In a previous article, we showed how to block specific domains at the DNS level using iptables. Today we will expand on that and show how to also block HTTP requests for a specific domain (or URL).
IPTables String Matching
Iptables string matching is very powerful and easier to use than the hex-string module we used before. When you specify -m string --string, iptables loads the string module and inspects the payload of each packet for the keyword you are looking for. Keep in mind that it is a plain, case-sensitive substring match (add --icase to ignore case) and that it looks at one packet at a time, so a keyword split across two TCP segments is not seen.
HTTP Packet
If you have ever looked inside an HTTP request, it consists of a request line followed by multiple headers, generally something like:
GET /URL HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5. ...
The GET (or POST) /URL request line carries the page you are visiting and the Host: header carries the domain name. With that in mind, we can easily create our iptables rule.
IPTables Blocking Example.com
First, let's block example.com. HTTP generally runs on port 80, so we restrict our pattern matching to only that port:
/sbin/iptables -I INPUT -p tcp --dport 80 -m string --string "Host: example.com" --algo kmp -j DROP
That way every HTTP request arriving at this host with a Host: header of example.com is blocked. Two things to keep in mind: the rule sits in the INPUT chain, so it protects a web server running on this machine; to block requests this machine sends out use OUTPUT, and on a router that forwards other hosts' traffic use FORWARD. And because it is a substring match, "Host: example.com" also matches "Host: example.com.evil" but not "Host: www.example.com", and it does nothing for HTTPS, where the Host header is encrypted.
Iptables blocking example.com/admin
We can chain multiple string matches in one rule if we also want to block a specific URL; the packet must then contain both strings. For example, to block /admin on example.com:
/sbin/iptables -I INPUT -p tcp --dport 80 -m string --string "Host: example.com" --algo kmp -m string --string "GET /admin" --algo kmp -j DROP
Note that "GET /admin" is a prefix match, so /admin/, /admin?x=1 and /administrator are all blocked, while a POST to /admin is not.
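As an added example, not code from the original article, here is a small POSIX shell script that wraps the two rules above with the fixes a practitioner would want: it picks the chain from the machine's role, anchors the Host header with CRLF via --hex-string so that only the exact hostname matches, ignores header case with --icase, rejects with a TCP reset instead of silently dropping, and checks with -C before inserting so re-running it never duplicates a rule. The function names, the role argument and the DRY_RUN and IPTABLES variables are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article. Wraps the Host:/URL
# string-match rules discussed above. Names (chain_for_role, http_block_rule,
# apply_block) and the DRY_RUN / IPTABLES variables are this script's own.
set -eu

IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-0}"

# Pick the chain that actually sees the request for this machine's role.
chain_for_role() {
    case "$1" in
        server)  echo INPUT ;;    # requests arriving at a web server on this box
        client)  echo OUTPUT ;;   # requests this box sends out
        gateway) echo FORWARD ;;  # requests routed through this box
        *) echo "unknown role: $1 (use server, client or gateway)" >&2; return 1 ;;
    esac
}

# Print the rule specification, one argument per line.
# Usage: http_block_rule <role> <host> [<path>]
http_block_rule() {
    role="$1"; host="$2"; path="${3:-}"
    chain="$(chain_for_role "$role")" || return 1
    # Anchor the header with CRLF (0d0a) on both sides so the match is exact:
    # "Host: example.com" alone would also hit "Host: example.com.evil".
    # --icase handles "host:" / "HOST:", which a plain --string match misses.
    # (A client that sends "Host: example.com:80" needs its own rule.)
    set -- "$chain" -p tcp --dport 80 \
        -m string --algo kmp --icase --hex-string "|0d0a|Host: $host|0d0a|"
    if [ -n "$path" ]; then
        # Prefix match, as in the article: "GET /admin" also covers /admin/x
        # and /administrator, and POST requests are not matched.
        set -- "$@" -m string --algo kmp --string "GET $path"
    fi
    # REJECT with a TCP reset so the client fails fast instead of hanging
    # until its timeout, as it does with DROP.
    set -- "$@" -j REJECT --reject-with tcp-reset
    printf '%s\n' "$@"
}

# Insert the rule only if it is not already present (-C exits non-zero when
# the rule is missing), so re-running the script never duplicates rules.
# With DRY_RUN=1 the command is printed instead of executed.
apply_block() {
    spec="$(http_block_rule "$1" "$2" "${3:-}")" || return 1
    set --
    while IFS= read -r tok; do set -- "$@" "$tok"; done <<EOF
$spec
EOF
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s' "$IPTABLES -I"
        printf " '%s'" "$@"
        echo
        return 0
    fi
    "$IPTABLES" -C "$@" 2>/dev/null || "$IPTABLES" -I "$@"
}

# Example: DRY_RUN=1 sh block_http.sh server example.com /admin
if [ "$#" -ge 2 ]; then
    apply_block "$@"
fi
```

On the machine that serves the site, sh block_http.sh server example.com /admin inserts the rule; set DRY_RUN=1 first to see the exact iptables command without touching the firewall, and use gateway on a router so the rule lands in FORWARD.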