linux
nallion, 2015-09-28 12:21:35

Iptables mark + iproute2 how to block a domain?

Actually, the question is a small one :)
I set up an Internet gateway following lartc; everything is as it should be.
I mark the user's packets:
iptables -t mangle -A PREROUTING -s 10.0.0.6/32 ! -d 192.168.7.0/24 -j MARK --set-xmark 0x1/0xffffffff
and send them to the desired gateway via ip rule.
I need the user that this rule applies to not to be able to reach a site, say ya.ru.
I try a rule like this:
iptables -t mangle -A PREROUTING -m mark --mark 1 -m string --string "ya.ru" --algo kmp -j DROP
and it doesn't work, which is sooooo weird!
Tell me, colleagues, what to do in this situation?


1 answer
Vladimir, 2015-09-28
@MechanID

Uh... I would put the packet drop into -t nat FORWARD instead of mangle, and keep in mind that this way you will catch a bunch of false positives: for example, when the user opens a site that has links to ya.ru, those packets will also fall under the rule and be dropped.
IMHO, a pretty strange solution to the problem.
It is better to cut off access to the sites on a proxy, or have a local DNS hand out a stub IP and disable/firewall third-party DNS.
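The false-positive point in the answer comes from how `-m string` works: it is a byte-substring search over the packet payload with no idea of protocols, so "ya.ru" anywhere in a request body, a comment, or an HTML page from some other site matches just as well as a request really addressed to ya.ru. The simulation below is an added example, not code from the question or the answer: it feeds a few constructed payloads (an HTTP request to ya.ru, a POST to another site whose body mentions ya.ru, a response page that links to ya.ru, and a DNS query) through two matchers, one doing what `--string "ya.ru" --algo kmp` does and one that only looks at the HTTP Host header or the DNS question name. The packet tuples, port numbers and function names are assumptions made for the example; the DNS wire format and HTTP header parsing are real.

```python
"""Added example (not from the original thread): why a `-m string` domain
filter both over-matches and under-matches, compared with matching on the
HTTP Host header / DNS question name. All packets below are constructed."""
import struct
from typing import Dict, Optional, Tuple

NEEDLE = b"ya.ru"
Packet = Tuple[str, int, bytes]  # (proto, dport, payload) - assumed shape for the example


def dns_query(name: bytes, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query in wire format: 12-byte header, length-prefixed labels, A/IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label for label in name.split(b".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def dns_qname(payload: bytes) -> Optional[bytes]:
    """Question name of a DNS message (dotted, lower-case), or None if not parseable."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] == 0:
        return None
    labels, pos = [], 12
    while pos < len(payload):
        ln = payload[pos]
        pos += 1
        if ln == 0:
            return b".".join(labels).lower() or None
        if ln & 0xC0:  # compression pointer: never valid in a question name
            return None
        labels.append(payload[pos:pos + ln])
        pos += ln
    return None


def http_host(payload: bytes) -> Optional[bytes]:
    """Host header of an HTTP/1.x request (without :port), or None."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/1."):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().split(b":")[0].lower()
    return None


def string_match(pkt: Packet, needle: bytes = NEEDLE) -> bool:
    """What `-m string --string ya.ru --algo kmp` decides: substring anywhere in the payload."""
    return needle in pkt[2]


def host_match(pkt: Packet, domain: bytes = NEEDLE) -> bool:
    """Match only traffic addressed to `domain` or a subdomain of it:
    HTTP Host header on tcp/80, question name on udp/53, nothing else."""
    proto, dport, payload = pkt
    if proto == "tcp" and dport == 80:
        name = http_host(payload)
    elif proto == "udp" and dport == 53:
        name = dns_qname(payload)
    else:
        name = None
    return name is not None and (name == domain or name.endswith(b"." + domain))


# Constructed sample traffic (payloads only; ports are assumptions for the example).
PACKETS: Dict[str, Packet] = {
    # Really going to ya.ru: both matchers should fire.
    "http_to_ya": ("tcp", 80, b"GET / HTTP/1.1\r\nHost: ya.ru\r\n\r\n"),
    # User posts a comment on another site that mentions ya.ru: -m string drops it.
    "post_mentions_ya": ("tcp", 80, b"POST /comment HTTP/1.1\r\nHost: forum.example\r\n"
                                     b"Content-Length: 28\r\n\r\ncheck http://ya.ru/ sometime"),
    # Response page from another site that links to ya.ru (the answer's case);
    # dport is the client's ephemeral port, so it is not a request to anything.
    "page_links_ya": ("tcp", 54321, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                                    b"<a href=\"http://ya.ru\">ya.ru</a>"),
    # Unrelated request: neither matcher should fire.
    "http_to_other": ("tcp", 80, b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    # DNS lookups: wire format has no dots ("\x02ya\x02ru"), so -m string misses them.
    "dns_query_ya": ("udp", 53, dns_query(b"ya.ru")),
    "dns_query_sub": ("udp", 53, dns_query(b"mail.ya.ru")),
}


def evaluate() -> Dict[str, Tuple[bool, bool]]:
    """Per sample: (string-match verdict, host/qname-match verdict)."""
    return {name: (string_match(p), host_match(p)) for name, p in PACKETS.items()}


if __name__ == "__main__":
    print(f"{'packet':18} {'-m string':>10} {'host/qname':>11}")
    for name, (s, h) in evaluate().items():
        print(f"{name:18} {str(s):>10} {str(h):>11}")
```

Two things fall out of running it. The substring rule drops the comment and the linked page, which is the over-matching the answer describes, while it does not match the DNS lookup at all, because names on the wire are length-prefixed labels with no dots; the only traffic it reliably catches is plaintext HTTP. Matching on the Host header or question name fixes both, and blocking the DNS name (the "local DNS stub IP" the answer suggests) is what covers HTTPS, where the Host header is encrypted. On placement: the nat table has no FORWARD chain; traffic routed through the gateway is filtered in the filter table's FORWARD chain, and a `-m mark --mark 1` match there sees marks set earlier in mangle PREROUTING.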
