Nov 6

URL Filtering using IOS

Posted by Radu

Today, while I was trying to keep my students awake during a CCNA1 presentation I noticed that two of them were looking at 9Gag and they ignored me. Not that I was saying something so deep and meaningful but it was a little bit frustrating for me. So, as soon I finished my presentation, I opened a console to the local router (a Cisco 2821 ) and began to filter 9gag.

Obviously you cannot do that with ACLs when you want to filter a website running on multiple addresses like 9gag. Even if you use hostname instead of an IP address, that hostname is resolved once using dns servers defined in your configuration and that’s it.

So I used a policy and five minutes later those two were the frustrated ones. This is how I did it :

!
class-map match-any URLFILTER
    match protocol http host *9gag.com
!
policy-map DROPURL
    class URLFILTER
      drop
!
!
interface FastEthernet 0/1
    desc Internal
    service-policy input DROPURL
!

And that was it. Next time, facebook, prepare your url, I wanna filter you.

Or, using CBAC (Context-Based Access Control) :

!
ip inspect name WEBFILTER http urlfilter
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny .9gag.com
!
!
interface FastEthernet 0/1
   desc Internal
   ip inspect WEBFILTER in
!

Oh, and if you’re wondering how to do url filtering with linux the answer is “it’s complicated”. You need either a proxy (squid, privoxy) or, if you are shameless, you can do it using DNS hijacking.