Block some websites on a Linux machine

Solution 1:

If you're the boss:

Any technical solution to this problem will not solve the actual problem, which is people in your office being bored and wanting to browse facebook / look at porn / whatever instead of working.

This is a management issue, and needs to be resolved through the use of management tools, such as clear corporate acceptable internet use policies that detail clearly what is, and isn't acceptable, and what happens if they're broken. If a guy's using facebook all day rather than doing his job, don't block facebook, fire his ass*.

*Jurisdictional / local legal environment and restrictions notwithstanding.

If you're the technical guy the boss has asked to do this:

This is really dodgy ground. You can't effectively censor the internet without a lot of resources, expertise and control. What will end up happening is that you'll implement some sort of hack (your iptables posting indicates you might not have all the expertise required to do this), your users will work around it and now you've got an angry boss who demands to know why you can't do your job right.

You need to set expectations with your management that while you can implement something given the resources and skills you have, it's probably not going to be effective and therefore a waste of your time.

Solution 2:

If your users are clever, then your task may be difficult to fully enforce, and iptables cannot easily and reliably do what you want. Here are a few considerations.

  1. Your iptables rules filter traffic based on IP addresses and ports. Facebook presents multiple IP addresses, and may change those IP addresses from time to time.

  2. Your users can always use an open proxy to access Facebook, bypassing limitations based on IP address.

  3. You should enact a corporate policy governing the use of internet access at the workplace and specify what usage is regarded as appropriate or inappropriate.

  4. You can gain some control if you're managing your company's DNS servers, which would enable you to redefine the IP address of facebook.com for your users. There are some decent firewalls and services that provide categorization (Fortinet Fortigate-60, OpenDNS, BlueCoat, etc.). You also might try a proxy like Squid to do such filtering if you're looking for a free solution on existing equipment.

Solution 3:

Since your Linux box is the gateway, why don't you set up Squid as a transparent proxy and then add .facebook.com to a Squid blacklist file like so:

In /etc/squid/blacklist_domains:

.facebook.com
.whatever.com

In your squid.conf:

# dstdomain matches each listed name and, for entries with a leading dot,
# every host under it. dstdom_regex would treat each "." as "any character"
# and also catch unrelated names such as notfacebook.com.
acl BLACKLIST_DOMAINS dstdomain "/etc/squid/blacklist_domains"
http_access deny BLACKLIST_DOMAINS
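A runnable version of the transparent-proxy setup from Solution 3 (which is also the Squid option in point 4 of Solution 2), added here as an example; it is not code from either answer. It assumes Squid 3.1 or newer (where "intercept" is the transparent-mode keyword), a LAN-facing interface named eth1 and Squid listening on port 3128; all three are assumptions and can be overridden through the environment. Besides printing the squid.conf lines and the iptables redirect, it re-implements Squid's dstdomain matching in shell so the blacklist can be checked against hostnames before it is deployed:

```shell
#!/bin/sh
# Added example, not code from the answers above. Assumptions (not stated
# on the page): Squid 3.1+ so "intercept" is the transparent-mode keyword,
# the gateway's LAN-facing interface is eth1, Squid listens on 3128.
BLACKLIST=${BLACKLIST:-/etc/squid/blacklist_domains}
LAN_IF=${LAN_IF:-eth1}
SQUID_PORT=${SQUID_PORT:-3128}

# Mirror Squid's dstdomain matching: an entry with a leading dot
# (".facebook.com") covers facebook.com and every host under it; an entry
# without a leading dot covers that one host only. Case-insensitive.
host_in_domain() {
    h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    e=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$e" in
        .*)
            [ "$h" = "${e#.}" ] && return 0
            case "$h" in *"$e") return 0 ;; esac
            return 1
            ;;
        *)
            [ "$h" = "$e" ]
            ;;
    esac
}

# is_blocked HOST LISTFILE -> exit 0 if any entry in LISTFILE covers HOST.
# Blank lines and "#" comments are skipped, as Squid skips them when it
# reads the same file.
is_blocked() {
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in ''|'#'*) continue ;; esac
        host_in_domain "$1" "$entry" && return 0
    done < "$2"
    return 1
}

# squid.conf lines: the transparent listener and the deny rule, which goes
# ahead of the existing http_access allow rules. dstdomain, not
# dstdom_regex, so "." is a literal dot and notfacebook.com stays reachable.
squid_conf_fragment() {
    cat <<EOF
http_port ${SQUID_PORT} intercept
acl BLACKLIST_DOMAINS dstdomain "${BLACKLIST}"
http_access deny BLACKLIST_DOMAINS
EOF
}

# NAT rule that makes the proxy transparent for plain HTTP from the LAN.
# Only port 80 is redirected: a plain intercept port cannot terminate
# HTTPS, so port 443 is left alone by this rule.
redirect_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp --dport 80 -j REDIRECT --to-port ${SQUID_PORT}
EOF
}

# Usage: ./block.sh show         print the config lines and the NAT rule
#        ./block.sh check HOST   test HOST against the live blacklist file
case "${1:-}" in
    show)  squid_conf_fragment; echo; redirect_rules ;;
    check) if is_blocked "$2" "$BLACKLIST"; then echo "blocked: $2"; else echo "allowed: $2"; fi ;;
esac
```

Run "check" with a few hostnames after editing the list; the matcher rejects near-misses such as notfacebook.com or facebook.com.evil.test that a regex entry would have caught. Because only port 80 is redirected, Facebook over HTTPS still gets through this rule unless Squid is additionally set up for TLS interception (an https_port with ssl-bump and a CA certificate the clients trust), which is a considerably larger undertaking than the answers above describe.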