Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

01-28-2005, 08:48 AM #1
Senior Member
Registered: Jan 2003
Location: Malaysia
Distribution: Fedora Core, Slackware, Mac OS X, Debian, OpenSUSE
Posts: 1,210
firewall for privacy
Hi!
I would like to set up iptables to block IP net blocks belonging to advertising firms. Now I need some info on what kind of block I should use. Should I just DROP? Or use REJECT? Or DROP if traffic is from advert firms' IPs and REJECT if heading to advert firms' IPs?
How would this affect web browsing? Would I be bombarded with error messages instead of adverts?
Will there be an advantage if I use host.deny?
There is this article, http://www.ecst.csuchico.edu/~atman/spam/adblock.shtml, which redirects advert server addresses to the localhost address (127.0.0.1) using /etc/hosts. But if I want to protect multiple machines (different OSes), it would be kinda multiple work for me.
Thanks in advance.
Last edited by carboncopy; 01-28-2005 at 08:52 AM.

01-28-2005, 09:13 AM #2
Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
i suggest you DON'T try and do this using iptables... have you looked into using a filter??
i think you might like privoxy:
http://www.privoxy.org/
Last edited by win32sux; 01-28-2005 at 09:18 AM.

01-28-2005, 10:37 AM #3
Senior Member
Registered: Jan 2003
Location: Malaysia
Distribution: Fedora Core, Slackware, Mac OS X, Debian, OpenSUSE
Posts: 1,210
Original Poster
Am not a fan of using proxy
Anybody, with experience on this?

01-28-2005, 10:51 AM #4
Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
well if you really wanna do it with iptables you could simply create a reference in your iptables script to a text file containing the IP netblocks you wanna filter... or you could manually put them in your script... none of these methods will be very effective, though...
whether you use DROP or REJECT is really up to you, the site will be blocked either way... except of course with REJECT a reply will be sent to the host initiating the request...
you need to be very careful should you choose to do this filtering with iptables: the ad server netblocks will vary, and also there might be non-ad servers in a netblock you filter...
content filtering is the best way to block ads, IMHO... but you don't like proxies, and it seems like you like the idea of making your own blacklists, so maybe the /etc/hosts thing is the best option for you: yes, you can do DNS blocking for the whole network using the /etc/hosts file on your gateway if you want... just use a daemon like dnsmasq which will look at /etc/hosts, then do the usual 127.0.0.1 (or whatever IP you want) routine... it's very easy...
hosts on the lan making a dns request to the dns daemon for an ad host will be fed 127.0.0.1 (or whatever) as the address, so it'll be like doing the /etc/hosts thing on every machine, except you only have to do it on one... this way has the benefit that you won't need to touch iptables and the ad sites will be blocked even if the IPs change...
good luck...
Last edited by win32sux; 01-28-2005 at 11:37 AM.
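
The gateway approach described in post #4, as an added example that is not part of the original thread: a shell function that turns a hostname list into hosts-format entries that dnsmasq can serve to the whole LAN. The hostnames, the function names and the file path /etc/hosts.adblock are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build a hosts-format sinkhole list for dnsmasq on the gateway.
# All hostnames below are constructed samples, not a real ad-server list.

SINK_IP="127.0.0.1"   # address LAN clients receive for a blocked name

# stdin: one hostname per line (comments and blanks allowed).
# stdout: "IP hostname" lines, lowercased, validated and de-duplicated.
# Anything that is not a plain DNS name (URL, bare IP, stray punctuation)
# is dropped, so a sloppy list cannot inject odd entries into the hosts file.
build_sinkhole() {
    tr 'A-Z' 'a-z' | tr -d '\r' |
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    grep -E '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$' |
    grep -v -x -F 'localhost.localdomain' |
    sort -u |
    while read -r host; do
        printf '%s %s\n' "$SINK_IP" "$host"
    done
}

# Constructed sample input with the kinds of junk real lists contain.
sample_list() {
    cat <<'EOF'
# constructed sample blocklist
ads.example.com
ADS.example.com
tracker.example.net   # trailing comment
http://banner.example.org/x.gif
192.0.2.10
bad;name.example.com
localhost.localdomain
EOF
}

# On the gateway (path is hypothetical):
#   build_sinkhole < ad-hosts.txt > /etc/hosts.adblock
#   dnsmasq.conf:  addn-hosts=/etc/hosts.adblock
#   then send dnsmasq SIGHUP so it re-reads its hosts files.
sample_list | build_sinkhole
```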

01-28-2005, 12:37 PM #5
Member
Registered: Feb 2003
Location: Jersey shore,north
Distribution: Siduction the only way to do Debian Sid!
Posts: 500
Easier to use adblock in firefox. Some ad agencies use outside datacenters to host servers....same ipblock as say maybe a legit site. Blocking a whole block is asking for trouble.
I do use some block lists but......I don't update them anymore....soon I'd have to block the entire internet
just my 2cents

01-28-2005, 12:39 PM #6
Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally posted by ironwalker
Easier to use adblock in firefox.
not when you have TONS of computers on a LAN...
=)

01-28-2005, 08:44 PM #7
Senior Member
Registered: Jan 2003
Location: Malaysia
Distribution: Fedora Core, Slackware, Mac OS X, Debian, OpenSUSE
Posts: 1,210
Original Poster
Adblock in firefox doesn't block cookies. I know I can specify which domain or IP to block them. It is really too much hassle EVEN on ONE machine. And, it doesn't solve the problem once users use other browsers such as Mozilla, Safari, "you must be nuts to use IE", Opera, etc.
After a night's sleep, privoxy, suggested by win32sux, seems more attractive now. Will give it a try, so don't accuse me of not trying and being biased.