Re: Iptable rule required to block youtube

2012-10-05 Thread David Sommerseth
- Original Message - 
> From: "vivek chalotra" 
> To: "Henrique Junior" 
> Cc: "Konstantin Olchanski" ,
> scientific-linux-us...@fnal.gov
> Sent: Friday, 5 October, 2012 9:10:24 AM
> Subject: Re: Iptable rule required to block youtube
>
> I have blocked youtube (IPs from 74.125.236.0-74.125.236.14) in my
> gateway machine using the below rules:
>
> iptables -A INPUT -i eth1 -s 74.125.236.0 -j DROP
> iptables -A INPUT -i eth1 -p tcp -s 74.125.236.0 -j DROP
> iptables -A INPUT -i eth0 -s 74.125.236.0 -j DROP
> iptables -A INPUT -i eth0 -p tcp -s 74.125.236.0 -j DROP

> but how to block on the whole network. Other hosts are still able to
> access youtube.

With "whole network", do you mean your local LAN which your firewall (this SL 
box you're configuring) controls?  If so, you should probably add those DROP 
rules to the FORWARD chain and not the INPUT chain.

See this URL for more info: 
<http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html>


kind regards,

David Sommerseth


Re: Iptable rule required to block youtube

2012-10-05 Thread jdow

Presuming that is the right address for your region on this ball of
dirt, how do you access Google? Google and YouTube share the same
address block, which is addresses 74.125.239.0-74.125.239.14.

Google owns 74.125.0.0/16 for that matter. I don't doubt that they
have other netblocks, too.

{o.o}

On 2012/10/05 00:10, vivek chalotra wrote:

I have blocked youtube (IPs from 74.125.236.0-74.125.236.14) in my gateway
machine using the below rules:


iptables -A INPUT -i eth1 -s 74.125.236.0 -j DROP
iptables -A INPUT -i eth1 -p tcp -s 74.125.236.0 -j DROP
iptables -A INPUT -i eth0 -s 74.125.236.0 -j DROP
iptables -A INPUT -i eth0 -p tcp -s 74.125.236.0 -j DROP

but how to block on the whole network. Other hosts are still able to access 
youtube.

Vivek Chalotra
GRID Project Associate,
High Energy Physics Group,
Department of Physics & Electronics,
University of Jammu,
Jammu 180006,
INDIA.


On Thu, Oct 4, 2012 at 11:57 PM, Henrique Junior <henrique...@gmail.com> wrote:

Maybe you should take a look at ClearOS[1].
It is a RHEL based distribution from a company that, now, develops
layer7-filter. In a simple way I was able to block all FLV videos (even if
the users are still able to reach youtube.com, they cannot see any videos).

[1] - http://www.clearfoundation.com/Software/overview.html
--
Henrique "LonelySpooky" Junior
http://about.me/henriquejunior



*From:* Konstantin Olchanski <olcha...@triumf.ca>
*To:* vivek chalotra <vivekat...@gmail.com>
*Cc:* scientific-linux-us...@fnal.gov
*Sent:* Thursday, October 4, 2012 3:10 PM

*Subject:* Re: Iptable rule required to block youtube

On Thu, Oct 04, 2012 at 12:57:00PM +0530, vivek chalotra wrote:
>
> And now I want to block youtube on my network. Kindly suggest iptable
> rules to do that.
>

"block youtube on my network" is not a very well defined wish.

If you want to merely block the well known youtube IP and DNS addresses,
you can use iptables, etc. Be prepared to update these lists frequently
to keep up with things like youtu.be & co.

If you want to prevent users of the network from watching all youtube
videos always,
give up now.

First of all, you will have to be able to handle legitimate exceptions:
"how do I watch training videos for Altera Quartus software that
happen to be hosted on youtube?!?".

Second, you will have to handle all the possible 3rd party redirectors,
proxies, and other kludges specifically designed to circumvent
youtube blockers such as you are trying to build.

--
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada





Re: Iptable rule required to block youtube

2012-10-05 Thread vivek chalotra
I have blocked youtube (IPs from 74.125.236.0-74.125.236.14) in my gateway
machine using the below rules:


iptables -A INPUT -i eth1 -s 74.125.236.0 -j DROP
iptables -A INPUT -i eth1 -p tcp -s 74.125.236.0 -j DROP
iptables -A INPUT -i eth0 -s 74.125.236.0 -j DROP
iptables -A INPUT -i eth0 -p tcp -s 74.125.236.0 -j DROP

but how to block on the whole network. Other hosts are still able to access
youtube.

Vivek Chalotra
GRID Project Associate,
High Energy Physics Group,
Department of Physics & Electronics,
University of Jammu,
Jammu 180006,
INDIA.


On Thu, Oct 4, 2012 at 11:57 PM, Henrique Junior wrote:

> Maybe you should take a look at ClearOS[1].
> It is a RHEL based distribution from a company that, now, develops
> layer7-filter. In a simple way I was able to block all FLV videos (even if
> the users are still able to reach youtube.com, they cannot see any
> videos).
>
> [1] - http://www.clearfoundation.com/Software/overview.html
>
> --
> Henrique "LonelySpooky" Junior
> http://about.me/henriquejunior
>
>   --
> *From:* Konstantin Olchanski 
> *To:* vivek chalotra 
> *Cc:* scientific-linux-us...@fnal.gov
> *Sent:* Thursday, October 4, 2012 3:10 PM
>
> *Subject:* Re: Iptable rule required to block youtube
>
> On Thu, Oct 04, 2012 at 12:57:00PM +0530, vivek chalotra wrote:
> >
> > And now I want to block youtube on my network. Kindly suggest iptable
> > rules to do that.
> >
>
> "block youtube on my network" is not a very well defined wish.
>
> If you want to merely block the well known youtube IP and DNS addresses,
> you can use iptables, etc. Be prepared to update these lists frequently
> to keep up with things like youtu.be & co.
>
> If you want to prevent users of the network from watching all youtube
> videos always,
> give up now.
>
> First of all, you will have to be able to handle legitimate exceptions:
> "how do I watch training videos for Altera Quartus software that
> happen to be hosted on youtube?!?".
>
> Second, you will have to handle all the possible 3rd party redirectors,
> proxies, and other kludges specifically designed to circumvent
> youtube blockers such as you are trying to build.
>
> --
> Konstantin Olchanski
> Data Acquisition Systems: The Bytes Must Flow!
> Email: olchansk-at-triumf-dot-ca
> Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada
>
>
>


Re: Iptable rule required to block youtube

2012-10-04 Thread Henrique Junior
Maybe you should take a look at ClearOS[1].
It is a RHEL based distribution from a company that, now, develops 
layer7-filter. In a simple way I was able to block all FLV videos (even if the 
users are still able to reach youtube.com, they cannot see any videos).

[1] - http://www.clearfoundation.com/Software/overview.html
 
--
Henrique "LonelySpooky" Junior
http://about.me/henriquejunior



>
> From: Konstantin Olchanski 
>To: vivek chalotra  
>Cc: scientific-linux-us...@fnal.gov 
>Sent: Thursday, October 4, 2012 3:10 PM
>Subject: Re: Iptable rule required to block youtube
> 
>On Thu, Oct 04, 2012 at 12:57:00PM +0530, vivek chalotra wrote:
>> 
>> And now I want to block youtube on my network. Kindly suggest iptable rules 
>> to do that.
>>
>
>"block youtube on my network" is not a very well defined wish.
>
>If you want to merely block the well known youtube IP and DNS addresses,
>you can use iptables, etc. Be prepared to update these lists frequently
>to keep up with things like youtu.be & co.
>
>If you want to prevent users of the network from watching all youtube videos 
>always,
>give up now.
>
>First of all, you will have to be able to handle legitimate exceptions:
>"how do I watch training videos for Altera Quartus software that
>happen to be hosted on youtube?!?".
>
>Second, you will have to handle all the possible 3rd party redirectors,
>proxies, and other kludges specifically designed to circumvent
>youtube blockers such as you are trying to build.
>
>-- 
>Konstantin Olchanski
>Data Acquisition Systems: The Bytes Must Flow!
>Email: olchansk-at-triumf-dot-ca
>Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada
>
>
>

Re: Iptable rule required to block youtube

2012-10-04 Thread Konstantin Olchanski
On Thu, Oct 04, 2012 at 12:57:00PM +0530, vivek chalotra wrote:
> 
> And now I want to block youtube on my network. Kindly suggest iptable rules 
> to do that.
>

"block youtube on my network" is not a very well defined wish.

If you want to merely block the well known youtube IP and DNS addresses,
you can use iptables, etc. Be prepared to update these lists frequently
to keep up with things like youtu.be & co.

If you want to prevent users of the network from watching all youtube videos 
always,
give up now.

First of all, you will have to be able to handle legitimate exceptions:
"how do I watch training videos for Altera Quartus software that
happen to be hosted on youtube?!?".

Second, you will have to handle all the possible 3rd party redirectors,
proxies, and other kludges specifically designed to circumvent
youtube blockers such as you are trying to build.

-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada


Re: Iptable rule required to block youtube

2012-10-04 Thread Steven Miano
Disregard this. You cannot stop youtube at Layer 3, or you will lose
Google pretty much.

Sorry.

On Thu, Oct 4, 2012 at 1:12 PM, Steven Miano  wrote:

> I'm confused as to why it would block the Google DNS servers (which I
> believe are 8.8.8.8 and 8.8.4.4 unless they have more? resolve to):
>
> 8.8.8.8.in-addr.arpa.   43194   IN  PTR
> google-public-dns-a.google.com.
>
> My results to both of our suggestions seem to be identical. Very
> interesting that we get completely different results though. :-)
>
> [mianosm@dev ~]$ host youtube.com | awk '/has address/ {print $NF}'
> 173.194.37.100
> 173.194.37.105
> 173.194.37.96
> 173.194.37.104
> 173.194.37.102
> 173.194.37.101
> 173.194.37.99
> 173.194.37.110
> 173.194.37.98
> 173.194.37.103
> 173.194.37.97
> [mianosm@dev ~]$ dig youtube.com | egrep youtube.com | awk '{ print $5 }'
> | grep -v '<<' | grep .
> 173.194.37.100
> 173.194.37.105
> 173.194.37.96
> 173.194.37.104
> 173.194.37.102
> 173.194.37.101
> 173.194.37.99
> 173.194.37.110
> 173.194.37.98
> 173.194.37.103
> 173.194.37.97
>
>
> On Thu, Oct 4, 2012 at 11:27 AM, Chris Schanzle  wrote:
>
>> On 10/04/2012 09:58 AM, Steven Miano wrote:
>>
 >>>   dig youtube.com | egrep youtube.com | awk '{ print $5 }' | grep . | grep -v '<<' > yt.dig
>>>
>>
>> You'd block google's DNS servers with that, which might not be a problem
>> on the client, but may I suggest a "new and improved" method:
>>
>> host youtube.com | awk '/has address/ {print $NF}'
>> 74.125.228.5
>> 74.125.228.3
>> 74.125.228.1
>> 74.125.228.14
>> 74.125.228.0
>> 74.125.228.8
>> 74.125.228.2
>> 74.125.228.6
>> 74.125.228.4
>> 74.125.228.9
>> 74.125.228.7
>>
>>
>> Remove the awk filter and you'll also see the IPv6:
>>
>> youtube.com has IPv6 address 2607:f8b0:400d:c00::5d
>>
>
>
>
> --
>  Miano, Steven M.
> http://stevenmiano.com
>
>


-- 
 Miano, Steven M.
http://stevenmiano.com


Re: Iptable rule required to block youtube

2012-10-04 Thread Steven Miano
I'm confused as to why it would block the Google DNS servers (which I
believe are 8.8.8.8 and 8.8.4.4 unless they have more? resolve to):

8.8.8.8.in-addr.arpa.   43194   IN  PTR
google-public-dns-a.google.com.

My results to both of our suggestions seem to be identical. Very
interesting that we get completely different results though. :-)

[mianosm@dev ~]$ host youtube.com | awk '/has address/ {print $NF}'
173.194.37.100
173.194.37.105
173.194.37.96
173.194.37.104
173.194.37.102
173.194.37.101
173.194.37.99
173.194.37.110
173.194.37.98
173.194.37.103
173.194.37.97
[mianosm@dev ~]$ dig youtube.com | egrep youtube.com | awk '{ print $5 }' |
grep -v '<<' | grep .
173.194.37.100
173.194.37.105
173.194.37.96
173.194.37.104
173.194.37.102
173.194.37.101
173.194.37.99
173.194.37.110
173.194.37.98
173.194.37.103
173.194.37.97


On Thu, Oct 4, 2012 at 11:27 AM, Chris Schanzle  wrote:

> On 10/04/2012 09:58 AM, Steven Miano wrote:
>
>>   dig youtube.com | egrep youtube.com | awk '{ print $5 }' | grep . | grep -v '<<' > yt.dig
>>
>
> You'd block google's DNS servers with that, which might not be a problem
> on the client, but may I suggest a "new and improved" method:
>
> host youtube.com | awk '/has address/ {print $NF}'
> 74.125.228.5
> 74.125.228.3
> 74.125.228.1
> 74.125.228.14
> 74.125.228.0
> 74.125.228.8
> 74.125.228.2
> 74.125.228.6
> 74.125.228.4
> 74.125.228.9
> 74.125.228.7
>
>
> Remove the awk filter and you'll also see the IPv6:
>
> youtube.com has IPv6 address 2607:f8b0:400d:c00::5d
>



-- 
 Miano, Steven M.
http://stevenmiano.com


Re: Iptable rule required to block youtube

2012-10-04 Thread Chris Schanzle

On 10/04/2012 09:58 AM, Steven Miano wrote:

  dig youtube.com | egrep youtube.com | awk '{ print $5 }' | grep . | grep -v '<<' > yt.dig


You'd block google's DNS servers with that, which might not be a problem on the client, 
but may I suggest a "new and improved" method:

host youtube.com | awk '/has address/ {print $NF}'
74.125.228.5
74.125.228.3
74.125.228.1
74.125.228.14
74.125.228.0
74.125.228.8
74.125.228.2
74.125.228.6
74.125.228.4
74.125.228.9
74.125.228.7


Remove the awk filter and you'll also see the IPv6:

youtube.com has IPv6 address 2607:f8b0:400d:c00::5d


Re: Iptable rule required to block youtube

2012-10-04 Thread Steven Miano
To start a little bash-fu:

 dig youtube.com | egrep youtube.com | awk '{ print $5 }' | grep . | grep
-v '<<' > yt.dig

From here it isn't hard to append your blocking rules.

If you need more help I'm sure myself or others on the list can further
script this and you can choose how often you'd want to rewrite your
iptables rules kept here:

/etc/sysconfig/iptables

Best of luck!

On Thu, Oct 4, 2012 at 9:40 AM, Novick, Jeffrey L CTR (US) <
jeffrey.l.novick@mail.mil> wrote:

> Content filtering would be the way to go.
> For an interim solution, if you control your DNS servers, block it at the
> DNS level.
>
> From: owner-scientific-linux-us...@listserv.fnal.gov [mailto:
> owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of Trenton Ray
> Sent: Thursday, October 04, 2012 4:29 AM
> To: vivekat...@gmail.com
> Cc: scientific-linux-us...@fnal.gov
> Subject: Re: Iptable rule required to block youtube
>
> Have you looked into setting up a Squid proxy/filter? Much less of a
> headache than doing it at the iptables level.
>
> On 10/04/2012 08:26 AM, Michael Tiernan wrote:
> On 10/4/12 3:27 AM, vivek chalotra wrote:
> And now I want to block youtube on my network.
>
> It can be done with iptables; however, it's not for the faint of heart. I
> did some reading about it on a dd-wrt website and it wasn't something I
> found as an easy solution to a single problem such as this.
>
> However, blocking by name string leaves open the ipaddress approach so you
> have to do both things and this isn't something easily maintained.
>
> May I respectfully suggest that the problem isn't at the iptables level
> but at the user level?
> A simple "You do it, you're cut off." rule is more effective and would
> move the responsibility from you and the system software to those managing
> the users.
>
> --
>   << MCT >>   Michael C Tiernan xmpp:mtier...@mit.edu +1 (617) 324-9173
>   MIT - Laboratory for Nuclear Science - http://www.lns.mit.edu
>   High Perf Research Computing Facility at The Bates Linear Accelerator
> Please avoid sending me MS-Word or MS-PowerPoint attachments.
> See http://www.gnu.org/philosophy/no-word-attachments.html
>



-- 
 Miano, Steven M.
http://stevenmiano.com
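The following is an added example, not code from the thread or from any of its posters. It ties together three points made in the replies above: David Sommerseth's note that traffic routed by the gateway is filtered in the FORWARD chain rather than INPUT, Chris Schanzle's `host youtube.com | awk '/has address/ {print $NF}'` listing together with his remark that the IPv6 record only shows up once the awk filter is removed, and Steven Miano's suggestion of scripting the rule rewrite. Assumptions, all labelled in the code: eth1 is the LAN side and eth0 the Internet side, as in the original gateway script; the `host` output is a constructed sample that reuses addresses shown in the thread; and the script only prints the iptables/ip6tables commands it would run, so it can be inspected (and tested) without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): turn a `host` listing into gateway rules.
# Assumptions: eth1 = LAN side, eth0 = Internet side (as in the original gateway
# script). The listing below is a constructed sample built from addresses the
# thread shows; a real list changes constantly and would be regenerated on a schedule.

# Constructed sample of `host youtube.com` output: A records, one AAAA record
# (the IPv6 line Chris's reply mentions) and an MX line that must be ignored.
SAMPLE_HOST_OUTPUT='youtube.com has address 74.125.228.5
youtube.com has address 74.125.228.3
youtube.com has IPv6 address 2607:f8b0:400d:c00::5d
youtube.com mail is handled by 10 aspmx.l.google.com.'

# Keep both A and AAAA answers. `/has address/` alone, as used in the thread,
# silently drops the IPv6 record, which leaves an IPv6-capable LAN host a way past
# an IPv4-only rule set.
extract_addrs() {
    awk '/has address/ || /has IPv6 address/ { print $NF }'
}

# Print one rule per address read from stdin. Three things differ from the INPUT
# rules in the original post:
#   - FORWARD, not INPUT: the gateway routes LAN traffic; INPUT only sees packets
#     addressed to the gateway itself.
#   - -I (insert at the top), not -A: the gateway script already appended
#     "FORWARD -i eth1 -j ACCEPT", so DROP rules appended after it never match.
#   - -d (destination): the outbound request carries the video host as its
#     destination; -s would only match the replies coming back.
# IPv6 addresses must go through ip6tables; iptables rejects them.
forward_drop_rules() {
    lan_if=$1
    wan_if=$2
    while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        case $addr in
            *:*) tool=ip6tables ;;
            *)   tool=iptables ;;
        esac
        printf '%s -I FORWARD -i %s -o %s -d %s -j DROP\n' \
            "$tool" "$lan_if" "$wan_if" "$addr"
    done
}

# One rule for a contiguous range such as the 74.125.236.0-74.125.236.14 block
# named in the original post, using the iprange match instead of fifteen
# single-host rules.
forward_drop_range() {
    printf 'iptables -I FORWARD -i %s -o %s -m iprange --dst-range %s -j DROP\n' \
        "$1" "$2" "$3"
}

# Stand-alone demonstration: prints the rules that would be applied, nothing more.
printf '%s\n' "$SAMPLE_HOST_OUTPUT" | extract_addrs | forward_drop_rules eth1 eth0
forward_drop_range eth1 eth0 74.125.236.0-74.125.236.14
```

To apply the output on an SL/RHEL-style box you would pipe it into `sh` and then run `service iptables save` so it lands in the `/etc/sysconfig/iptables` file Steven mentions; the generated list goes stale as the resolver answers change (Konstantin's point), so the regenerate-and-save step is the part worth scheduling, and the inserted rules should be flushed before each regeneration so the chain does not accumulate duplicates.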


RE: Iptable rule required to block youtube

2012-10-04 Thread Novick, Jeffrey L CTR (US)
Content filtering would be the way to go.
For an interim solution, if you control your DNS servers, block it at the DNS 
level. 

From: owner-scientific-linux-us...@listserv.fnal.gov 
[mailto:owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of Trenton Ray
Sent: Thursday, October 04, 2012 4:29 AM
To: vivekat...@gmail.com
Cc: scientific-linux-us...@fnal.gov
Subject: Re: Iptable rule required to block youtube

Have you looked into setting up a Squid proxy/filter? Much less of a headache 
than doing it at the iptables level. 

On 10/04/2012 08:26 AM, Michael Tiernan wrote:
On 10/4/12 3:27 AM, vivek chalotra wrote: 
And now I want to block youtube on my network.

It can be done with iptables; however, it's not for the faint of heart. I did 
some reading about it on a dd-wrt website and it wasn't something I found as an 
easy solution to a single problem such as this.

However, blocking by name string leaves open the ipaddress approach so you have 
to do both things and this isn't something easily maintained.

May I respectfully suggest that the problem isn't at the iptables level but at 
the user level?
A simple "You do it, you're cut off." rule is more effective and would move the 
responsibility from you and the system software to those managing the users.

-- 
  << MCT >>   Michael C Tiernan xmpp:mtier...@mit.edu +1 (617) 324-9173
  MIT - Laboratory for Nuclear Science - http://www.lns.mit.edu
  High Perf Research Computing Facility at The Bates Linear Accelerator
Please avoid sending me MS-Word or MS-PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html


Re: Iptable rule required to block youtube

2012-10-04 Thread Trenton Ray
Have you looked into setting up a Squid proxy/filter? Much less of a
headache than doing it at the iptables level.

On 10/04/2012 08:26 AM, Michael Tiernan wrote:
> On 10/4/12 3:27 AM, vivek chalotra wrote:
>> And now I want to block youtube on my network.
>
> It can be done with iptables; however, it's not for the faint of heart.
> I did some reading about it on a dd-wrt website and it wasn't
> something I found as an easy solution to a single problem such as this.
>
> However, blocking by name string leaves open the ipaddress approach so
> you have to do both things and this isn't something easily maintained.
>
> May I respectfully suggest that the problem isn't at the iptables
> level but at the user level?
> A simple "You do it, you're cut off." rule is more effective and would
> move the responsibility from you and the system software to those
> managing the users.
> -- 
>   << MCT >>   Michael C Tiernan xmpp:mtier...@mit.edu +1 (617) 324-9173
>   MIT - Laboratory for Nuclear Science - http://www.lns.mit.edu
>   High Perf Research Computing Facility at The Bates Linear Accelerator
> Please avoid sending me MS-Word or MS-PowerPoint attachments.
> See http://www.gnu.org/philosophy/no-word-attachments.html



Re: Iptable rule required to block youtube

2012-10-04 Thread Michael Tiernan

On 10/4/12 3:27 AM, vivek chalotra wrote:

And now I want to block youtube on my network.


It can be done with iptables; however, it's not for the faint of heart. I 
did some reading about it on a dd-wrt website and it wasn't something I 
found as an easy solution to a single problem such as this.


However, blocking by name string leaves open the ipaddress approach so 
you have to do both things and this isn't something easily maintained.


May I respectfully suggest that the problem isn't at the iptables level 
but at the user level?
A simple "You do it, you're cut off." rule is more effective and would 
move the responsibility from you and the system software to those 
managing the users.


--
  << MCT >>   Michael C Tiernan xmpp:mtier...@mit.edu +1 (617) 324-9173
  MIT - Laboratory for Nuclear Science - http://www.lns.mit.edu
  High Perf Research Computing Facility at The Bates Linear Accelerator
Please avoid sending me MS-Word or MS-PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html



Re: Iptable rule required to block youtube

2012-10-04 Thread Rich
You don't - not easily, at least.

iptables allows you to configure rules by IP.

Blocking e.g. *.youtube.com/* [to say nothing of aliases thereof] is
hostname-based, not IP-based. And I would imagine, at a glance, that
Youtube has a lot of IPs.

Your easiest answer would be to do HTTP proxying and filter it that way.

- Rich

On Thu, Oct 4, 2012 at 3:27 AM, vivek chalotra  wrote:
> Dear all,
>
> I have used the following iptables rules to implement a gateway in my Linux
> server:
>
>  iptables --flush
>  iptables --table nat --flush
>  iptables --delete-chain
>  iptables --table nat --delete-chain
>  iptables --table nat --append POSTROUTING --out-interface eth0 -j
> MASQUERADE
>  iptables --append FORWARD --in-interface eth1 -j ACCEPT
>  echo 1 > /proc/sys/net/ipv4/ip_forward
>  iptables-save
>
> And now I want to block youtube on my network. Kindly suggest iptable rules
> to do that. My server has two Ethernet cards: eth0 is the external network and
> eth1 is for the local LAN.
>
> Any help is appreciated
>
> Regards
>
> Vivek Chalotra
> GRID Project Associate,
> High Energy Physics Group,
> Department of Physics & Electronics,
> University of Jammu,
> Jammu 180006,
> INDIA.
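Several replies in this thread (Trenton's and Rich's Squid/HTTP-proxy suggestions, Jeffrey's "content filtering", Konstantin's warning about youtu.be and friends) steer away from IP rules towards filtering by hostname. The block below is an added example, not code from the thread or from the Squid project: it prints the two standard squid.conf ACL lines that express such a block, and beside them an offline model of Squid's `dstdomain` matching so a domain list can be checked before it is deployed. The domain list itself is an assumption limited to the two names that appear in the thread, and the matcher is this example's own shell, not Squid code.

```shell
#!/bin/sh
# Added example, not from the thread: hostname-based blocking on a Squid proxy,
# the approach several replies recommend instead of per-IP iptables rules.
# The two ACL lines are standard squid.conf syntax. BLOCKED_DOMAINS is this
# example's own assumption (only names mentioned in the thread), and dst_blocked
# is an offline model of Squid's dstdomain rule written for testing, not Squid code.

# A leading dot matches the domain itself and every subdomain. youtu.be is a
# separate domain (Konstantin's "youtu.be & co.") and needs its own entry; a
# rule for .youtube.com alone would not catch it.
BLOCKED_DOMAINS='.youtube.com .youtu.be'

# The squid.conf fragment: define the ACL, then deny it ahead of any allow rule.
# Printed only; nothing is written into a running configuration.
squid_acl_fragment() {
    printf 'acl video dstdomain %s\n' "$BLOCKED_DOMAINS"
    printf 'http_access deny video\n'
}

# Return 0 if host $1 would be denied by the ACL above, 1 if it would pass.
# Dotted entries match the bare domain and any subdomain; undotted entries match
# that exact name only. Lets a list be exercised before it goes on the proxy.
dst_blocked() {
    host=$1
    for pat in $BLOCKED_DOMAINS; do
        case $pat in
            .*)
                # bare domain (entry without its leading dot) ...
                [ "$host" = "${pat#.}" ] && return 0
                # ... or any name ending in ".domain"
                case $host in
                    *"$pat") return 0 ;;
                esac
                ;;
            *)
                [ "$host" = "$pat" ] && return 0
                ;;
        esac
    done
    return 1
}

# Stand-alone demonstration: the fragment, then a few sample lookups.
squid_acl_fragment
for h in www.youtube.com youtu.be notyoutube.com www.google.com; do
    if dst_blocked "$h"; then echo "$h: denied"; else echo "$h: allowed"; fi
done
```

Note that `notyoutube.com` is allowed: the dotted entry requires a dot boundary, so an unrelated domain that merely ends in the same letters is not swept up, while every subdomain of youtube.com is. This is also why the approach is only as good as the list: every third-party redirector or mirror Konstantin mentions is a new domain that the list does not know about until someone adds it.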