• Status: Solved
  • Priority: Medium
  • Security: Public

Block web traffic with iptables?

I have a Linux server as an internet gateway: eth0 is public, eth1 is private. I use iptables for POSTROUTING. I would like to block websites like MySpace and YouTube, but I searched the IP address of the websites, did `iptables -A OUTPUT -s <website ip> -j DROP`, and it does not work. How can I do this?
2 Solutions
 
WizRd-Linux commented:
Because things like MySpace, Facebook and YouTube don't run from one or two computers; they run from clouds and distributed environments, so it is almost impossible to block them with iptables.

You would have far greater success using Squid: re-route all destination port 80 traffic to Squid and then use ACLs to block the sites you don't want.

`iptables -A FORWARD -d x.x.x.x -j DROP` if you do want to attempt to block everything; this is the FORWARD rule that "forwards/routes" the traffic.
 
quantumsativa (Author) commented:
Yeah, I am using Samba, and one of my questions was how to use Squid. Thank you very much.
 
WizRd-Linux commented:
Set up Squid from your package manager or source and then configure squid.conf, in particular the ACLs: http://wiki.squid-cache.org/SquidFaq/SquidAcl

Once you have completed this you will be able to "test" it from a workstation by setting the IP address of the server as the proxy server, with port 3128.

If everything is blocked as expected you can use iptables as described on this page: http://tldp.org/HOWTO/TransparentProxy-6.html
 
mchkorg commented:
Hi,

Use Squid and SquidGuard to manage your URL lists easily.
Blocking sites like *.facebook.com with an ACL won't help, as your users will find proxied versions of Facebook, for example. You have to count on up-to-date URL blacklists.

Some URL lists are free:
http://www.squidguard.org/blacklists.html
I suggest the free ones from the "Université Toulouse blacklist collection", free and accurate...

You'll be able to manage your web filters easily by categories (no webmail, no "social networking" and so on).
 
mchkorg commented:
Of course, you'll have to use a transparent proxy, as WizRd-Linux said, and block any direct access to port 80 through your gateway.
That won't prevent you from deploying your proxy configuration in every web browser on every computer (using a logon script in Samba, importing .reg files). If not, HTTPS sites won't work, as HTTPS can't be transparently proxied.

Hope this helps.
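The rule set the thread converges on, as an added example that is not code posted by anyone in the thread: the per-IP FORWARD drop that WizRd-Linux mentions (and why the OUTPUT rule in the question could never match), the nat REDIRECT that diverts LAN port-80 traffic to Squid, a FORWARD reject for any port-80 traffic that is not intercepted, as mchkorg recommends, and a matching squid.conf ACL fragment. Interface names follow the question. The LAN prefix 192.168.1.0/24, the address 203.0.113.10, the hypothetical config path in the usage comment, and a second Squid port 3129 for intercepted traffic are assumptions: Squid 3.2 and later require the intercept port to be separate from the one browsers are configured to use (3128 here), Squid 3.1 accepts the `intercept` keyword, and older releases spelled it `transparent`. DRY_RUN=1 prints the iptables commands instead of executing them.

```shell
#!/bin/sh
# Added example for the thread above; not code from any participant.
# Layout as in the question: eth0 public, eth1 private, Squid on the gateway.
# LAN prefix, Squid intercept port and the config path are assumptions.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}        # constructed value
PROXY_PORT=${PROXY_PORT:-3128}            # port browsers are configured with
INTERCEPT_PORT=${INTERCEPT_PORT:-3129}    # port REDIRECT sends traffic to

# Wrapper so the rules can be previewed (DRY_RUN=1) before being applied.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# The OP's rule (-A OUTPUT -s <ip>) cannot match: OUTPUT only sees packets the
# gateway itself generates, and the site's address is the destination, not the
# source. Routed LAN traffic traverses FORWARD, so a per-IP block looks like
# this. It still covers only the one address given, which is why it fails
# against sites served from many addresses.
block_ip_forward() {
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -d "$1" -j DROP
}

# Transparent proxy: divert LAN-originated port-80 connections to Squid before
# routing (nat/PREROUTING) and let the gateway accept them on the Squid ports.
# Only plain HTTP is diverted; port 443 is untouched (the HTTPS caveat above).
redirect_http_to_squid() {
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$INTERCEPT_PORT"
    ipt -A INPUT -i "$LAN_IF" -p tcp -m multiport \
        --dports "$PROXY_PORT,$INTERCEPT_PORT" -j ACCEPT
}

# Any port-80 traffic that is not intercepted is refused, so the proxy
# cannot be bypassed by going out directly through the gateway.
drop_direct_http() {
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 80 -j REJECT
}

# The NAT the OP already has, kept here so the script stands on its own.
masquerade() {
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Matching squid.conf fragment. A dstdomain entry with a leading dot matches
# the domain and every subdomain. "deny lan blocked" ANDs the two ACLs.
squid_acl_fragment() {
    cat <<EOF
http_port $PROXY_PORT
http_port $INTERCEPT_PORT intercept
acl lan src $LAN_NET
acl blocked dstdomain .myspace.com .youtube.com
http_access deny lan blocked
http_access allow lan
http_access deny all
EOF
}

apply_rules() {
    redirect_http_to_squid
    drop_direct_http
    masquerade
}

# Usage: DRY_RUN=1 sh gateway.sh apply        (preview the rules)
#        sh gateway.sh apply                  (apply them, as root)
#        sh gateway.sh squid-conf > /etc/squid/conf.d/block.conf  (hypothetical path)
case "${1:-}" in
    apply)      apply_rules ;;
    squid-conf) squid_acl_fragment ;;
esac
```

To confirm the diversion is working, `iptables -t nat -L PREROUTING -n -v` should show the REDIRECT counters increasing while a LAN client browses, and a blocked site should return Squid's access-denied page rather than time out, which is how you tell the proxy handled it and not a DROP. Port 443 passes straight through the MASQUERADE rule, so `https://` versions of the listed sites stay reachable unless browsers are explicitly configured to use the proxy on port 3128, which is mchkorg's point above.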
Question has a verified solution.