In a previous article, we showed how to block specific domains at the DNS level using iptables. Today, we will expand on that and show how to also block HTTP requests for a specific domain (or URL).
Iptables string matching is very powerful and easier to use than the hex-string module we used before. When you specify -m string --string, it activates the string module and inspects the packet content for the keyword you are looking for.
If you have ever looked inside an HTTP packet, it is made up of multiple headers, generally something like:

GET /URL HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.
...
Where the GET (or POST) /URL has the page you are visiting and the Host: header has the domain name. With that in mind, we can easily create our iptables rule.
First, let's block example.com. HTTP generally runs on port 80, so we restrict our pattern matching only to that port:
/sbin/iptables -I INPUT -p tcp --dport 80 -m string --string "Host: example.com" --algo kmp -j DROP
That way every HTTP request going to example.com will be blocked.
We can expand our rule to have multiple string matches if we also want to block a specific URL. For example, if we wanted to block /admin on example.com, this is how we would do it:
/sbin/iptables -I INPUT -p tcp --dport 80 -m string --string "Host: example.com" --algo kmp -m string --string "GET /admin" --algo kmp -j DROP
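To show what the two rules above actually match, here is an added shell example (not part of the original article). It builds the same iptables commands from a host and an optional path, and it emulates the string module with a plain substring search so you can check, against constructed sample requests, which ones a rule would hit before you apply it on a live box. The function names, the constructed requests and the .test hostname are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate the iptables string-match rules from the article and
# check their substring semantics offline. Not code from the original article.

# Build the iptables command for a Host header, optionally combined with a
# request path. It prints the command instead of running it, so the rule can
# be reviewed first and then applied as root on the real firewall.
build_rule() {
    host="$1"; path="$2"; chain="${3:-INPUT}"
    rule="/sbin/iptables -I $chain -p tcp --dport 80 -m string --string \"Host: $host\" --algo kmp"
    if [ -n "$path" ]; then
        rule="$rule -m string --string \"GET $path\" --algo kmp"
    fi
    printf '%s -j DROP\n' "$rule"
}

# Emulate what the string module does with a packet: a case-sensitive,
# fixed-string search over the payload. Every pattern given must be present
# for the rule to match. Returns 0 (match) or 1 (no match).
would_match() {
    payload="$1"; shift
    for pattern in "$@"; do
        printf '%s' "$payload" | grep -qF -- "$pattern" || return 1
    done
    return 0
}

# Constructed sample requests (CRLF written as newline for readability).
REQ_BLOCKED='GET /admin HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0'

# Same path, but the browser sent the www. form of the host.
REQ_WWW='GET /admin HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0'

# An unrelated host whose name merely starts with example.com (hypothetical).
REQ_OTHER='GET /admin HTTP/1.1
Host: example.com.other-site.test
User-Agent: Mozilla/5.0'

# Print the two rules from the article so the script is useful on its own.
build_rule example.com
build_rule example.com /admin
```

Running the script prints the exact rules shown above. The checks are the interesting part: "Host: example.com" matches REQ_BLOCKED and also REQ_OTHER, because the string module looks for a substring anywhere in the packet, but it does not match REQ_WWW, since "Host: www.example.com" does not contain "Host: example.com" as a contiguous string. Two more things to keep in mind when you deploy these rules: the module inspects each packet on its own, so a Host header that straddles two TCP segments is not seen; and an INPUT rule only covers traffic addressed to the firewall itself, so on a gateway use the FORWARD chain (the third argument of build_rule). Port 443 traffic is encrypted and is not inspected by any of this.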