VMmanager Knowledge Base

How to block access to a particular website


Description

It is required to block access for all VMs to a certain IP address, website, or resource.

How to block access to a website

To block access to a website, add a rule to the PREROUTING chain. Two ways of blocking access are described below:

  • with the rule saved after server restart;
  • without saving the rule after server restart.
Important
The solution was tested on the Switching network type. For other network types, the rule may be different.
Note

The letter case of the PREROUTING chain name depends on your OS. To check which case is used on your node, run the command:

nft list ruleset

With the rule saved after a server restart

Blocking with the rule saved after a restart is configured in the bridge nat table and works for virtual machines on a bridge network.

To block access to a website:

  1. Identify the IP addresses of the website:
    dig +short <website_address>
    Example output
    dig +short <website_address>
    10.10.10.1
    10.10.11.1
  2. Connect to the cluster node via SSH. For more information about connecting via SSH, see Workstation setup.
  3. Open the /etc/nftables/vmmgr.nft file in edit mode.
  4. Add or modify the bridge nat table as in the example below:
    table bridge nat {
        chain PREROUTING {
            type filter hook prerouting priority dstnat; policy accept;
            ip daddr { 10.10.10.1, 10.10.11.1 } drop
        }
    }
  5. Apply the changes:
    nft -f /etc/nftables/vmmgr.nft
  6. Make sure the rule is added:
    nft list ruleset

Without saving the rule after server restart

To block access to a website:

  1. Identify the IP addresses of the website:
    dig +short <website_address>
    Example output
    dig +short <website_address>
    10.10.10.1
    10.10.11.1
  2. Run the command:
    nft add rule bridge nat PREROUTING ip daddr { 10.10.10.1, 10.10.11.1 } drop

How to unblock

To unblock, delete the rule you created:

  1. Determine the handle number for deleting the rule:
    nft -a list chain bridge nat PREROUTING
    Example output
    ip daddr { 10.10.10.1, 10.10.11.1 } drop # handle <handle_number>
  2. Delete the rule:
    nft delete rule bridge nat PREROUTING handle <handle_number>
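The following script is an added example for both the blocking and unblocking steps above; it is not part of the VMmanager article or ISPsystem's code. It builds the bridge nat table from resolved addresses (discarding any non-IPv4 lines that dig may print) and extracts the handle number from the nft listing so it does not have to be copied by hand. It assumes bash with grep, sed and paste; nft and dig are only called in the commented usage lines.

```shell
#!/usr/bin/env bash
# Added example, not from the VMmanager article or ISPsystem. Assumes bash
# plus grep/sed/paste; nft and dig are only called in the commented usage lines,
# so the functions can be checked offline on text.
set -e

# Keep only dotted-quad IPv4 lines from stdin. `dig +short` may print a CNAME
# target (e.g. "cdn.example.invalid.") before the A records; drop such lines so
# they never end up inside the nft set.
filter_ipv4() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || true
}

# Print the bridge nat table from the article for the given addresses,
# formatted for /etc/nftables/vmmgr.nft. Fails if no address survived filtering.
gen_block_table() {
  local ips
  ips=$(printf '%s\n' "$@" | filter_ipv4 | paste -s -d , - | sed 's/,/, /g')
  if [ -z "$ips" ]; then
    echo "gen_block_table: no valid IPv4 addresses given" >&2
    return 1
  fi
  cat <<EOF
table bridge nat {
    chain PREROUTING {
        type filter hook prerouting priority dstnat; policy accept;
        ip daddr { $ips } drop
    }
}
EOF
}

# Read `nft -a list chain bridge nat PREROUTING` output from stdin and print the
# handle of the drop rule containing the given address (empty if none), so the
# unblock step does not rely on reading the number by eye.
drop_rule_handle() {
  local ip=$1
  grep -F -- "$ip" | grep -E 'drop # handle [0-9]+$' \
    | sed -E 's/.*# handle ([0-9]+)$/\1/' | head -n 1
}

# Usage on the cluster node (as root):
#   gen_block_table $(dig +short <website_address> | filter_ipv4)   # paste into vmmgr.nft
#   nft -f /etc/nftables/vmmgr.nft
#   h=$(nft -a list chain bridge nat PREROUTING | drop_rule_handle 10.10.10.1)
#   nft delete rule bridge nat PREROUTING handle "$h"
```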
The article was last updated on 07.11.2025. The article was prepared by technical writers of ISPsystem