System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

security related block perticular site

SOLVED
Go to solution
monu_1
Regular Advisor

security related block perticular site

Hi all,

I am using firestarter in my LAN environment and i want to block a particular website in my LAN environment.

is it possible to block IP address?

How can i block this.

Thanks in Advance.

MKS
11 REPLIES
Leandro Daniel Costa
Occasional Advisor

Re: security related block perticular site

Take a look at this page

http://www.fs-security.com/docs/policy-page.php

Here, it explains how to accomplish what you're trying to do.
You need to block outgoing traffic to that IP address.

Hope it helps

Regards,
Leandro Costa
Ivan Ferreira
Honored Contributor

Re: security related block perticular site

Yes it's possible. You can do it via firewall or proxy. It depends of how your network connects to Internet.

If you have a Linux gateway with NAT, you should use iptables to block access.

If you use a proxy server like squid, you need to configure access lists and rules.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
monu_1
Regular Advisor

Re: security related block perticular site

Thanks Ivan!

I am using linux gateway with NAT.
Please suggest which command i should append in IPTABLE entry to block a particular web sit that no one can access that site in my LAN env users.

Thanks a lot again

MKS
Leandro Daniel Costa
Occasional Advisor

Re: security related block perticular site

iptables -A OUTPUT -s YOURLAN -d TARGET_IP_ADDRESS -j DENY

replacing YOURLAN by something like: 192.168.0.0/24 and TARGET_IP_ADDRESS to another CIDR, or an ip address, like: 1.1.1.1

That would block outgoing traffic to that site.

Regards,
Leandro Daniel Costa
Ivan Ferreira
Honored Contributor

Re: security related block perticular site

The rule could be like this:

LANIP="192.168.0.1/24"
DESTHOST=w.x.y.z

iptables -I FORWARD 1 -s $LANIP -d $DESTHOST -j REJECT
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
monu_1
Regular Advisor

Re: security related block perticular site

Hi Costa!

Accoring to yr command i have put entry in iptables but with REJECT.

But this entry also reject my ping request to other sites also.

means icmp request reject

where is the prob
plz suggest

MKS
monu_1
Regular Advisor

Re: security related block perticular site

Hi Ivan!

According to yr given rule, i read somewhere that -s and -d option shoule have same parameter

like -s $192.168.1.0/24
-d $x.y.z.w/24
what should i do.I have to block site (x.y.z.w) for my LAN clients.

According to yr given command

LANID="192.168.1.0/24"
DESID=x.y.z.w
#IPTABLES -I FORWARD 1 -s $LANID -d $DESID -j REJECT

Above is not working and after changes its also not desplaying others entry in my previous configured IPTABLES enteries.

Please ellaborat more clearly.

Thank you very much for resolving my prob.

Is there any option to put DNS for blocking.

Regards,
MKS
Ivan Ferreira
Honored Contributor

Re: security related block perticular site

>>> Above is not working and after changes its also not desplaying others entry in my previous configured IPTABLES enteries.

Tha's weird. Can you post the output of:

service iptables status

Or

iptables -nL FORWARD


>>> Is there any option to put DNS for blocking.

Depending of what do you want to block, if you want to restrict clients from using DNS, you have two options, block the port 53 for these clients, or add a rule in the named.conf to restrict the hosts that can query your dns server (if you have one).
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
monu_1
Regular Advisor

Re: security related block perticular site

Hi All,

I have done above task as

iptables -A OUTPUT -s 192.168.1.0/24 -d x.y.z.w -j DROP

and it is working now. But when i restart iptables service, its remove my above targeted entry from filter table.

What shd i do that it will remains permanent in filter table even after reboot my system

Regards,
MKS
Ivan Ferreira
Honored Contributor
Solution

Re: security related block perticular site

If you use Red Hat or something similar, just use:

service iptables save

If you run another Linux distribution, it depends of how it loads the iptables services, but basically, you have to run:

iptables-save > /path/to/file

Where /path/to/file could be something like /etc/sysconfig/iptables.

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
monu_1
Regular Advisor

Re: security related block perticular site

Thread Closed