IPTable Rules to allow one domain and block all other HTTPS

aamirshafiq
Posts: 3
Joined: 2015/03/10 10:28:02

IPTable Rules to allow one domain and block all other HTTPS

Post by aamirshafiq » 2015/03/10 10:30:27

Hi!
I am using two LAN cards in my proxy to route and filter traffic. eth0 is connected to the Internet and eth1 to the internal network.

I use the following rule to block HTTPS to Facebook. It's working fine.
iptables -A FORWARD -i eth1 -s 192.168.1.100 -p tcp --dport 443 -d www.facebook.com -j DROP

I use this rule to block all HTTPS traffic for a specific host.
iptables -A FORWARD -i eth1 -s 192.168.1.100 -p tcp --dport 443 -j DROP

What do I need to do to allow only the destination gmail.com or www.gmail.com and block all other HTTPS traffic?

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: IPTable Rules to allow one domain and block all other HT

Post by TrevorH » 2015/03/10 11:42:20

That's not really a very robust solution. When you add the iptables rule it looks up www.facebook.com, gets its IP address and adds the rule with that IP address in it. It does not dynamically change the IP address later if DNS changes. I just looked up facebook from two different hosts and got two different IP addresses back. Your way will only block one of those.

Why are you not looking at solutions like squid or other proxy servers which are designed to do this sort of thing?

aamirshafiq
Posts: 3
Joined: 2015/03/10 10:28:02

Re: IPTable Rules to allow one domain and block all other HT

Post by aamirshafiq » 2015/03/11 05:20:27

Yes, you are right. Facebook uses different IP addresses, but they usually remain the same within one region. I have tested this.
Well, with proxies like squid or dansguardian I am unable to handle HTTPS traffic.
I just want to use iptables to open www.gmail.com (Gmail IPs) and block all other HTTPS traffic.

aamirshafiq
Posts: 3
Joined: 2015/03/10 10:28:02

Re: IPTable Rules to allow one domain and block all other HT

Post by aamirshafiq » 2015/03/11 05:33:13

I have tried these rules.

(74.125.226.0 - Gmail IPs)

iptables -A FORWARD -i eth1 -s 192.168.10.100 -d 74.125.226.0/24 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.10.100 -p tcp --dport 443 -j REJECT

I am unable to open Gmail, and all HTTPS traffic is blocked. I tried putting the IP address of gmail.com (74.125.226.54) in the browser and it opens google.com.
Any help please?
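The script below is an added example, not code from this thread or from any of its posters. It addresses both points raised above: TrevorH's objection that a hostname in an iptables rule is resolved once, when the rule is added, and the last post's goal of allowing HTTPS from one LAN client only to the addresses a hostname resolves to. Instead of a fixed /24 it keeps the current addresses in an ipset that a cron job can refresh, and it puts the rules in their own chain so that re-running the script replaces them rather than stacking copies. Two iptables facts matter for the rules in the last post: the chain stops at the first match, so the ACCEPT must come before the REJECT and any earlier blanket "--dport 443 -j DROP" left in FORWARD would shadow the ACCEPT; and Google serves many of its services from the same address ranges, so allowing the addresses behind www.gmail.com also reaches google.com, which is consistent with what the poster saw. Like the rules in the thread, the script filters only the client's outbound direction; the reply path arriving on eth0 is left to the rest of FORWARD. The interface eth1, the client 192.168.10.100, the hostname www.gmail.com and the set and chain names https_allow and HTTPS_FILTER are this example's assumptions; the RESOLVED_IPS override and DRY_RUN mode exist so the commands can be reviewed without touching a live firewall.

```shell
#!/bin/sh
# Added example, not from the thread: allow HTTPS from one LAN client only to
# the addresses a hostname currently resolves to, reject all other HTTPS from
# that client, and keep the address list fresh via an ipset. Re-run from cron.
# Assumed: eth1 is the LAN side, 192.168.10.100 is the client, ipset and
# iptables are installed. The set and chain names are this example's own.
LAN_IF="${LAN_IF:-eth1}"
CLIENT="${CLIENT:-192.168.10.100}"
ALLOW_HOST="${ALLOW_HOST:-www.gmail.com}"
SET="${SET:-https_allow}"
CHAIN="${CHAIN:-HTTPS_FILTER}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD ARGS...: execute, or only print the command when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# resolve_host NAME: print one IPv4 address per line. RESOLVED_IPS (space
# separated) overrides DNS so a dry run stays offline and reproducible.
resolve_host() {
  if [ -n "${RESOLVED_IPS:-}" ]; then
    printf '%s\n' $RESOLVED_IPS
  else
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
  fi
}

# refresh_set: rebuild the allow set from a fresh lookup. Filling a temporary
# set and swapping it in avoids a window in which the live set is empty.
refresh_set() {
  run ipset -exist create "$SET" hash:ip
  run ipset -exist create "${SET}_tmp" hash:ip
  run ipset flush "${SET}_tmp"
  for ip in $(resolve_host "$ALLOW_HOST"); do
    run ipset -exist add "${SET}_tmp" "$ip"
  done
  run ipset swap "${SET}_tmp" "$SET"
  run ipset destroy "${SET}_tmp"
}

# install_rules: a dedicated chain, so re-runs replace the rules instead of
# stacking them. iptables stops at the first match, so ACCEPT precedes REJECT;
# a blanket "--dport 443 -j DROP" earlier in FORWARD would shadow both.
install_rules() {
  run iptables -N "$CHAIN" 2>/dev/null || true
  run iptables -F "$CHAIN"
  # Keep connections that were allowed before the set last changed.
  run iptables -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A "$CHAIN" -p tcp --dport 443 -m set --match-set "$SET" dst -j ACCEPT
  run iptables -A "$CHAIN" -p tcp --dport 443 -j REJECT --reject-with tcp-reset
  run iptables -A "$CHAIN" -j RETURN   # non-HTTPS traffic falls through to FORWARD
  # Hook the chain for this client's outbound traffic only; the reply path on
  # eth0 is handled by the rest of FORWARD, as with the rules in the thread.
  if [ "$DRY_RUN" = 1 ] || ! iptables -C FORWARD -i "$LAN_IF" -s "$CLIENT" -j "$CHAIN" 2>/dev/null; then
    run iptables -I FORWARD 1 -i "$LAN_IF" -s "$CLIENT" -j "$CHAIN"
  fi
}

main() {
  case "${1:-}" in
    apply)   refresh_set; install_rules ;;
    dry-run) DRY_RUN=1; refresh_set; install_rules ;;
    *) printf 'usage: %s apply|dry-run\n' "$0" >&2; return 2 ;;
  esac
}

# Act only when a mode is given, so the functions can be sourced on their own.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh allow-https.sh dry-run` first to see the exact ipset and iptables commands it would issue, then `apply`; a cron entry that calls `apply` every few minutes keeps the set in step with DNS. Because the set only ever holds what the proxy itself resolves, a client that resolves the hostname to an address the proxy has not seen will be rejected until the next refresh, which is the price of matching on addresses rather than on the TLS server name.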
