Xjyuk

My Project Manager does not accept carry-over in Scrum, Is that normal?

What is the white pattern on trim wheel for?

Does every piano need tuning every year?

Proper way to shut down consumer

Is the use of language other than English 'Reasonable Suspicion' for detention?

Do we have any particular tonal center in mind when we are NOT listening music?

Tesla coil and Tesla tower

Safe to use 220V electric clothes dryer when building has been bridged down to 110V?

1, 2, 4, 8, 16, ... 33?

Does wetting a beer glass change the foam characteristics?

Does the Way of Shadow monk's Shadow Step feature count as a magical ability?

Examples of "unsuccessful" theories with afterlives

Does "as soon as" imply simultaneity?

List of 1000 most common words across all languages

What exactly did this mechanic sabotage on the American Airlines 737, and how dangerous was it?

Is it impolite to ask for halal food when traveling to and in Thailand?

Why does this image of Jupiter look so strange?

What should I consider when deciding whether to delay an exam?

Is there any relation/leak between two sections of LM358 op-amp?

What is the meaning of word 'crack' in chapter 33 of A Game of Thrones?

Received a package but didn't order it

Is there something that can completely prevent the effects of the Hold Person spell?

How can this Stack Exchange site have an animated favicon?

How can an attacker use robots.txt?

Youtube not blocked by iptables

iptables port forward forwardingFsockOpen problem with Iptables inside OpenVZ VMFirewall still blocking port 53 despite listing otherwise?iptables allow http incoming connections, state NEW, ESTABLISHEDForward http traffic to another ip address with iptablesssh connection refused with out iptables rullesTrying to make iptables stateless is causing unforeseen filteringIptables port forwarding for specific host dd-wrt/tomatoiptables outgoing default policy is accept, but some ports appear blocked

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;

1

On our Ubuntu machine I have attempted to block internet access to one of the user accounts by adding the following line to /etc/network/interfaces:

pre-up iptables -A OUTPUT -p tcp -m owner --uid-owner 1001 -j DROP

This works well except somehow Youtube and other Google properties are not blocked.

I'm not an expert in iptables, but I assumed the above command would drop all outgoing requests from the specified user. Is there something special about Google properties that would somehow cause them to be exempted?

For reference here is my iptables list:

$ sudo iptables --list

Chain INPUT (policy ACCEPT)
target prot opt source destination 

Chain FORWARD (policy ACCEPT)
target prot opt source destination 

Chain OUTPUT (policy ACCEPT)
target prot opt source destination 
DROP tcp -- anywhere anywhere owner UID match ****

iptables

share|improve this question

asked 9 hours ago

spencerrecnepsspencerrecneps

10833 bronze badges

New contributor

spencerrecneps is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment
 | 

1

On our Ubuntu machine I have attempted to block internet access to one of the user accounts by adding the following line to /etc/network/interfaces:

pre-up iptables -A OUTPUT -p tcp -m owner --uid-owner 1001 -j DROP

This works well except somehow Youtube and other Google properties are not blocked.

I'm not an expert in iptables, but I assumed the above command would drop all outgoing requests from the specified user. Is there something special about Google properties that would somehow cause them to be exempted?

For reference here is my iptables list:

$ sudo iptables --list

Chain INPUT (policy ACCEPT)
target prot opt source destination 

Chain FORWARD (policy ACCEPT)
target prot opt source destination 

Chain OUTPUT (policy ACCEPT)
target prot opt source destination 
DROP tcp -- anywhere anywhere owner UID match ****

iptables

share|improve this question

asked 9 hours ago

spencerrecnepsspencerrecneps

10833 bronze badges

New contributor

spencerrecneps is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment
 | 

On our Ubuntu machine I have attempted to block internet access to one of the user accounts by adding the following line to /etc/network/interfaces:

pre-up iptables -A OUTPUT -p tcp -m owner --uid-owner 1001 -j DROP

This works well except somehow Youtube and other Google properties are not blocked.

I'm not an expert in iptables, but I assumed the above command would drop all outgoing requests from the specified user. Is there something special about Google properties that would somehow cause them to be exempted?

For reference here is my iptables list:

$ sudo iptables --list

Chain INPUT (policy ACCEPT)
target prot opt source destination 

Chain FORWARD (policy ACCEPT)
target prot opt source destination 

Chain OUTPUT (policy ACCEPT)
target prot opt source destination 
DROP tcp -- anywhere anywhere owner UID match ****

iptables

share|improve this question

asked 9 hours ago

spencerrecnepsspencerrecneps

10833 bronze badges

New contributor

spencerrecneps is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

pre-up iptables -A OUTPUT -p tcp -m owner --uid-owner 1001 -j DROP

$ sudo iptables --list

Chain INPUT (policy ACCEPT)
target prot opt source destination 

Chain FORWARD (policy ACCEPT)
target prot opt source destination 

Chain OUTPUT (policy ACCEPT)
target prot opt source destination 
DROP tcp -- anywhere anywhere owner UID match ****

share|improve this question

asked 9 hours ago

spencerrecnepsspencerrecneps

10833 bronze badges

New contributor

spencerrecneps is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

asked 9 hours ago

spencerrecnepsspencerrecneps

10833 bronze badges

New contributor

spencerrecneps is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked 9 hours ago

spencerrecnepsspencerrecneps

10833 bronze badges

New contributor

spencerrecneps is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked 9 hours ago

spencerrecnepsspencerrecneps

10833 bronze badges

1 Answer
1

active

oldest

votes

5

Is the user using Chrome/Chromium? Then the browser is most likely using QUIC for those sites, and that protocol uses UDP as the transport.

You can block UDP ports 80 and 443 to solve it.

share|improve this answer

answered 8 hours ago

Eduardo TrápaniEduardo Trápani

6611 bronze badge

New contributor

Eduardo Trápani is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  You can also just remove -p tcp and thereby block everything.
  
  – Michael Hampton♦
  5 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I wondered if there was something special about Chrome with Google sites. That was definitely it. I removed -p tcp and everything is now blocked.
  
  – spencerrecneps
  3 hours ago
  

  
  
  
  

add a comment
 | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

spencerrecneps is a new contributor. Be nice, and check out our Code of Conduct.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f985129%2fyoutube-not-blocked-by-iptables%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

5

Is the user using Chrome/Chromium? Then the browser is most likely using QUIC for those sites, and that protocol uses UDP as the transport.

You can block UDP ports 80 and 443 to solve it.

share|improve this answer

answered 8 hours ago

Eduardo TrápaniEduardo Trápani

6611 bronze badge

New contributor

Eduardo Trápani is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  You can also just remove -p tcp and thereby block everything.
  
  – Michael Hampton♦
  5 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I wondered if there was something special about Chrome with Google sites. That was definitely it. I removed -p tcp and everything is now blocked.
  
  – spencerrecneps
  3 hours ago
  

  
  
  
  

add a comment
 | 

5

Is the user using Chrome/Chromium? Then the browser is most likely using QUIC for those sites, and that protocol uses UDP as the transport.

You can block UDP ports 80 and 443 to solve it.

share|improve this answer

answered 8 hours ago

Eduardo TrápaniEduardo Trápani

6611 bronze badge

New contributor

Eduardo Trápani is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  You can also just remove -p tcp and thereby block everything.
  
  – Michael Hampton♦
  5 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I wondered if there was something special about Chrome with Google sites. That was definitely it. I removed -p tcp and everything is now blocked.
  
  – spencerrecneps
  3 hours ago
  

  
  
  
  

add a comment
 | 

Is the user using Chrome/Chromium? Then the browser is most likely using QUIC for those sites, and that protocol uses UDP as the transport.

You can block UDP ports 80 and 443 to solve it.

share|improve this answer

answered 8 hours ago

Eduardo TrápaniEduardo Trápani

6611 bronze badge

New contributor

Eduardo Trápani is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this answer

answered 8 hours ago

Eduardo TrápaniEduardo Trápani

6611 bronze badge

New contributor

Eduardo Trápani is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered 8 hours ago

Eduardo TrápaniEduardo Trápani

6611 bronze badge

New contributor

Eduardo Trápani is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered 8 hours ago

Eduardo TrápaniEduardo Trápani

6611 bronze badge