
Forward outgoing connections to port 80 through Squid (known as Transparent Proxying) and then get Squid to block access to the sites that you require.
Thanks, will that work for incoming connections as well? And will it stealth the connection? The idea is to silence the port scanning kiddies.
Well, you can put the proxy in place of the webserver, and proxy to a backend webserver that never communicates with anyone except via the proxy -- which is called reverse proxying --, and then you could filter incoming connections this way.
But no, obviously neither of these will "stealth" the ports.
I was thinking of something like that, but the non-stealthing is a down side.
The idea is to save the DSL cap from being blown by un-needed offshore connections.
It looks like some serious coding is in order for an iptables extension.
The shame of it all is I can do just what I want in Windows using the Kerio firewall, but cannot find anything for Linux that will do it.
You are doing things the most illogical and stupid way. You can't rely on DNS; the only fact you can rely on (mostly) is the IP at the other end. What you do want to do is drop/deny all non-NZ IP ranges, allow only NZ IP ranges. And this still may not save your ADSL quota from people who want to keep poking international data down your ADSL to be dropped on the floor. I have had my system set up with a national and international routing system. It's not easy, and not 100%. Most of the people that want this system are stupid kiddies who want to use P2P apps all month or run their own file trading system with only their unlimited national ADSL connection. Is this you?
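The "allow only NZ ranges, drop everything else" approach from the last reply, as an added example that is not from anyone in this thread: a small POSIX shell script that builds an ipset allowlist and the matching iptables INPUT rules for port 80. The CIDRs are constructed placeholders (not real NZ allocations; a real list would come from the RIR's published delegations), the set name `nz_allow` is an assumption, and applying it needs root plus the ipset tool and kernel support. Note, as the reply says, that dropped packets still arrive on the DSL line and still count toward the cap.

```shell
#!/bin/sh
# Placeholder CIDRs, constructed for this example; NOT real NZ allocations.
ALLOW_CIDRS="203.0.113.0/24
198.51.100.0/24
192.0.2.0/24"

SET_NAME="nz_allow"   # assumed set name

# Emit the ipset and iptables commands for an allowlist-only policy on
# port 80. Nothing is executed here; the output is reviewed or piped to sh.
build_rules() {
    printf 'ipset create %s hash:net -exist\n' "$SET_NAME"
    printf 'ipset flush %s\n' "$SET_NAME"
    printf '%s\n' "$ALLOW_CIDRS" | while read -r cidr; do
        [ -n "$cidr" ] || continue
        printf 'ipset add %s %s -exist\n' "$SET_NAME" "$cidr"
    done
    # Keep loopback and already-established flows working.
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    # New connections to the web server only from allowlisted sources.
    printf 'iptables -A INPUT -p tcp --dport 80 -m set --match-set %s src -j ACCEPT\n' "$SET_NAME"
    # Everything else to port 80 is dropped without a reply (no RST/ICMP
    # sent back, so no extra upstream bytes; the inbound bytes still count).
    printf 'iptables -A INPUT -p tcp --dport 80 -j DROP\n'
}

# Number of allowlist entries the generated rules would load (sanity check).
count_allow_entries() {
    build_rules | grep -c '^ipset add '
}

case "${1:-}" in
    --apply) build_rules | sh ;;   # needs root, ipset and the xt_set module
    *)       build_rules ;;        # dry run: just show the generated commands
esac
```

Run without arguments to review the generated commands; run with `--apply` as root to load the set and rules.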