Posted: . At: 10:58 AM. This was 4 years ago. Post ID: 13989

Blocking websites with iptables can be done; this is useful on a gateway.


Blocking unwanted websites with iptables can be done. This is not done by matching the site's Internet Protocol address, as that does not work; matching strings in the traffic does. I have found a way to do this.

The sample below shows a few rules that block a website. If you try to load it, the browser keeps trying and eventually times out, which is not elegant, but it works, and that is what matters.

# Generated by iptables-save v1.8.3 on Fri Jan 24 09:59:40 2020
*filter
:INPUT ACCEPT [1:40]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:40]
-A OUTPUT -p tcp -m string --string "4channel.org" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "4chan.org" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "boards.4chan.org" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Jan 24 09:59:40 2020

So this can be used to block various websites, or a CDN hostname to block the content it serves, on a Linux gateway machine such as a Pi-hole.

Blocking the Pirate Bay does seem to work with this trick, but it is not perfect. For a gateway machine it would be better to use Privoxy as a web proxy; it can block ads and ships with a good blocklist out of the box. This can be used to create a family-friendly Internet connection.

Read about this in the Privoxy quickstart manual: https://www.privoxy.org/user-manual/quickstart.html. The iptables trick does work, even though it may be possible to bypass it by using the web server's IP address instead; a proper web proxy would fix that issue.

And this is my new and improved filter list for iptables.

# Generated by iptables-save v1.8.3 on Fri Jan 24 10:47:04 2020
*filter
:INPUT ACCEPT [2844:1526102]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2818:439101]
-A FORWARD -m string --string "facebook.com" --algo bm --to 65535 -j DROP
-A OUTPUT -p tcp -m string --string "facebook" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "smh.com.au" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "thepirate-bay.org" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "doubleclick.net" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "4channel.org" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "4chan.org" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "boards.4chan.org" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Jan 24 10:47:04 2020

The "facebook" string blocks access to facebook.com. I tried to access the site by its IP address, and it still would not load. So this is a bit of a kludge, but it is functional. In summary, this works, but Privoxy would be more elegant: having unwanted sites time out would only result in tech-support calls in a business environment.
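Added example, not from the original post: a small Python model of what the iptables string match does, a plain substring search over the packet payload between the --from and --to offsets. The constructed HTTP request and minimal TLS ClientHello show why the rulesets above catch the hostname even for HTTPS (the SNI extension is sent in clear before encryption starts), why the "boards.4chan.org" rule is redundant once "4chan.org" is listed, and how a bare word such as "facebook" also fires on unrelated traffic that merely mentions it. The blocklist and payloads are constructed for this example.

```python
"""Model of iptables -m string: a plain substring search over the packet
payload. Blocklist and sample payloads are constructed for this example."""
import struct

# Constructed subset of the patterns used in the rulesets above.
BLOCKLIST = ["facebook", "4chan.org", "boards.4chan.org", "doubleclick.net"]


def http_request(host: str, path: str = "/") -> bytes:
    # Plaintext HTTP: the hostname travels in the Host header.
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


def tls_client_hello(host: str) -> bytes:
    # Minimal TLS 1.2 ClientHello whose only extension is server_name (SNI).
    # The SNI hostname is unencrypted, so the string match sees it on HTTPS too.
    name = host.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list       # ext type 0 = SNI
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"      # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00" + exts)  # one cipher suite, null compression
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # handshake type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # TLS record header


def matching_rules(payload: bytes, patterns=BLOCKLIST, frm: int = 0, to: int = 65535):
    # Every --string pattern that would hit this packet (--from/--to window).
    window = payload[frm:to]
    return [p for p in patterns if p.encode() in window]


def redundant_patterns(patterns=BLOCKLIST):
    # A pattern containing another pattern is already covered by the shorter one,
    # e.g. "boards.4chan.org" never needs its own rule once "4chan.org" exists.
    return [p for p in patterns if any(q != p and q in p for q in patterns)]


if __name__ == "__main__":
    for pl in (http_request("boards.4chan.org"),
               tls_client_hello("www.facebook.com"),
               http_request("example.org", "/news/facebook-buys-startup")):
        print(matching_rules(pl))
    print(redundant_patterns())
```

The third sample shows the overblocking risk of the "facebook" rule: an unrelated site is rejected because the word appears in the URL path.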
