Recently I have noticed that more and more of the office's working hours are being spent on video sites. Whatever the reason, working time should not go to things unrelated to work, and the streams eat a large share of the office bandwidth. I tested a rule on the router that blocks requests to video sites and found it very effective:
iptables -A FORWARD -m string --string "ku6.com" --algo bm -j DROP
iptables -A FORWARD -m string --string "tudou.com" --algo bm -j DROP
iptables -A FORWARD -m string --string "ouou.com" --algo bm -j DROP
...
...
The meanings of the parameters are as follows:
-A FORWARD
Append the rule to the FORWARD chain. Because I enabled routing on this host (echo 1 > /proc/sys/net/ipv4/ip_forward), every packet the box forwards between the office and the Internet traverses the FORWARD chain; traffic addressed to or originating from the router itself goes through INPUT or OUTPUT instead and would need the rule there.
-m string
Load the string match extension, an iptables module that searches the payload of each packet for a given byte string. The search is per packet: a string that happens to straddle two packets is not seen, and a match fires wherever the bytes occur in the payload, not only inside a URL.
--string "XXXX"
The pattern to search for. It can be any fragment of the URL or of the Host header, so if you need to block downloads of a certain file type or a particular kind of request there is a lot of room to play with. Note that the match only sees what is on the wire in cleartext: for HTTPS the URL and headers are encrypted, and the only copy of the hostname this rule can still catch is the SNI in the TLS ClientHello.
--algo bm
The string-search algorithm, which the string module requires you to choose. bm (Boyer-Moore) is the usual choice and works well in general; kmp (Knuth-Morris-Pratt) is the alternative. Both are standard substring-search algorithms and any algorithms text covers them in detail.
-j DROP
What to do with packets that match. DROP discards the packet silently, so the browser simply waits until it times out. REJECT would instead send an error back (for TCP, --reject-with tcp-reset gives the client an immediate connection reset), which makes the block visible to the user sooner.
Other: I did not set -p, so the rule applies to packets of every protocol. If necessary you can restrict it to one protocol with -p tcp or -p udp, and narrow it further with --dport so the payload scan only runs on the ports you care about. The same technique can be used to filter some IM or peer-to-peer software by matching a string that is characteristic of its protocol.
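As an added example, not part of the original post, here is a small POSIX shell script that generates the post's string-match rules in a dedicated chain, narrowed to TCP ports 80 and 443, prints them for review, and applies them only when run as root with APPLY=1. The chain name BLOCK_VIDEO, the port restriction and the sample domain list are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: build the post's string-match
# rules in a dedicated chain so they can be reviewed, counted and removed as
# a unit. The chain name, the port restriction and the domain list are
# assumptions of this example.

CHAIN=BLOCK_VIDEO
# Constructed sample list; the post's own examples were ku6.com, tudou.com, ouou.com.
BLOCKED_DOMAINS="ku6.com tudou.com ouou.com"

# Print, one per line, the iptables commands that implement the block.
# Unlike the post's rules, traffic is first narrowed to TCP 80/443 so the
# payload scan does not run on every forwarded packet. On port 443 the only
# cleartext copy of the hostname is the SNI in the TLS ClientHello, which the
# same substring match also catches.
gen_rules() {
    printf '%s\n' "iptables -N $CHAIN"
    printf '%s\n' "iptables -A FORWARD -p tcp -m multiport --dports 80,443 -j $CHAIN"
    for d in $BLOCKED_DOMAINS; do
        printf '%s\n' "iptables -A $CHAIN -m string --string \"$d\" --algo bm -j DROP"
    done
    # Anything that did not match returns to FORWARD for normal processing.
    printf '%s\n' "iptables -A $CHAIN -j RETURN"
}

# Commands that undo gen_rules: unhook the chain, flush it, delete it.
gen_teardown() {
    printf '%s\n' "iptables -D FORWARD -p tcp -m multiport --dports 80,443 -j $CHAIN"
    printf '%s\n' "iptables -F $CHAIN"
    printf '%s\n' "iptables -X $CHAIN"
}

# Apply only when explicitly requested and running as root; otherwise just show.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    gen_rules | sh -e
else
    gen_rules
fi
```

Run it without APPLY to see the rules it would add. After applying them, `iptables -L BLOCK_VIDEO -v -n` shows the packet counters on each string rule, which is the quickest way to check that a given domain is actually being matched; `gen_teardown` prints the commands that remove the chain again.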
Advantages: this approach is efficient and uses very little extra system resource on the router, whereas the built-in URL filtering on some hardware routers often causes the device to hang. Bear in mind, though, that the string match scans the payload of every packet that reaches the rule, so its cost grows with the traffic passing through; restricting the rule with -p and --dport keeps the scan off traffic that can never match.
Disadvantages: the match is too coarse for sites whose content is spread across many URLs or domains, it does not support regular expressions, and it drops any packet carrying the string, including an unrelated page that merely mentions the domain in its text.