LinuxQuestions.org

Linux - Security: iptables: blocking something.com for specific time (https://www.linuxquestions.org/questions/linux-security-4/iptables-blocking-something-com-for-specific-time-323649/)

farhan 05-15-2005 04:55 AM

iptables: blocking something.com for specific time & comparison with cisco IOS ACL
 
Hi

I'm doing a bit of a different implementation of iptables. What I want to do is block something.com for a specific time,
like blocking a specific web site during office hours and allowing it on the weekend.
But I don't want to add a separate rule for each web server of that web site. I just want to use the domain name so that it covers all web servers against it in the DNS record automatically.

Secondly, I need some comparison and features of iptables to compare with Cisco IOS ACLs, for implementing in a medium sized network.

Support from iptables and Cisco geeks needed; help will be highly appreciated.

THX

win32sux 05-15-2005 05:51 AM

using iptables to block hosts via DNS addresses is a bad idea, IMHO... it's not as effective as it looks at first sight... i'm not even sure it can be done, but if it can then i assume the DNS would be resolved when the script is run, and then the resolved IP would be inserted in the rule... so not only would it slow your script down (and be error-prone), but it would also be about as pointless as trying to filter ONE of the website's several IPs - and when the website IP your client is currently connected to changes it would be more than pointless, it would be useless... try blocking google.com with an iptables rule, for example - they have about a zillion IPs...

IMHO, your best bet is to use a content filtering proxy's blacklist feature... you'd preferably want a filter which will also do reverse-DNS resolution... an example is http://www.dansguardian.org/ - this way you just put "google.com" in the blacklist and it won't matter if the client tries to connect to "google.com" or any of the zillions of IPs associated with that domain - all the client's connection attempts would be denied - automatically... and yeah, you can easily set a cronjob to implement the blacklist rules you want at the times you want...

just my :twocents:...


mattLSO 06-11-2005 10:15 AM

The best thing to use for blocking something for a set period is to create a cronjob with two scripts:
one to add the filters, and one to remove them, and run the first at say 9am and the second at 5pm.

Example:
$ crontab -e
(this will open vi or EDITOR as defined in the environment variables)
# m h dom mon dow
0 9 * * * /path/to/addfilter
0 17 * * * /path/to/removefilter

As for the weekend, you could add a similar entry to run every Friday, say.

Save it and it will be installed.

man crontab will give you all of the information you need on using cron.

Regards
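Added example, not code from the thread or from any poster: one script that can serve as both the addfilter and removefilter targets in the crontab above ("add" and "remove" arguments), using a dedicated iptables chain so that the 5pm cleanup is a flush rather than a guess at rule numbers, and restricting the cron days to Monday to Friday so the weekend stays open as farhan asked. The chain name OFFICE_BLOCK, the BLOCKED_DOMAINS variable, the install path /usr/local/sbin/officeblock and the example.com placeholder are all assumptions. It also makes win32sux's point visible in code: the domain is resolved only when "add" runs, so the block covers whatever addresses DNS returned at that moment and nothing else.

```shell
#!/bin/sh
# Added example for the thread above (not the posters' code). Usage:
#   officeblock add     - resolve the domains now and reject HTTP/HTTPS to them
#   officeblock remove  - tear the block down again
#   officeblock cron    - print the two crontab lines to install
# Caveat (win32sux's objection): addresses are captured at "add" time only.

CHAIN="${CHAIN:-OFFICE_BLOCK}"                      # assumed chain name
BLOCKED_DOMAINS="${BLOCKED_DOMAINS:-example.com}"   # space-separated; example.com is a placeholder
IPTABLES="${IPTABLES:-iptables}"                    # set IPTABLES=echo for a dry run

# resolve_ipv4 DOMAIN: IPv4 addresses currently in DNS, one per line (getent, no dig needed).
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# gen_add_rules CHAIN IP...: one REJECT rule per address, HTTP and HTTPS only,
# printed as iptables arguments so they can be inspected before being applied.
gen_add_rules() {
    gar_chain=$1; shift
    for gar_ip in "$@"; do
        printf '%s\n' "-A $gar_chain -d $gar_ip -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset"
    done
}

# ensure_chain: create the chain (or empty it if it already exists) and hook it
# into FORWARD exactly once; -C checks for an existing jump before inserting.
ensure_chain() {
    $IPTABLES -N "$CHAIN" 2>/dev/null || $IPTABLES -F "$CHAIN"
    $IPTABLES -C FORWARD -j "$CHAIN" 2>/dev/null || $IPTABLES -I FORWARD -j "$CHAIN"
}

# add_block: resolve each domain NOW and reject traffic to what it resolved to.
# A domain that returns more addresses later, or a CDN rotation, is not covered.
add_block() {
    ensure_chain
    for ab_domain in $BLOCKED_DOMAINS; do
        ab_ips=$(resolve_ipv4 "$ab_domain")
        if [ -z "$ab_ips" ]; then
            echo "warning: $ab_domain did not resolve; nothing blocked for it" >&2
            continue
        fi
        # word splitting of $ab_ips and $rule is intended here
        gen_add_rules "$CHAIN" $ab_ips | while read -r rule; do
            $IPTABLES $rule
        done
    done
}

# remove_block: detach, flush and delete the chain; harmless if already gone.
remove_block() {
    $IPTABLES -D FORWARD -j "$CHAIN" 2>/dev/null
    $IPTABLES -F "$CHAIN" 2>/dev/null
    $IPTABLES -X "$CHAIN" 2>/dev/null
    return 0
}

# cron_entries [SCRIPT]: mattLSO's 9am/5pm pair, limited to Mon-Fri (dow 1-5)
# so nothing is blocked on the weekend.
cron_entries() {
    ce_script=${1:-/usr/local/sbin/officeblock}   # assumed install path
    printf '0 9 * * 1-5 %s add\n0 17 * * 1-5 %s remove\n' "$ce_script" "$ce_script"
}

case "${1:-}" in
    add)    add_block ;;
    remove) remove_block ;;
    cron)   cron_entries "$0" ;;
    "")     : ;;   # no argument: only define the functions (file can be sourced)
    *)      echo "usage: $0 add|remove|cron" >&2; exit 1 ;;
esac
```

Run it once with IPTABLES=echo to review the exact rules before installing the cron lines printed by "officeblock cron". Because the block is a snapshot of DNS at 9am, a site with many or rotating addresses will leak through during the day, which is why the proxy-based blacklist win32sux recommends is the more robust fit for the original question.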

