iptables is helpful if it is only a few IP / domain names.
With iptables you can restrict based on user, group, and/or time although to do so you need to use the OUTPUT table. So to allow root, and a group "web", use
```bash
# this allows root for things such as apt-get
sudo iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT
# this allows users of the group web
# create a group, web, and add users to it to allow access
sudo iptables -A OUTPUT -m owner --gid-owner web -j ACCEPT
# These two rules allow access to port 80 and 443 over the lunch hour
sudo iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -m time --timestart 12:00 --timestop 13:00 -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -j DROP
```
But as your needs grow more complex, it is helpful to use proxies. For example, you can use privoxy (and others) for adblock. Squid adds in filtering and more complex rules (ACLs, or access control lists), but is likely overkill for a home user.
You then make the proxy transparent with iptables:
```bash
# This allows root
sudo iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT
# This allows privoxy, which serves as adblock
sudo iptables -A OUTPUT -p tcp --dport 80 -m owner --uid-owner privoxy -j ACCEPT
# this blocks direct access to port 80 to all other users
sudo iptables -A OUTPUT -p tcp --dport 80 -j DROP
# This allows squid to access privoxy (I think squid runs as "proxy")
#sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner proxy -j ACCEPT
# this rule blocks other users from direct access to privoxy
sudo iptables -A OUTPUT -o lo -p tcp --dport 8118 -j DROP
# Redirect all outgoing traffic on port 80 to squid listening on port 3128
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner privoxy -j REDIRECT --to-port 3128
```
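Both rule sets above depend on ordering: iptables stops at the first matching rule, so an ACCEPT appended after the catch-all DROP never fires, and re-running an `-A` script without flushing the chain first duplicates every rule. The check below is an added example (not part of the answer above) that reads a chain as dumped by `iptables -S OUTPUT` and flags both mistakes; the two sample chains are constructed, with the uid/gid numbers and HH:MM:SS times in the form iptables prints them.

```shell
#!/bin/sh
# Sanity-check an OUTPUT chain as dumped by `iptables -S OUTPUT` (uids/gids
# appear numerically, times as HH:MM:SS). Returns 0 when the chain is clean,
# 1 when a rule is duplicated or an ACCEPT sits behind the web DROP.
check_output_chain() {
    awk '
        /^-A OUTPUT/ {
            n++
            if (++seen[$0] > 1) { print "duplicate rule: " $0; bad = 1 }
            # the unconditional web DROP: no owner or time qualifier
            if ($0 ~ /--dports 80,443 -j DROP$/ && $0 !~ /-m (owner|time)/ && !drop)
                drop = n
            # a later ACCEPT with no port qualifier, or one naming 80/443,
            # can never match web traffic: the DROP already took it
            if (drop && n > drop && $0 ~ /-j ACCEPT$/ &&
                ($0 !~ /--dports? / || $0 ~ /--dports? (80|443|80,443)( |$)/)) {
                print "shadowed by DROP at rule " drop ": " $0; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample: the lunch-hour rule set from the answer, applied once.
GOOD_CHAIN='-P OUTPUT ACCEPT
-A OUTPUT -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -m owner --gid-owner 1001 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -m time --timestart 12:00:00 --timestop 13:00:00 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -j DROP'

# Constructed sample: the same script run a second time without `iptables -F OUTPUT`.
BAD_CHAIN="$GOOD_CHAIN
-A OUTPUT -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -m owner --gid-owner 1001 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -m time --timestart 12:00:00 --timestop 13:00:00 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -j DROP"

if printf '%s\n' "$GOOD_CHAIN" | check_output_chain; then echo "good chain: OK"; fi
if printf '%s\n' "$BAD_CHAIN" | check_output_chain; then :; else echo "bad chain: problems found"; fi
```

On a live box, pipe `sudo iptables -S OUTPUT` into `check_output_chain` after applying the rules; flush with `iptables -F OUTPUT` (and `-t nat -F OUTPUT` for the redirect rule) before re-applying.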
Outgoing example:
```bash
iptables -A OUTPUT -p tcp -m string --string "xxx.com" --algo kmp -j DROP
```
Then with a cron job you could block all domains you want at the specific time you want, and later