This post uses the iptables string extension module (xt_string): the --string parameter is used to block access to the HTTP/HTTPS service of a specific web site, and the --hex-string parameter is used to prevent DNS resolution of a specific domain name. Two caveats apply to both uses. The module inspects the payload of each packet on its own, so a keyword that is split across two packets is not matched. And the keyword must actually travel in cleartext: for plain HTTP it appears in the Host header, but an HTTPS request is encrypted, so on port 443 the only thing the match can hit is the server name in the TLS ClientHello (SNI), which is sent unencrypted unless Encrypted ClientHello is in use.
For example, to block access to baidu.com's HTTP/HTTPS service: the --string parameter specifies the keyword contained in the web site address to be blocked, and --algo selects the string matching algorithm, either bm (Boyer-Moore) or kmp (Knuth-Morris-Pratt). The match is case-sensitive unless --icase is added, and restricting the rule with -m multiport --dports 80,443 keeps it from dropping unrelated traffic that happens to contain the keyword.
# disable some HTTP/HTTPS requests
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m string --string "baidu.com" --algo bm -j DROP
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m string --string "baidu.com" --algo bm -j DROP
iptables -A FORWARD -p tcp -m multiport --dports 80,443 -m string --string "baidu.com" --algo bm -j DROP
The rules that prevent resolution of a domain name containing baidu.com are as follows. In the DNS wire format each label of the queried name is preceded by a one-byte length, so baidu.com is encoded as the byte 05, the text "baidu", the byte 03, the text "com", and then a 00 terminator. In the --hex-string parameter the bytes between | and | are given in hex and everything else is matched literally, so |05|baidu|03|com matches exactly that encoding. Because the length bytes are part of the pattern, it matches the label "baidu" itself and not, say, "mybaidu.com". The rules cover both UDP and TCP port 53 because resolvers fall back to TCP for large or truncated responses.
# disable some DNS queries
iptables -A OUTPUT -p tcp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP
iptables -A INPUT -p tcp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP
iptables -A FORWARD -p tcp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP
iptables -A OUTPUT -p udp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP
iptables -A INPUT -p udp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP
iptables -A FORWARD -p udp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP
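As an added example (not code from the original post), the shell below derives the --hex-string pattern from a domain name by applying the DNS label-length encoding described above, then prints the six DROP rules for it. It goes beyond the single baidu.com case on the page: it handles names with any number of labels, and it can append the |00| name terminator so the pattern is anchored at the end of the queried name (|05|baidu|03|com on its own also matches baidu.com.cn, because the QNAME for that name contains the same byte sequence). The function names dns_hex_string and emit_dns_block_rules and the "anchored" argument are this example's own; the rules are printed rather than executed so it can be run and checked without root.

```shell
#!/bin/sh
# Added example: encode a DNS name the way it appears in a query's QNAME field
# (one length byte before each label) as an xt_string --hex-string pattern.
#   dns_hex_string baidu.com           -> |05|baidu|03|com
#   dns_hex_string baidu.com anchored  -> |05|baidu|03|com|00|   (ends at the name terminator)
dns_hex_string() {
    name=$1
    mode=${2:-}
    out=""
    # Split the name on dots into positional parameters (portable across sh/bash/dash).
    old_ifs=$IFS
    IFS=.
    set -- $name
    IFS=$old_ifs
    for label; do
        [ -n "$label" ] || continue          # tolerate a trailing dot
        len=${#label}
        if [ "$len" -gt 63 ]; then           # DNS labels are at most 63 octets
            echo "dns_hex_string: label too long: $label" >&2
            return 1
        fi
        # Length byte in hex between pipes, then the label as literal text.
        out="${out}|$(printf '%02x' "$len")|${label}"
    done
    # A 00 length byte terminates the QNAME; appending it stops the pattern
    # from also matching longer names such as baidu.com.cn.
    if [ "$mode" = "anchored" ]; then
        out="${out}|00|"
    fi
    printf '%s\n' "$out"
}

# Print the DROP rules for one name on both DNS transports and all three
# filter chains, mirroring the rule set on the page. Nothing is applied here;
# pipe the output to sh as root to install the rules.
emit_dns_block_rules() {
    pattern=$(dns_hex_string "$1" "${2:-}") || return 1
    for chain in OUTPUT INPUT FORWARD; do
        for proto in udp tcp; do
            printf 'iptables -A %s -p %s --dport 53 -m string --hex-string "%s" --algo bm -j DROP\n' \
                "$chain" "$proto" "$pattern"
        done
    done
}

# Sample run on a constructed input: prints six rules for www.baidu.com.
emit_dns_block_rules www.baidu.com anchored
```

The anchored form still matches queries for www.baidu.com, since the pattern ends at that name's own 00 terminator, but it no longer matches baidu.com.cn. Whichever form is used, check the hit counters afterwards with iptables -L -n -v to confirm the rule is actually seeing the queries.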
The complete code is as follows:
#!/bin/bash
# Usage: ./iptables.sh        apply the rule set
#        ./iptables.sh stop   flush everything and open all policies
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z
iptables -t raw -F
iptables -t raw -X
iptables -t raw -Z
iptables -t security -F
iptables -t security -X
iptables -t security -Z
if [ "$1" = "stop" ]
then
    echo "Warning: iptables stopped."
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -t nat -P INPUT ACCEPT
    iptables -t nat -P OUTPUT ACCEPT
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t mangle -P OUTPUT ACCEPT
    iptables -t mangle -P PREROUTING ACCEPT
    iptables -t raw -P PREROUTING ACCEPT
    iptables -t raw -P OUTPUT ACCEPT
    iptables -t security -P INPUT ACCEPT
    iptables -t security -P OUTPUT ACCEPT
    iptables -t security -P FORWARD ACCEPT
    iptables -L -n -v --line-numbers
    exit
fi
# The addresses, interface and ports below are not given on the page; set them
# for your host before running, otherwise the script stops here.
: "${ip_wan:?set ip_wan to this host's WAN address}"
: "${ip_lan:?set ip_lan to this host's LAN address}"
: "${ip_inside:?set ip_inside to the inside subnet to reject}"
: "${eth_wan:?set eth_wan to the WAN interface name}"
: "${this_server:?set this_server to this host's address}"
: "${dns_server:?set dns_server to the upstream resolver}"
: "${dns_port:?set dns_port (normally 53)}"
: "${http_port:?set http_port to the allowed web ports, e.g. 80,443}"
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t raw -P PREROUTING ACCEPT
iptables -t raw -P OUTPUT ACCEPT
iptables -t security -P INPUT ACCEPT
iptables -t security -P OUTPUT ACCEPT
iptables -t security -P FORWARD ACCEPT
# localhost
iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -s ${ip_wan} -d ${ip_wan} -j ACCEPT
iptables -A OUTPUT -s ${ip_wan} -d ${ip_wan} -j ACCEPT
iptables -A INPUT -s ${ip_lan} -d ${ip_lan} -j ACCEPT
iptables -A OUTPUT -s ${ip_lan} -d ${ip_lan} -j ACCEPT
# inside subnet
iptables -A INPUT -s ${ip_inside} -j REJECT
iptables -A OUTPUT -d ${ip_inside} -j REJECT
# disable some HTTP/HTTPS requests
# (these DROP rules must come before the ACCEPT rules for ${http_port} below,
# because iptables applies the first rule that matches)
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m string --string "baidu.com" --algo bm -j DROP
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m string --string "baidu.com" --algo bm -j DROP
iptables -A FORWARD -p tcp -m multiport --dports 80,443 -m string --string "baidu.com" --algo bm -j DROP
# disable some DNS queries
iptables -A OUTPUT -p tcp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP
iptables -A INPUT -p tcp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP
iptables -A FORWARD -p tcp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP
iptables -A OUTPUT -p udp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP
iptables -A INPUT -p udp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP
iptables -A FORWARD -p udp -m multiport --dports 53 -m string --hex-string "|05|baidu|03|com" --algo bm -j DROP
iptables -A OUTPUT -p tcp -m multiport --dports 53 -m string --hex-string "|03|163|03|com" --algo bm -j DROP
iptables -A INPUT -p tcp -m multiport --dports 53 -m string --hex-string "|03|163|03|com" --algo bm -j DROP
iptables -A FORWARD -p tcp -m multiport --dports 53 -m string --hex-string "|03|163|03|com" --algo bm -j DROP
iptables -A OUTPUT -p udp -m multiport --dports 53 -m string --hex-string "|03|163|03|com" --algo bm -j DROP
iptables -A INPUT -p udp -m multiport --dports 53 -m string --hex-string "|03|163|03|com" --algo bm -j DROP
iptables -A FORWARD -p udp -m multiport --dports 53 -m string --hex-string "|03|163|03|com" --algo bm -j DROP
# ping
iptables -A OUTPUT -o ${eth_wan} -p icmp -s ${this_server} -j ACCEPT
iptables -A INPUT -i ${eth_wan} -p icmp -d ${this_server} -j ACCEPT
# dns lookup
iptables -A OUTPUT -o ${eth_wan} -p udp -s ${this_server} -d ${dns_server} --dport ${dns_port} -j ACCEPT
iptables -A INPUT -i ${eth_wan} -p udp -s ${dns_server} --sport ${dns_port} -d ${this_server} -j ACCEPT
iptables -A OUTPUT -o ${eth_wan} -p tcp -s ${this_server} -d ${dns_server} --dport ${dns_port} -j ACCEPT
iptables -A INPUT -i ${eth_wan} -p tcp -s ${dns_server} --sport ${dns_port} -d ${this_server} -m state --state RELATED,ESTABLISHED -j ACCEPT
# http browser
iptables -A OUTPUT -o ${eth_wan} -p tcp -m multiport --dports ${http_port} -j ACCEPT
iptables -A INPUT -i ${eth_wan} -p tcp -m multiport --sports ${http_port} -m state --state RELATED,ESTABLISHED -j ACCEPT
# log whatever reaches the end of INPUT before the DROP policy applies
iptables -A INPUT -j LOG --log-prefix "iptables"
iptables-save > /etc/sysconfig/iptables
Linux system security 04 using Iptables to block access to specific Web sites