Blocking access to a website with iptables is straightforward using the string match, which searches the payload of each packet for a byte sequence. The rule below rejects any outgoing TCP packet whose payload contains the site's hostname; for a web browser that is the HTTP Host header, or the server name (SNI) in the TLS ClientHello for HTTPS.
[root@2403-4800-25af-b00--2 Videos]# iptables -A OUTPUT -p tcp -m string --string "dailytelegraph.com.au" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
Loading the site in a browser is then futile. The TCP handshake still completes, because the SYN carries no payload, but the request that carries the hostname is rejected; an ICMP port-unreachable on an established TCP connection is only a soft error, so the browser keeps retransmitting until the connection times out. Keep in mind that this is a plain substring match on every outgoing TCP packet, so anything else you send that happens to contain the same text (a mail, a chat message) is rejected as well.
A more useful ruleset, in iptables-save format, drops inbound ping (ICMP echo requests, type 8) and inbound telnet and FTP, and rejects outgoing packets for the unwanted websites. Two things to note before loading it as-is: the INPUT policy is DROP and no rule accepts established or related traffic, so on its own this ruleset would also drop the replies to your own outbound connections (add -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT near the top of the INPUT chain); and the string match is literal, so the "*" in "*4chan.org" is not a wildcard and that rule can never match, while "4chan.org" on its own would already cover boards.4chan.org.
# Generated by iptables-save v1.4.21 on Thu Mar 20 16:04:48 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i wlan0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 21 -j DROP
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "dailytelegraph.com.au" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "*4chan.org" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "boards.4chan.org" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Mar 20 16:04:48 2014
Save the rules to a file and load them with iptables-restore. The file is in iptables-save format, not a shell script, whatever its name; iptables-restore replaces the current contents of the filter table with it.
[root@2403-4800-25af-b00--2 Documents]# iptables-restore < iptables.sh
Then list the loaded rules to check them. iptables -S prints them in the same rule syntax; the string match's --to 65535 is its default value, so it is omitted from the listing.
[root@2403-4800-25af-b00--2 Documents]# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i wlan0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 21 -j DROP
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "dailytelegraph.com.au" --algo kmp -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "*4chan.org" --algo kmp -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m string --string "boards.4chan.org" --algo kmp -j REJECT --reject-with icmp-port-unreachable
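As an added example, not part of the original post, the following POSIX shell script builds a corrected version of the ruleset above as an iptables-restore file: it keeps the DROP policies and the ping/telnet/FTP rules, accepts loopback and established/related traffic on INPUT so that replies to outbound connections still get in, and emits the website rules from a list of plain substrings (no "*"). The hostname list, the output path /tmp/blocklist.rules and the helper names are this example's own choices. It writes the file and only checks its syntax; loading it is left to the reader.

```shell
#!/bin/sh
# Added example (not the original post's code): generate a hardened version of
# the page's ruleset as an iptables-restore file. Nothing here changes the live
# firewall; review /tmp/blocklist.rules and load it with
#   iptables-restore < /tmp/blocklist.rules
# as root when you are happy with it.

# Hostnames to block (constructed list; edit to taste). Each one is matched as a
# literal substring of the outgoing TCP payload, so "4chan.org" already covers
# boards.4chan.org and a "*" would never match anything.
BLOCKED="dailytelegraph.com.au 4chan.org"

# Emit one OUTPUT rule per hostname. The payload match catches the HTTP Host
# header and the TLS SNI of HTTPS connections.
block_rules() {
    for host in $1; do
        printf '%s\n' "-A OUTPUT -p tcp -m string --string \"$host\" --algo kmp --to 65535 -j REJECT --reject-with icmp-port-unreachable"
    done
}

# Emit a complete iptables-restore file for the filter table. The two ACCEPT
# rules at the top of INPUT are what the page's ruleset is missing: without
# them the DROP policy also drops the replies to our own connections.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 21 -j DROP
EOF
    block_rules "$1"
    echo COMMIT
}

# Sanity checks before anything is loaded. Succeeds only when the ruleset
# accepts established traffic and none of the block strings contains a glob
# character, which the string match would treat as a literal byte.
validate_ruleset() {
    printf '%s\n' "$1" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' || return 1
    ! printf '%s\n' "$1" | grep -- '--string' | grep -q '[*?]'
}

RULES=$(build_ruleset "$BLOCKED")
if validate_ruleset "$RULES"; then
    printf '%s\n' "$RULES" > /tmp/blocklist.rules
    # Syntax check only (no commit to the kernel), when iptables-restore is
    # installed; it may still need root to open the netlink socket.
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < /tmp/blocklist.rules 2>/dev/null \
            && echo "ruleset parses: /tmp/blocklist.rules" \
            || echo "iptables-restore --test failed (run as root?)"
    fi
else
    echo "refusing to write an invalid ruleset" >&2
fi
```

The validation deliberately rejects "*" and "?" in a block string rather than silently stripping them, so a copy-and-paste of the page's "*4chan.org" rule fails loudly instead of loading a rule that never matches.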
This is a handy trick for a single Linux host, with known limits: the match only sees hostnames that appear in plaintext in a single packet (HTTP Host headers and TLS SNI; DNS queries encode names without the dots and are not caught), and anyone with root on the box can simply flush the rules.