LinuxQuestions.org
Old 11-17-2008, 10:31 AM   #1
AndrzejL
Member
 
Registered: Jun 2008
Distribution: PCLinuxOS
Posts: 38

Rep: Reputation: 15
[SOLVED] Minime server with IPtables forwarding. How to block www by host or IP?


Hola Boys and Girls.

I have a tiny problem. It's not really a problem, but something that bothers me a lot. I have a laptop, an old IBM ThinkPad 600E which runs PCLinuxOS 2008 MiniMe with a Nokia N73 set up as a modem and dialed by kppp. I have a USB wifi card in it as well and I am sharing the internet connection with my 4 other ad-hoc wifi network laptops. 1 of them is Windows 2000, the 3 others are MiniMe as well. This is done by iptables. I have written and am using 2 little scripts that are doing it for me.

Name kpppauto.sh

kppp -c 3G

Name ICS.sh

#!/bin/sh
# NAT everything leaving on the 3G link (ppp0); let replies back in to the wifi side
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/sbin/iptables -A FORWARD -i ppp0 -o rausb0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# let anything from the wifi clients (rausb0) out to the 3G link
/sbin/iptables -A FORWARD -i rausb0 -o ppp0 -j ACCEPT

I have placed them into /home/hagrid/.kde/Autostart and it really works great.

If kppp disconnects for any reason, the laptop reboots itself, connects and continues sharing again.

IPs are static and DNS as well.

My question is

How can I block certain pages from being accessed in my network?

Is there a file, like the blacklist for modules, where I can type in an IP or host so that nobody will be able to access this page? I don't want to use any extra software, but if what I am planning to do is impossible, then what software would you recommend? Would I have to redo the whole server?

I have a few little visitors and they use the www when they are at my place, but I wouldn't really like to explain to their parents, who are good friends of mine, why their child could see porn or some other forbidden content on the net and how come the parental filter is not on.

What do you reckon? Am I dreaming here?

Thanks in advance for any help.

Andy

Last edited by AndrzejL; 01-06-2009 at 05:06 AM. Reason: Solved
 
Old 11-17-2008, 01:34 PM   #2
zQUEz
Member
 
Registered: Jun 2007
Distribution: Fedora, RHEL, Centos
Posts: 294

Rep: Reputation: 54
I think you are dreaming, because think of the sheer number of websites you would want to block, and yet your plan is to manually add IPs/websites to a blacklist. I think it would be a full-time job just adding all those sites.

However, if you wanted to use IPTables, you could simply add a drop to your outbound tables, like:

iptables -I OUTPUT 1 -p tcp -d 12.12.12.12 --dport 80 -j DROP
(where 12.12.12.12 is the IP of the porn site).
And then you could add a rule per site (script it to add a rule for each IP address). Also, the more rules you add, the slower your entire network is likely to be, as each rule is processed before allowing the packet out. 50 rules, not so bad ... 1000+, you will see some slowdown.

I think it would be easier + less overhead on your laptop and your time to use Squid proxy and some form of free websense.
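A worked version of the iptables approach, added here as an example; it is not code from the thread. One caveat the reply above does not spell out: a rule in the OUTPUT chain only sees packets the laptop itself generates. Packets from the wifi clients are forwarded by the gateway and traverse the FORWARD chain instead, so a blocklist for the clients has to go there, and it has to be inserted ahead of the blanket ACCEPT from ICS.sh or it will never be reached. That is the most likely reason the bebo rule tried later in the thread had no visible effect (the other being that a CDN-hosted site resolves to several addresses). The script reads a blocklist of addresses and either prints or applies DROP rules in FORWARD for ports 80 and 443; the interface names are the ones from the thread, the blocklist file contents are constructed (the 198.51.100.0/24 entry is a documentation range, not a real site). Two further caveats: the akamai address bebo resolved to is shared by many unrelated sites, so an IP rule blocks all of them; and for thousands of entries a single ipset match is the usual replacement for the long linear chain warned about above.

```shell
#!/bin/sh
# Added example (not from the thread): emit or apply DROP rules for a list of
# destination addresses on the NAT gateway. Client traffic is forwarded, so the
# rules go in FORWARD, not OUTPUT, and -I puts them ahead of ICS.sh's ACCEPT.
LAN_IF=${LAN_IF:-rausb0}   # wifi side, as in the thread
WAN_IF=${WAN_IF:-ppp0}     # 3G side, as in the thread

# gen_rules: read "IP" or "IP/prefix" entries from stdin (blank lines and
# "#" comments ignored) and print one iptables command per entry and port.
# Anything that is not a dotted quad (e.g. a host name) is reported and skipped;
# iptables has no notion of names, only addresses.
gen_rules() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    while IFS= read -r target || [ -n "$target" ]; do
        [ -n "$target" ] || continue
        case $target in
            *[!0-9./]*) echo "skipping non-IP entry: $target" >&2; continue ;;
        esac
        for port in 80 443; do
            printf '/sbin/iptables -I FORWARD 1 -i %s -o %s -p tcp -d %s --dport %s -j DROP\n' \
                "$LAN_IF" "$WAN_IF" "$target" "$port"
        done
    done
}

# count_rules: number of rules gen_rules would emit for the list on stdin;
# a quick sanity check before applying (two rules per address: 80 and 443).
count_rules() {
    gen_rules | wc -l | tr -d ' '
}

# Constructed sample blocklist, not a real policy. 195.27.154.11 is the
# address the original poster got when pinging www.bebo.com in 2008.
SAMPLE_LIST='# sites to block
195.27.154.11      # www.bebo.com (akamai) at the time
198.51.100.0/24    # RFC 5737 documentation range, stands in for another site
'

if [ "${1:-}" = apply ]; then
    printf '%s' "$SAMPLE_LIST" | gen_rules | sh -e    # needs root
else
    printf '%s' "$SAMPLE_LIST" | gen_rules            # dry run: only print
fi
```

Run it without arguments to review the rules, with `apply` as root to load them; the FORWARD chain can then be checked with `iptables -L FORWARD -n -v --line-numbers`, where the DROP rules must appear above the rausb0-to-ppp0 ACCEPT.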
 
Old 11-17-2008, 01:44 PM   #3
AndrzejL
Member
 
Registered: Jun 2008
Distribution: PCLinuxOS
Posts: 38

Original Poster
Rep: Reputation: 15
Hi Bud!

I have the list of the websites ready, so there is no hassle. I like crazy ideas and I just needed to find out whether there is a way. I will try your idea and let you know if it works. Would I be able to do something similar with a host? For example, www.google.ie has a dynamic IP and blocking one IP wouldn't do it.

Thanks for replying

Andy
 
Old 11-18-2008, 05:30 AM   #4
zQUEz
Member
 
Registered: Jun 2007
Distribution: Fedora, RHEL, Centos
Posts: 294

Rep: Reputation: 54
.... not with iptables, because of where in the IP layer it works. It doesn't know about DNS (unless there is a mod I am not aware of).

If you are just trying to see if you can do it - I am all for it. But if you want a working solution, you really should be using Squid and a site blocker that works on host addresses.

Last edited by zQUEz; 11-18-2008 at 05:33 AM.
 
Old 11-18-2008, 02:44 PM   #5
AndrzejL
Member
 
Registered: Jun 2008
Distribution: PCLinuxOS
Posts: 38

Original Poster
Rep: Reputation: 15
OK.
Quote:
If you are just trying to see if you can do it - I am all for it.
I am trying to block a few nasty pages, about 30 of them at the most. I have tried your idea from yesterday:
iptables -I OUTPUT 1 -p tcp -d 12.12.12.12 --dport 80 -j DROP
(where 12.12.12.12 is the IP of the porn site)
should block it.

[hagrid@WISHMASTER ~]$ ping www.bebo.com
PING a500.c.akamai.net (195.27.154.11) 56(84) bytes of data.
64 bytes from 195.27.154.11: icmp_seq=1 ttl=52 time=378 ms

--- a500.c.akamai.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 378.525/378.525/378.525/0.000 ms

I am using bebo as an example here. This command should look like this, right?

iptables -I OUTPUT 1 -p tcp -d 195.27.154.11 --dport 80 -j DROP

I have typed it all at the server and I could still load bebo.

I have added it to my ICS.sh script and rebooted.

Bebo is still coming up...

Any other ideas? If I could block it by IP only, I could still manage, but by host would be ideal.

Joble from www.pclinuxos.com gave me this idea

Quote:
This looks interesting:
http://onlyubuntu.blogspot.com/2007/...p-blocker.html

Haven't checked the repos for it yet.

It's in the repos:
iplist
a list based packet handler
iplist is a list based packet handler which uses
the netfilter netlink-queue library (kernel 2.6.14 or
later). It filters by IP-address and is optimized for
thousands of IP-address ranges.

http://iplist.sourceforge.net/

Let me know if you don't like it, and I'll keep looking.
but I would rather use something from the command line, as graphic mode will put the server under more pressure, especially since I am using KDE and this works with GNOME. Or am I wrong here?

I am all ears.

Andy
 
Old 01-06-2009, 05:05 AM   #6
AndrzejL
Member
 
Registered: Jun 2008
Distribution: PCLinuxOS
Posts: 38

Original Poster
Rep: Reputation: 15
Quote:
OK. Here is what I did: instead of sharing my internet connection via static IP, I have redone the server with DHCP and a proxy, and then I ran as root from the konsole

Quote:
iptables -I OUTPUT 1 -p tcp -d 12.12.12.12 --dport 80 -j DROP
where 12.12.12.12 is an IP of an unwanted website, i.e. bebo, so now :P when someone is trying to access bebo he gets this

Quote:
ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://www.bebo.com/

The following error was encountered:

* Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is root.
Generated Mon, 05 Jan 2009 15:23:25 GMT by myfirewall@nightwish.com (squid/2.6.STABLE1)
but this was not enough.

I went to /etc/hosts

and added the line

127.0.0.1 www.pudelek.pl   # hosts(5) format: address first, then the host name(s)

so now when someone is trying to get to this www he gets:

Quote:
The requested URL could not be retrieved

While trying to retrieve the URL: http://mobile.3ireland.ie/pc/Live/pcreator/live/mwsun

The following error was encountered:

Unable to determine IP address from host name for mobile.3ireland.ie

The dnsserver returned:

Name Error: The domain name does not exist.

This means that:

The cache was not able to resolve the hostname presented in the URL.
Check if the address is correct.

Your cache administrator is root.
Generated Mon, 05 Jan 2009 15:26:02 GMT by myfirewall@nightwish.com (squid/2.6.STABLE1)
which means I can block any website by IP or host. Makes no difference!

This distro ROX! Big time!

THANK YOU ALL FOR YOUR HELP! YOU ARE THE GREATEST!

Andy
Hi lads, I have solved this case. I re-did the server from static IP to a DHCP, proxy, caching gateway.

Andy

Last edited by AndrzejL; 01-06-2009 at 05:07 AM.
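The "Access Denied ... Access control configuration prevents your request" page quoted in the post above is Squid's own error page, so in the final setup it is the proxy's http_access policy, not the iptables rule, that blocks bebo, and Squid is also what makes blocking by host name possible: it sees the name the client asked for, which iptables never does. The example below, added here and not code from the thread, turns a plain list of unwanted sites into a Squid `dstdomain` ACL file and the `http_access` lines that go with it, and adds the iptables rules that keep a wifi client from walking around the proxy. It assumes Squid on the gateway listening on port 3128, the wifi network 192.168.1.0/24 on rausb0, and configuration under /etc/squid; the sample list is constructed. Two caveats for the /etc/hosts trick in the post: the hosts(5) line must have the address first, and it only changes name resolution on the gateway itself (which is enough when every request passes through Squid, but does nothing for a client that resolves names on its own). Transparent redirection handles only plain HTTP; HTTPS is not intercepted, so clients that should be filtered on port 443 as well need the proxy configured explicitly, with a matching FORWARD drop for 443.

```shell
#!/bin/sh
# Added example (not from the thread): build a Squid dstdomain blocklist, the
# http_access lines that use it, and the iptables rules that force wifi
# clients through the proxy. Paths, network and sample list are assumptions.
SQUID_CONF_DIR=${SQUID_CONF_DIR:-/etc/squid}
LAN_IF=${LAN_IF:-rausb0}
WAN_IF=${WAN_IF:-ppp0}
WIFI_NET=${WIFI_NET:-192.168.1.0/24}

# normalize: accept "www.bebo.com", "http://www.bebo.com/path", "BEBO.COM:80"
# and print one lowercase host name per line, deduplicated. Comments ("#"),
# scheme, port and path are stripped.
normalize() {
    sed -e 's/#.*//' \
        -e 's#^[[:space:]]*[A-Za-z]*://##' \
        -e 's#[/:].*$##' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    tr '[:upper:]' '[:lower:]' |
    grep -v '^$' |
    sort -u
}

# acl_entries: in Squid, dstdomain "bebo.com" matches only that exact host,
# while ".bebo.com" matches bebo.com and every subdomain. Listing www.bebo.com
# alone would leave bebo.com and m.bebo.com reachable, so a leading "www." is
# dropped and the dotted form is emitted.
acl_entries() {
    normalize | sed -e 's/^www\.//' -e 's/^/./' | sort -u
}

# squid_conf_snippet: Squid uses the first http_access line that matches, so
# the deny must come before the allow for the wifi network; put after it, the
# deny would never fire and every site would be allowed.
squid_conf_snippet() {
    cat <<EOF
acl wifi src $WIFI_NET
acl blocked dstdomain "$SQUID_CONF_DIR/blocked_sites"
http_access deny blocked
http_access allow wifi
http_access deny all
EOF
}

# force_proxy_rules: a client that simply does not use the proxy would
# otherwise go straight out through the NAT and never meet the ACL. Redirect
# wifi port-80 traffic into Squid (Squid 2.6 needs "http_port 3128 transparent")
# and drop anything that still tries to leave on port 80 directly.
force_proxy_rules() {
    cat <<EOF
/sbin/iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports 3128
/sbin/iptables -I FORWARD 1 -i $LAN_IF -o $WAN_IF -p tcp --dport 80 -j DROP
EOF
}

# Constructed sample list, not the thread author's real blocklist.
SAMPLE_LIST='# sites to block
http://www.bebo.com/
WWW.PUDELEK.PL
bebo.com        # same site as the first entry once normalised
'

if [ "${1:-}" = install ]; then
    printf '%s' "$SAMPLE_LIST" | acl_entries > "$SQUID_CONF_DIR/blocked_sites"
    force_proxy_rules | sh -e        # needs root
else
    echo "# $SQUID_CONF_DIR/blocked_sites would contain:"
    printf '%s' "$SAMPLE_LIST" | acl_entries
    echo "# lines to add to squid.conf:"
    squid_conf_snippet
    echo "# iptables rules to apply:"
    force_proxy_rules
fi
```

Without arguments the script only prints what it would install; with `install` as root it writes the ACL file and loads the redirect rules, after which the five lines it prints go into squid.conf and Squid is reloaded with `squid -k reconfigure`. Whether the deny really sits before the allow can be confirmed from a client by fetching a listed site and checking that Squid answers with its Access Denied page rather than the site.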
 
  


All times are GMT -5.