I have Mepis Linux setup with NAT and BIND9( as a cached DNS) to allow the LAN computers to access the internet. I need to setup URL filtering to block access to porn sites (as this is company policy).
Is it possible to do this Just with NAT and BIND or do I have to setup a proxy server ? If it is possible, what should I do ?
I don't know much about BIND, so I can't comment on that, but you could block outgoing/forwarded traffic to certain sites using iptables (I assume that's what you're using for NAT). If the list of banned sites is continually growing, you could probably just insert more rules into the chain as more sites are added. If the IP of a site changes, you might need to restart the firewall to resolve the new address. As such you can't really filter URLs with iptables (or BIND, I would have thought), only domain names/IPs.
I was in a similar situation at a school where I was the administrator. We used Squid to determine who could use the web and where they could go. A couple of nice things about using Squid rather than iptables would be that you can use regular expressions in access controls (both for domains and URLs), and you can return a nice error page to tell the user that they were trying to do something naughty.
Originally posted by sind
but you could block outgoing/forwarded traffic to certain sites using iptables (I assume that's what you're using for NAT).
This is exactly what I want to do. The question is how ?
Quote:
As such you can't really filter URLs with iptables (or BIND, I would have thought), only domain names/IPs.
if it can do partial domain names or domain names with wildcard filtering then that would solve my problem as well.
Quote:
I was in a similar situation at a school where I was the administrator. We used Squid to determine who could use the web and where they could go. A couple of nice things about using Squid rather than iptables would be that you can use regular expressions in access controls (both for domains and URLs), and you can return a nice error page to tell the user that they were trying to do something naughty.
~sind
Yes, I know that, but a proxy server is not an option I've got.
It says in the man page for iptables that that syntax is valid, however iptables on my machine wouldn't let me do it. I think there must be a bug in the version that I have.
I remember using a rule like that to allow telnet access from a dynamic domain name to a server (using ipchains), the main problem was that the name was resolved when the rule was added, and so when the address of the dynamic domain name changed, access was blocked... And then access was opened to whoever got the IP address next... :-|
Anyway, that was a different situation. Hopefully the sites you want to block have fairly constant IPs.
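As an added example (not code from this thread or from any of its posters), the approach sind describes: a script that turns a list of blocked domain names into per-IP iptables DROP rules on the FORWARD chain. Because iptables stores addresses rather than names, the lookup happens only when the rules are generated, so the script is meant to be re-run from cron to follow sites whose IPs change; the chain name BLOCKED_SITES, the LAN interface eth1 and the blocklist entries are assumed/constructed values.

```shell
#!/bin/sh
# Added example, not from the thread. Generates iptables FORWARD rules that
# drop LAN traffic to every IPv4 address a list of blocked domain names
# currently resolves to. iptables matches addresses, not names: a hostname
# in a rule is looked up once, when the rule is added, so re-run this
# (e.g. hourly from cron) to track sites whose IPs change.
# Chain name BLOCKED_SITES and LAN interface eth1 are assumed values.
LAN_IF="${LAN_IF:-eth1}"
CHAIN="${CHAIN:-BLOCKED_SITES}"

# Resolve one name to IPv4 addresses, one per line, through the system
# resolver (glibc getent), i.e. via the same BIND9 cache the LAN uses.
# RESOLVE_CMD may name a replacement resolver for offline testing.
resolve_v4() {
    if [ -n "${RESOLVE_CMD:-}" ]; then
        "$RESOLVE_CMD" "$1"
    else
        getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
    fi
}

# Print the iptables commands for every non-comment line of the list file.
# They are printed rather than executed so they can be reviewed first
# (pipe into sh as root to apply). Only long-standing options are used.
gen_block_rules() {
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    echo "iptables -D FORWARD -i $LAN_IF -j $CHAIN 2>/dev/null"
    echo "iptables -I FORWARD -i $LAN_IF -j $CHAIN"
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while read -r dom; do
        resolve_v4 "$dom" | while read -r ip; do
            [ -n "$ip" ] || continue
            echo "iptables -A $CHAIN -d $ip -j DROP  # $dom"
        done
    done
}

# Offline demo with a constructed blocklist and a stub resolver; the
# addresses are documentation ranges, not real sites.
stub_resolve() {
    case "$1" in
        blocked.example)    printf '192.0.2.10\n192.0.2.11\n' ;;
        other.example.test) printf '198.51.100.5\n' ;;
    esac
}
demo_block_rules() {
    list=$(mktemp)
    printf '# constructed list\nblocked.example\n\nother.example.test # note\n' > "$list"
    RESOLVE_CMD=stub_resolve
    gen_block_rules "$list"
    unset RESOLVE_CMD
    rm -f "$list"
}
```

Running `gen_block_rules /etc/blocked-domains | sh` as root applies the rules; note the limitation sind raises, that an address reassigned to another host stays blocked until the next run.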
Hi, I was wondering what version of iptables it will work with. It doesn't work on my machine running Red Hat 9 with iptables v1.2.7a. Will there be any problems if I upgrade iptables?
What I did is a white list of sites every host needed to access; sites that are not listed are dropped. My current setup uses IP address filtering, and what I need is domain name filtering, but unfortunately it doesn't work on my version of iptables.