[Last Call] Learn how to a build a cloud-first strategyRegister Now


Block web traffic with iptables?

Posted on 2009-04-22
Medium Priority
Last Modified: 2013-11-16
I have a linux server internet gateway eth0 is public eth1 is private I use iptables for POSTROUTING. I would like to block websites like myspace, youtube, but I search the IP address of the websites did the iptables -A OUTPUT -s websites ip -j DROP and it does not work. how can i do this?
Question by:quantumsativa
  • 2
  • 2
LVL 13

Accepted Solution

WizRd-Linux earned 1000 total points
ID: 24210516
Because things like Myspace, Facebook and Youtube don't run from one or two computer they are run from clouds and distributed environments it is almost impossible to block them with IPtables.

You would have far greater success in using squid and re-routing all destination port 80 traffic to squid and then use ACL's to block the sites you don't want.

iptables -A forward -d x.x.x.x -j DROP if you do want to attempt to block everything, this is the forward rule that "forwards/routes" the traffic.

Author Comment

ID: 24210697
yeah I am using samba and one of my questions was to how to use squid thank you very much
LVL 13

Expert Comment

ID: 24210860
Setup squid from your package manager or source and then configure the squid.conf, in particular the ACL's : http://wiki.squid-cache.org/SquidFaq/SquidAcl

Once you have completed this you will be able to "test" it from a workstation by setting the IP address of the server as the proxy server with the port 3128.

If everything is blocked as expected you can use IP tables as described on this page : http://tldp.org/HOWTO/TransparentProxy-6.html

Assisted Solution

mchkorg earned 1000 total points
ID: 24212876

Use squid and squidguard to manage easily your URL lists.
Because blocking sites like *.facebook.com with ACL won't help as your users will find some proxyfied versions of facebook, for example. You have to count on up-to-date URL blacklists.

Some URL lists are free:
I suggest those free from "Université        Toulouse blacklist collection", free and accurate...

You'll be able to manage easliy your web filters by categories (no webmail, no "social networking" and so on)

Expert Comment

ID: 24212900
Of course, you'll have to use a transparent proxy as wizrd-linux said, and block any direct access to port 80 through your gateway.
That won't prevent you from deploying your proxy configuration in every web browser on every computer (using logon script in samba, importing .reg files). If not, https sites won't work as https can't be transparentely proxyfied

'hope this helps

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SSH (Secure Shell) - Tips and Tricks As you all know SSH(Secure Shell) is a network protocol, which we use to access/transfer files securely between two networked devices. SSH was actually designed as a replacement for insecure protocols that sen…
​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Suggested Courses
Course of the Month18 days, 6 hours left to enroll

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question