
barcaalep 10-08-2008 04:24 AM

BLOCK any web site ( IPTABLES )
Hello everyone,
I am using openSUSE 11 and I installed IPTABLES. I want to write IPTABLES instructions that block any web site.

I tried this but it doesn't work:

iptables -A INPUT -i eth0 -s -j DROP

salasi 10-08-2008 09:49 AM

Did you check first that you weren't fighting with the SuSEFirewall2 system, which has been known to override hand-amended firewall rulesets? In effect, do you know that the ruleset was what you expected before you changed it and that your change was made?

Secondly, you are not behind a router (anything that is, in effect, a router, whether it says that on the box or not, e.g., some of the ADSL modems are in effect routers)?

If those are both ok, it would be a lot easier if we could see more of your ruleset than this as something else may be coming into play.

Additionally, note that this will only work with nominated ip addresses and if the web site uses more than one or it changes, that will be problematic. As it will be if the web site changes ip address, of course.

jschiwal 10-08-2008 11:04 AM

Look in /etc/sysconfig/SuSEfirewall2. You can enter the name of a file with your own rules to add.


## Type:        string
# 25.)
# Do you want to load customary rules from a file?
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom

You might want to block outbound traffic instead of INPUT to block contacting the website.

Part of the reason your rule didn't work is because it is located after a rule that accepted the traffic.

sudo /usr/sbin/iptables  -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere
ACCEPT    all  --  anywhere            anywhere            state NEW,RELATED,ESTABLISHED

Use the OUTPUT or INPUT filter to only list the table you need and insert the rule where it needs to be.
If your test iptables command works, then edit /etc/sysconfig/SuSEfirewall2 and /etc/sysconfig/scripts/SuSEfirewall2-custom so that your rule is run when the firewall service starts.

Because the OUTPUT table is probably not used much, you could create a startup script in /etc/rc.d/ that runs after the SuSEfirewall2 service and inserts a rule before the others in the OUTPUT table. If you use -I to insert the rule instead of -A (adding the rule), your iptables command would probably work.
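
Added example, not part of the post above: a simplified shell model of the first-match ordering it describes, showing why a DROP appended with -A behind an ACCEPT-all rule is never reached while one inserted with -I is. The first_match helper, both rulesets and the documentation address 203.0.113.10 are constructed for illustration; only -d and -j are interpreted.

```shell
#!/bin/sh
# Simplified model of how one iptables chain is evaluated: rules are checked
# top to bottom and the first matching rule decides. Rules are given in
# `iptables -S` form, one per line. Assumption: only -d and -j are parsed;
# any other match (e.g. -m state) is treated as matching a new connection.

# first_match RULES DEST_IP
# Prints "<rule number> <target>" for the first rule matching DEST_IP,
# or "0 POLICY" if no rule matches and the chain policy would apply.
first_match() {
    rules=$1 dest=$2 n=0
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        n=$((n + 1))
        d="" target=""
        set -- $rule                      # split the rule into words
        while [ $# -gt 0 ]; do
            case $1 in
                -d) d=${2%/32}; shift ;;  # destination, /32 suffix removed
                -j) target=$2; shift ;;   # verdict of this rule
            esac
            shift
        done
        # A rule without -d matches every destination.
        if [ -z "$d" ] || [ "$d" = "$dest" ]; then
            echo "$n $target"
            return 0
        fi
    done <<EOF
$rules
EOF
    echo "0 POLICY"
}

# Constructed ruleset: the OUTPUT chain listed in the post, plus a DROP
# that was appended with `iptables -A OUTPUT -d 203.0.113.10 -j DROP`.
APPENDED='-A OUTPUT -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -j DROP'

# Same chain when `iptables -I OUTPUT 1 -d 203.0.113.10 -j DROP` is used.
INSERTED='-A OUTPUT -d 203.0.113.10/32 -j DROP
-A OUTPUT -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT'

first_match "$APPENDED" 203.0.113.10   # rule 1 ACCEPT wins, DROP never reached
first_match "$INSERTED" 203.0.113.10   # rule 1 is now the DROP
first_match "$INSERTED" 198.51.100.7   # other destinations still accepted
```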

barcaalep 10-09-2008 11:33 AM

ok guys thanks for the help :)

The rule that blocks the IP address works and it was added to the firewall rules, BUT the problem is I am surfing the internet using a proxy, so how can I do that?
Even if iptables blocks the IP address, my PC doesn't really connect to that IP because it connects to the proxy server then

Sreenivasan 10-12-2008 05:15 AM

Applying iptables firewall rules: Bad argument `any'
Error occured at line: 12
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

salasi 10-13-2008 05:26 AM


Originally Posted by Sreenivasan (Post 3307524)
Applying iptables firewall rules: Bad argument `any'
Error occured at line: 12
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Is this supposed in some way to be relevant (and are you a sock puppet?) to the original problem or is it a new problem which is only related to the original problem in that it also concerns iptables?

If this is a new problem (and then a new thread probably would have been a better choice) the information that you give is that you have an error in line 12, but you don't give any details of what might be in line 12 or any context so that someone can see what line 12 should be doing. This does not seem like an action likely to lead to anyone knowing enough about your circumstances to offer you much help.

I shouldn't do this from memory, but offhand I can't think of many (any?) iptables commands where 'any' is a valid argument, so that could be your problem. But you will have looked at that when you saw the error message, won't you? It is unknown to me what kind of outcome you hope for from posting this fragment.
