Block web traffic with iptables?

Posted on 2009-04-22
Last Modified: 2013-11-16
I have a Linux server internet gateway: eth0 is public, eth1 is private. I use iptables for POSTROUTING. I would like to block websites like MySpace and YouTube, but I looked up the IP addresses of the websites, did iptables -A OUTPUT -s <website ip> -j DROP, and it does not work. How can I do this?
Question by:quantumsativa
    LVL 13

    Accepted Solution

    Because things like MySpace, Facebook and YouTube don't run from one or two computers but from clouds and distributed environments, it is almost impossible to block them with iptables.

    You would have far greater success using Squid: re-route all destination-port-80 traffic to Squid and then use ACLs to block the sites you don't want.

    If you do want to attempt to block everything: iptables -A FORWARD -d x.x.x.x -j DROP. This is the FORWARD rule that "forwards/routes" the traffic.
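The FORWARD rule from this answer, worked out as an added example (not code from the thread). It assumes the asker's layout (eth0 public, eth1 private, NAT already in POSTROUTING), uses RFC 5737 documentation addresses constructed for illustration, prints the commands by default instead of running them, and puts the drops in a dedicated chain so they are evaluated before any ACCEPT already in FORWARD.

```shell
#!/bin/sh
# Added example for the accepted answer above; it is not code from the thread.
# Assumes the asker's topology (eth0 public, eth1 private, NAT already in
# POSTROUTING). The destinations are RFC 5737 documentation addresses,
# constructed for this example; real sites resolve to many changing addresses,
# so this demonstrates the FORWARD chain rather than a complete site block.

LAN_IF=eth1
WAN_IF=eth0
BLOCKED_DSTS="203.0.113.10 203.0.113.11 198.51.100.0/24"

# Dry run by default: the commands are printed, not executed.
# Run as root with IPT=iptables to apply them.
: "${IPT:=echo iptables}"

# Rule arguments that drop one destination inside a dedicated chain.
# Client traffic routed through the gateway traverses FORWARD; OUTPUT only
# matches packets the gateway generates itself, which is why the OUTPUT
# rule in the question never saw the clients' traffic.
forward_drop_rule() {
    printf '%s' "-A BLOCKSITES -d $1 -j DROP"
}

# Number of entries in the block list (one DROP rule each).
blocked_count() {
    set -- $BLOCKED_DSTS
    echo $#
}

block_forwarded() {
    # A dedicated chain, jumped to from the top of FORWARD, keeps the drops
    # ahead of any earlier "-A FORWARD ... -j ACCEPT"; iptables is first
    # match wins, so a DROP merely appended after such an ACCEPT is dead.
    $IPT -N BLOCKSITES
    $IPT -I FORWARD 1 -i "$LAN_IF" -o "$WAN_IF" -j BLOCKSITES
    for dst in $BLOCKED_DSTS; do
        # Rate-limited log line so blocked attempts show up in the kernel log.
        $IPT -A BLOCKSITES -d "$dst" -m limit --limit 6/min -j LOG --log-prefix "blocksite: "
        $IPT $(forward_drop_rule "$dst")
    done
}

block_forwarded
```

Swap DROP for `-j REJECT --reject-with icmp-admin-prohibited` if you would rather have browsers fail immediately than hang until they time out; either way the address list still has to be kept current by hand, which is the weakness the answer points out.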

    Author Comment

    Yeah, I am using Samba, and one of my questions was how to use Squid. Thank you very much.
    LVL 13

    Expert Comment

    Set up Squid from your package manager or from source and then configure squid.conf, in particular the ACLs:

    Once you have completed this you will be able to "test" it from a workstation by setting the server's IP address as the proxy server, with port 3128.

    If everything is blocked as expected, you can use iptables as described on this page:
    LVL 7

    Assisted Solution


    Use Squid and SquidGuard to manage your URL lists easily.
    Blocking sites like * with an ACL won't help, as your users will find proxified versions of Facebook, for example. You have to rely on up-to-date URL blacklists.

    Some URL lists are free:
    I suggest the free ones from the "Université Toulouse blacklist collection", free and accurate...

    You'll be able to manage your web filters easily by category (no webmail, no "social networking" and so on).
    LVL 7

    Expert Comment

    Of course, you'll have to use a transparent proxy, as wizrd-linux said, and block any direct access to port 80 through your gateway.
    That won't spare you from deploying your proxy configuration in every web browser on every computer (using a logon script in Samba, importing .reg files). If not, HTTPS sites won't work, as HTTPS can't be transparently proxied.

    Hope this helps.
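The Squid ACL setup from the earlier comment and the transparent redirect plus port-80 backstop from this one, combined into one added example (not code from the thread). It assumes eth0 public, eth1 private, a LAN of 192.168.1.0/24, Squid on the gateway with an explicit port 3128 (what browsers are pointed at, and what carries HTTPS via CONNECT) and a separate intercept port 3129 for redirected traffic; the domain list holds the two sites named in the question, the file names under the target directory are chosen here, and the iptables commands are printed rather than executed unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example covering the Squid ACL comment and the transparent-proxy
# comment above; it is not code from the thread. Assumes eth0 public, eth1
# private, LAN 192.168.1.0/24, Squid on the gateway with an explicit port
# (3128) and an intercept port (3129). Domain list and file names are
# placeholders chosen for the example.

LAN_IF=eth1
WAN_IF=eth0
LAN_NET=192.168.1.0/24
PROXY_PORT=3128        # what browsers are configured to use (also CONNECT/HTTPS)
INTERCEPT_PORT=3129    # where the port-80 REDIRECT lands

: "${IPT:=echo iptables}"    # dry run; IPT=iptables applies the rules

# Write a Squid ACL fragment and its domain list into directory $1.
# Squid 2.x spells the intercept option "transparent"; 3.1+ uses "intercept".
# A leading dot in dstdomain matches the domain and every subdomain.
write_squid_acl() {
    dir=$1
    cat > "$dir/blocked_sites.txt" <<EOF
.myspace.com
.youtube.com
EOF
    cat > "$dir/squid-blocklist.conf" <<EOF
http_port $PROXY_PORT
http_port $INTERCEPT_PORT intercept
acl localnet src $LAN_NET
acl blocked_sites dstdomain "$dir/blocked_sites.txt"
# Order matters: the first matching http_access line wins, so the deny
# must come before the allow for the LAN.
http_access deny blocked_sites
http_access allow localnet
http_access deny all
EOF
}

# nat rule arguments that send LAN web traffic to the local Squid instead of
# routing it out eth0. Port 80 only: HTTPS cannot be intercepted this way and
# needs the proxy set in the browsers, as the last comment says.
redirect_rule() {
    printf '%s' "-t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $INTERCEPT_PORT"
}

# Backstop in FORWARD: any port-80 packet still being routed directly
# (redirect removed, rule ordering mistake) is rejected, not let through.
backstop_rule() {
    printf '%s' "-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 80 -j REJECT --reject-with tcp-reset"
}

apply_rules() {
    $IPT $(redirect_rule)
    # The LAN must be able to reach both Squid ports on the gateway itself.
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$INTERCEPT_PORT" -j ACCEPT
    $IPT $(backstop_rule)
}

apply_rules
```

Check the result from a LAN workstation with no proxy configured: an http:// request to a listed domain should get Squid's access-denied page, and with the redirect rule removed the same request should be reset by the backstop rather than reach the site. The explicit port is what the earlier comment's "set the proxy to 3128" test exercises, and it is also where a dstdomain ACL can catch HTTPS, since the browser sends the hostname in the CONNECT request.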
