 
cci_admin
just joined
Topic Author
Posts: 9
Joined: Wed Aug 02, 2006 9:45 pm

Block websites by IP address?

Wed Aug 02, 2006 9:48 pm

Hello,

I'm looking to see if I can block specific websites:

http://www.uwm.edu
https://panthermail.uwm.edu

so that some of our users are not able to access them. I assume I can set up filter rules to block the IP addresses, correct? If so, I tried doing

chain: output
dst address: xx.xx.xxx.xx
connection type: (6) tcp

and I guess that must be wrong. Using ping I find out the IP of these sites, but how do I block them? Is this even possible?
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Wed Aug 02, 2006 10:21 pm

Use the Forward chain.

Regards

Andrew
 
cci_admin
just joined
Topic Author
Posts: 9
Joined: Wed Aug 02, 2006 9:45 pm

Wed Aug 02, 2006 10:32 pm

> Use the Forward chain.
>
> Regards
>
> Andrew

Ok,

when I ping http://www.uwm.edu it returns 129.89.7.9 so I put that in the DST address along w/ the forward chain. Protocol is (6) TCP and the last page under actions has reject. It still will take me to http://www.uwm.edu in a web browser. Am I missing something still?

Thanks.
 
yancho
Member Candidate
Posts: 207
Joined: Tue Jun 01, 2004 3:04 pm
Location: LV

Wed Aug 02, 2006 11:01 pm

Try to use nslookup to resolve all IPs:
nslookup www.uwm.edu
Name:    batch1.csd.uwm.edu
Addresses:  129.89.169.224, 129.89.7.9, 129.89.70.230
Aliases:  www.uwm.edu
 
cci_admin
just joined
Topic Author
Posts: 9
Joined: Wed Aug 02, 2006 9:45 pm

Wed Aug 02, 2006 11:18 pm

> Try to use nslookup to resolve all IPs:
> nslookup www.uwm.edu
> Name:    batch1.csd.uwm.edu
> Addresses:  129.89.169.224, 129.89.7.9, 129.89.70.230
> Aliases:  www.uwm.edu

I'm an idiot. Worked beautifully. Thanks.

One last question:

I also want to block https://panthermail.uwm.edu but you cannot nslookup secure sites? Or am I missing something there too? I can block http://www.panthermail.uwm.edu...but is the secure site the same address probably?
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Thu Aug 03, 2006 7:45 am

You can nslookup panthermail.uwm.edu and block it (it should work).
Addresses are the same.

Probably, a transparent proxy will be more flexible for creating an HTTP firewall (you can block by url, dst-path, etc.).
 
cci_admin
just joined
Topic Author
Posts: 9
Joined: Wed Aug 02, 2006 9:45 pm

Thu Aug 03, 2006 4:57 pm

> You can nslookup panthermail.uwm.edu and block it (it should work).
> Addresses are the same.
>
> Probably, a transparent proxy will be more flexible for creating an HTTP firewall (you can block by url, dst-path, etc.).

This can be done using the router interface somewhere?
 
randy601
newbie
Posts: 38
Joined: Mon Jun 12, 2006 9:44 pm
Location: Meridian, MS (US)

Easy to do

Thu Aug 03, 2006 7:34 pm

There are several ways you can do this depending on how you set your system up.
The fastest way is if you're running web proxy. Deny access to these sites by URL. The drawback is that this is a complete block and will allow no one access to them unless you add their IP to the access list.

2nd way is to build a list of computers you want to be able to access these sites. Build an address list of blacklisted sites. Compare (NOT) computer list with blacklist, then you can drop, reject, redirect or whatever. By doing it this way it allows you to build a list of sites that can be blocked by just adding their IP to the list.

There are a lot more ways but these work for me.
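
An added example (not part of any post in this thread): a Python script that combines yancho's advice to collect every address nslookup returns with randy601's address-list approach, emitting RouterOS commands for the forward chain. The list names `blocked-sites` and `allowed-hosts` and the resolver header in the sample are assumptions; it handles IPv4 only.

```python
import ipaddress
import re

# Constructed sample in the format quoted in the thread, with the resolver
# header that real nslookup output also prints (must not be blocked).
SAMPLE = """\
Server:  dns.example.net
Address:  192.0.2.53

Name:    batch1.csd.uwm.edu
Addresses:  129.89.169.224, 129.89.7.9
          129.89.70.230
Aliases:  www.uwm.edu
"""

def parse_nslookup(text):
    """Return the answer's IPv4 addresses, in order, without duplicates."""
    addrs, in_answer, collecting = [], False, False
    for line in text.splitlines():
        field = re.match(r"([A-Za-z]+):\s*(.*)", line)
        if field:
            key, value = field.groups()
            in_answer = in_answer or key == "Name"
            # Address lines before "Name:" belong to the DNS server itself.
            collecting = in_answer and key in ("Address", "Addresses")
        elif line[:1].isspace() and line.strip():
            value = line          # indented continuation of the previous field
        else:
            collecting = False
            continue
        if not collecting:
            continue
        for token in re.split(r"[,\s]+", value.strip()):
            try:
                ip = str(ipaddress.IPv4Address(token))
            except ValueError:
                continue          # skip IPv6 or junk tokens
            if ip not in addrs:
                addrs.append(ip)
    return addrs

def routeros_rules(addrs, blocked="blocked-sites", allowed="allowed-hosts"):
    """Build RouterOS commands; the two list names are hypothetical."""
    cmds = [f"/ip firewall address-list add list={blocked} address={a}" for a in addrs]
    # Reject TCP to blocked sites unless the source is on the allowed list.
    cmds.append("/ip firewall filter add chain=forward protocol=tcp "
                f"src-address-list=!{allowed} dst-address-list={blocked} action=reject")
    return cmds

if __name__ == "__main__":
    print("\n".join(routeros_rules(parse_nslookup(SAMPLE))))
```

Address lists go stale when a site's DNS records change, so the lookup has to be repeated periodically.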
 
McKinley
just joined
Posts: 2
Joined: Mon Dec 19, 2005 6:22 pm
Location: Wisconsin

Wed Aug 09, 2006 2:33 am

> Use the Forward chain.
>
> Regards
>
> Andrew

I tried this just earlier this week. I assumed Forward Chain would work as desired but found I had to put the rule in either the input or output chain. I am running it as a hotspot though so perhaps that is the difference.