Facebook (now Meta) has eyes everywhere on the
Internet. It spies on everyone and sells data to advertisers and
governments, violating your privacy and basic civil freedoms and
rights.

It does not spy on you only if you have an account. It also
spies on you through unrelated sites by planting cookies on
your machine through several mechanisms. Even simple buttons on
a news site send data to Facebook.

Facebook knows you *better* than your friends and family.

With the following guide you completely block Facebook from
accessing your machine. Both IN and OUT traffic to/from Facebook
is blocked.

Of course it does not help if your friends give information to
Facebook about you. But in any case it is better than nothing.

Quick setup

1. Install whois (Ubuntu: sudo apt-get install whois;
   Arch Linux: sudo pacman -S whois) and, similarly, awk.

2. Copy the scripts blockfacebook and allowfacebook as root into
   /usr/local/bin and make sure they are executable:

    sudo cp blockfacebook /usr/local/bin/
    sudo cp allowfacebook /usr/local/bin/
    sudo chmod +x /usr/local/bin/blockfacebook
    sudo chmod +x /usr/local/bin/allowfacebook

3. Copy blockfacebook.service into /etc/systemd/system/ and make
   it executable:

    sudo cp blockfacebook.service /etc/systemd/system/
    sudo chmod +x /etc/systemd/system/blockfacebook.service

4. Copy blockfacebookrestart into /etc/cron.daily/ and make it
   executable:

    sudo cp blockfacebookrestart /etc/cron.daily/
    sudo chmod +x /etc/cron.daily/blockfacebookrestart

5. Enable and start the service:

    sudo systemctl enable blockfacebook
    sudo systemctl start blockfacebook

If for some reason you want to temporarily unblock access to
Facebook, execute

    sudo /usr/local/bin/allowfacebook

See below for Twitter and TikTok.

Explanations

Facebook and all big companies use a lot of addresses and IPs.
So how do you find them in order to block them? Each company
has an AS (Autonomous System) number, and all of its IPs are
bound to that AS number. This number for Facebook is AS32934.
So once you have the AS number you can find all the IPs
assigned to the company and then block them with standard
firewall tools.

Assume you want to block Facebook. First get an IP in their
block:

    nslookup www.facebook.com

This will return at least one IP. For example, among other
things, I got:

    Address: 31.13.84.36

Now we find the AS number that this IP belongs to:

    whois -h whois.radb.net 31.13.84.36

Among other things we read:

    origin: AS32934

Now we have the AS number of this company.

The script blockfacebook given above has just two lines that it
executes. For IPv4:

    /usr/bin/whois -h "whois.radb.net" -- '-i origin AS32934' | grep -E "^route:" | awk '{print $NF}' | sed -r 's/(.*)/iptables -I OUTPUT -d \1 -j REJECT/' | source /dev/stdin

and for IPv6:

    /usr/bin/whois -h "whois.radb.net" -- '-i origin AS32934' | grep -E "^route6:" | awk '{print $NF}' | sed -r 's/(.*)/ip6tables -I OUTPUT -d \1 -j REJECT/' | source /dev/stdin

The whois command asks whois.radb.net for all IP prefixes
registered with origin AS32934; i.e., all Facebook IPs. Then the
grep command keeps only the lines that contain the prefixes and
the awk command extracts just the prefix from each line. For each
of them sed prepares an iptables firewall command to block
traffic to that prefix. The final source command executes them
one by one.
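
The pipelines above hand whatever whois.radb.net returns to a root shell through source. As an added example (not the page's blockfacebook script), the following extracts the same route: and route6: values, checks that each one has the shape of a CIDR prefix, and passes it to the firewall tool as a single argument. The function names, the RUNNER variable and the sample reply are assumptions made for illustration.

```shell
# Added example, not the page's blockfacebook script: validate before applying.

# Shape checks only: digits, dots, hex and colons plus a prefix length.
# iptables itself still rejects out-of-range octets such as 999.
V4_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
V6_RE='^[0-9A-Fa-f:]+/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'

# "echo" makes this a dry run; set RUNNER="" (as root) to apply the rules.
RUNNER="echo"

# Constructed sample of a RADB reply (documentation prefixes and AS number),
# including one malformed route value that must not reach the firewall.
SAMPLE='route:      192.0.2.0/24
descr:      constructed sample
origin:     AS64496
route:      198.51.100.0/24;true
route:      192.0.2.0/24
route6:     2001:db8::/32
origin:     AS64496'

# Read whois text on stdin; print each distinct, well-formed prefix.
# $1 is the attribute to read: "route" (IPv4) or "route6" (IPv6).
extract_prefixes() {
    case "$1" in
        route)  re="$V4_RE" ;;
        route6) re="$V6_RE" ;;
        *)      echo "unknown attribute: $1" >&2; return 2 ;;
    esac
    awk -v k="$1:" '$1 == k { $1 = ""; sub(/^ +/, ""); print }' | sort -u |
    while IFS= read -r value; do
        if printf '%s\n' "$value" | grep -Eq "$re"; then
            printf '%s\n' "$value"
        else
            printf 'rejected unexpected value: %s\n' "$value" >&2
        fi
    done
}

# Read prefixes on stdin; each is passed to the tool named in $1 (iptables or
# ip6tables) as one quoted argument, so it is never interpreted as shell code.
block_prefixes() {
    while IFS= read -r prefix; do
        $RUNNER "$1" -I OUTPUT -d "$prefix" -j REJECT
    done
}

# Dry run on the sample; for real use feed it the whois command from the page.
printf '%s\n' "$SAMPLE" | extract_prefixes route | block_prefixes iptables
printf '%s\n' "$SAMPLE" | extract_prefixes route6 | block_prefixes ip6tables
```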

The script allowfacebook does the opposite and disables the
block.

Then we have two more files, blockfacebook.service and
blockfacebookrestart for the cron service. The first one
guarantees that the blocking script is executed every time
you reboot. The cron script placed in /etc/cron.daily/
guarantees that the blocking script is executed at least once
per day, to catch IPs that Facebook may have added to its
IP block during the day.

How to block TikTok

TikTok now has trackers on many, many sites. This is reason
enough to block it as well. Edit the blockfacebook script and
create inside it a copy of its main command, changing the
Facebook AS number to TikTok's AS number, which is AS138699.

How to block Twitter

The same goes for Twitter. Its AS number is AS13414.

This does not work for all companies.

Small companies do not necessarily have their own AS number.
Many rent IP blocks from larger companies, so if you block all
the IPs associated with the AS number you will block more than
the target company. But Facebook and other large companies have
their own AS number. So their strength becomes their Achilles'
heel and it is turned against them with the above method.

So if you want to block a small company, first check that they
own the AS number. You can check this from the output of

    whois -h whois.radb.net IP-number

as above.

A. Tsolomitis
Created Dec 6, 2022.