Blocking social networks using iptables

Once on one of the NAT servers I needed to block some sites.

If the sites are located on several IP addresses, then you need to find out these ranges of IP addresses, for example, look for VKontakte on bgp.he.net, for example, a list of subnets for one of the AS belonging to VK “http://bgp.he.net/AS47541#_prefixes”.

When networks or hosts are known, add rules for them in iptables, for example:

/sbin/iptables -A FORWARD -s 87.240.128.0/18 -j DROP
/sbin/iptables -A FORWARD -s 95.142.192.0/20 -j DROP

Thus, we prohibit the passage of the traffic of these networks through the server.

See also my articles:
Blocking social networks on Cisco
Blocking social networks on Mikrotik routers

IPTables rules for DHCP

Assume the default server INPUT DROP, now I will give an example of a simple rule permitting DHCP requests to the server, this will be enough for clients to get IP from the server (where em1 is the network interface on which the DHCP server is running):

iptables -I INPUT -p udp -i em1 --dport 67 -j ACCEPT

To remove a rule, we’ll specify the same command, replacing -A with -D, for example:

iptables -D INPUT -p udp -i em1 --dport 67 -j ACCEPT

Restrict access by IP is strictly impossible, because clients that do not have an IP address usually send a broadcast request from the IP address 0.0.0.0 to 255.255.255.255, and extend already unicast from their received IP.

Here is an example of an IP restriction (where 192.168.5.1 is the IP on which the DHCP server is running, and 172.17.0.0/16 is the network of clients with which it is allowed to renew the IP lease):

iptables -t filter -A INPUT -i em1 -p udp -s 0.0.0.0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
iptables -t filter -A INPUT -i em1 -p udp -s 0.0.0.0 --sport 68 -d 192.168.5.1 --dport 67 -j ACCEPT
iptables -t filter -A INPUT -i em1 -p udp -s 172.17.0.0/16 --sport 68 -d 192.168.5.1 --dport 67 -j ACCEPT

See also my articles:
Configuring IPTables
IPTables rules for TFTP