Re: Iptable rule required to block youtube
I have blocked youtube (IPs from 74.125.236.0 - 74.125.236.14) in my gateway machine using the below rules:

    iptables -A INPUT -i eth1 -s 74.125.236.0 -j DROP
    iptables -A INPUT -i eth1 -p tcp -s 74.125.236.0 -j DROP
    iptables -A INPUT -i eth0 -s 74.125.236.0 -j DROP
    iptables -A INPUT -i eth0 -p tcp -s 74.125.236.0 -j DROP

But how to block on the whole network? Other hosts are still able to access youtube.

Vivek Chalotra
GRID Project Associate,
High Energy Physics Group,
Department of Physics & Electronics,
University of Jammu,
Jammu 180006, INDIA.

On Thu, Oct 4, 2012 at 11:57 PM, Henrique Junior henrique...@gmail.com wrote:

> Maybe you should take a look at ClearOS[1]. It is a RHEL based distribution from a company that, now, develops layer7-filter. In a simple way I was able to block all FLV videos (even if the users are still able to reach youtube.com, they can not see any videos).
>
> [1] - http://www.clearfoundation.com/Software/overview.html
>
> --
> Henrique LonelySpooky Junior
> http://about.me/henriquejunior
>
> From: Konstantin Olchanski olcha...@triumf.ca
> To: vivek chalotra vivekat...@gmail.com
> Cc: scientific-linux-us...@fnal.gov
> Sent: Thursday, October 4, 2012 3:10 PM
> Subject: Re: Iptable rule required to block youtube
>
> On Thu, Oct 04, 2012 at 12:57:00PM +0530, vivek chalotra wrote:
> > And now I want to block youtube on my network. Kindly suggest iptable rules to do that.
>
> "block youtube on my network" is not a very well defined wish.
>
> If you want to merely block the well known youtube IP and DNS addresses, you can use iptables, etc. Be prepared to update these lists frequently to keep up with things like youtu.be & co.
>
> If you want to prevent users of the network from watching all youtube videos always, give up now.
>
> First of all, you will have to be able to handle legitimate exceptions: "how do I watch training videos for Altera Quartus software that happen to be hosted on youtube?!?".
>
> Second, you will have to handle all the possible 3rd party redirectors, proxies, and other kludges specifically designed to circumvent youtube blockers such as you are trying to build.
>
> --
> Konstantin Olchanski
> Data Acquisition Systems: The Bytes Must Flow!
> Email: olchansk-at-triumf-dot-ca
> Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada
Re: Iptable rule required to block youtube
Presuming that is the right address for your region on this ball of dirt, how do you access Google? Google and YouTube share the same address block, which is addresses 74.125.239.0-74.125.239.14. Google owns 74.125.0.0/16 for that matter. I don't doubt that they have other netblocks, too.

{o.o}

On 2012/10/05 00:10, vivek chalotra wrote:

> I have blocked youtube (IPs from 74.125.236.0 - 74.125.236.14) in my gateway machine using the below rules:
>
>     iptables -A INPUT -i eth1 -s 74.125.236.0 -j DROP
>     iptables -A INPUT -i eth1 -p tcp -s 74.125.236.0 -j DROP
>     iptables -A INPUT -i eth0 -s 74.125.236.0 -j DROP
>     iptables -A INPUT -i eth0 -p tcp -s 74.125.236.0 -j DROP
>
> But how to block on the whole network? Other hosts are still able to access youtube.
>
> Vivek Chalotra
> GRID Project Associate,
> High Energy Physics Group,
> Department of Physics & Electronics,
> University of Jammu,
> Jammu 180006, INDIA.
>
> On Thu, Oct 4, 2012 at 11:57 PM, Henrique Junior henrique...@gmail.com wrote:
>
> > Maybe you should take a look at ClearOS[1]. It is a RHEL based distribution from a company that, now, develops layer7-filter. In a simple way I was able to block all FLV videos (even if the users are still able to reach youtube.com, they can not see any videos).
> >
> > [1] - http://www.clearfoundation.com/Software/overview.html
> >
> > --
> > Henrique LonelySpooky Junior
> > http://about.me/henriquejunior
> >
> > From: Konstantin Olchanski olcha...@triumf.ca
> > To: vivek chalotra vivekat...@gmail.com
> > Cc: scientific-linux-us...@fnal.gov
> > Sent: Thursday, October 4, 2012 3:10 PM
> > Subject: Re: Iptable rule required to block youtube
> >
> > On Thu, Oct 04, 2012 at 12:57:00PM +0530, vivek chalotra wrote:
> > > And now I want to block youtube on my network. Kindly suggest iptable rules to do that.
> >
> > "block youtube on my network" is not a very well defined wish.
> >
> > If you want to merely block the well known youtube IP and DNS addresses, you can use iptables, etc. Be prepared to update these lists frequently to keep up with things like youtu.be & co.
> >
> > If you want to prevent users of the network from watching all youtube videos always, give up now.
> >
> > First of all, you will have to be able to handle legitimate exceptions: "how do I watch training videos for Altera Quartus software that happen to be hosted on youtube?!?".
> >
> > Second, you will have to handle all the possible 3rd party redirectors, proxies, and other kludges specifically designed to circumvent youtube blockers such as you are trying to build.
> >
> > --
> > Konstantin Olchanski
> > Data Acquisition Systems: The Bytes Must Flow!
> > Email: olchansk-at-triumf-dot-ca
> > Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada
Re: Iptable rule required to block youtube
----- Original Message -----
> From: vivek chalotra vivekat...@gmail.com
> To: Henrique Junior henrique...@gmail.com
> Cc: Konstantin Olchanski olcha...@triumf.ca, scientific-linux-us...@fnal.gov
> Sent: Friday, 5 October, 2012 9:10:24 AM
> Subject: Re: Iptable rule required to block youtube
>
> I have blocked youtube (IPs from 74.125.236.0 - 74.125.236.14) in my gateway machine using the below rules:
>
>     iptables -A INPUT -i eth1 -s 74.125.236.0 -j DROP
>     iptables -A INPUT -i eth1 -p tcp -s 74.125.236.0 -j DROP
>     iptables -A INPUT -i eth0 -s 74.125.236.0 -j DROP
>     iptables -A INPUT -i eth0 -p tcp -s 74.125.236.0 -j DROP
>
> But how to block on the whole network? Other hosts are still able to access youtube.

With "whole network", do you mean your local LAN which your firewall (this SL box you're configuring) controls? If so, you should probably add those DROP rules to the FORWARD chain and not the INPUT chain.

See this URL for more info:
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html

kind regards,

David Sommerseth
Re: Iptable rule required to block youtube
You don't - not easily, at least. iptables allows you to configure rules by IP. Blocking e.g. *.youtube.com/* [to say nothing of aliases thereof] is hostname-based, not IP-based. And I would imagine, at a glance, that Youtube has a lot of IPs.

Your easiest answer would be to do HTTP proxying and filter it that way.

- Rich

On Thu, Oct 4, 2012 at 3:27 AM, vivek chalotra vivekat...@gmail.com wrote:

> Dear all,
>
> I have used the following ip table rules to implement gateway in my linux server:
>
>     iptables --flush
>     iptables --table nat --flush
>     iptables --delete-chain
>     iptables --table nat --delete-chain
>     iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
>     iptables --append FORWARD --in-interface eth1 -j ACCEPT
>     echo 1 > /proc/sys/net/ipv4/ip_forward
>     iptables-save
>
> And now I want to block youtube on my network. Kindly suggest iptable rules to do that. My server has two ethernet cards, eth0 is external network and eth1 is for local LAN.
>
> Any help is appreciated.
>
> Regards
> Vivek Chalotra
> GRID Project Associate,
> High Energy Physics Group,
> Department of Physics & Electronics,
> University of Jammu,
> Jammu 180006, INDIA.
Re: Iptable rule required to block youtube
On 10/4/12 3:27 AM, vivek chalotra wrote:
> And now I want to block youtube on my network.

It can be done with iptables however it's not for the faint of heart. I did some reading about it on a dd-wrt website and it wasn't something I found as an easy solution to a single problem such as this. However, blocking by name string leaves open the ipaddress approach so you have to do both things and this isn't something easily maintained.

May I respectfully suggest that the problem isn't at the iptables level but at the user level? A simple "You do it, you're cut off." rule is more effective and would move the responsibility from you and the system software to those managing the users.

--
MCT Michael C Tiernan xmpp:mtier...@mit.edu +1 (617) 324-9173
MIT - Laboratory for Nuclear Science - http://www.lns.mit.edu
High Perf Research Computing Facility at The Bates Linear Accelerator
Please avoid sending me MS-Word or MS-PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
Re: Iptable rule required to block youtube
Have you looked into setting up a Squid proxy/filter? Much less of a headache than doing it at the iptables level.

On 10/04/2012 08:26 AM, Michael Tiernan wrote:

> On 10/4/12 3:27 AM, vivek chalotra wrote:
> > And now I want to block youtube on my network.
>
> It can be done with iptables however it's not for the faint of heart. I did some reading about it on a dd-wrt website and it wasn't something I found as an easy solution to a single problem such as this. However, blocking by name string leaves open the ipaddress approach so you have to do both things and this isn't something easily maintained.
>
> May I respectfully suggest that the problem isn't at the iptables level but at the user level? A simple "You do it, you're cut off." rule is more effective and would move the responsibility from you and the system software to those managing the users.
>
> --
> MCT Michael C Tiernan xmpp:mtier...@mit.edu +1 (617) 324-9173
> MIT - Laboratory for Nuclear Science - http://www.lns.mit.edu
> High Perf Research Computing Facility at The Bates Linear Accelerator
> Please avoid sending me MS-Word or MS-PowerPoint attachments.
> See http://www.gnu.org/philosophy/no-word-attachments.html
RE: Iptable rule required to block youtube
Content filtering would be the way to go. For an interim solution, if you control your DNS servers, block it at the DNS level.

From: owner-scientific-linux-us...@listserv.fnal.gov [mailto:owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of Trenton Ray
Sent: Thursday, October 04, 2012 4:29 AM
To: vivekat...@gmail.com
Cc: scientific-linux-us...@fnal.gov
Subject: Re: Iptable rule required to block youtube

Have you looked into setting up a Squid proxy/filter? Much less of a headache than doing it at the iptables level.

On 10/04/2012 08:26 AM, Michael Tiernan wrote:

> On 10/4/12 3:27 AM, vivek chalotra wrote:
> > And now I want to block youtube on my network.
>
> It can be done with iptables however it's not for the faint of heart. I did some reading about it on a dd-wrt website and it wasn't something I found as an easy solution to a single problem such as this. However, blocking by name string leaves open the ipaddress approach so you have to do both things and this isn't something easily maintained.
>
> May I respectfully suggest that the problem isn't at the iptables level but at the user level? A simple "You do it, you're cut off." rule is more effective and would move the responsibility from you and the system software to those managing the users.
>
> --
> MCT Michael C Tiernan xmpp:mtier...@mit.edu +1 (617) 324-9173
> MIT - Laboratory for Nuclear Science - http://www.lns.mit.edu
> High Perf Research Computing Facility at The Bates Linear Accelerator
> Please avoid sending me MS-Word or MS-PowerPoint attachments.
> See http://www.gnu.org/philosophy/no-word-attachments.html
Re: Iptable rule required to block youtube
To start a little bash-fu:

    dig youtube.com | egrep youtube.com | awk '{ print $5 }' | grep . | grep -v '<<>>' > yt.dig

From here it isn't hard to append your blocking rules. If you need more help I'm sure myself or others on the list can further script this and you can choose how often you'd want to rewrite your iptables rules kept here: /etc/sysconfig/iptables

Best of luck!

On Thu, Oct 4, 2012 at 9:40 AM, Novick, Jeffrey L CTR (US) jeffrey.l.novick@mail.mil wrote:

> Content filtering would be the way to go. For an interim solution, if you control your DNS servers, block it at the DNS level.
>
> From: owner-scientific-linux-us...@listserv.fnal.gov [mailto:owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of Trenton Ray
> Sent: Thursday, October 04, 2012 4:29 AM
> To: vivekat...@gmail.com
> Cc: scientific-linux-us...@fnal.gov
> Subject: Re: Iptable rule required to block youtube
>
> Have you looked into setting up a Squid proxy/filter? Much less of a headache than doing it at the iptables level.
>
> On 10/04/2012 08:26 AM, Michael Tiernan wrote:
>
> > On 10/4/12 3:27 AM, vivek chalotra wrote:
> > > And now I want to block youtube on my network.
> >
> > It can be done with iptables however it's not for the faint of heart. I did some reading about it on a dd-wrt website and it wasn't something I found as an easy solution to a single problem such as this. However, blocking by name string leaves open the ipaddress approach so you have to do both things and this isn't something easily maintained.
> >
> > May I respectfully suggest that the problem isn't at the iptables level but at the user level? A simple "You do it, you're cut off." rule is more effective and would move the responsibility from you and the system software to those managing the users.
> >
> > --
> > MCT Michael C Tiernan xmpp:mtier...@mit.edu +1 (617) 324-9173
> > MIT - Laboratory for Nuclear Science - http://www.lns.mit.edu
> > High Perf Research Computing Facility at The Bates Linear Accelerator
> > Please avoid sending me MS-Word or MS-PowerPoint attachments.
> > See http://www.gnu.org/philosophy/no-word-attachments.html

--
Miano, Steven M.
http://stevenmiano.com
Re: Iptable rule required to block youtube
On 10/04/2012 09:58 AM, Steven Miano wrote:
> dig youtube.com | egrep youtube.com | awk '{ print $5 }' | grep . | grep -v '<<>>' > yt.dig

You'd block google's DNS servers with that, which might not be a problem on the client, but may I suggest a new and improved method:

    host youtube.com | awk '/has address/ {print $NF}'
    74.125.228.5
    74.125.228.3
    74.125.228.1
    74.125.228.14
    74.125.228.0
    74.125.228.8
    74.125.228.2
    74.125.228.6
    74.125.228.4
    74.125.228.9
    74.125.228.7

Remove the awk filter and you'll also see the IPv6:

    youtube.com has IPv6 address 2607:f8b0:400d:c00::5d
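
An added example, not written by any poster in this thread: it combines the host | awk extraction above with David Sommerseth's advice to filter in FORWARD rather than INPUT, and only prints iptables-restore input. The chain name YT_BLOCK, the function names and the sample host output are assumptions made for illustration; as other posters point out, these addresses are shared with other Google services.

```shell
#!/bin/sh
# Added example: build FORWARD-path DROP rules from `host` output.
# It only prints iptables-restore input; nothing touches the live firewall.

CHAIN=YT_BLOCK   # hypothetical chain name, not from the thread

# Constructed sample of `host youtube.com` output. The addresses are ones
# quoted in the thread; the duplicate, MX and malformed lines are made up.
sample_host_output() {
    cat <<'EOF'
youtube.com has address 74.125.228.5
youtube.com has address 74.125.228.3
youtube.com has address 74.125.228.5
youtube.com has address not-an-address
youtube.com has IPv6 address 2607:f8b0:400d:c00::5d
youtube.com mail is handled by 10 aspmx.l.google.com.
EOF
}

# Print the unique addresses of one family (4 or 6) found on stdin.
# DNS answers are untrusted input, so anything that does not have the
# shape of an address is dropped before it can reach a rule line.
extract_addrs() {
    case "$1" in
        4) awk '/ has address / && $NF ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print $NF}' ;;
        6) awk '/ has IPv6 address / && $NF ~ /^[0-9A-Fa-f:]+$/ {print $NF}' ;;
    esac | sort -u
}

# Turn an address list on stdin into iptables-restore input for one chain.
# Traffic forwarded from the LAN is matched on its destination (-d).
build_ruleset() {
    echo '*filter'
    echo ":$CHAIN - [0:0]"
    while read -r addr; do
        [ -n "$addr" ] && echo "-A $CHAIN -d $addr -j DROP"
    done
    echo 'COMMIT'
}

# IPv4 output is meant for iptables-restore, IPv6 for ip6tables-restore.
ruleset_for() {
    sample_host_output | extract_addrs "$1" | build_ruleset
}

ruleset_for 4
ruleset_for 6
```

On a real gateway the input would come from host youtube.com and the output would be piped to iptables-restore --noflush, which rebuilds only this chain and leaves the rest of the table alone. The chain is then hooked in once with iptables -I FORWARD -i eth1 -j YT_BLOCK; it has to be inserted rather than appended, because the gateway setup earlier in the thread already appends a blanket ACCEPT for eth1 to FORWARD.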
Re: Iptable rule required to block youtube
I'm confused as to why it would block the Google DNS servers (which I believe are 8.8.8.8 and 8.8.4.4 unless they have more? resolve to):

    8.8.8.8.in-addr.arpa. 43194 IN PTR google-public-dns-a.google.com.

My results to both of our suggestions seem to be identical. Very interesting that we get completely different results though. :-)

    [mianosm@dev ~]$ host youtube.com | awk '/has address/ {print $NF}'
    173.194.37.100
    173.194.37.105
    173.194.37.96
    173.194.37.104
    173.194.37.102
    173.194.37.101
    173.194.37.99
    173.194.37.110
    173.194.37.98
    173.194.37.103
    173.194.37.97
    [mianosm@dev ~]$ dig youtube.com | egrep youtube.com | awk '{ print $5 }' | grep -v '<<>>' | grep .
    173.194.37.100
    173.194.37.105
    173.194.37.96
    173.194.37.104
    173.194.37.102
    173.194.37.101
    173.194.37.99
    173.194.37.110
    173.194.37.98
    173.194.37.103
    173.194.37.97

On Thu, Oct 4, 2012 at 11:27 AM, Chris Schanzle schan...@nist.gov wrote:

> On 10/04/2012 09:58 AM, Steven Miano wrote:
> > dig youtube.com | egrep youtube.com | awk '{ print $5 }' | grep . | grep -v '<<>>' > yt.dig
>
> You'd block google's DNS servers with that, which might not be a problem on the client, but may I suggest a new and improved method:
>
>     host youtube.com | awk '/has address/ {print $NF}'
>     74.125.228.5
>     74.125.228.3
>     74.125.228.1
>     74.125.228.14
>     74.125.228.0
>     74.125.228.8
>     74.125.228.2
>     74.125.228.6
>     74.125.228.4
>     74.125.228.9
>     74.125.228.7
>
> Remove the awk filter and you'll also see the IPv6:
>
>     youtube.com has IPv6 address 2607:f8b0:400d:c00::5d

--
Miano, Steven M.
http://stevenmiano.com
Re: Iptable rule required to block youtube
Disregard this. You can not stop youtube at Layer 3. Or you will lose Google pretty much. Sorry.

On Thu, Oct 4, 2012 at 1:12 PM, Steven Miano mian...@gmail.com wrote:

> I'm confused as to why it would block the Google DNS servers (which I believe are 8.8.8.8 and 8.8.4.4 unless they have more? resolve to):
>
>     8.8.8.8.in-addr.arpa. 43194 IN PTR google-public-dns-a.google.com.
>
> My results to both of our suggestions seem to be identical. Very interesting that we get completely different results though. :-)
>
>     [mianosm@dev ~]$ host youtube.com | awk '/has address/ {print $NF}'
>     173.194.37.100
>     173.194.37.105
>     173.194.37.96
>     173.194.37.104
>     173.194.37.102
>     173.194.37.101
>     173.194.37.99
>     173.194.37.110
>     173.194.37.98
>     173.194.37.103
>     173.194.37.97
>     [mianosm@dev ~]$ dig youtube.com | egrep youtube.com | awk '{ print $5 }' | grep -v '<<>>' | grep .
>     173.194.37.100
>     173.194.37.105
>     173.194.37.96
>     173.194.37.104
>     173.194.37.102
>     173.194.37.101
>     173.194.37.99
>     173.194.37.110
>     173.194.37.98
>     173.194.37.103
>     173.194.37.97
>
> On Thu, Oct 4, 2012 at 11:27 AM, Chris Schanzle schan...@nist.gov wrote:
>
> > On 10/04/2012 09:58 AM, Steven Miano wrote:
> > > dig youtube.com | egrep youtube.com | awk '{ print $5 }' | grep . | grep -v '<<>>' > yt.dig
> >
> > You'd block google's DNS servers with that, which might not be a problem on the client, but may I suggest a new and improved method:
> >
> >     host youtube.com | awk '/has address/ {print $NF}'
> >     74.125.228.5
> >     74.125.228.3
> >     74.125.228.1
> >     74.125.228.14
> >     74.125.228.0
> >     74.125.228.8
> >     74.125.228.2
> >     74.125.228.6
> >     74.125.228.4
> >     74.125.228.9
> >     74.125.228.7
> >
> > Remove the awk filter and you'll also see the IPv6:
> >
> >     youtube.com has IPv6 address 2607:f8b0:400d:c00::5d
>
> --
> Miano, Steven M.
> http://stevenmiano.com

--
Miano, Steven M.
http://stevenmiano.com
Re: Iptable rule required to block youtube
On Thu, Oct 04, 2012 at 12:57:00PM +0530, vivek chalotra wrote:
> And now I want to block youtube on my network. Kindly suggest iptable rules to do that.

"block youtube on my network" is not a very well defined wish.

If you want to merely block the well known youtube IP and DNS addresses, you can use iptables, etc. Be prepared to update these lists frequently to keep up with things like youtu.be & co.

If you want to prevent users of the network from watching all youtube videos always, give up now.

First of all, you will have to be able to handle legitimate exceptions: "how do I watch training videos for Altera Quartus software that happen to be hosted on youtube?!?".

Second, you will have to handle all the possible 3rd party redirectors, proxies, and other kludges specifically designed to circumvent youtube blockers such as you are trying to build.

--
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada
Re: Iptable rule required to block youtube
Maybe you should take a look at ClearOS[1]. It is a RHEL based distribution from a company that, now, develops layer7-filter. In a simple way I was able to block all FLV videos (even if the users are still able to reach youtube.com, they can not see any videos).

[1] - http://www.clearfoundation.com/Software/overview.html

--
Henrique LonelySpooky Junior
http://about.me/henriquejunior

From: Konstantin Olchanski olcha...@triumf.ca
To: vivek chalotra vivekat...@gmail.com
Cc: scientific-linux-us...@fnal.gov
Sent: Thursday, October 4, 2012 3:10 PM
Subject: Re: Iptable rule required to block youtube

> On Thu, Oct 04, 2012 at 12:57:00PM +0530, vivek chalotra wrote:
> > And now I want to block youtube on my network. Kindly suggest iptable rules to do that.
>
> "block youtube on my network" is not a very well defined wish.
>
> If you want to merely block the well known youtube IP and DNS addresses, you can use iptables, etc. Be prepared to update these lists frequently to keep up with things like youtu.be & co.
>
> If you want to prevent users of the network from watching all youtube videos always, give up now.
>
> First of all, you will have to be able to handle legitimate exceptions: "how do I watch training videos for Altera Quartus software that happen to be hosted on youtube?!?".
>
> Second, you will have to handle all the possible 3rd party redirectors, proxies, and other kludges specifically designed to circumvent youtube blockers such as you are trying to build.
>
> --
> Konstantin Olchanski
> Data Acquisition Systems: The Bytes Must Flow!
> Email: olchansk-at-triumf-dot-ca
> Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada