* Quick IP Blocking question
@ 2014-03-14 13:58 Danny
From: Danny @ 2014-03-14 13:58 UTC (permalink / raw)
  To: netfilter

Hi,

Can you please check if the following rule is correct? The purpose of this rule
is to allow access to YouTube only from 15:00 to 18:00.

iptables -A OUTPUT -p tcp --dport 80 -d 208.65.153.238 -m time --timestart 15:00 --timeend 18:00 -j ACCEPT 
iptables -A OUTPUT -p tcp --dport 80 -d 208.65.153.238 -j REJECT

How can I modify the above rule to block a specific IP or MAC address from my
internal network to access youtube at specific times?

Thank you guys

Have a nice day

Danny

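As an added example (not part of Danny's post), the script below builds the time-restricted rule he asks about for a single internal client identified either by IP or by MAC address. It assumes the box is the LAN's gateway, so the client's packets cross the FORWARD chain rather than OUTPUT (OUTPUT only sees the gateway's own traffic, and the MAC match only works on packets that arrived on an Ethernet interface). The destination address is kept as a placeholder; the `IPT`, `DEST` and `WINDOW` variables are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds iptables rules that let one
# LAN client reach DEST:80 only inside a time window and reject it otherwise.
# IPT defaults to "echo iptables" so the rules are printed instead of applied;
# run as root with IPT=iptables to install them.
IPT="${IPT:-echo iptables}"

# Placeholder destination. A single address will not hold for YouTube, which is
# served from many rotating addresses (see the replies); the time/MAC logic is
# the point here, not the -d target.
DEST="${DEST:-208.65.153.238}"

# xt_time interprets --timestart/--timeend in UTC unless --kerneltz is given;
# the poster is at +0200, so without --kerneltz 15:00-18:00 would be 17:00-20:00
# local time. Weekdays restrict the window to Mon-Fri.
WINDOW="--timestart 15:00 --timeend 18:00 --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz"

# client_match IP_OR_MAC: print the iptables match fragment for one LAN client.
# A MAC (five colons) uses the mac match; anything else is treated as a source IP.
client_match() {
    case "$1" in
        *:*:*:*:*:*) printf '%s' "-m mac --mac-source $1" ;;
        *)           printf '%s' "-s $1" ;;
    esac
}

# block_outside_window CLIENT: ACCEPT inside WINDOW, REJECT otherwise.
# Rule order matters: the time-limited ACCEPT must be appended before the REJECT,
# because the first matching rule decides. tcp-reset closes the connection
# cleanly instead of leaving the browser waiting on an ICMP unreachable.
block_outside_window() {
    m=$(client_match "$1")
    $IPT -A FORWARD -p tcp --dport 80 $m -d "$DEST" -m time $WINDOW -j ACCEPT
    $IPT -A FORWARD -p tcp --dport 80 $m -d "$DEST" -j REJECT --reject-with tcp-reset
}

# Constructed sample clients: one by IP, one by MAC.
block_outside_window 192.168.1.20
block_outside_window 00:11:22:33:44:55
```

Because the time match is evaluated per packet, a connection opened at 17:59 keeps flowing after 18:00 until it ends on its own; add a matching `-m conntrack --ctstate ESTABLISHED` rule ahead of these only if you want that behaviour, and verify the active window with `iptables -L FORWARD -v -n` while the clock is inside and outside it.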

* Re: Quick IP Blocking question
From: Greg Folkert @ 2014-03-14 14:49 UTC (permalink / raw)
  To: Danny; +Cc: netfilter

On Fri, 2014-03-14 at 15:58 +0200, Danny wrote:
> Hi,
> 
> Can you please check if the following rule is correct. The purpose of this rule
> is to allow only access to youtube from 15:00 to 18:00
> 
> iptables -A OUTPUT -p tcp --dport 80 -d 208.65.153.238 -m time --timestart 15:00 --timeend 18:00 -j ACCEPT 
> iptables -A OUTPUT -p tcp --dport 80 -d 208.65.153.238 -j REJECT
> 
> How can I modify the above rule to block a specific IP or MAC address from my
> internal network to access youtube at specific times?
> 
> Thank you guys
> 
> Have a nice day
> 
> Danny
Danny,

I hate to break this to you... but YouTube is served by hundreds of IP
addresses, depending on time of day, the round robin DNS, the CNAME
rotation and various other things like locations and source network
(your ISP). My current list shows a completely different set of IP
addresses that isn't even close to your IP address here at home
(173.194.46.32-46); at work I get a different set (74.125.225.192-206).

If you are going to do that properly, you'll need to use either
transparent proxy or force the browsers to use something like squid and
then use name based ACLs with the time restrictions.

Good Luck.
-- 
greg folkert - systems administration and support
web:    donor.com
email:  greg@donor.com
phone:  877-751-3300 x416
direct: 616-328-6449 (direct dial and fax)
"There's something to be said in favor of working in isolation in the
real world."
    -- A. R. Ammons



* RE: Quick IP Blocking question
From: Ing. Juan Cardoza @ 2014-03-14 15:17 UTC (permalink / raw)
  To: 'Greg Folkert', 'Danny'; +Cc: netfilter

You can use Squid integrated with squidGuard; that is the best option to manage YouTube.

I redirect the requests to a warning webpage when they try to use it during HOO.

Regards

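As an added example (not configuration from Greg's or Juan's posts), the squid.conf fragment below implements the name-based, time-restricted ACL Greg recommends and the warning-page redirect Juan describes, without depending on any YouTube IP address. The LAN range, the domain list and the warning URL are assumptions; the browsers are assumed to be pointed at the proxy explicitly.

```conf
# Added example, not from the thread. Name-based YouTube time window for an
# explicit Squid proxy; ranges, domains and the warning URL are assumptions.

# Clients on the internal network (assumed range).
acl lan src 192.168.1.0/24

# Match by destination name, so the rotating CDN addresses Greg observed do not
# matter. A leading dot matches the domain and all its subdomains. The extra
# domains carry video streams and static assets (assumed; check your own
# access.log for what YouTube actually fetches from your network).
acl youtube dstdomain .youtube.com .googlevideo.com .ytimg.com

# Squid time ACL: day letters are S M T W H F A (H = Thursday, A = Saturday);
# the window is h1:m1-h2:m2 in the proxy's local time.
acl youtube_hours time MTWHF 15:00-18:00

# First matching http_access line wins, so the allow must come before the deny.
http_access allow lan youtube youtube_hours
http_access deny lan youtube

# Replace Squid's error page with a 302 to an internal warning page, as Juan does.
# deny_info keys on the last ACL named on the deny line that matched ("youtube").
deny_info http://intranet.example/youtube-blocked.html youtube

# Everything else from the LAN is allowed; all other sources are denied.
http_access allow lan
http_access deny all
```

With an explicit proxy this also covers HTTPS, because the browser's CONNECT request names the destination host and `dstdomain` is evaluated against it; if instead the browsers are forced through the proxy transparently with an iptables REDIRECT on port 80, only plain HTTP is steered and HTTPS to YouTube passes by the rule untouched. Reload with `squid -k reconfigure` and confirm the decision in access.log (TCP_DENIED outside the window, TCP_MISS or TCP_HIT inside it).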
