Hola Boys and Girls.

I have a tiny problem. Its not really a problem but something that bothers me a lot. I have a laptop. Old IBM Thinkpad 600E which runs PCLinuxOS 2008 MiniMe with Nokia N73 setup as modem and dialed by kppp. I have a USB wifi card in it as well and I am sharing the internet connection to my 4 other ad-hoc wifi network laptops. 1 of them is Windows 2000 3 others are MiniMe as well. This is done by the iptables. I have wrote and using 2 little scripts that are doing it for me.

Name kpppauto.sh

kppp -c 3G

Name ICS.sh

/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/sbin/iptables -A FORWARD -i ppp0 -o rausb0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i rausb0 -o ppp0 -j ACCEPT

I have placed it into /home/hagrid/.kde/Autostart and it really works great.

If kppp disconnects for any reason the laptop reboots itself connects and continues sharing again.

IPs are static and DNS as well.

My question is

How can I block certain pages from being accessed in my network?

Is there a file like blacklist for modules that I can type in IP or host and nobody will be able to access this page? I dont want to use any extra software but if what I am planning to do is impossible then what software would you recommend? Would I have to redo the whole server?

I have few little visitors and they are using www when they are at my place but I wouldnt really like to explain myself to their parents who are good friends of mine why their child could see a porn or some other forbidden content on the net and how comes that the parental filter is not on.

What You reckon? Am I dreaming here?

Thanks in advance for any help.

Andy

I think you are dreaming because think of the sheer number of websites you would want to block, and yet your plan is to manually add IP's / websites to a blacklist. I think it would be a full time job just adding all those sites.

However, if you wanted to use IPTables, you could simply add a drop to your outbound tables, like:

iptables -I OUTPUT 1 -p tcp -d 12.12.12.12 --dport 80 -j DROP
(where 12.12.12.12 is the IP of the porn site).
And then you could add a rule (script to add a rule for each ip address). Also, the more rules you add, the slower your entire network is likely to be as each rule is processed before allowing the packet out. 50 rules not so bad ... 1000+ you will see some slowdown.

I think it would be easier + less overhead on your laptop and your time to use Squid proxy and some form of free websense.

Hi Bud!

I have the list of the websites ready so there is no hassle I like crazy ideas and I just needed to find out is there a way. Will try your idea and let you know if it works. Would I be able to do something similiar with host? Like for example www.google.ie has dynamic ip and blocking one IP wouldnt do it

Thanks for replying

Andy

.... not with iptables because of where in the IP layer it works. it doesn't know about DNS (unless there is a mod I am not aware of).

If you are just trying to see if you can do it - I am all for it. But if you want a working solution, you really should be using Squid and a site blocker that works on host addresses.

Ok I am trying to block few nasty pages. About 30 of them at the most. I have tried Your idea from yesterday. iptables -I OUTPUT 1 -p tcp -d 12.12.12.12 --dport 80 -j DROP
(where 12.12.12.12 is the IP of the porn site)
should block it

[hagrid@WISHMASTER ~]$ ping www.bebo.com
PING a500.c.akamai.net (195.27.154.11) 56(84) bytes of data.
64 bytes from 195.27.154.11: icmp_seq=1 ttl=52 time=378 ms

--- a500.c.akamai.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 378.525/378.525/378.525/0.000 ms

I am using bebo for example here. This command should look like this right?

iptables -I OUTPUT 1 -p tcp -d 195.27.154.11 --dport 80 -j DROP

I have typed it all at the server and i could still load bebo.

I have added it to my ICS.sh script and rebooted.

Bebo is still coming up...

Any other ideas? If I could block it by IP only I could still managed by host would be ideal.

Joble from www.pclinuxos.com gave me this idea

but i would rather use something from command line as graphic mode will get the server under more preasure specially that i am using kde and this works with gnome. Or am I wrong here?

I am all ears.

Andy

Hi Lads I have solved this case. I re-did the server from static IP to a dhcp, proxy, caching gateteway.

Andy