Designed by Rahul Sil.

⚜ Network Setup of blocking one site from the Routing Table ⚜

Rahul Sil
7 min read · Mar 15, 2021


Nowadays, people are very much involved in social media like Facebook, Twitter, Instagram, etc. Sometimes, in order to restrict social media usage for a certain time, they block those sites using site-blocking software.

📌 A similar setup for blocking certain websites can be achieved at a lower, more technical level by modifying the system's Routing Table.

👉 In this blog I am going to discuss how you can modify the routing table so that you can connect to one website like Google but not Facebook. I am going to show two methods of making changes to the routing table.

Before going into the practical setup, let us understand a few things about networking.

Networking is a way of exchanging data between multiple nodes over a shared medium like a LAN or a WAN ( the Internet ). Our system can only send network packets to destination IP addresses that match an entry in its routing table; for anything else the kernel reports that the network is unreachable.

For connecting to the Internet we require a Gateway which takes our network packets to the destination IP address.

I am going to use RedHat Enterprise Linux 8 system.

We can check the routing table of our system using the following command -

route -n

(Screenshot: Routing Table)

Here in the routing table we can see an entry where Destination = 0.0.0.0 and Gateway = 192.168.0.1.

Basically this 192.168.0.1 is the Gateway IP of my system, which forwards network packets between my system and the Internet. We can also check the gateway IP of the system by reading the file /etc/resolv.conf (strictly speaking, /etc/resolv.conf lists the DNS nameserver; on a typical home network the router serves both roles, so the address is the same, which is why name resolution keeps working in the demos below).

(Screenshot: Gateway IP of the system)

Destination = 0.0.0.0 with Genmask 0.0.0.0 (0.0.0.0/0) is the default route: any destination that no more specific entry matches is sent to this gateway, which is what lets my system connect to any IP in the world.

🔰 Now lets get on with the practical demo.

Method 1 -

First, let's look up which Google and Facebook server IPs our system resolves.

nslookup <domain name>

📍If in your RHEL system nslookup command does not work, then you need to install a package for that.

yum install bind-utils -y

Now let's see which Google server IP and Facebook server IP my system resolves and connects to.

(Screenshot: Google IP.)
(Screenshot: Facebook IP.)

Now when we have made no alterations to the routing table we can ping both Google and Facebook and also any other domain.

[root@localhost ~]# ping google.com -c 3
PING google.com (172.217.167.46) 56(84) bytes of data.
64 bytes from del03s16-in-f14.1e100.net (172.217.167.46): icmp_seq=1 ttl=119 time=46.8 ms
64 bytes from del03s16-in-f14.1e100.net (172.217.167.46): icmp_seq=2 ttl=119 time=48.8 ms
64 bytes from del03s16-in-f14.1e100.net (172.217.167.46): icmp_seq=3 ttl=119 time=46.6 ms
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 6ms
rtt min/avg/max/mdev = 46.626/47.411/48.774/0.967 ms
[root@localhost ~]# ping facebook.com -c 3
PING facebook.com (157.240.16.35) 56(84) bytes of data.
64 bytes from edge-star-mini-shv-01-bom1.facebook.com (157.240.16.35): icmp_seq=1 ttl=55 time=39.1 ms
64 bytes from edge-star-mini-shv-01-bom1.facebook.com (157.240.16.35): icmp_seq=2 ttl=55 time=37.2 ms
64 bytes from edge-star-mini-shv-01-bom1.facebook.com (157.240.16.35): icmp_seq=3 ttl=55 time=34.9 ms
--- facebook.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 6ms
rtt min/avg/max/mdev = 34.884/37.065/39.104/1.732 ms
[root@localhost ~]# ping twitter.com -c 3
PING twitter.com (104.244.42.65) 56(84) bytes of data.
64 bytes from 104.244.42.65 (104.244.42.65): icmp_seq=1 ttl=56 time=74.5 ms
64 bytes from 104.244.42.65 (104.244.42.65): icmp_seq=2 ttl=56 time=73.7 ms
64 bytes from 104.244.42.65 (104.244.42.65): icmp_seq=3 ttl=56 time=79.9 ms
--- twitter.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 4ms
rtt min/avg/max/mdev = 73.731/76.035/79.903/2.751 ms
[root@localhost ~]#

This is possible because we have an entry in the routing table where Destination network = 0.0.0.0/0 and Gateway = 192.168.0.1

Now, let’s delete this route and see what happens…

route del -net 0.0.0.0

After we run the above command in the terminal our routing table will look like this -

[root@localhost ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 ens160
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
[root@localhost ~]#

The 0.0.0.0 route gets deleted and due to this we now cannot ping to any website on the internet.

[root@localhost ~]# ping google.com -c 3
connect: Network is unreachable
[root@localhost ~]#
[root@localhost ~]# ping facebook.com -c 3
connect: Network is unreachable
[root@localhost ~]#
[root@localhost ~]# ping twitter.com -c 3
connect: Network is unreachable
[root@localhost ~]#

Now, in order to allow connectivity only to Google, we add a route for the network that contains the Google server IP we found earlier with nslookup (172.217.0.0/16), pointing it at the gateway IP.

route add -net 172.217.0.0/16 gw 192.168.0.1 dev ens160

After we have made the above entry to the routing table, our routing table looks like this -

[root@localhost ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.217.0.0     192.168.0.1     255.255.0.0     UG    0      0        0 ens160
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 ens160
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
[root@localhost ~]#

With this entry we can now ping only the Google server and no other server in the world. (Name resolution still works because the nameserver is on the directly connected 192.168.0.0/24 network; with a remote resolver the lookups themselves would fail. Also note that Google serves from several address ranges, so a single /16 only allows the servers that fall inside it.)

[root@localhost ~]# ping google.com -c 3
PING google.com (172.217.166.206) 56(84) bytes of data.
64 bytes from del03s13-in-f14.1e100.net (172.217.166.206): icmp_seq=1 ttl=119 time=33.4 ms
64 bytes from del03s13-in-f14.1e100.net (172.217.166.206): icmp_seq=2 ttl=119 time=35.3 ms
64 bytes from del03s13-in-f14.1e100.net (172.217.166.206): icmp_seq=3 ttl=119 time=32.5 ms
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 7ms
rtt min/avg/max/mdev = 32.519/33.728/35.260/1.151 ms
[root@localhost ~]# ping facebook.com
connect: Network is unreachable
[root@localhost ~]# ping twitter.com
connect: Network is unreachable

From the browser we can also confirm that only Google can be reached.

(Screenshot: Google is accessible.)
(Screenshot: Facebook is not accessible.)

This way we successfully created the setup where we can ping to Google but not Facebook !! 🙌

But there is a drawback using the above method.

🎯 The above method blocks every website except the specific ones added to the routing table. If that is the use case, or we only need to allow access to 2–3 websites, we can go ahead with this.

But if the use case is to block only one site and allow the rest, we need a different approach. That use case brings us to Method 2.

Method 2 —

To reverse all the changes made previously and to get a fresh routing table we need to restart our network connection. We can do so from the cli using the below commands -

nmcli conn down ens160
nmcli conn up ens160

🎯 “ens160” is my network card name. In your case it may be different; check it using the “ifconfig” command.

Now to only block Facebook we run the following command -

route add -net 157.240.0.0/16 reject dev ens160

Using the “reject” option we add a route that discards traffic to that network instead of forwarding it, so the kernel reports the destination as unreachable.

📌 So now we can ping to other domains except Facebook.

[root@localhost ~]# ping facebook.com
connect: Network is unreachable
[root@localhost ~]# ping google.com -c 3
PING google.com (172.217.167.46) 56(84) bytes of data.
64 bytes from del03s16-in-f14.1e100.net (172.217.167.46): icmp_seq=1 ttl=119 time=47.3 ms
64 bytes from del03s16-in-f14.1e100.net (172.217.167.46): icmp_seq=2 ttl=119 time=53.3 ms
64 bytes from del03s16-in-f14.1e100.net (172.217.167.46): icmp_seq=3 ttl=119 time=51.2 ms
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 6ms
rtt min/avg/max/mdev = 47.270/50.589/53.334/2.508 ms
[root@localhost ~]# ping twitter.com -c 3
PING twitter.com (104.244.42.193) 56(84) bytes of data.
64 bytes from 104.244.42.193 (104.244.42.193): icmp_seq=1 ttl=56 time=75.3 ms
64 bytes from 104.244.42.193 (104.244.42.193): icmp_seq=2 ttl=56 time=75.3 ms
64 bytes from 104.244.42.193 (104.244.42.193): icmp_seq=3 ttl=56 time=77.10 ms
--- twitter.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 123ms
rtt min/avg/max/mdev = 75.288/76.194/77.984/1.304 ms

This way we successfully managed to create the setup for the other use-case as well where we needed to block only a specific site. 🙌

📍 If you want to remove the route that you have added using the “reject” option then use the below mentioned command -

ip route del unreachable 157.240.0.0/16
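To make the routing decisions behind both methods visible without touching a real system, here is an added example (not part of the original post) that replays the routing tables shown above through a longest-prefix-match lookup. The tables, gateway and IPs are copied from the post; the `lookup`/`next_hop` functions are my own illustration of what the kernel does.

```python
# Added example: a longest-prefix-match simulator for the routing tables
# in this post. It shows why deleting the default route blocks everything,
# why adding 172.217.0.0/16 re-enables only Google (Method 1), and how a
# "reject" route blocks a single network while leaving the rest (Method 2).
import ipaddress

# Entries are (destination, gateway, iface, type). Gateway "0.0.0.0" means
# directly connected; type "reject" is what `route add ... reject` creates
# (shown as an "unreachable" route by `ip route`).
BASE = [
    ("172.17.0.0/16", "0.0.0.0", "docker0", "unicast"),
    ("192.168.0.0/24", "0.0.0.0", "ens160", "unicast"),
    ("192.168.122.0/24", "0.0.0.0", "virbr0", "unicast"),
]
DEFAULT = ("0.0.0.0/0", "192.168.0.1", "ens160", "unicast")
GOOGLE_ONLY = ("172.217.0.0/16", "192.168.0.1", "ens160", "unicast")
REJECT_FB = ("157.240.0.0/16", "0.0.0.0", "ens160", "reject")

# Server IPs taken from the post's ping output
GOOGLE, FACEBOOK, TWITTER = "172.217.167.46", "157.240.16.35", "104.244.42.65"

def lookup(table, dst):
    """Return the table entry with the longest matching prefix, or None
    when nothing matches (the kernel then reports 'Network is unreachable')."""
    ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for entry in table:
        net = ipaddress.ip_network(entry[0])
        if ip in net and net.prefixlen > best_len:
            best, best_len = entry, net.prefixlen
    return best

def next_hop(table, dst):
    """Summarise the routing decision for dst as a short string."""
    e = lookup(table, dst)
    if e is None or e[3] == "reject":
        return "Network is unreachable"
    if e[1] == "0.0.0.0":
        return f"direct via {e[2]}"
    return f"via {e[1]} dev {e[2]}"

if __name__ == "__main__":
    scenarios = [("original", BASE + [DEFAULT]),
                 ("default route deleted", BASE),
                 ("method 1: 172.217.0.0/16 added", BASE + [GOOGLE_ONLY]),
                 ("method 2: 157.240.0.0/16 rejected", BASE + [DEFAULT, REJECT_FB])]
    for name, table in scenarios:
        print(f"--- {name}")
        for host, ip in (("google", GOOGLE), ("facebook", FACEBOOK), ("twitter", TWITTER)):
            print(f"{host:9} {ip:16} -> {next_hop(table, ip)}")
```

Running it prints one block per scenario; the "method 2" block shows facebook as unreachable while google and twitter still go via 192.168.0.1, matching the ping output above.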

In summary -

✨ Method 1 — Use case when we want to allow traffic only to specific sites and block all other sites. ✨

✨ Method 2 — Use case when we want to block traffic only to specific sites and allow all other sites. ✨

Hope you liked this blog. 💖

I tried to explain it in very simple terms. If any doubt you can contact me over LinkedIn.

Thank you for reading the article !! 💖


Rahul Sil

I am a tech enthusiast. I love exploring new technologies and creating stuff out of them !! ✌