Once on one of the NAT servers I needed to block some sites.
If the sites are located on several IP addresses, then you need to find out these ranges of IP addresses, for example, look for VKontakte on bgp.he.net, for example, a list of subnets for one of the AS belonging to VK “http://bgp.he.net/AS47541#_prefixes”.
When networks or hosts are known, add rules for them in iptables, for example:
/sbin/iptables -A FORWARD -s 184.108.40.206/18 -j DROP /sbin/iptables -A FORWARD -s 220.127.116.11/20 -j DROP
Thus, we prohibit the passage of the traffic of these networks through the server.