
Block Specific Websites System-Wide with nftables

Learn how to block domains at the system level using nftables on Arch Linux (or CachyOS).

Riki Phukon

I've been addicted to online games lately and it has tanked my productivity a lot. The one I keep coming back to is browser based, which makes it easy to open on a whim.

Instead of relying on browser extensions or the old /etc/hosts trick, I wanted a clean, system-wide solution.

So I'm going to use nftables, the modern Linux firewall.

nftables is the successor to iptables. It's a packet filtering framework built into the Linux kernel, designed to replace older tools with a more unified and efficient system.

By the end of this guide, you’ll have krunker.io (or any website you choose) completely blocked across your entire system, regardless of the app or browser.


1. Install & Enable nftables

Make sure nftables is installed and running:

sudo pacman -S nftables
sudo systemctl enable nftables
sudo systemctl start nftables

2. Resolve the Website's IP Address

Since nftables works at the network layer, you need the website’s IPs. For krunker.io:

dig krunker.io

Example result:

krunker.io.    283   IN   A   104.18.8.28
krunker.io.    283   IN   A   104.18.9.28

So, Krunker lives at 104.18.8.28 and 104.18.9.28 (at least for now).

Websites like Krunker sit behind Cloudflare, which means their IPs can change, and the same edge IPs can also front other Cloudflare-hosted sites, so a rule like this may block more than Krunker. If the block stops working, rerun dig and update the rules.

3. Edit nftables Configuration

Open your config:

sudo nano /etc/nftables.conf

Here’s an example config with an output chain that blocks Krunker:

#!/usr/bin/nft -f

destroy table inet filter
table inet filter {
  chain input {
    type filter hook input priority filter
    policy drop

    ct state invalid drop comment "early drop of invalid connections"
    ct state {established, related} accept comment "allow tracked connections"
    iif lo accept comment "allow from loopback"
    ip protocol icmp accept comment "allow icmp"
    meta l4proto ipv6-icmp accept comment "allow icmp v6"
    tcp dport ssh accept comment "allow sshd"
    pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
    counter
  }

  chain forward {
    type filter hook forward priority filter
    policy drop
  }

  chain output {
    type filter hook output priority filter
    policy accept

    # Block krunker.io
    ip daddr { 104.18.8.28, 104.18.9.28 } drop
  }
}

Save and exit.

4. Apply the Rules

Run:

sudo nft -f /etc/nftables.conf

Verify the ruleset:

sudo nft list ruleset

5. Test the Block

Try:

curl -I https://krunker.io

It should fail to connect. Because the rule drops packets rather than rejecting them, curl will hang until its connection timeout instead of failing immediately; add --connect-timeout 5 if you want to see the failure quickly. Opening krunker.io in your browser should likewise hang or display an error.

Troubleshooting

If Krunker still loads, flush the old rules first and reload the config:

sudo nft flush ruleset
sudo nft -f /etc/nftables.conf

Also check whether the site resolves over IPv6 (dig AAAA krunker.io). The rule above only matches ip daddr, so on a machine with working IPv6 the browser can still reach the site through an AAAA address unless you add a matching ip6 daddr rule in the same chain.
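To tie steps 2 to 5 together, here is an added example script (not code from the original post) that resolves a domain's current A and AAAA records, generates an nftables ruleset in its own table so the distro's inet filter table is left untouched, syntax-checks it with nft -c, and loads it. The function names, the table name inet siteblock, the set names and the default output path /etc/nftables-siteblock.nft are this example's own choices; it assumes dig and nft are installed and that block_domain runs as root.

```shell
#!/bin/sh
# Added example, not code from the original post: generate and load an nftables
# ruleset that blocks one domain over IPv4 and IPv6 using the IPs dig returns now.
# Function names and the table name "siteblock" are this example's own choices.

# Keep only the lines of `dig +short` output that are addresses of the requested
# type (dig also prints CNAME targets); emit them space-separated on one line.
# $1 = record type, A or AAAA; the dig output arrives on stdin.
filter_addrs() {
    if [ "$1" = AAAA ]; then
        pat='^[0-9a-fA-F:]+$'
    else
        pat='^[0-9]+(\.[0-9]+){3}$'
    fi
    grep -E "$pat" | tr '\n' ' ' | sed 's/ *$//'
}

# Resolve the current A or AAAA records of a domain.  $1 = domain, $2 = A|AAAA
resolve_ips() {
    dig +short "$2" "$1" | filter_addrs "$2"
}

# Turn "a b c" into "a, b, c" for an nft set element list.
join_commas() {
    out=
    for a in $1; do
        if [ -z "$out" ]; then out=$a; else out="$out, $a"; fi
    done
    printf '%s' "$out"
}

# Print a self-contained ruleset in its own table so loading it never touches
# the distro's "inet filter" table.  A set per address family keeps the rule
# readable when a site has many IPs, and "counter" lets `nft list ruleset`
# show whether the rule is actually matching packets.
# $1 = domain (for the rule comment), $2 = IPv4 list, $3 = IPv6 list (may be empty)
build_block_ruleset() {
    domain=$1
    v4=$(join_commas "$2")
    v6=$(join_commas "$3")
    printf '#!/usr/bin/nft -f\n'
    printf 'destroy table inet siteblock\n'
    printf 'table inet siteblock {\n'
    if [ -n "$v4" ]; then
        printf '  set blocked_v4 {\n    type ipv4_addr\n    elements = { %s }\n  }\n' "$v4"
    fi
    if [ -n "$v6" ]; then
        printf '  set blocked_v6 {\n    type ipv6_addr\n    elements = { %s }\n  }\n' "$v6"
    fi
    printf '  chain output {\n'
    printf '    type filter hook output priority filter; policy accept;\n'
    if [ -n "$v4" ]; then
        printf '    ip daddr @blocked_v4 counter drop comment "block %s"\n' "$domain"
    fi
    if [ -n "$v6" ]; then
        printf '    ip6 daddr @blocked_v6 counter drop comment "block %s"\n' "$domain"
    fi
    printf '  }\n}\n'
}

# Resolve, build, syntax-check with `nft -c`, then load.  Needs root and dig.
# $1 = domain, $2 = file to write (default path is this example's own choice)
block_domain() {
    domain=$1
    file=${2:-/etc/nftables-siteblock.nft}
    v4=$(resolve_ips "$domain" A)
    v6=$(resolve_ips "$domain" AAAA)
    if [ -z "$v4$v6" ]; then
        echo "no addresses found for $domain" >&2
        return 1
    fi
    build_block_ruleset "$domain" "$v4" "$v6" > "$file"
    nft -c -f "$file" && nft -f "$file"
}

# Usage (as root): sh block_site.sh krunker.io
if [ "$#" -gt 0 ]; then
    block_domain "$1"
fi
```

Because the ruleset lives in its own table, reloading it is idempotent (the destroy line at the top replaces the previous copy) and removing the block is just nft delete table inet siteblock. The generated file is not loaded at boot by itself; add include "/etc/nftables-siteblock.nft" to /etc/nftables.conf (or merge the chain into it) if you want the block to survive a reboot. Like the post's own config, the destroy keyword needs a recent nft, which a rolling distro like Arch or CachyOS provides.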