linux
Alexander, 2014-10-07 16:45:26

How to block a website using ubuntu tools?

Hello everybody.
At work, I was given the task of blocking several sites (vk, fb, youtube, etc.) and, to be honest, I thought iptables could handle this, but since I work in a slightly different area, I deal with network administration very little ...
What I currently have:
Ubuntu server 12.04
eth0 - external interface
inet addr: 94.159.48.42
eth1 - internal interface
inet addr: 192.168.0.250
On the server, Internet forwarding and a couple more ports + a small firewall are configured.
What I have tried:
Block:
#iptables -A FORWARD -m string --string "vk.com" --algo kmp --to 65535 -j DROP
Unblock for a MAC address:
#iptables -A FORWARD -m mac --mac-source b8:8d:12:0f:32:90 -m string --string "vk.com" --algo kmp --to 65535 -j ACCEPT
Everything is fine here, but! If you open a site that has a VK widget on it, it hangs and may not open at all.
If you bypass DNS and go straight to the cached DNS answer, then there is access ...
To solve the problem, I block VK's IP pool:
#iptables -A FORWARD -s 95.142.200.0/21 -j DROP
...
and this unblocks it for the MAC address:
#iptables -A FORWARD -m mac --mac-source b8:8d:12:0f:32:90 -s 95.142.200.0/21 -j ACCEPT
...
If you do the same tricks with youtube, it behaves very strangely in general :)
The main disadvantage of this approach is that third-party sites with widgets from the blocked sites hang ...
I've been digging through my iptables rules for the third day now, but I can't get what I want:
- Block several sites (preferably by domain) for a large number of machines on the network.
- Allow access to these sites for some machines, by MAC address.
- Do not break third-party sites.
In desperation I have already started looking at Squid, but I read that things are not so smooth there either ...
To be honest, it seems to me that this could be solved with forwarding, i.e. redirect all requests for those domains to my own server and then return either a 404 or an empty page, but I'm not familiar with this part of iptables at all, so I could not write the rule correctly.
Please help the community! Thank you all for your attention and your replies!

5 answer(s)
Power, 2014-10-07
@Power

To stop things hanging, replace "-j DROP" with "-p tcp -j REJECT --reject-with tcp-reset" or "-j REJECT --reject-with icmp-net-prohibited".

Alexander Borisovich, 2014-10-07
@Alexufo

webvpn.org
You can only take screenshots of the desktops, or install a browser extension for everyone (which, by the way, is not hard at all) that simply breaks the page when it detects the layout of a prohibited site. That will help against anonymizers.

Valentine, 2014-10-07
@vvpoloskin

1) swap the ACCEPT and DROP rules
2) use ipset; addresses can be added to it by resolving via cron, or you can get them from some BGP resolver.
And widgets on sites most likely hang because not all of the IPs are filtered. Find out all of its addresses and filter them.
But still, a proxy is better suited for this.
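Putting Valentine's two points (exemptions before the block, an ipset refreshed from DNS by cron) together with Power's REJECT suggestion, here is an added example script that is not from the thread. It assumes the domains and MAC address from the question, eth1 as the LAN interface, and that iptables and ipset are installed.

```bash
#!/bin/bash
# Added example, not from the thread. Keeps an ipset of blocked-site addresses
# fresh from DNS and emits FORWARD rules in the right order: the per-MAC
# ACCEPT first, then a tcp-reset REJECT (so pages embedding a widget fail fast
# instead of hanging), then DROP for everything else. Matching on addresses
# rather than on a string in the payload leaves third-party sites alone.
set -eu

BLOCKED_DOMAINS="vk.com facebook.com youtube.com"   # sites named in the question
ALLOWED_MACS="b8:8d:12:0f:32:90"                    # MAC from the question
SETNAME="blocked_sites"                             # assumed ipset name
LAN_IF="eth1"                                       # internal interface

# resolve_domains DOMAIN... -> unique IPv4 addresses, one per line.
# getent also honours /etc/hosts, so it works without a resolver.
resolve_domains() {
    for d in "$@"; do
        getent ahostsv4 "$d" | awk '{print $1}'
    done | sort -u
}

# build_rules SETNAME MAC... -> prints the iptables commands, exemptions first.
build_rules() {
    local set="$1"; shift
    local mac
    for mac in "$@"; do
        printf 'iptables -A FORWARD -i %s -m mac --mac-source %s -m set --match-set %s dst -j ACCEPT\n' "$LAN_IF" "$mac" "$set"
    done
    printf 'iptables -A FORWARD -i %s -p tcp -m set --match-set %s dst -j REJECT --reject-with tcp-reset\n' "$LAN_IF" "$set"
    printf 'iptables -A FORWARD -i %s -m set --match-set %s dst -j DROP\n' "$LAN_IF" "$set"
}

# refresh_ipset: fill a scratch set and swap it in atomically, so the live set
# is never empty while DNS is being re-resolved (meant to run from cron).
refresh_ipset() {
    ipset create "$SETNAME" hash:ip -exist
    ipset create "${SETNAME}_new" hash:ip -exist
    ipset flush "${SETNAME}_new"
    resolve_domains $BLOCKED_DOMAINS | while read -r ip; do
        ipset add "${SETNAME}_new" "$ip" -exist
    done
    ipset swap "${SETNAME}_new" "$SETNAME"
    ipset destroy "${SETNAME}_new"
}

# Only touch the firewall when explicitly asked: ./block-sites.sh apply
if [ "${1:-}" = "apply" ]; then
    refresh_ipset
    build_rules "$SETNAME" $ALLOWED_MACS | sh
fi
```

The rules are appended with -A, so if the existing firewall already has an ACCEPT for forwarded traffic they must be placed before it (use -I with a position instead). Run the apply step as root; the cron job only needs refresh_ipset since the rules reference the set by name.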

Oleg Burca, 2014-10-07
@Cram

You can simply put bogus IP addresses for these sites in /etc/hosts.
For example:
1.2.3.4 odnoklassniki.ru
1.2.3.4 facebook.com
1.2.3.4 vk.com
Then the browser will try to open the site from this bogus address.

Ergil Osin, 2014-10-16
@Ernillew

You are trying to solve the problem with the wrong tool.
For your purposes you really need Squid in transparent proxy mode and its ACLs. You can block the required sites and allow the required IPs to reach them.
iptables is not designed for your needs.
DHCP with binding to MAC addresses and Squid as a transparent proxy are your tools.
If you need more details, ask questions.
