LinuxQuestions.org

Linux - Networking: URL Filtering in NAT+BIND9 (https://www.linuxquestions.org/questions/linux-networking-3/url-filtering-in-nat-bind9-338601/)

TheAce 06-30-2005 01:00 AM

URL Filtering in NAT+BIND9
 
Hi all, first time posting in these forums.

I have Mepis Linux set up with NAT and BIND9 (as a caching DNS) to allow the LAN computers to access the internet. I need to set up URL filtering to block access to porn sites (as this is company policy).

Is it possible to do this just with NAT and BIND, or do I have to set up a proxy server? If it is possible, what should I do?

Thanks.

sind 06-30-2005 04:15 AM

I don't know much about BIND, so I can't comment on that, but you could block outgoing/forwarded traffic to certain sites using iptables (I assume that's what you're using for NAT). If the list of banned sites is continually growing, you could probably just insert more rules into the chain as more sites are added. If the IP of a site changes, you might need to restart the firewall to resolve the new address. As such, you can't really filter URLs with iptables (or BIND, I would have thought), only domain names/IPs.

I was in a similar situation at a school where I was the administrator. We used Squid to determine who could use the web and where they could go. A couple of nice things about using Squid rather than iptables would be that you can use regular expressions in access controls (both for domains and URLs), and you can return a nice error page to tell the user that they were trying to do something naughty. ;)

~sind

TheAce 06-30-2005 04:23 AM

Quote:

Originally posted by sind
but you could block outgoing/forwarded traffic to certain sites using iptables (I assume that's what you're using for NAT).
This is exactly what I want to do. The question is how?
Quote:

As such you can't really filter URL's with iptables (or BIND, I would have thought), only domain names/IPs.
If it can do partial domain names or domain names with wildcard filtering, then that would solve my problem as well.

Quote:

I was in a similar situation at a school where I was the administrator. We used Squid to determine who could use the web and where they could go. A couple of nice things about using Squid rather than iptables would be that you can use regular expressions in access controls (both for domains and URLs), and you can return a nice error page to tell the user that they were trying to do something naughty. ;)

~sind
Yes, I know that, but a proxy server is not an option I have. :(

sind 06-30-2005 06:22 AM

You should be able to specify a hostname in a rule like so (for example):

# iptables -A FORWARD -d www.google.com -j REJECT

It says in the man page for iptables that that syntax is valid, however iptables on my machine wouldn't let me do it. I think there must be a bug in the version that I have.

I remember using a rule like that to allow telnet access from a dynamic domain name to a server (using ipchains), the main problem was that the name was resolved when the rule was added, and so when the address of the dynamic domain name changed, access was blocked... And then access was opened to whoever got the IP address next... :-|

Anyway, that was a different situation. Hopefully the sites you want to block have fairly constant IPs.

HTH,
~sind

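One way to live with the resolve-at-insert-time problem sind describes is to re-resolve the whole list on a schedule (e.g. from cron) and rebuild a dedicated chain each time. The script below is an added example, not code from this thread; the chain name, the block-list path and the --print/--apply flags are assumptions, and it assumes bash, getent and an iptables new enough to support -C.

```bash
#!/bin/bash
# Added example, not from the thread: keep a domain block list in its own
# FORWARD sub-chain and re-resolve every name on each run (e.g. from cron),
# so a site whose address changes is still blocked and a stale address is
# not left blocked for whoever inherits it. Assumes bash, getent, iptables;
# the chain name, list path and --print/--apply flags are made up here.

BLOCKLIST="${BLOCKLIST:-/etc/blocked-domains.txt}"   # one domain per line, '#' comments
CHAIN="DOMAIN_BLOCK"                                   # hypothetical chain name

# Resolve a name to its IPv4 addresses, one per line; empty output if it fails.
resolve_host() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# Print the domains from the list with comments, blank lines and padding removed.
read_blocklist() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# Emit the iptables commands that rebuild the chain, one per line. A name that
# does not resolve is reported and skipped instead of producing a bogus rule.
build_rules() {
    local domain ip ips
    echo "iptables -F $CHAIN"
    for domain in $(read_blocklist "$BLOCKLIST"); do
        ips=$(resolve_host "$domain")
        if [ -z "$ips" ]; then
            echo "warning: $domain did not resolve, skipped" >&2
            continue
        fi
        for ip in $ips; do
            echo "iptables -A $CHAIN -d $ip -m comment --comment $domain -j REJECT"
        done
    done
}

# Create the chain and hook it into FORWARD once; later runs only refresh it.
ensure_chain() {
    iptables -L "$CHAIN" -n >/dev/null 2>&1 || iptables -N "$CHAIN"
    iptables -C FORWARD -j "$CHAIN" 2>/dev/null || iptables -I FORWARD -j "$CHAIN"
}

case "${1:-}" in
    --print) build_rules ;;                        # show what would be applied
    --apply) ensure_chain && build_rules | sh ;;   # rebuild the chain for real
    *) echo "usage: $0 --print|--apply" >&2 ;;
esac
```

Run it with --print first to review the generated rules; the warning on stderr tells you which entries would otherwise have silently blocked nothing.
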
TheAce 06-30-2005 06:26 AM

Thanks. I'll try this one.

jeffvph 11-04-2005 12:40 AM

Hi, I was wondering what version of iptables it will work with. It doesn't work on my machine running Red Hat 9 with iptables v1.2.7a. Will there be any problems if I upgrade iptables?

I will very much appreciate your response.

Thanks

Jeff

TheAce 11-06-2005 08:35 PM

How do I find the version of iptables? What I have is the iptables that comes with the 2.6 kernel.

Incidentally, this method works, but it's a real pain to maintain the list of banned sites. Using a proxy server with ACLs is a much better way to do it.

jeffvph 11-08-2005 01:35 AM

Run this command:

# iptables --version

What I did is a white list of sites every host needed to access; sites that are not listed are dropped. My current setup uses IP address filtering, and what I need is domain name filtering, but unfortunately it doesn't work on my version of iptables.

TheAce 11-08-2005 01:40 AM

The version I have is 1.2.11.

Though I have stopped using this method and am now using Squid with ACLs.
