Asked Sunday, February 12, 2023

This question popped up a couple of days ago, and it is: how to block, deny or redirect an IP address or domain name to another IP or web domain without the use of a router or configuring a browser? Basically, using only Ubuntu to do this.

For example, a user uses a computer and does not have access to Facebook or Twitter (it could be denied access forever or just between 2pm and 8pm). If the user tries to enter Facebook or Twitter, it will be redirected to another place or just plainly cancelled.

A GUI program would be preferable, but if there isn't one, the terminal will do.

I have checked out, for example, ufw and gufw, but they only work for programs and ports. The case of domain names is not there, which would make it easier to select or deselect a domain.

Answers


iptables is helpful if it is only a few IP addresses / domain names.

With iptables you can restrict based on user, group, and/or time, although to do so you need to use the OUTPUT table. So to allow root and a group "web", use:

# this allows root for things such as apt-get
# (rules are appended in order, so the exemptions must come before the DROP below)
sudo iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT

# this allows users of the group web
# create a group, web, and add users to it to allow access
# (--gid-owner matches the socket owner's effective/primary group, not supplementary groups)
sudo iptables -A OUTPUT -m owner --gid-owner web -j ACCEPT

# These two rules allow access to port 80 and 443 over the lunch hour
# (replace eth0 with your interface name; -m time compares against UTC unless --kerneltz is added)
sudo iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -m time --timestart 12:00 --timestop 13:00 -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -j DROP

But as your needs grow more complex, it is helpful to use proxies. For example, you can use privoxy (and others) for adblocking. Squid adds filtering and more complex rules (ACLs, or access control lists), but is likely overkill for a home user.

You then make the proxy transparent with iptables:

# This allows root
sudo iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT

# This allows privoxy, which serves as adblock
sudo iptables -A OUTPUT -p tcp --dport 80 -m owner --uid-owner privoxy -j ACCEPT

# this blocks direct access to port 80 for all other users
sudo iptables -A OUTPUT -p tcp --dport 80 -j DROP

# This allows squid to access privoxy (I think squid runs as "proxy")
# (without this rule the DROP below also cuts squid off from privoxy;
#  squid must be configured to use 127.0.0.1:8118 as its parent proxy)
sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner proxy -j ACCEPT

# this rule blocks other users from direct access to privoxy
sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -j DROP

# Redirect all outgoing traffic on port 80 to squid listening on port 3128
# (the nat OUTPUT chain is evaluated before filter OUTPUT, so this also catches root's traffic)
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner privoxy -j REDIRECT --to-ports 3128

Now you install and configure privoxy and squid:

Ubuntu server guide: squid
Ubuntu wiki: privoxy

The problem with this method is that you then need to install squidGuard, configure squid, etc., which would be a long post and is better suited to a larger LAN.

[#41469] Monday, February 13, 2023

ickump
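As an added worked example (not code from the answer above or from the question), here are the rules the answer describes collected into a small POSIX shell script that emits them as iptables-restore fragments, so the script can be re-run without stacking duplicate rules, together with the squid.conf lines that do the domain-name and time-of-day blocking the question asked for. It goes a little beyond the answer: gen_web_rules has a "deny" mode for the question's 2pm-8pm case next to the answer's "allow" lunch-hour mode, and the REDIRECT exempts both proxy daemons rather than only privoxy. The chain names WEBRESTRICT and WEBPROXY, the group web, the interface eth0, privoxy running as user privoxy on 127.0.0.1:8118, squid running as user proxy on port 3128, and the example domains and redirect URL are all assumptions (the daemon users and ports are the Ubuntu package defaults the answer mentions).

```shell
#!/bin/sh
# Added example (not code from the original answer). Emits the answer's rules as
# idempotent iptables-restore fragments plus the squid.conf lines that do the
# domain/time blocking the question asks about. Assumed names: chains WEBRESTRICT
# and WEBPROXY, group "web", interface "eth0", privoxy as user "privoxy" on
# 127.0.0.1:8118 and squid as user "proxy" on 3128 (Ubuntu package defaults).

valid_hhmm() {                       # 00:00 .. 23:59 only
    case $1 in [01][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) return 0 ;; *) return 1 ;; esac
}

# $1 allow|deny, $2 group, $3 start, $4 stop, $5 iface.  "allow" = web only
# inside the window (the answer's lunch rule); "deny" = web blocked only inside
# the window (the question's 2pm-8pm case).  root and the group always pass.
gen_web_rules() {
    mode=$1 group=$2 start=$3 stop=$4 iface=${5:-eth0}
    valid_hhmm "$start" && valid_hhmm "$stop" || { echo "bad HH:MM window" >&2; return 1; }
    case $mode in allow|deny) ;; *) echo "mode must be allow or deny" >&2; return 1 ;; esac
    # --kerneltz: without it xt_time compares against UTC, so the window fires at
    # the wrong wall-clock time on any machine whose zone is not UTC.
    window="-m time --timestart $start --timestop $stop --kerneltz"
    ports="-o $iface -p tcp -m multiport --dports 80,443"
    reject="REJECT --reject-with tcp-reset"     # browsers fail fast instead of hanging as with DROP
    printf '%s\n' '*filter' ':WEBRESTRICT - [0:0]' \
        '-A WEBRESTRICT -m owner --uid-owner root -j RETURN' \
        "-A WEBRESTRICT -m owner --gid-owner $group -j RETURN"
    if [ "$mode" = allow ]; then
        printf '%s\n' "-A WEBRESTRICT $ports $window -j RETURN" "-A WEBRESTRICT $ports -j $reject"
    else
        printf '%s\n' "-A WEBRESTRICT $ports $window -j $reject"
    fi
    printf '%s\n' COMMIT
}

# The answer's REDIRECT, exempting both daemons: redirecting squid's own upstream
# connections back into squid would loop, and privoxy must reach the real port 80.
# User names are resolved when the fragment is loaded, so both users must exist.
gen_redirect_rules() {
    squid_port=${1:-3128}
    printf '%s\n' '*nat' ':WEBPROXY - [0:0]' \
        '-A WEBPROXY -m owner --uid-owner privoxy -j RETURN' \
        '-A WEBPROXY -m owner --uid-owner proxy -j RETURN' \
        "-A WEBPROXY -p tcp --dport 80 -j REDIRECT --to-ports $squid_port" COMMIT
}

# $1 domains (space separated), $2 squid time window like 14:00-20:00 ("" = always),
# $3 URL to send blocked users to ("" = squid's plain error page). Paste the output
# above the first http_access allow line in squid.conf.
gen_squid_acl() {
    dom=""
    for d in $1; do case $d in .*) dom="$dom $d" ;; *) dom="$dom .$d" ;; esac; done
    printf 'http_port 3128 intercept\n'             # replaces the package's plain http_port 3128; needed for REDIRECTed traffic
    printf 'acl blocked_sites dstdomain%s\n' "$dom"  # leading dot = the domain and all its subdomains
    acls=blocked_sites
    if [ -n "$2" ]; then
        printf 'acl blocked_hours time MTWHF %s\n' "$2"   # day letters: S M T W H F A
        acls="blocked_hours blocked_sites"   # deny_info keys off the LAST acl on the denying line
    fi
    [ -n "$3" ] && printf 'deny_info 302:%s blocked_sites\n' "$3"
    printf 'http_access deny %s\n' "$acls"
    # squid never fetches directly: the answer's filter rules drop its own port-80
    # traffic, so everything goes out through privoxy as the parent proxy
    printf 'cache_peer 127.0.0.1 parent 8118 0 no-query default\nnever_direct allow all\n'
}

# $1 table, $2 chain, rest = generator command and its arguments. -n keeps unrelated
# rules and flushes/refills an existing chain; -C makes the OUTPUT hook a one-off.
# Needs root; nothing here survives a reboot without e.g. the iptables-persistent package.
apply_fragment() {
    table=$1 chain=$2; shift 2
    "$@" | iptables-restore -n || return 1
    iptables -t "$table" -C OUTPUT -j "$chain" 2>/dev/null || iptables -t "$table" -A OUTPUT -j "$chain"
}
# usage: apply_fragment filter WEBRESTRICT gen_web_rules deny web 14:00 20:00 eth0
#        apply_fragment nat WEBPROXY gen_redirect_rules 3128
```

For the packet-filter-only approach run, as root, `apply_fragment filter WEBRESTRICT gen_web_rules deny web 14:00 20:00 eth0`; for the proxy approach run `apply_fragment nat WEBPROXY gen_redirect_rules 3128` and paste the output of `gen_squid_acl '.facebook.com .twitter.com' 14:00-20:00 ''` into squid.conf. Two caveats worth knowing before relying on either: --gid-owner matches the socket owner's effective (primary) group, so users who merely have web as a supplementary group are not matched unless your kernel and iptables are recent enough to offer --suppl-groups; and the REDIRECT covers plain HTTP only, so HTTPS on port 443 is either rejected outright by the filter rules or passes untouched, because squid cannot see the domain name inside TLS without interception.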