[ale] Blocking ad sites with ipchains

smn smnoldelinux at mediaone.net
Mon Nov 29 22:12:42 EST 1999


OK, I found it... from the IPCHAINS HOWTO:

4.2 Useful Examples 

I have a dialup PPP connection (-i ppp0). I grab news (-p TCP -s
news.virtual.net.au nntp) and mail (-p TCP -s
mail.virtual.net.au pop-3) every time I dial up. I use Debian's FTP
method to update my machine regularly (-p TCP -y -s
ftp.debian.org.au ftp-data). I surf the web through my ISP's proxy while
this is going on (-p TCP -d proxy.virtual.net.au 8080),
but hate the ads from doubleclick.net on the Dilbert Archive (-p TCP -y
-d 199.95.207.0/24 and -p TCP -y -d 199.95.208.0/24). 

I don't mind people trying to ftp to my machine while I'm online (-p TCP
-d $LOCALIP ftp), but don't want anyone outside pretending to have an IP
address of my internal network (-s 192.168.1.0/24). This is commonly
called IP spoofing, and there is a better way to protect yourself from
it in the 2.1.x kernels and above: see How do I set up IP spoof protection?.

This setup is fairly simple, because there are currently no other boxes
on my internal network. 

I don't want any local process (ie. Netscape, lynx etc.) to connect to
doubleclick.net: 

     # ipchains -A output -d 199.95.207.0/24 -j REJECT
     # ipchains -A output -d 199.95.208.0/24 -j REJECT
     # 

- Scott

smn wrote:
> 
> Basically, the pictures aren't loaded.
> 
> However, if a web site sits behind a domain (or IP address) I've
> blocked then I can't get to it.  There is no nasty message until the
> page times out.  But if you are careful then you can successfully block
> the larger ad servers.
> 
> I originally saw this syntax in a HOW-TO, either firewall or ipchains
> (but I couldn't find it mentioned recently in these docs!).
> 
> - Scott
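
The reply quoted above notes that any site sitting behind a blocked address becomes unreachable too. As an added example (not from the post or the IPCHAINS HOWTO), this shell script checks which destinations the two /24 REJECT rules would cover before they are loaded; the function names and the sample addresses are made up for illustration.

```shell
#!/bin/sh
# Ranges from the two REJECT rules quoted in the post.
BLOCKED="199.95.207.0/24 199.95.208.0/24"

# ip_to_int A.B.C.D: print the address as an integer, exit 1 if malformed.
ip_to_int() (
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # Refuse leading zeros (the shell would read them as octal) and >255.
        case "$o" in 0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr IP NET/LEN: exit 0 if IP is inside the block, 1 if not, 2 on bad input.
in_cidr() (
    ip=$(ip_to_int "$1") || return 2
    net=$(ip_to_int "${2%/*}") || return 2
    len=${2#*/}
    case "$len" in ''|*[!0-9]*|0?*) return 2 ;; esac
    [ "$len" -le 32 ] || return 2
    mask=0
    # 4294967295 is 0xFFFFFFFF; keep only the top LEN bits.
    [ "$len" -eq 0 ] || mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
)

# blocked_by IP: print the first listed range that contains IP, exit 1 if none.
blocked_by() (
    for cidr in $BLOCKED; do
        if in_cidr "$1" "$cidr"; then echo "$cidr"; return 0; fi
    done
    return 1
)

# Constructed sample destinations: one inside each range, two just outside.
for ip in 199.95.207.10 199.95.208.200 199.95.206.255 199.95.209.1; do
    if range=$(blocked_by "$ip"); then
        echo "$ip  would be REJECTed (matches $range)"
    else
        echo "$ip  not covered by the rules"
    fi
done
```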
