/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! 
/* ALSO: Don't quote this header. It makes you look lame :-) */

Ronnie Samuel <[EMAIL PROTECTED]> wrote:
>
> I am trying to figure out where I can find examples of how to
> configure my stronger rule sets so that I can prevent an IP address
> which is behind the firewall from getting to a URL?

Preventing access to a specific URL is not easy.  Preventing access to a
site is easier, but only if that site is static, meaning that it stays
at the same IP address and never moves.

Even easier if the site is small, so it only has one IP address.

The best place to put this rule is in your FORWARD rule set.  Your
firewall can simply refuse to forward traffic that is from your local
IP, and going to your blacklisted site's IP.

    iptables -A FORWARD -s 10.11.12.13 -d www.badsite.com \
                -p tcp --dport 80 -j REJECT

Note the use of REJECT here, instead of DENY.  If you REJECT the
connection, then the user will know he wasn't allowed to go to that
site, whereas if you DENY, then his browser will just time out
eventually.

I have noticed, though, that Windows does not seem to notice the REJECT
that iptables sends out, or at least doesn't think it is a permanent
failure, so it keeps trying anyway.  I have noticed that if you add
"--reject-with icmp-proto-unreachable", Windows will give up trying
right away.

The rule as shown will work, but only if DNS is available on your
firewall at the time that the firewall script is running.  Since
everyone has a slightly different config, it is debatable whether the
script will actually run correctly at boot time.  It will probably run
okay if you run it on the fly, but boot time is a different matter.

The safest thing to do, as far as boot time configuration goes, is to
look up the IP address of your bad site, and enter the IP into the rule
definition.  Iptables uses IP addresses, not site names, when it is
filtering traffic, anyway.  But as I mentioned, if the IP changes
periodically, it will be hard to block this moving target.

The only way I know to block specific URLs, that is, specific locations
within a web site, is to install a web proxy, like SQUID, and then
configure the firewall to redirect all outgoing HTTP through the proxy,
and configure the proxy to reject the things you don't want users to
browse to.  A complicated task.

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)     || "Good judgment comes from experience.
sometimes known as David DeSimone  ||  Experience comes from bad judgment."
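The following script is an added example, not part of the reply above, pulling
together the three points it makes: a FORWARD-chain REJECT rule per address of
the blacklisted site, resolving the name at run time with a hard-coded fallback
so the script still works at boot when DNS is not yet reachable, and the
proxy-based alternative for blocking individual URLs (a nat REDIRECT of the
client's HTTP into Squid plus a url_regex ACL).  The fallback address
192.0.2.10, the Squid port 3128, the /private/ path and the use of getent for
resolution are assumptions for illustration.  One correction to the reply's
wording: in iptables the silent-discard target is spelled DROP (DENY was the
ipchains name).  The script only prints rules; it never calls iptables itself.

```shell
#!/bin/sh
# Added example (not from the original post): generate the firewall rules
# the reply describes.  Run "sh block_site.sh print" to see them.  The
# iptables lines can be piped to sh as root; the acl/http_access lines
# belong in squid.conf.

LAN_HOST="10.11.12.13"          # client to restrict (address from the post)
BAD_SITE="www.badsite.com"      # site to block (hostname from the post)
BAD_SITE_FALLBACK="192.0.2.10"  # assumed: hard-coded address used when DNS is down
PROXY_PORT="3128"               # assumed: port Squid listens on for intercepted HTTP

# resolve_ipv4 NAME: print the A records for NAME, one per line.
# Prints nothing if the resolver is unavailable, which is the boot-time
# case the reply warns about.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '$2 == "STREAM" { print $1 }' | sort -u
}

# choose_targets NAME FALLBACK: the resolved addresses, or FALLBACK alone
# when resolution returns nothing.
choose_targets() {
    addrs=$(resolve_ipv4 "$1")
    if [ -n "$addrs" ]; then
        printf '%s\n' "$addrs"
    else
        printf '%s\n' "$2"
    fi
}

# reject_rules SRC ADDR...: one FORWARD rule per destination address.
# REJECT with icmp-proto-unreachable so the client gives up at once
# instead of retrying until it times out.
reject_rules() {
    src=$1
    shift
    for dst in "$@"; do
        printf 'iptables -A FORWARD -s %s -d %s -p tcp --dport 80 -j REJECT --reject-with icmp-proto-unreachable\n' "$src" "$dst"
    done
}

# proxy_rules SRC PORT: send SRC's outgoing HTTP into a local Squid so
# individual URLs can be filtered (the site-level rules above cannot).
proxy_rules() {
    printf 'iptables -t nat -A PREROUTING -s %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' "$1" "$2"
}

# squid_acl NAME REGEX: the squid.conf lines that deny URLs matching REGEX.
squid_acl() {
    printf 'acl %s url_regex -i %s\n' "$1" "$2"
    printf 'http_access deny %s\n' "$1"
}

main() {
    echo "# site-level block (FORWARD chain), resolved now or from the fallback"
    targets=$(choose_targets "$BAD_SITE" "$BAD_SITE_FALLBACK")
    # word-splitting of $targets is intended: one address per word
    # shellcheck disable=SC2086
    reject_rules "$LAN_HOST" $targets
    echo "# URL-level block: redirect HTTP into Squid, then deny in squid.conf"
    proxy_rules "$LAN_HOST" "$PROXY_PORT"
    squid_acl bad_url '^http://www\.badsite\.com/private/'
}

if [ "${1:-}" = "print" ]; then
    main
fi
```

For the proxy half, Squid must also be told it is receiving redirected traffic
(http_port 3128 intercept on Squid 3.1 and later; older releases used the
keyword transparent), and the firewall's INPUT chain has to accept the
redirected connections on that port.  Re-running the script after the site's
address changes regenerates the FORWARD rules, which is the practical answer
to the moving-target problem the reply mentions.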
_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- 
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
