Linux - General: This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
Distribution: open SUSE 11.0, Fedora 7 and Mandriva 2007
Posts: 1,662
Original Poster
Thanks acid kewpie
I read a lot of online stuff and bought a book called Linux iptables.
ISBN-10: 0-596-00569-5
Those online materials tell how to block or allow websites.
So I know how to block a specific website using IPtables. Still, the purpose of using IPtables is not clear to me.
I hope blocking and allowing certain websites is called filtering. Please correct me.
I think it is fine to call those Ethernet sockets holes.
Distribution: open SUSE 11.0, Fedora 7 and Mandriva 2007
Posts: 1,662
Original Poster
Tinkster touched on the subject of Cisco certification.
No I have not tried those tests as yet.
I have some knowledge of Cisco as I studied them nearly 3 years ago. At home I have a Cisco router simulator too. So I practice Cisco commands when I find time.
In Cisco, you could block certain websites and I know how to do it. Those are called ACLs.
ACL stands for Access Control Lists.
iptables is a net-filter; you can apply varied rule-sets. If you
have even a basic understanding of ACLs you should know what iptables
is about.
From the man-pages you love so much:
Quote:
Code:
DESCRIPTION
Iptables is used to set up, maintain, and inspect the tables of IP packet
filter rules in the Linux kernel. Several different tables may be
defined. Each table contains a number of built-in chains and may also
contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each
rule specifies what to do with a packet that matches. This is called a
`target', which may be a jump to a user-defined chain in the same table.
Keep on reading from there - excellent info.
That said: no, if you don't use your Linux machine as THE router iptables
won't do you much good in the first place. Keep reading about the holes,
and try to get an understanding of IP networking before you dabble with
iptables ...
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900
Gins, the question is not about blocking or filtering as words. The question is about what you filter or block.
If you say "site", it is probable that you mean HTTP entities. So, 2 sites with different domain names and different owners but on the same shared hosting are surely different sites. But iptables is not about sites. iptables is about IP packets. So if two packets go to the same IP address (for example to the same physical server with only one interface and without additional addresses bound to the same interface card), they may have different destination sites but the same destination IP address. iptables will not think they have different destinations.
If you want to filter or block sites with iptables, you need to configure transparent proxying, i.e. all the traffic going to port 80 (http) will be intercepted and redirected to an HTTP proxy, which will assemble full requests (not separate packets, which can carry only parts of requests) and analyze them.
Let us say I have a single Linux server and 2 or 3 desktop computers which run on Linux. I will connect my router to share the computers.
The packets from the above sites will arrive at my server. What shall I do with IPtables in the above example?
[I think I need two NICs on my server.]
Nothing. You shall go back and re-visit the second part
of my post above.
You obviously have no understanding of the very basics
of traffic flow on a LAN. If your other computers connect
to your router their web-traffic won't even touch your
Linux machine, so whatever you do with IPtables there in an
attempt to block certain websites is futile. How about you
go back to the gym instead?
Congrats Gins, a very good bad example of using google.com there. google.com has LOTS of IP addresses and adds and removes them as they see fit. You would *NEVER* block google by IP in iptables. You would block it by the use of a proxy.
As others have mentioned, I am not picking up on mere terminology but highly differing functionality, and your lack of acknowledgement of that just goes to compound the fact that you really don't have even the basis of a knowledge of most of the constituent parts of this thread.
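The point raskin and acid_kewpie make above (iptables sees only destination IP and port, a proxy sees the requested site) as an added, simplified model that is not code from the thread. Every host name and address below is a constructed sample, and the iptables REDIRECT rule returned by redirect_rule() assumes the Linux box is the router with the LAN on the named interface and a proxy listening locally on the given port.

```python
from dataclasses import dataclass

# Constructed sample DNS (not real hosts): two sites sharing one address,
# and one site that answers from several addresses, as google.com does.
DNS = {
    "shop.example": ["203.0.113.10"],
    "blog.example": ["203.0.113.10"],  # same box as shop.example
    "bigsite.example": ["198.51.100.5", "198.51.100.6", "198.51.100.7"],
}

@dataclass
class Packet:
    dst_ip: str
    dst_port: int
    payload: bytes  # start of the TCP stream; only a proxy reassembles it

def ip_filter_allows(pkt: Packet, blocked_ips: set) -> bool:
    """All a packet filter (iptables DROP on destination) can decide on."""
    return pkt.dst_ip not in blocked_ips

def host_header(payload: bytes) -> str:
    """Pull the Host: header out of a reassembled HTTP/1.x request."""
    for line in payload.split(b"\r\n")[1:]:  # skip the request line
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode().lower()
    return ""

def proxy_allows(pkt: Packet, blocked_sites: set) -> bool:
    """What a transparent HTTP proxy can decide on: the requested site."""
    return host_header(pkt.payload) not in blocked_sites

def redirect_rule(lan_if: str, proxy_port: int = 3128) -> str:
    """nat rule that hands LAN port-80 traffic to a local proxy (the
    transparent proxying raskin describes); only useful on the router box."""
    return (f"iptables -t nat -A PREROUTING -i {lan_if} -p tcp --dport 80 "
            f"-j REDIRECT --to-ports {proxy_port}")

def request(site: str, ip: str) -> Packet:
    """Constructed GET to `site` sent to address `ip`."""
    return Packet(ip, 80, b"GET / HTTP/1.1\r\nHost: " + site.encode() + b"\r\n\r\n")

if __name__ == "__main__":
    by_ip = set(DNS["blog.example"])  # "block blog.example" done by address
    # False: shop.example is collateral damage, it shares the address
    print(ip_filter_allows(request("shop.example", DNS["shop.example"][0]), by_ip))
    # True: the proxy sees the Host header and lets shop.example through
    print(proxy_allows(request("shop.example", DNS["shop.example"][0]), {"blog.example"}))
    # True: blocking one of bigsite's addresses misses the other two
    print(ip_filter_allows(request("bigsite.example", DNS["bigsite.example"][1]), {DNS["bigsite.example"][0]}))
    print(redirect_rule("eth1"))
```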
Distribution: open SUSE 11.0, Fedora 7 and Mandriva 2007
Posts: 1,662
Original Poster
I never learnt IPtables. I have never worked with them. So it is correct to say that I have no basic knowledge of IPtables.
This is not the case with Cisco routing. I studied them at school and practised them too. However, I am no expert in Cisco routing. There are things I have never worked on in Cisco routing. Now VOIP is on the rise. I must learn stuff like VOIP and MPLS in Cisco.
How are you going to resolve VoIP issues if you don't understand the
traffic flow on your home network? Learn to crawl and walk before trying
to run ...
- it is a good and simple introduction to basic internet concepts (the lecture notes correspond to a course read in Russian, but they are in English despite the .ru domain). You will understand from it which box should be touched by which packet. A computer cannot affect a packet it doesn't see.
Distribution: open SUSE 11.0, Fedora 7 and Mandriva 2007
Posts: 1,662
Original Poster
Thanks raskin.
It is a good site.
You speak Russian. I do speak some Russian too. I have studied Russian and I have been to Russia many times. During the cold war period I flew, several times, with Russian Aeroflot.
For me Russian is a beautiful language. Nowadays my Russian is rotten. Sometimes I look at the Russian channel. I have cable TV at home.