Old 04-30-2005, 10:52 PM   #1
abefroman
How can I block a URL with iptables?

I want to block everyone from accessing yahoo.com by using iptables, how can I do that?
 
Old 05-01-2005, 04:54 AM   #2
musicman_ace
It is possible; however, yahoo.com has several subdomains. I was searching for the other thread where I posted the iptables line for this, but we ended up with 6 rules, I think. That was several months ago that this question was brought up. The kicker here is to push an entry to the /etc/hosts file telling the computer that yahoo.com is 127.0.0.1. This is your best bet to get this working properly.
 
Old 05-01-2005, 06:30 AM   #3
abefroman
What are the 6 rules? I still want to be able to access yahoo, but don't want anyone else to.
 
Old 05-01-2005, 07:18 AM   #4
musicman_ace
iptables -A OUTPUT -d yahoo.com -j REJECT --reject-with icmp-host-unreachable

Since I'm not on a Linux machine, I can't tell you the other names you'll need. Open a terminal and type dig yahoo.com, then input the rules for each name.
 
Old 05-01-2005, 11:47 AM   #5
michaelsanford
You say you want to be able to access it but nobody else? What's your setup? Is this computer acting as a gateway for other computers or do you all share the same one?
 
Old 05-01-2005, 07:51 PM   #6
musicman_ace
The easiest way is still to push an /etc/hosts file to everyone else with yahoo.com spoofed.
 
Old 05-01-2005, 09:16 PM   #7
abefroman
How can I let myself through? My IP is 10.10.0.9.

Will this work?
iptables -A OUTPUT -s 10.10.0.9 -j ACCEPT
iptables -A OUTPUT -d yahoo.com -j REJECT --reject-with icmp-host-unreachable
iptables -N state_chk
iptables -A state_chk -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A state_chk -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A state_chk -j LOG --log-prefix "fw-state: "
iptables -A state_chk -j DROP

Is this the correct syntax?
iptables -A OUTPUT -s 10.10.0.9 -j ACCEPT

If I only want to block the guy next to me can I do:
iptables -A OUTPUT -s 10.10.0.10 -d yahoo.com -j REJECT --reject-with icmp-host-unreachable

Thanks in advance!
 
Old 05-01-2005, 09:49 PM   #8
musicman_ace
Your accept needs to be after all the blocks; however, you are still doing this the hard way.
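Posts #7 and #8 turn on where the ACCEPT for 10.10.0.9 sits relative to the block rules. iptables walks a chain top to bottom and the first rule whose matches all succeed decides the packet; a terminating target (ACCEPT, DROP, REJECT) ends evaluation, and the chain policy applies only if nothing matched. The script below is an added illustration, not code from this thread: a hypothetical first-match evaluator over a simplified rule format (source, destination, target) with constructed addresses, where 66.94.234.13 stands in for one resolved yahoo.com address. It shows that an exemption placed before the block keeps the admin's access, while the same ACCEPT placed after the block is never reached for the blocked address.

```shell
#!/bin/sh
# Hypothetical first-match evaluator for a simplified iptables chain (added
# example; not a real iptables implementation). A rule is one line
# "SRC DST TARGET", where SRC and DST are an IPv4 address or the word "any".
# Like iptables, the chain is walked top to bottom and the first rule whose
# source and destination both match decides the packet; if nothing matches,
# the chain policy applies.

# evaluate RULES SRC DST [POLICY]  ->  prints ACCEPT, REJECT or DROP
evaluate() {
    rules=$1; src=$2; dst=$3; policy=${4:-ACCEPT}
    while read -r rsrc rdst target; do
        case "$rsrc" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if { [ "$rsrc" = any ] || [ "$rsrc" = "$src" ]; } &&
           { [ "$rdst" = any ] || [ "$rdst" = "$dst" ]; }; then
            echo "$target"
            return 0
        fi
    done <<EOF
$rules
EOF
    echo "$policy"
}

# Constructed addresses: 10.10.0.9 is the machine that should keep access,
# 10.10.0.10 the neighbour, 66.94.234.13 stands in for one resolved yahoo.com address.
ADMIN=10.10.0.9
NEIGHBOUR=10.10.0.10
BLOCKED=66.94.234.13

# Exemption first, then the block: the admin matches the ACCEPT and never
# reaches the REJECT; everyone else falls through to it.
ACCEPT_FIRST="$ADMIN any ACCEPT
any $BLOCKED REJECT"

# Block first, then the exemption: every packet to the blocked address,
# the admin's included, hits the REJECT before the ACCEPT is consulted.
BLOCK_FIRST="any $BLOCKED REJECT
$ADMIN any ACCEPT"

# Narrow variant from post #7: reject only the neighbour's traffic to the address.
NEIGHBOUR_ONLY="$NEIGHBOUR $BLOCKED REJECT"

printf 'admin, accept first:     %s\n' "$(evaluate "$ACCEPT_FIRST" "$ADMIN" "$BLOCKED")"
printf 'admin, block first:      %s\n' "$(evaluate "$BLOCK_FIRST" "$ADMIN" "$BLOCKED")"
printf 'neighbour, accept first: %s\n' "$(evaluate "$ACCEPT_FIRST" "$NEIGHBOUR" "$BLOCKED")"
printf 'neighbour, narrow rule:  %s\n' "$(evaluate "$NEIGHBOUR_ONLY" "$NEIGHBOUR" "$BLOCKED")"
printf 'admin, narrow rule:      %s\n' "$(evaluate "$NEIGHBOUR_ONLY" "$ADMIN" "$BLOCKED")"
```

The same ordering rule applies to a real chain: `iptables -L -n --line-numbers` shows the order the kernel will use, and `-I CHAIN 1` inserts at the top where `-A` appends at the bottom.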
 
Old 05-01-2005, 09:50 PM   #9
michaelsanford
You can compress that idea into one rule
Code:
iptables -t nat -A PREROUTING -d yahoo.com ! -s 10.10.0.9 -j DROP
Which reads as "Append to NAT table's PREROUTING chain: if destination is yahoo.com and source is not 10.10.0.9, reject it"

That way you can still use your chain policy, since the jump (-j) directive stops the processing of the chain; there may be rules you wish to add in the future to prevent output from 10.10.0.9.

Also what is the purpose of the state_check chain?

PS musicman_ace still has the simplest solution, though it is not server-centric.

EDIT I fixed the above rule's target.

Last edited by michaelsanford; 05-02-2005 at 10:16 AM.
 
Old 05-02-2005, 02:16 AM   #10
musicman_ace
Quote:
Originally posted by michaelsanford
You can compress that idea into one rule
I'm not sure that would still work. Since yahoo.com isn't the FQDN, it will get resolved to one of the other FQDNs that exist. The other thread that discussed this was using hotmail as an example and in the end I think the person went with content filters rather than IP tables.

[edit]
I know this seems odd. It should block all IPs that get resolved from yahoo.com, but the last time we discussed this idea it didn't work the way we logically think it should.

Last edited by musicman_ace; 05-02-2005 at 02:29 AM.
 
Old 05-02-2005, 10:14 AM   #11
abefroman
Thanks! But I tried
iptables -t nat -A PREROUTING -d yahoo.com ! -s 10.10.0.9 -j REJECT
and got the error:
iptables v1.2.8: ! not allowed with multiple source or destination IP addresses
Try `iptables -h' or 'iptables --help' for more information.

When I removed
! -s 10.10.0.9
It gave the error:
iptables: Invalid argument

Got any tips?
 
Old 05-02-2005, 10:25 AM   #12
michaelsanford
Sorry I made a little mistake in the above rule. You do need some extra stuff to match multiple IPs, which yahoo has:
Code:
iptables -t nat -A PREROUTING -d 66.94.234.13 ! -s 10.10.0.9 -j DROP
iptables -t nat -A PREROUTING -d 216.109.112.135 ! -s 10.10.0.9 -j DROP
 
Old 05-02-2005, 10:48 AM   #13
Matir
You need to add a rule for each IP you wish to block, not each hostname. I assume, of course, that yahoo is a "theoretical" domain here: I don't know why you'd want to block yahoo, but that's not the point.

The rules above should work for you without a problem.
 
Old 05-02-2005, 12:25 PM   #14
abefroman
Thanks, that blocks yahoo.com but it's not blocking anything.yahoo.com
(yahooligans.yahoo.com and mail.yahoo.com still load)

Is there a way to block *.yahoo.com ?
 
Old 05-02-2005, 12:53 PM   #15
michaelsanford
To do it with iptables you need to find the IP address of every subdomain host (if it's different) and block that too.

Let me tell you, yahoo.com has a heck of a lot.
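Posts #4, #12, #13 and #15 converge on the same procedure: resolve each name with dig, then add one rule per address, because the 1.2.8 error in post #11 shows `!` is refused when a name expands to several addresses, and because a subdomain's addresses are not covered by the parent name. The script below is an added example (editor's code, not from the thread or the iptables project) that generates those rules instead of applying them, so they can be reviewed before being piped to sh as root. Two caveats it encodes: the REJECT target is only valid in the filter table, which is why `-j REJECT` in nat PREROUTING produced "Invalid argument" in post #11, and the nat table only sees the first packet of a connection, so filtering belongs in filter; and on a gateway, traffic from the other hosts traverses FORWARD, whereas OUTPUT only covers the gateway's own connections. The two addresses used for the offline sample are the ones quoted in post #12; the exempt source 10.10.0.9 is from post #7.

```shell
#!/bin/sh
# Added example (not code from the thread): turn "resolve the host, then one
# rule per address" into a script. Rules are printed, not applied, so the
# output can be reviewed before being piped to sh as root.

# block_host_rules CHAIN EXEMPT_SRC HOST ADDR...
# Emits one filter-table rule per address. iptables 1.2.8 refuses "!" together
# with a name that resolves to several addresses, and a per-address rule is
# what ends up in the kernel anyway, so the expansion is done explicitly here.
block_host_rules() {
    chain=$1; exempt=$2; host=$3; shift 3
    printf '# %s\n' "$host"
    for addr in "$@"; do
        printf 'iptables -A %s ! -s %s -d %s -j REJECT --reject-with icmp-host-unreachable\n' \
            "$chain" "$exempt" "$addr"
    done
}

# block_names_live CHAIN EXEMPT_SRC NAME...
# Live variant: resolves each name with dig (needs DNS and the dig binary; the
# offline checks below do not call it). A subdomain is not covered by the
# parent name (post #14), so list every name you care about explicitly, and
# re-run it when the addresses change.
block_names_live() {
    chain=$1; exempt=$2; shift 2
    for name in "$@"; do
        # keep only A records; dig +short also prints CNAME targets
        block_host_rules "$chain" "$exempt" "$name" \
            $(dig +short A "$name" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$')
    done
}

# lint_rule RULE -> returns 1 with a reason for two mistakes seen in this thread
lint_rule() {
    case "$1" in
        *"-t nat "*"-j REJECT"*)
            echo "REJECT is only valid in the filter table; put the rule in filter (FORWARD/OUTPUT)"
            return 1 ;;
    esac
    case "$1" in
        *"reject-with"*)
            case "$1" in
                *"-j REJECT"*) ;;
                *) echo "--reject-with is an option of the REJECT target; add -j REJECT"
                   return 1 ;;
            esac ;;
    esac
    return 0
}

# Constructed sample: the two addresses quoted in post #12, exempting 10.10.0.9.
# FORWARD is the chain other hosts' traffic crosses on a gateway.
block_host_rules FORWARD 10.10.0.9 yahoo.com 66.94.234.13 216.109.112.135
```

Usage on a live box would be `block_names_live FORWARD 10.10.0.9 yahoo.com mail.yahoo.com | sh` after reading the output. Address-based rules are only as current as the last resolution, which is the practical reason posts #2 and #10 point at name-based blocking (hosts file, DNS or a content filter) for a domain with many hosts.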
 