So I want to include a file with 80k+ URLs, based on the https://github.com/StevenBlack/hosts hosts file, in a rule in iptables. There is a way to do it manually, but as you can understand, doing that manually for 80k+ entries will be a headache.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:upnp - [0:0]
:vpnlist - [0:0]
:bfplimit - [0:0]
:maclist - [0:0]
:urllist - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p icmp ! --icmp-type echo-request -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A urllist -p tcp -m webstr --url "ada.com aaa.com ffff.com" -j REJECT --reject-with tcp-reset
-A FORWARD -i br0 -j urllist
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
COMMIT

The bold part is the one I want to fill with all the URLs, or include a file.

Any ideas how to do that?

  • iptables doesn't have such a method. You need to use another tool that is capable of URL filtering.
    – ibrahim
    Commented Sep 28, 2020 at 7:26
  • Loop through each line in the file and run the iptables command with the line as a parameter - YMMV
    – Panki
    Commented Sep 28, 2020 at 7:33
  • ibrahim, they have; this line is working perfectly with URLs: "-A urllist -p tcp -m webstr --url "ada.com aaa.com ffff.com" -j REJECT --reject-with tcp-reset". What I need is to use a file as urllist.
    – Alway
    Commented Sep 28, 2020 at 9:28
  • Looping for 80000 will make each request too long; I want this to act as an adblock.
    – Alway
    Commented Sep 28, 2020 at 9:29

2 Answers

iptables does not understand URLs or domains as far as I know. You must convert all URLs to IP addresses first. Use this online tool http://domaintoipconverter.com/index.php

To extract IP addresses from previous results, use this online tool https://www.ipvoid.com/ip-extractor/

Save your IP addresses to a text file (list.txt for example), one entry per line. Your list.txt file should look similar to this:

$ cat list.txt
145.14.145.222
145.14.144.69
192.243.59.20
192.243.59.12
150.242.210.158
150.242.210.187
122.226.186.3

Then use a simple "for loop" bash script to add all IP addresses from list.txt file to iptables:

#!/bin/bash
# Read list.txt into an array, one entry per line. This avoids the
# word-splitting and globbing pitfalls of "for i in $(cat list.txt)".
mapfile -t ips < list.txt
for ip in "${ips[@]}"; do
    # Skip blank lines and comments
    case "$ip" in ''|\#*) continue ;; esac
    iptables -A OUTPUT -d "$ip" -j DROP
done
# Save the rules
service iptables save
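A follow-up to this answer and to the comment above about 80,000 individual rules making every request too slow, as an added example that is not code from the question or from either answer: instead of appending one iptables rule per address, the addresses are loaded into a kernel ipset (type hash:ip, a hash lookup) and a single `-m set --match-set` rule consults it. The hosts-format parser, the set name `adblock`, the hashsize/maxelem values and both sample inputs are assumptions or constructed data; the domain-to-IP resolution step (which this answer does with an online tool) is not shown, so the second function takes the already-resolved list.

```bash
#!/bin/bash
# Added example, not code from the question or either answer.
# Assumptions: the blocklist is in hosts-file format ("0.0.0.0 domain"),
# the resolved addresses are one IPv4 per line (like list.txt), and the
# ipset is named "adblock" with constructed hashsize/maxelem values.

# Print the domain names from a hosts-format file read on stdin, skipping
# comments, blank lines, trailing comments and the loopback boilerplate.
hosts_to_domains() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }              # comment or blank line
        $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }    # only sinkhole entries
        {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break                       # trailing comment
                if ($i == "localhost" || $i == "localhost.localdomain" ||
                    $i == "local" || $i == "broadcasthost" || $i == "0.0.0.0")
                    continue
                print $i
            }
        }' | sort -u
}

# Turn one-IPv4-per-line input (stdin) into an "ipset restore" batch:
# one create line, then one add line per valid address. Comments, blank
# lines and anything that is not a dotted quad are dropped, not fed to ipset.
ips_to_ipset_restore() {
    local set_name="${1:-adblock}"
    awk -v set="$set_name" '
        function is_ipv4(s,    p, n, i) {
            n = split(s, p, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
            return 1
        }
        BEGIN { print "create " set " hash:ip family inet hashsize 65536 maxelem 131072" }
        /^[[:space:]]*#/ || NF == 0 { next }
        is_ipv4($1) { print "add " set " " $1 }
    '
}

# The commands that replace 80k individual rules with one set lookup per
# packet (printed rather than executed, so this script runs offline).
apply_commands() {
    local set_name="${1:-adblock}"
    printf 'ipset -exist restore < %s.set\n' "$set_name"
    printf 'iptables -I OUTPUT -m set --match-set %s dst -j DROP\n' "$set_name"
    printf 'iptables -I FORWARD -i br0 -m set --match-set %s dst -j DROP\n' "$set_name"
}

# Constructed sample inputs (not the real StevenBlack file, not the IPs above).
SAMPLE_HOSTS='# Title: constructed excerpt in StevenBlack/hosts format
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.net   # trailing comment
0.0.0.0 tracker.example.org
0.0.0.0 ads.example.net
'
SAMPLE_IPS='# constructed address list (TEST-NET ranges)
192.0.2.10
198.51.100.7
not-an-ip
999.1.1.1

198.51.100.7
'

# Demo run on the constructed samples; nothing is applied to the kernel.
printf '%s' "$SAMPLE_HOSTS" | hosts_to_domains
printf '%s' "$SAMPLE_IPS" | ips_to_ipset_restore adblock > adblock.set
cat adblock.set
apply_commands adblock
```

Loading the batch with `ipset -exist restore` tolerates duplicate addresses and re-runs, and the rule count in iptables stays at one per chain no matter how many entries the set holds. Two caveats carry over from the rest of this thread: the hosts file lists domains, so any IP-based block also hits every other site hosted on the same address, and matching on destination address says nothing about the encrypted content of HTTPS connections.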

iptables will allow you to filter packets on their content but only as long as they are not encrypted.

Since you want to use this as an adblock:

  • this will not work for HTTPS connections
  • every packet would be matched against 80k+ rules

Please consider an alternative (e.g. https://pi-hole.net/).
