LinuxQuestions.org, Linux - Security forum
04-25-2006, 12:32 PM   #1
murphydims (LQ Newbie)
Using iptables, how do I block a file listing of websites?


Hi guys,
I have been informed that one can block a list of sites listed/saved in a file by using firewall rules/iptables. I use Red Hat Enterprise 3 and I have a set of firewall rules for internet sharing and security that looks like this.

*filter
:INPUT DROP [117:62544]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1180:576525]
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -i ! eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 64.235.230.106 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Apr 11 15:46:43 2006
# Generated by iptables-save v1.2.8 on Tue Apr 11 15:46:43 2006
*nat
:PREROUTING ACCEPT [241:76631]
:POSTROUTING ACCEPT [15:5946]
:OUTPUT ACCEPT [53:31646]
-A POSTROUTING -o eth0 -j SNAT --to-source 80.190.56.192
COMMIT
# Completed on Tue Apr 11 15:46:43 2006
# Generated by iptables-save v1.2.8 on Tue Apr 11 15:46:43 2006
*mangle
:PREROUTING ACCEPT [1322:573941]
:INPUT ACCEPT [1191:541126]
:FORWARD ACCEPT [131:32815]
:OUTPUT ACCEPT [1190:582879]
:POSTROUTING ACCEPT [1331:616335]
COMMIT
# Completed on Tue Apr 11 15:46:43 2006

So eth0 is the external card while eth1 is the LAN card on which I have workstations, but I don't know how to include a rule to block only the workstations from browsing any of the sites listed and saved in the file sites.txt.

NB: it's easier this way because I have a wide range of sites that need to be blocked; it won't do to set a rule for each one by one. Please, I need help.
murphy.

04-25-2006, 04:09 PM   #2
macemoneta (Senior Member)
As far as I am aware, you have either been misinformed or misinterpreted what was meant.

IPTABLES is a kernel function, and does not dynamically read files for data. You can create a script to transform a list of IP addresses into a block list, which can be loaded by IPTABLES. However, large rule sets can significantly impact network performance and consume memory.

If you simply want to remove the directory listing from a web site, then remove the 'Options Indexes' from the web server configuration (if you have access to it).
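The "script to transform a list into a block list" that macemoneta describes, as an added example that is not part of the thread and not macemoneta's code. It assumes sites.txt holds one IPv4 address per line (the chain name SITEBLOCK is a chosen name, and the sample list is constructed so the script runs offline); hostnames are reported and skipped rather than resolved, because a name maps to several, changing addresses and a static filter built from them would silently go stale.

```shell
#!/bin/sh
# Added example, not from the thread: build an iptables-restore fragment
# from a plain list of IPv4 addresses. Hostnames are deliberately not
# resolved; such lines are reported on stderr and skipped.

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0-255.
is_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read the list in $1 and print a *filter fragment that defines chain
# SITEBLOCK (assumed name) rejecting traffic to every listed address.
# Blank lines and anything after '#' are ignored.
build_blocklist() {
    file=$1
    echo '*filter'
    echo ':SITEBLOCK - [0:0]'
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')   # drop whitespace
        [ -n "$line" ] || continue
        if is_ipv4 "$line"; then
            echo "-A SITEBLOCK -d $line -j REJECT --reject-with icmp-port-unreachable"
        else
            echo "skipping entry that is not an IPv4 address: $line" >&2
        fi
    done < "$file"
    echo 'COMMIT'
}

# Constructed sample sites.txt so the script runs offline: the address the
# poster already rejects in OUTPUT, a TEST-NET-2 address, a hostname
# (skipped) and a malformed entry (skipped).
SAMPLE="${TMPDIR:-/tmp}/sites-example-$$.txt"
cat > "$SAMPLE" <<'EOF'
# constructed sample list, one entry per line
64.235.230.106
198.51.100.7
www.example.com

10.0.0.300
EOF

build_blocklist "$SAMPLE"
```

Load the output with `iptables-restore -n < fragment`; `-n` adds to the running tables instead of flushing them, and the `:SITEBLOCK` chain line recreates just that chain, so re-running the script after editing sites.txt replaces the old list. The chain is only reached if FORWARD jumps to it: one line, `-A FORWARD -i eth1 -o eth0 -j SITEBLOCK`, has to go above the existing `-A FORWARD -i eth1 -o eth0 -j ACCEPT` in the saved ruleset, since rules are matched in order and that ACCEPT would otherwise win. Two caveats follow from macemoneta's point: a hostname that resolves to several or changing addresses cannot be expressed as one rule, and rejecting by address also cuts off every other site hosted on the same address.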
 
04-25-2006, 05:58 PM   #3
DaveG (Member)
If you want to _enforce_ a security policy for HTTP, then the best way is to set up a proxy such as squid or privoxy. I believe both can be configured to block sites based on a dynamic list, possibly in their own formats. Once configured and running you can "force" users to use it by turning off all HTTP forwarding and provide "proxy autoconfigure" facilities. Users need only change one setting in their browser. I use privoxy and I can add and remove blocked sites on-the-fly. Users benefit from faster web pages since most of the advertising is filtered out for them. Squid provides a local cache and hooks for all kinds of filters and blocks.

I believe there is an iptables module (ipt_filter?) that can block connections by matching regular expressions in the data stream, but it's not widely used and difficult to make it work well.
 
04-26-2006, 10:23 AM   #4
murphydims (LQ Newbie, original poster)
How do you block sites with a proxy?

Thanks for the tip, but one thing: "How do I block sites with a proxy?"
 
04-26-2006, 11:49 AM   #5
DaveG (Member)
Privoxy was designed mainly to improve web privacy. It comes complete with a set of default filters that list known "problem" sites, known advertising strings and image sizes etc.

All you need to do is configure your browser to use the proxy, usually port 8118 for privoxy, and see what gets through. Anything you don't want, find the web address and add it to privoxy's user configuration through the built-in web interface. Adding a name like ".hacked-site.com" to the "block" list will block all sites whose domain name ends with .hacked-site.com, replacing it with an information page to tell the user what happened and how to change it. There are plenty of filtering options but basic allow/block is the best place to start.
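What the block list DaveG edits through the web interface looks like on disk, as an added example that is not from the thread: a privoxy user.action fragment with the ".hacked-site.com" entry from his post plus constructed placeholder domains. It assumes the default file name user.action and the default `actionsfile user.action` line in privoxy's config.

```text
# Added example (not from the thread): privoxy user.action fragment.
# Sections are evaluated in order and the last matching pattern wins,
# so exceptions go after the blanket block section.

# Block every host whose domain name ends with these names (DaveG's
# .hacked-site.com entry; the other two are constructed placeholders).
# The text in braces is shown on the information page users see.
{+block{Blocked by local policy.}}
.hacked-site.com
.ads.example.net
tracker.example.org

# Allow a single host inside a blocked domain that users still need.
{-block}
intranet.hacked-site.com
```

Privoxy reloads the file when it changes, which is what makes on-the-fly additions work. For LAN workstations rather than the local browser, the proxy must listen on the eth1 address instead of the default `127.0.0.1:8118` and accept those clients via `permit-access`; and the policy is only enforced once the poster's `-A FORWARD -i eth1 -o eth0 -j ACCEPT` line stops letting workstations reach port 80 directly, as DaveG's "turning off all HTTP forwarding" describes.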
 
  

