp -s 192.168.0.11 --dport 443 -j REJECT`. When messing with iptables, I rarely used the `-i` and `-o` options. – 5thphase Sep 27 '17 at 03:01
  • I'm working on a Captive Portal which I'm developing in Python, using `iptables`. I tried what you mentioned above, and it didn't work. What really worked was a `FORWARD` rule. Thanks for your availability to help. – ivanleoncz Sep 28 '17 at 16:43