Why blocking youtube.com with iptables fails: troubleshooting and fixes

Hey there, let's figure out why your current iptables setup isn't blocking YouTube and walk through some practical fixes!

First, let's break down the key issues with your approach:

  • YouTube is served from a large, changing pool of addresses: dig A youtube.com +short returns only the handful of addresses your resolver hands out at that moment. The next lookup (from you, or from a browser using a different resolver) can return different ones, and Google's front ends sit on far more addresses than any single answer shows, so the block leaks as soon as traffic reaches an address you did not capture.
  • You may be ignoring IPv6: iptables filters IPv4 only, and ip6tables is a separate rule set. If your host has a global IPv6 address and youtube.com has AAAA records (dig AAAA youtube.com +short), the browser will happily connect over IPv6 and your IPv4 rules never see the traffic.
  • DNS caching can mislead you: your browser or system may hold cached records for youtube.com, so the address the browser actually connects to can differ from the one your dig query just returned, and that address is not in your rules.
  • Quick sanity check: you wrote "youbute.com is reachable"; make sure you are testing the real domain (youtube.com) and not a typo.

Here are the actionable fixes you can try:

1. Block both IPv4 and IPv6 traffic as a quick stopgap

If your network supports IPv6, add equivalent ip6tables rules for YouTube's AAAA records (read -r and the quoting keep odd resolver output from being word-split):

# Grab the current IPv6 addresses and drop outbound traffic to them
dig AAAA youtube.com +short | while read -r ip; do
  sudo ip6tables -A OUTPUT -d "$ip" -j DROP
done

Note: This still has the same limitation as your original method—it only blocks a small set of IPs that will change over time.

2. Use ipset to dynamically manage YouTube's IPs

ipset lets you create a dynamic group of IPs, which you can update regularly to keep up with YouTube's changing CDN nodes. Here's how to set it up:

  • First, create two ipset groups (one for IPv4, one for IPv6):
    sudo ipset create youtube_ips hash:ip family inet
    sudo ipset create youtube_ips_v6 hash:ip family inet6
    
  • Create a script to refill these sets (save this as update_youtube_ips.sh). It runs from root's crontab, so it needs no sudo; -exist makes the add calls idempotent if an address is returned twice:
    #!/bin/bash
    set -u
    # Clear old IPs from the sets
    ipset flush youtube_ips
    ipset flush youtube_ips_v6
    
    # Add all current IPv4 addresses for youtube.com
    dig youtube.com A +short | while read -r ip; do
      ipset add -exist youtube_ips "$ip"
    done
    
    # Add all current IPv6 addresses for youtube.com
    dig youtube.com AAAA +short | while read -r ip; do
      ipset add -exist youtube_ips_v6 "$ip"
    done
    
  • Make the script executable: chmod +x update_youtube_ips.sh
  • Add iptables/ip6tables rules that drop traffic to anything in these sets:
    sudo iptables -A OUTPUT -m set --match-set youtube_ips dst -j DROP
    sudo ip6tables -A OUTPUT -m set --match-set youtube_ips_v6 dst -j DROP
    
  • Set up a cron job to run the script every hour so the sets track IP changes:
    sudo crontab -e
    # Add this line at the bottom (replace /path/to with the absolute path of your script)
    0 * * * * /path/to/update_youtube_ips.sh
    
    Caveats: between the flush and the refill the sets are briefly empty, so a page load in that window gets through; if dig fails (no network, resolver down) the sets stay empty until the next run; and neither ipset members nor iptables rules survive a reboot unless you save them (ipset save, iptables-save) and restore them at boot.
    
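The following script is an added example, not part of the original post, showing how to close the two holes in the flush-and-refill script above: it fills a scratch set and uses ipset swap so the live set is never empty, and it refuses to swap in an empty set so a failed lookup keeps the old block in place. It also filters dig output down to literal addresses, because dig +short prints the alias target (a line ending in ".") for a name that is a CNAME, plus error text when the lookup fails, and ipset rejects both. Set names, the OUTPUT chain and the hostname list are assumptions chosen to match the section above; the sample resolver output is constructed from RFC 5737 / RFC 3849 documentation addresses, not real YouTube addresses. Nothing touches the firewall unless the script is run with --apply.

```bash
#!/bin/bash
# Added example (not from the original post). Assumes dig, ipset, iptables
# and ip6tables are installed and that the hypothetical set names
# youtube_ips / youtube_ips_v6 are the ones used in the rules above.
set -u

# dig +short prints a CNAME target line (ending in ".") before the
# addresses when the name is an alias, and error text such as
# ";; connection timed out" on failure. ipset rejects both, so keep only
# literal addresses. "|| true" stops an empty result counting as an error.
filter_ipv4() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || true
}

filter_ipv6() {
  grep -E '^[0-9A-Fa-f:]+$' | grep -F ':' || true
}

# Resolve one record type (A or AAAA) for every hostname given.
resolve() {
  local rtype=$1
  shift
  local name
  for name in "$@"; do
    dig "$name" "$rtype" +short
  done
}

# Replace the members of set $1 (family $2: inet or inet6) with the
# addresses read from stdin. A scratch set is filled first and then
# "ipset swap"ped in, so the live set is never empty. If no address was
# added (lookup failed), the old members are kept instead of unblocking.
refresh_set() {
  local name=$1 family=$2 tmp="${1}_tmp" count=0 ip
  ipset create -exist "$name" hash:ip family "$family"
  ipset create -exist "$tmp" hash:ip family "$family"
  ipset flush "$tmp"
  while read -r ip; do
    [ -n "$ip" ] || continue
    ipset add -exist "$tmp" "$ip" && count=$((count + 1))
  done
  if [ "$count" -gt 0 ]; then
    ipset swap "$tmp" "$name"
  else
    echo "refresh_set: no addresses for $name, keeping old members" >&2
  fi
  ipset destroy "$tmp"
}

# Add the DROP rule only if it is not already present (-C checks for it),
# so re-running the script does not pile up duplicate rules.
ensure_drop_rule() {
  local tool=$1 set=$2
  "$tool" -C OUTPUT -m set --match-set "$set" dst -j DROP 2>/dev/null ||
    "$tool" -A OUTPUT -m set --match-set "$set" dst -j DROP
}

# Constructed resolver output (RFC 5737 / RFC 3849 documentation addresses,
# plus an alias line and an error line) to exercise the filters offline.
SAMPLE_DIG_OUTPUT='alias-target.example.net.
192.0.2.10
198.51.100.7
2001:db8::1
;; connection timed out; no servers could be reached'

if [ "${1:-}" = "--apply" ]; then
  # Hostnames from the hosts-file section; extend the list as needed.
  hosts="youtube.com www.youtube.com"
  resolve A $hosts    | filter_ipv4 | refresh_set youtube_ips    inet
  resolve AAAA $hosts | filter_ipv6 | refresh_set youtube_ips_v6 inet6
  ensure_drop_rule iptables  youtube_ips
  ensure_drop_rule ip6tables youtube_ips_v6
else
  echo "IPv4 kept from sample:"; printf '%s\n' "$SAMPLE_DIG_OUTPUT" | filter_ipv4
  echo "IPv6 kept from sample:"; printf '%s\n' "$SAMPLE_DIG_OUTPUT" | filter_ipv6
fi
```

Run it without arguments to see the filters applied to the constructed sample; run it as root with --apply (for example from the hourly cron entry) to refresh the sets and make sure the DROP rules exist. The swap needs both sets to be of the same type, which is why the scratch set is created with the same hash:ip family as the live one.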

3. Use the hosts file for simpler domain blocking

If you don't want to deal with ipset/iptables, /etc/hosts can point YouTube's hostnames at a blackhole address. 0.0.0.0 is the conventional entry for IPv4; for IPv6 use :: rather than ::1, since ::1 is the loopback address and would hand the requests to any web server running on your own machine. The hosts file matches exact names only (no wildcards), so every hostname you want blocked needs its own line:

  • Open the hosts file with sudo privileges: sudo nano /etc/hosts
  • Add these lines at the bottom:
    0.0.0.0 youtube.com
    0.0.0.0 www.youtube.com
    :: youtube.com
    :: www.youtube.com
    
  • Save and exit, then flush your system's DNS cache:
    # For systemd-resolved (most modern Linux distros; systemd-resolve --flush-caches is the older spelling)
    sudo resolvectl flush-caches
    # For older systems using nscd
    sudo service nscd restart
    
  • Clear the browser's own DNS cache too, or simply restart it: browsers keep a host cache that is independent of the system resolver.

4. Disable DNS over HTTPS (DoH) if needed

Many browsers resolve names over DoH, which bypasses the system resolver and therefore the hosts file and any local DNS changes. It can also hand the browser addresses that your own dig query never returned, so even the ipset lists may miss them. If the methods above don't take effect, disable DoH for your network in the browser's privacy/security settings.

That should cover most scenarios. Let me know if you run into any snags with these steps!

Note: content sourced from Stack Exchange; question by gobbolo22
