Hi, I'm here again. I've searched everywhere but I can't find consistent information about this. I'm currently sharing internet to a second machine using the typical Internet Share.
I want to block some URLs to the second computer using iptables, because I think it's the appropriate tool to do this. I have followed instructions in a few sites but none of them works. The most common sentences are:
iptables -A INPUT -s facebook.com -j DROP
iptables -A OUTPUT -d facebook.com -j DROP
Lamentably, the second PC can still use facebook.com, and I don't know how to make iptables work.
Do you have any idea or recommendation?
Thanks!
Last edited by sironitomas (2011-03-14 23:43:17)
I believe it's not possible to do such filtering with iptables, at least as far as I know, especially for a large site like Facebook which has a lot of different servers with different IP addresses.
What you really want in this case is an HTTP proxy, like squid or privoxy (although I only have experience with squid, and experience is kinda a big word). And then, you'll want to use iptables to make sure every HTTP request is passing through your proxy.
You can use iptables to transparently redirect traffic to a running service to filter based on URL, like dansguardian or the already mentioned squid or privoxy (I am sure there are other proxies as well).
DuckDuckGo search results: https://duckduckgo.com/?q=transparent+d … n+iptables
"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍
The reason you can't use iptables to block a URL is because iptables works at OSI Layer 3/4. It only deals with IP addresses, port numbers, protocol (TCP/UDP etc., not HTTP, FTP), etc.
The URL is above that, so iptables never gets to 'see' the URL, only the IP address that it resolves to. If you look at the rule you created in your test (iptables -nvL), you'll see only 1 IP address was added as a rule.
So, you either need to block ALL the IP addresses used by Facebook and its Content Delivery Network (CDN), which is near impossible since they constantly change. Or use a filtering proxy as mentioned by others.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
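To make the Layer 3/4 point above concrete, here is a small Python model (an added illustration, not code from the thread) of what `iptables -A <chain> -d <hostname> -j DROP` actually stores and matches. The hostname is resolved once, when the rule is inserted, and only the address(es) returned at that moment are kept; every later packet is compared on destination IP alone, and the URL or Host header is never consulted. The DNS answers and addresses below are constructed placeholders from the RFC 5737 documentation ranges, not real addresses of any site. One further detail worth checking on a machine that shares its connection: traffic from the second PC passes through the FORWARD chain, not INPUT or OUTPUT, so the model uses FORWARD.

```python
"""Toy model of hostname-based iptables rules (added illustration).

iptables resolves a name given to -s/-d at rule-insertion time and keeps
the resulting IP address(es); matching is then done on IP only. The URL
is a higher-layer concept the packet filter never sees.
"""
import ipaddress
from dataclasses import dataclass

# Constructed DNS snapshot (placeholder documentation addresses): a large
# site answers with several addresses, and its CDN uses yet another name.
DNS_ANSWERS = {
    "facebook.com": ["192.0.2.10", "192.0.2.11"],
    "www.facebook.com": ["198.51.100.5"],
    "static.fbcdn.net": ["203.0.113.7"],
}


@dataclass(frozen=True)
class Rule:
    chain: str
    dst: frozenset  # addresses the rule was compiled to at insertion time
    target: str


def add_rule(chain, dst_name, target, dns=DNS_ANSWERS):
    """Model 'iptables -A <chain> -d <dst_name> -j <target>'.

    The name is resolved once, now; the rule remembers only the addresses
    that lookup returned, never the name itself.
    """
    addrs = frozenset(ipaddress.ip_address(a) for a in dns.get(dst_name, []))
    if not addrs:
        raise ValueError(f"cannot resolve {dst_name!r}")
    return Rule(chain, addrs, target)


def verdict(rules, chain, dst_ip, url=None):
    """Match a packet against the rules of one chain, first match wins.

    `url` is accepted only to make the point explicit: a Layer 3/4 filter
    has no access to it, so it is deliberately ignored.
    """
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.chain == chain and ip in rule.dst:
            return rule.target
    return "ACCEPT"  # default policy of the chain


def demo():
    """Insert one DROP rule for facebook.com and test three forwarded packets."""
    rules = [add_rule("FORWARD", "facebook.com", "DROP")]
    # An address that was part of the answer when the rule was inserted:
    blocked = verdict(rules, "FORWARD", "192.0.2.10", url="http://facebook.com/")
    # The browser is redirected to www.facebook.com, whose address was never
    # part of the rule, and to the CDN, which is a different name entirely:
    leaked_www = verdict(rules, "FORWARD", "198.51.100.5", url="http://www.facebook.com/")
    leaked_cdn = verdict(rules, "FORWARD", "203.0.113.7", url="http://static.fbcdn.net/a.png")
    return blocked, leaked_www, leaked_cdn


if __name__ == "__main__":
    print(demo())  # ('DROP', 'ACCEPT', 'ACCEPT')
```

Running `demo()` shows the rule dropping only the address it was compiled to while both the www host and the CDN go through untouched, which is exactly the behaviour reported in the first post. A proxy that looks at the requested hostname does not have this problem, because it decides on the name rather than on whichever address the name currently resolves to.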
Thanks for the answers. I suspected Facebook has more than one IP, which makes it kind of impossible to use iptables to block it.
@fukawi2: your explanation of the OSI layers was very useful!
As you all said, I'll have to use a proxy, and I'll try squid. My question is: Is it possible to use squid just for filtering and not caching? What is the line in /etc/squid/squid.conf to do such blocking? I tried to find that in the config file but it's too big!
Last edited by sironitomas (2011-03-13 21:17:01)
This is what I use to block sites:
# Blacklisted Sites; They're crap and we don't want them
acl blacklisted_sites dstdomain wer.microsoft.com
acl blacklisted_sites dstdomain social.microsoft.com
acl blacklisted_sites dstdomain stats.update.microsoft.com
http_access deny blacklisted_sites
And to bypass the cache:
acl cache_bypass_domains dstdomain example.com
no_cache deny cache_bypass_domains
always_direct allow cache_bypass_domains
EDIT: To block Facebook, there are 2 domains you need to deny access to:
facebook.com
fbcdn.net
Last edited by fukawi2 (2011-03-13 23:40:29)
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
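The `dstdomain` lines above have one detail that decides whether the block actually works: Squid treats an entry without a leading dot as an exact hostname match, while an entry written with a leading dot (`.facebook.com`) matches the domain and all of its subdomains. The following Python model (an added illustration, not Squid's code and not from the thread) reproduces that matching rule and evaluates a simplified `http_access deny` against sample requests, so the two spellings can be compared side by side. The two configuration snippets are constructed for this example; the evaluation is simplified to `deny` lines naming a single ACL, whereas real Squid walks every `http_access` line in order with first match winning.

```python
"""Model of Squid dstdomain matching and http_access deny (added illustration).

dstdomain entry without a leading dot: matches only that exact hostname.
dstdomain entry with a leading dot:    matches the domain and every subdomain.
"""
from urllib.parse import urlsplit

# Constructed config 1: the exact-hostname spelling.
EXACT_ONLY = """
acl blacklisted_sites dstdomain facebook.com
acl blacklisted_sites dstdomain fbcdn.net
http_access deny blacklisted_sites
"""

# Constructed config 2: the leading-dot spelling, which also covers subdomains.
WITH_SUBDOMAINS = """
acl blacklisted_sites dstdomain .facebook.com .fbcdn.net
http_access deny blacklisted_sites
"""


def parse_acls(config_text):
    """Collect `acl <name> dstdomain <domain...>` lines into {name: [patterns]}.

    Only dstdomain ACLs are modelled; comments and other acl types are skipped.
    """
    acls = {}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "dstdomain":
            acls.setdefault(parts[1], []).extend(p.lower() for p in parts[3:])
    return acls


def dstdomain_matches(pattern, host):
    """Apply Squid's leading-dot rule to one pattern and one request host."""
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        base = pattern[1:]
        return host == base or host.endswith("." + base)
    return host == pattern


def is_denied(config_text, url):
    """Return True if a `http_access deny <acl>` line matches the URL's host.

    Simplified: only deny lines with a single dstdomain ACL are evaluated.
    """
    acls = parse_acls(config_text)
    host = urlsplit(url).hostname or ""
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == "http_access" and parts[1] == "deny":
            if any(dstdomain_matches(p, host) for p in acls.get(parts[2], [])):
                return True
    return False


def compare(urls):
    """Show, per URL, whether each spelling of the blacklist denies it."""
    return {u: (is_denied(EXACT_ONLY, u), is_denied(WITH_SUBDOMAINS, u)) for u in urls}


if __name__ == "__main__":
    for url, (exact, dotted) in compare([
        "http://facebook.com/",
        "http://www.facebook.com/",
        "http://static.ak.fbcdn.net/img.png",
        "http://notfacebook.com/",
    ]).items():
        print(f"{url:40} exact={exact!s:5} leading-dot={dotted}")
```

With the exact spelling only `http://facebook.com/` is denied and `www.facebook.com` slips through; with the leading dot both the bare domain and every subdomain are caught, while an unrelated name such as `notfacebook.com` is still allowed. On the caching question from the previous post: `cache deny all` makes Squid act purely as a filter, and newer Squid releases spell the `no_cache` directive shown above as `cache`.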
@fukawi2 Thank you. I'll try those lines when I have time.
Regards!