Why is iptables unable to block this site??


Floog
08-13-2002, 12:03 AM
I'm using iptables version 1.2.6a on a router/firewall linux box on my network. I've been successful in using the following rule to block LAN users from accessing certain websites on the net:

iptables -A FORWARD -p ALL --destination xxx.xxx.xxx.xxx -j DROP

By the way, the internet connection is dsl.

I'm having a problem blocking access to the website, eonline.com.
WHOIS and DNS Lookup show the following ip addresses for eonline.com:

216.136.194.150
63.240.204.150
216.136.194.178
199.191.128.105
12.127.16.69
12.46.7.226
64.162.108.55

I've plugged each of the above addresses into the iptables rule; however, the site is not getting blocked. The site can be accessed from any LAN client.

The rule has worked to block about 20 other sites. I don't understand the failure with this one particular site.

Thanks for your help.

Mike

Floog
08-13-2002, 12:10 AM
Here's some output from tcpdump regarding access to eonline.com on LAN Interface eth1. I thought it might show a clue or hint that I'm missing.

19:47:58.146592 ns1.snet.net.domain > 192.168.169.12.2122: 3[|domain] (DF)
19:47:58.147647 192.168.169.12.2123 > ace2-vip1.atdc1.eonline.com.www: S
22680248:22680248(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
19:47:58.149996 192.168.169.12.2118 > ace1-vip1.atdc1.eonline.com.www: . ack
37870 win 9520 (DF)
19:47:58.154188 ns1.snet.net.domain > 192.168.169.12.2121: 4*[|domain] (DF)
19:47:58.154260 192.168.169.12.2124 > ace2-vip1.atdc1.eonline.com.www: S
22680255:22680255(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
19:47:58.163515 192.168.169.12.2125 > ace1-vip1.atdc1.eonline.com.www: S
22680264:22680264(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
19:47:58.178037 192.168.169.12.2126 > ace2-vip1.atdc1.eonline.com.www: S
22680278:22680278(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
19:47:58.187196 ace1-vip1.atdc1.eonline.com.www > 192.168.169.12.2118: .
37870:39230(1360) ack 360 win 65280 (DF)
19:47:58.190692 192.168.169.12.2127 > ace2-vip1.atdc1.eonline.com.www: S
22680291:22680291(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
19:47:58.220258 ace1-vip1.atdc1.eonline.com.www > 192.168.169.12.2118: .
39230:40590(1360) ack 360 win 65280 (DF)
19:47:58.220756 192.168.169.12.2118 > ace1-vip1.atdc1.eonline.com.www: . ack
40590 win 9520 (DF)
19:47:58.253513 ace1-vip1.atdc1.eonline.com.www > 192.168.169.12.2118: .
40590:41950(1360) ack 360 win 65280 (DF)
19:47:58.286283 ace1-vip1.atdc1.eonline.com.www > 192.168.169.12.2118: .
41950:43310(1360) ack 360 win 65280 (DF)
19:47:58.286745 192.168.169.12.2118 > ace1-vip1.atdc1.eonline.com.www: . ack
43310 win 9520 (DF)
19:47:58.293730 ace2-vip1.atdc1.eonline.com.www > 192.168.169.12.2123: S
2279783737:2279783737(0) ack 22680249 win 65535 <mss 1360>
19:47:58.294006 192.168.169.12.2123 > ace2-vip1.atdc1.eonline.com.www: . ack
1 win 9520 (DF)
19:47:58.301898 192.168.169.12.2123 > ace2-vip1.atdc1.eonline.com.www: P
1:349(348) ack 1 win 9520 (DF)
19:47:58.328417 ace1-vip1.atdc1.eonline.com.www > 192.168.169.12.2118: .
43310:44670(1360) ack 360 win 65280 (DF)
19:47:58.361706 ace1-vip1.atdc1.eonline.com.www > 192.168.169.12.2118: .
44670:46030(1360) ack 360 win 65280 (DF)
19:47:58.362163 192.168.169.12.2118 > ace1-vip1.atdc1.eonline.com.www: . ack
46030 win 9520 (DF)
19:47:58.394938 ace1-vip1.atdc1.eonline.com.www > 192.168.169.12.2118: .
46030:47390(1360) ack 360 win 65280 (DF)
19:47:58.395562 ace2-vip1.atdc1.eonline.com.www > 192.168.169.12.2124: S
1977336900:1977336900(0) ack 22680256 win 65535 <mss 1360>
19:47:58.395794 192.168.169.12.2124 > ace2-vip1.atdc1.eonline.com.www: . ack
1 win 9520 (DF)
19:47:58.396234 192.168.169.12.2124 > ace2-vip1.atdc1.eonline.com.www: P
1:337(336) ack 1 win 9520 (DF)
19:47:58.398417 ace1-vip1.atdc1.eonline.com.www > 192.168.169.12.2125: S
2329528086:2329528086(0) ack 22680265 win 65280 <nop,nop,sackOK,mss 1360>
(DF)


Thanks for your help.

Mike
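
An added example, not from the thread: it reads tcpdump text in the old host.port > host.port format shown above, re-joins records that were wrapped onto a second line, and lists the web servers whose SYN/ACK reached the client. A FORWARD DROP rule that really matched the server address would leave the client's SYN unanswered, so every host this reports is evidence the rule is not hitting. The sample lines are a constructed subset of the capture in the post.

```python
import re

# Constructed sample in the old tcpdump text format seen in the thread
# (192.168.169.12 is the LAN client; long records wrap onto a second line).
SAMPLE = """\
19:47:58.146592 ns1.snet.net.domain > 192.168.169.12.2122: 3[|domain] (DF)
19:47:58.147647 192.168.169.12.2123 > ace2-vip1.atdc1.eonline.com.www: S
22680248:22680248(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
19:47:58.163515 192.168.169.12.2125 > ace1-vip1.atdc1.eonline.com.www: S
22680264:22680264(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
19:47:58.293730 ace2-vip1.atdc1.eonline.com.www > 192.168.169.12.2123: S
2279783737:2279783737(0) ack 22680249 win 65535 <mss 1360>
"""

RECORD = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+) > (\S+): (\S+)(.*)$")

def join_wrapped(text):
    """Re-join wrapped records: a new record always starts with a timestamp."""
    records = []
    for line in text.splitlines():
        if re.match(r"^\d\d:\d\d:\d\d\.", line):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def parse_tcpdump(text):
    """Yield one dict per record: (host, port) endpoints, TCP flags, ACK present."""
    for rec in join_wrapped(text):
        m = RECORD.match(rec)
        if not m: continue
        ts, src, dst, flags, rest = m.groups()
        yield {"ts": ts, "src": tuple(src.rsplit(".", 1)),
               "dst": tuple(dst.rsplit(".", 1)), "flags": flags,
               "ack": " ack " in rest}

def completed_handshakes(text, port="www"):
    """Servers on `port` whose SYN/ACK answered a client SYN seen earlier in
    the capture. A matching FORWARD DROP rule would leave the SYN unanswered,
    so every host returned here is NOT being blocked by the firewall."""
    syns, answered = set(), set()
    for f in parse_tcpdump(text):
        if f["flags"] != "S": continue
        if not f["ack"] and f["dst"][1] == port:
            syns.add((f["src"], f["dst"]))
        elif f["ack"] and (f["dst"], f["src"]) in syns:
            answered.add(f["src"][0])
    return answered
```

Run it against a full capture saved from `tcpdump -n -i eth1` and the hosts it prints are the ones to resolve and block; with `-n` the endpoints are numeric, so the same parser yields the addresses directly.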

dfx
08-13-2002, 09:18 AM
I'm getting quite different ip addresses, specifically 216.136.194.248 for eonline.com and 63.240.204.202 for www.eonline.com. What you pasted seems to be the dns servers for that domain.

Floog
08-13-2002, 09:56 AM
Originally posted by dfx
I'm getting quite different ip addresses, specifically 216.136.194.248 for eonline.com and 63.240.204.202 for www.eonline.com. What you pasted seems to be the dns servers for that domain.


Ahh, very good observation, Mr. DFX.
I thought one of those DNS servers must be the actual ip address of the site.

I guess I need to use another tool than WHOIS. Please tell me what you used to translate eonline.com to the exact ip address of their site.

Thanks for your response. Hope to hear from you soon.

Mike

dfx
08-13-2002, 10:53 AM
There are several: host, nslookup, dig, resolveip all do that. Take your pick.

liquidfx13
08-13-2002, 12:52 PM
even 'ping' will resolve the addy's for ya

Lorithar
08-13-2002, 01:18 PM
to be quite blunt... this is *not* what iptables is designed to do. *grin* ... Yes it *can* do this ... here's something to keep in mind... eonline may well have hundreds of ips. That's a heck of a lot of work for the sysadmin at your end...

Iptables is excellent in one respect.. you can make squid completely transparent to the users ... no proxying at the client end required, by using iptables to redirect all requests to port 80 outside *through* squid. Squid is excellent at filtering web access on a url level ... which is what it is designed to do...

ezoooo
08-13-2002, 01:35 PM
You can use attached file also.
Unfortunately it is a Windows file, but it is quite useful.
Unzip it first.

i_like_peanut_butter
08-13-2002, 01:45 PM
Just out of curiosity, why do you want to block eonline? I know e! is an insipid, basically worthless channel but it seems you are going through a lot of trouble to block it.

Floog
08-13-2002, 02:05 PM
Originally posted by i_like_peanut_butter
Just out of curiosity, why do you want to block eonline?

Hey now!! I struck gold with all your responses. Thank you everyone for helping me out. I definitely want to look into Squid now to see if I can figure out a bit more about how to use it for Internet Connection Filtering.

To answer Mr. Peanut Butter--- Indeed, I know what you mean. I hate to spend time blocking users' access, but my employers are very serious about using the internet as a professional tool of research and communication. I've been begging them to let me introduce Linux into the work-place. They said okay, but only if I could demonstrate that I could control bandwidth, access, and monitor what's being done on the network.

So, unfortunately I have to be a bit of an ogre and keep on cutting out the fluff time in the employees' internet use until the employees stop using it for entertainment and personal use.

Thank you everyone. You've given me some more food for thought about how to use and not use iptables and how to translate ip's. It seemed like all I could find online was WHOIS services to translate domain addresses. I should have been looking for the right tools on the linux box all along. :-)

Best regards.

Mike

Floog
08-13-2002, 02:12 PM
Originally posted by liquidfx13
even 'ping' will resolve the addy's for ya

Well well...this is super-easy isn't it. I just tried to ping a few sites that I know block pings. And yeah, my pings were rebuffed but the ip addresses for each site were stated.

Thanks man!

Mike

Lorithar
08-14-2002, 10:26 AM
*grins*

I can block icmp all I want, but your initial request to ping www.mysite.at.home.net *still* has to resolve the address *before* it sends a darn thing my way....


squid is great ... and there are several pre-compiled lists of sites for it (and reg ex lists as well) that will lock your internet browsers down nice and tight.

Floog
08-14-2002, 03:27 PM
Originally posted by Lorithar
squid is great ... and there are several pre-compiled lists of sites for it (and reg ex lists as well) that will lock your internet browsers down nice and tight.

Whoa--- http://squid.visolve.com/

Whole lotta info. for a fella to dig into. I think this app. is exactly what I need in combination with iptables. I guess one thing worries me a bit. My slackware routerbox is only a Pentium 166 MHz with 64 megs. of RAM and no X-window-system. It sounds like more processing power is needed to take advantage of many of squid's capabilities. What has your experience shown you regarding this?

Mike

Cadillac84
08-15-2002, 08:37 PM
Your problem is IDENTICAL to mine. The owner wants I-access to some or all empls, but no porn, no games, no chat, etc.

I read this thread with great interest -- printed it and put it in my notebook and subscribed to the thread.

I am re-configuring as I write this and plan to implement squid.

I may even get them to help me if I have problems.

Anyway, thanks again for asking the Q and thereby providing me a new approach to the iptables rules problem!!

Chuck Moore
CNMoore@Knology.net

Floog
08-16-2002, 02:13 PM
Originally posted by Cadillac84
Your problem is IDENTICAL to mine. The owner wants I-access to some or all empls, but no porn, no games, no chat, etc.

I read this thread with great interest -- printed it and put it in my notebook and subscribed to the thread.

I am re-configuring as I write this and plan to implement squid.

I may even get them to help me if I have problems.

Anyway, thanks again for asking the Q and thereby providing me a new approach to the iptables rules problem!!

Chuck Moore
CNMoore@Knology.net

Hey, no prob. Cadillac, my linux life is full of problems and issues that I enjoy sharing with anyone that will listen. I'm a regular walking disaster as I strut around trying to learn my ever-beloved open source operating system. <G>.

But seriously, I appreciate your kind words. It is nice to know that finding an answer to my question also answered someone else's too.

Now maybe you can help me figure out a very diplomatic way to get my employer to pay for a more powerful linux router/firewall/proxy-caching/network monitoring/file-sharing box. :-)

Best regards.

Mike

Cadillac84
08-16-2002, 04:17 PM
Thanks for the reply. Best way to get a fast Linux box is to convince some Windoze user that he/she needs a new computer. Since Linux loves any kind of Pentium, you could end up with a real fast 2nd hand computer.

My first Linux box was a Cyrix "486" with 32 MB of RAM on a 16-bit ISA Taiwan-special motherboard. I installed Red Hat 6.2 and I couldn't read the messages, they flew by so fast. That had been a DOS workstation on a Novell 4.11 net and was replaced because of incompatibility between WordPerfect 5.1 and WordPerfect 8 that others in the office were running.

Ever since then, I've been collecting second-hand 'puters. My current installation is on a Dell 590-ME which is a P-90 with Five EISA and 2 PCI (shared) slots. It will hold up to 512 MB and has an onboard video of little value, so I'll load it up with 36 bit DIMMs (8 sockets) and put a video card in it so I can get -- well, hell! I like command line.

Anyway, I've got a Monday deadline that I won't meet to have this IPtables thing squared away.

You would be my hero forever if you e-mailed your iptables script file to me at CNMoore@Knology.net

Since we're both aiming at the same target (tho you're a bit ahead of me), we might be able to compare notes along the way.

Just a thought.

Not much info on squid, but I presume you have seen the squid PDF file.

If not, go to:

http://squid.visolve.com/

and download the manual. It's 103 pgs, but you can d/l it and search for what you want using your 5.0.5 Acrobat.

Good luck! Drop me a script if you're in the mood to share, and I'll do likewise if I hit the bullseye.

Regards,
Chuck Moore
CNMoroe@Knology.net