Unwanted websites can be blocked with iptables. This is not done by matching on an Internet Protocol address, as that does not work, but matching on strings does. I have found a way to do this.
The sample below shows a few rules to block a website. If you try to load it, the browser keeps trying and eventually times out, which is not elegant, but it works, and that is what matters.
# Generated by iptables-save v1.8.3 on Fri Jan 24 09:59:40 2020
*filter
:INPUT ACCEPT [1:40]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:40]
-A OUTPUT -p tcp -m string --string "4channel.org" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "4chan.org" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "boards.4chan.org" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Jan 24 09:59:40 2020
So this can be used to block various websites, or a CDN, to filter content on a Linux gateway machine such as a Pi-hole.
Blocking the Pirate Bay does seem to work with this trick, but it is not perfect. For a gateway machine it would be better to use Privoxy as a web proxy; this allows blocking ads and comes with a good blocklist out of the box. It can be used to create a family-friendly Internet connection.
Read about this in the quickstart manual: https://www.privoxy.org/user-manual/quickstart.html. The iptables trick does work, even though it could be bypassed by using the web server's IP address instead; a proper web proxy would fix this issue.
This is my new and improved filter list for iptables.
# Generated by iptables-save v1.8.3 on Fri Jan 24 10:47:04 2020
*filter
:INPUT ACCEPT [2844:1526102]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2818:439101]
-A FORWARD -m string --string "facebook.com" --algo bm --to 65535 -j DROP
-A OUTPUT -p tcp -m string --string "facebook" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "smh.com.au" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "thepirate-bay.org" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "doubleclick.net" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "4channel.org" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "4chan.org" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "boards.4chan.org" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Jan 24 10:47:04 2020
The "facebook" string blocks access to facebook.com. I tried to access the site by its IP address and it still would not load. So this is a bit of a kludge, but it is functional. In summary, this works, but Privoxy would be more elegant; having unwanted sites time out would only result in tech-support calls in a business environment.
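The two iptables-save dumps above were edited by hand. As an added example (not code from the original post), the script below generates the same kind of string-match rules from a hostname list, but keeps them in a dedicated chain so the list can be flushed and reloaded without touching the rest of the filter, and puts a LOG rule in front of each REJECT so every blocked attempt shows up in the kernel log. The chain name SITE_BLOCK, the log prefix and the sample hostname list are assumptions chosen here; the rules themselves use the same TCP string match, --algo kmp and --to 65535 as the post's, so they carry the same caveats (the hostname has to appear in the packet payload, and access by IP address is the bypass the post mentions).

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Generates string-match block
# rules in a dedicated chain (SITE_BLOCK, an assumed name) with a LOG rule
# before each REJECT. Run with no argument to print the commands, or with
# "apply" to execute them (needs root and the xt_string module).
set -eu

CHAIN="SITE_BLOCK"

# Accept only plain hostnames (letters, digits, dots, hyphens; no leading,
# trailing or doubled dots), so a list entry can never smuggle extra
# arguments into the generated iptables command line.
valid_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the two rules for one hostname: LOG first, then REJECT. TCP only,
# with the string searched in the first 65535 bytes, as in the post's rules.
rules_for_host() {
    host="$1"
    if ! valid_hostname "$host"; then
        echo "skipping invalid entry: $host" >&2
        return 1
    fi
    printf 'iptables -A %s -p tcp -m string --string "%s" --algo kmp --to 65535 -j LOG --log-prefix "SITE_BLOCK: " --log-level 4\n' "$CHAIN" "$host"
    printf 'iptables -A %s -p tcp -m string --string "%s" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable\n' "$CHAIN" "$host"
}

# Emit a complete, idempotent ruleset for the hostnames given as arguments:
# create or flush the chain, make sure OUTPUT and FORWARD jump to it exactly
# once, then add the per-host rules. Invalid entries are reported and skipped.
build_ruleset() {
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    for hook in OUTPUT FORWARD; do
        echo "iptables -C $hook -j $CHAIN 2>/dev/null || iptables -I $hook 1 -j $CHAIN"
    done
    for host in "$@"; do
        rules_for_host "$host" || true
    done
}

# Constructed sample list, taken from the post's own rules.
SAMPLE_HOSTS="4chan.org 4channel.org boards.4chan.org doubleclick.net"

# shellcheck disable=SC2086
if [ "${1:-print}" = "apply" ]; then
    build_ruleset $SAMPLE_HOSTS | sh -e
else
    build_ruleset $SAMPLE_HOSTS
fi
```

Because the jump rules are inserted with -I only after an -C check fails, running the script twice does not duplicate them, and the chain is flushed rather than recreated, so editing the list and re-running is safe. Blocked attempts appear in the kernel log with the "SITE_BLOCK: " prefix, which is the first thing to check when the tech-support call about a timing-out site comes in.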