Block websites by IP address?

Hello,

I’m looking to see if I can block specific websites:

http://www.uwm.edu
https://panthermail.uwm.edu

for some of our users, so that they are not able to access them. I assume I can set up filter rules to block the IP addresses, correct? If so, I tried doing

chain: output
dst address: xx.xx.xxx.xx
connection type: (6) tcp

and I guess that must be wrong. Using ping I find out the IP of these sites, but how do I block them? Is this even possible?

Use the Forward chain.

Regards

Andrew

Ok,

when I ping http://www.uwm.edu it returns 129.89.7.9 so I put that in the DST address along w/ the forward chain. Protocol is (6) TCP and the last page under actions has reject. It still will take me to http://www.uwm.edu in a web browser. Am I missing something still?

Thanks.

Try using nslookup to resolve all the IPs:

nslookup www.uwm.edu
Name:    batch1.csd.uwm.edu
Addresses:  129.89.169.224, 129.89.7.9, 129.89.70.230
Aliases:  www.uwm.edu

I’m an idiot. Worked beautifully. Thanks.

One last question:

I also want to block https://panthermail.uwm.edu but you cannot nslookup secure sites? Or am I missing something there too? I can block http://www.panthermail.uwm.edu … but is the secure site the same address probably?

You can nslookup panthermail.uwm.edu and block it (it should work).
Addresses are the same.

Probably, a transparent proxy will be more flexible for creating an HTTP firewall (you can block by url, dst-path, etc.).

This can be done using the router interface somewhere?

There are several ways you can do this depending on how you set your system up.
The fastest way is if you're running a web proxy. Deny access to these sites by URL. The drawback is that this is a complete block and will allow no one to reach them unless you add their IP to the access list.

2nd way is to build a list of computers you want to be able to access these sites. Build an address list of blacklisted sites. Compare (NOT) computer list with black list, then you can drop, reject, redirect or whatever. Doing it this way allows you to build a list of sites that can be blocked by just adding their IP to the list.

There are a lot more ways but these work for me.
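The address-list approach described above, combined with the earlier nslookup advice, as an added example that is not part of the original posts: it parses nslookup output for every returned address (skipping the DNS server's own address, which nslookup prints first) and emits RouterOS commands for a blocked list plus one forward-chain reject rule. The list names `blocked-sites` and `allowed-hosts` are hypothetical, and the sample input is the output quoted in the thread.

```python
import ipaddress
import re

# nslookup output as quoted in the thread, embedded so the example runs offline.
SAMPLE_NSLOOKUP = """\
Name:    batch1.csd.uwm.edu
Addresses:  129.89.169.224, 129.89.7.9, 129.89.70.230
Aliases:  www.uwm.edu
"""

def parse_nslookup(text):
    """Return every IPv4 address in the answer section, in order, without duplicates."""
    found, in_answer, in_addrs = [], False, False
    for line in text.splitlines():
        if line.startswith("Name:"):
            in_answer, in_addrs = True, False
            continue
        m = re.match(r"Address(?:es)?:\s*(.*)", line)
        if m:
            # An Address line before the first Name line is the DNS server itself.
            in_addrs, rest = in_answer, m.group(1)
        elif in_addrs and line[:1].isspace():
            rest = line  # some nslookup builds wrap extra addresses onto indented lines
        else:
            in_addrs = False
            continue
        if not in_addrs:
            continue
        for token in re.split(r"[,\s]+", rest.strip()):
            try:
                ip = str(ipaddress.IPv4Address(token))
            except ValueError:
                continue  # not an IPv4 address (IPv6, hostnames, empty tokens)
            if ip not in found:
                found.append(ip)
    return found

def routeros_rules(lookups, blocked="blocked-sites", allowed="allowed-hosts"):
    """lookups maps hostname -> nslookup output; list names are hypothetical."""
    lines, seen = [], set()
    for host, output in lookups.items():
        for ip in parse_nslookup(output):
            if ip not in seen:  # hostnames may share addresses; emit each entry once
                seen.add(ip)
                lines.append(f'/ip firewall address-list add list={blocked} address={ip} comment="{host}"')
    # One forward-chain rule: reject TCP to the blocked list unless the source is allowed.
    lines.append(f"/ip firewall filter add chain=forward protocol=tcp src-address-list=!{allowed} "
                 f"dst-address-list={blocked} action=reject")
    return lines
```

Because DNS answers change over time, the lookups need to be re-run periodically and the list refreshed, otherwise the rule silently stops covering the site.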

I tried this just earlier this week. I assumed Forward Chain would work as desired but found I had to put the rule in either the input or output chain. I am running it as a hotspot though so perhaps that is the difference.