LinuxQuestions.org
Old 05-19-2010, 12:25 PM   #1
linuxbird
Member
 
Registered: Feb 2006
Distribution: Slackware
Posts: 290

Rep: Reputation: 20
Blocking websites - preferred method?


I'm trying to block specific websites, preferably using a portion of the URL. For example, if blocking acmegrocery.com, www.acmegrocery.com would also be blocked. This implies that simply blocking a single IP using iptables would not work well.

The names to block will be somewhat dynamic, so a list specification would be ideal.

In my case, the LAN has a mix of linux and ms machines, and they all use a linux gateway currently running dnsmasq.

Doing some reading, I find suggestions from using /etc/hosts (might work with yp, but not ideal) on the gateway machine, through to using squid on the gateway machine.

I have to believe several people have worked on solutions to this problem, and might be able to suggest best practices. Any takers?
 
Old 05-19-2010, 12:27 PM   #2
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 163
I would be inclined to use squid and dansguardian.
 
Old 05-19-2010, 07:40 PM   #3
jefro
Guru
 
Registered: Mar 2008
Posts: 11,076

Rep: Reputation: 1362
Might add in a hosts file.
 
Old 05-20-2010, 08:20 AM   #4
linuxbird
Member
 
Registered: Feb 2006
Distribution: Slackware
Posts: 290

Original Poster
Rep: Reputation: 20
Quote:
Originally Posted by jefro
Might add in a hosts file.
The problem is that the hosts file can only deal with the name. Unless running YP/NIS, the others, who _could_ use a different nameserver, can still route there. Also, it can be readily circumvented with use of an IP in the URL.

That's why I'm looking for a better solution.
 
Old 05-20-2010, 03:31 PM   #5
jefro
Guru
 
Registered: Mar 2008
Posts: 11,076

Rep: Reputation: 1362
I don't disagree.

I'd say that a dedicated firewall solution would be in order. See Untangle maybe.

If you want secure then you need to prevent physical access to the firewall. Any on-machine scheme can be bypassed.
 
Old 05-20-2010, 04:19 PM   #6
linuxbird
Member
 
Registered: Feb 2006
Distribution: Slackware
Posts: 290

Original Poster
Rep: Reputation: 20
I was trying to avoid a major change (or expense). Untangle appears to be an appliance one buys, and my assumption is that it gets database updates.

Might be good for an enterprise which needs an easy solution.

I'm still looking for an open solution, if I can find one.
 
Old 05-20-2010, 04:46 PM   #7
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 163
You could try m0n0wall or shorewall, but really, for what it seems like you're interested in doing, dansguardian and squid are the right answer.
 
Old 05-20-2010, 06:20 PM   #8
svancouw
LQ Newbie
 
Registered: Oct 2006
Location: California
Distribution: Debian Etch
Posts: 9

Rep: Reputation: 0
Actually, Untangle is a largely free (some modules you must pay for) software that is intended to be used on a dedicated system or running as a vm. You don't have to buy anything if you don't want to. The only major change is that it replaces your gateway, or you could set it up as a bridged device so that it's transparent to the network.

I've used Untangle for quite some time and I really like it (just make sure you have at least 1GB RAM installed... preferably 2GB). It has a filter built into it that should do exactly what you want: http://www3.untangle.com/web-filter

They also have a fantastic forum where support staff answers any questions that users cannot.

If you have a spare system or parts lying around, it's a great product. I am not affiliated with them in any way other than as a satisfied user.


Sean
 
Old 05-20-2010, 07:09 PM   #9
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
If you have a LAN and Linux as a gateway, you probably use DHCP, so you can tell clients to use your DNS, which can be just a small DNS proxy with a list of negative queries. Of course, you need to disable direct DNS queries.
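
An added example, not written by any poster in this thread: one way to do the DNS-based blocking described in post #9 on the dnsmasq gateway from post #1, turning a maintained list of names into dnsmasq `address=` lines and printing NAT rules that keep LAN clients on the gateway's resolver. The sample names, the `eth1` interface and both function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Sample names are constructed.

# Read a block list on stdin (one name per line, '#' comments allowed) and
# print one dnsmasq address= line per valid name. dnsmasq applies
# address=/name/ip to the name and all of its subdomains, so
# acmegrocery.com also covers www.acmegrocery.com.
gen_dnsmasq_blocklist() {
    while IFS= read -r line || [ -n "$line" ]; do
        name=${line%%#*}                          # strip comment
        name=$(printf '%s' "$name" | tr -d '[:space:]' | tr 'A-Z' 'a-z')
        name=${name#http://}; name=${name#https://}
        name=${name%%/*}                          # drop any URL path
        name=${name#.}                            # tolerate ".example.com"
        [ -z "$name" ] && continue
        # Accept hostname characters only, so a list entry cannot smuggle
        # other dnsmasq options into the generated file.
        if printf '%s\n' "$name" | grep -Eq \
            '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
        then
            printf 'address=/%s/0.0.0.0\n' "$name"
        else
            printf 'skipped invalid entry: %s\n' "$name" >&2
        fi
    done | LC_ALL=C sort -u
}

# Print (not apply) NAT rules that send every LAN DNS query to the gateway's
# own resolver. $1 is the LAN-facing interface (assumption: eth1 below).
print_dns_redirect_rules() {
    for proto in udp tcp; do
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 -j REDIRECT --to-ports 53\n' "$1" "$proto"
    done
}

# Constructed sample list: the OP's acmegrocery.com plus made-up entries.
sample_list() {
cat <<'EOF'
# grocery sites
acmegrocery.com
WWW.Example.org   # mixed case, trailing comment
http://ads.example.net/banner
bogus_name.example
EOF
}

sample_list | gen_dnsmasq_blocklist
print_dns_redirect_rules eth1
```

Write the generated lines to a file that dnsmasq loads through `conf-file=` or `conf-dir=`, then restart dnsmasq. Name-based blocking does not cover a URL that carries an IP address, the gap raised in post #4.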
 
Old 05-21-2010, 09:24 AM   #10
Norwood
Member
 
Registered: Feb 2010
Location: A Smidge South O' Boston
Distribution: Debian
Posts: 41

Rep: Reputation: 15
Quote:
Originally Posted by rweaver
I would be inclined to use squid and dansguardian.
QFT.

This is the exact solution I used at a company a while back. All free.

I built a machine from parts lying around our lab; you really don't need much horsepower or juice to accomplish this.

Install squid, install dansguardian and voila! Another good idea is to make sure you set up the web interface. You set up logins and passwords for users that should have access to which users are doing what, and they can log into a web interface, scroll through a list of names and see all the sites they visited.

Dansguardian also comes with (when I last used it at least) a precompiled list of bad domains and ip addresses.

The only downfall - depending, actually, upon your perspective - is that squid requires an extra credential login prompt for any sort of logging.

All of this should be able to be accomplished without any cost.

Last edited by Norwood; 05-21-2010 at 09:26 AM.
 
  


All times are GMT -5.
