iptables question

Is there any way to use iptables to block a domain name, not an IP address?

Example: to block hotmail.com, I tried this

    iptables -A FORWARD -d hotmail.com -j REJECT

and it won't work.

Thanks.

--D
_______________________________________________
Discuss mailing list
Discuss@...
http://lists.blu.org/mailman/listinfo/discuss
Re: iptables question

On Fri, Oct 23, 2009 at 01:13:01PM -0700, Dave Peters wrote:
> Is there any way to use iptables to block a domain name, not an IP address?
>
> Example to block hotmail.com.
>
> I tried this iptables -A FORWARD -d hotmail.com -j REJECT and it won't work.

Right. You need to use a DNS lookup utility (say, dig) to turn domain names into lists of IPs.

If you're doing a lot of this, you may want to create new chains per service to maintain performance, i.e.

    iptables -N ssh
    iptables -N smtp
    iptables -N web
    iptables -A FORWARD -p tcp --dport 22 -j ssh
    iptables -A FORWARD -p tcp --dport 25 -j smtp
    iptables -A FORWARD -p tcp --dport 587 -j smtp
    iptables -A FORWARD -p tcp --dport 80 -j web
    iptables -A FORWARD -p tcp --dport 443 -j web

as a presort, then do the more complex manipulations in those chains.

-dsr-

--
http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference.
You can't defend freedom by getting rid of it.
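Dan Ritter's resolve-then-presort approach, carried through as an added example (this is not code from the thread): a POSIX shell script that resolves a name with dig, prints the per-service presort chains from his message, and then prints one REJECT per resolved address in the web chain. It prints the iptables commands instead of running them so the rule set can be reviewed before it is applied; the choice of the web chain as the target, the use of dig +short, and the LOG rule in front of each REJECT are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: resolve a domain to its A records and
# print iptables rules that REJECT forwarded traffic to those addresses,
# using the per-service presort chains from Dan Ritter's message.
# Assumptions: dig is installed; rules are printed, not applied, so they can
# be reviewed first (pipe the output to sh to apply them).

# Resolve a name to its current IPv4 addresses, one per line. Keep only
# literal addresses: +short also prints CNAME targets for aliased names.
resolve_a() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Presort: one user chain per service, reached from FORWARD by destination port.
presort_rules() {
    cat <<'EOF'
iptables -N ssh
iptables -N smtp
iptables -N web
iptables -A FORWARD -p tcp --dport 22 -j ssh
iptables -A FORWARD -p tcp --dport 25 -j smtp
iptables -A FORWARD -p tcp --dport 587 -j smtp
iptables -A FORWARD -p tcp --dport 80 -j web
iptables -A FORWARD -p tcp --dport 443 -j web
EOF
}

# Read addresses from stdin and print, for each one, a LOG rule followed by
# a REJECT rule in the given chain. The LOG rule makes blocked attempts show
# up in the kernel log, which is how you notice that a blocked address was
# in fact a shared host serving sites you did not mean to block.
block_rules() {
    chain=$1
    while read -r ip; do
        [ -n "$ip" ] || continue
        printf 'iptables -A %s -d %s -j LOG --log-prefix "blocked %s: "\n' "$chain" "$ip" "$chain"
        printf 'iptables -A %s -d %s -j REJECT\n' "$chain" "$ip"
    done
}

# Print the whole rule set for one domain. The address list is a snapshot:
# load-balanced domains return different sets over time, so re-run this
# (flushing the chain first) on a schedule.
rules_for_domain() {
    presort_rules
    resolve_a "$1" | block_rules web
}

# Stand-alone use:  sh thisscript.sh hotmail.com
if [ $# -gt 0 ]; then
    rules_for_domain "$1"
fi
```

Run it with a domain as the only argument and read the output before applying it; because the generated rules match single addresses, the script has to be re-run whenever the domain's A records change.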
Re: iptables question

On 10/23/2009 04:13 PM, Dave Peters wrote:
> Is there any way to use iptables to block a domain name, not an IP address?
>
> Example to block hotmail.com.
>
> I tried this iptables -A FORWARD -d hotmail.com -j REJECT and it won't work.

No. iptables will just do a DNS lookup on that and convert it to an IP address, then add a rule. The problem is that high-volume, load-balanced domains won't have a single IP address. And it certainly wouldn't work to try and block anything under the hotmail domain.

What is it that you're trying to do? There might be an easier way...

Matt
Re: iptables question

On Fri, Oct 23, 2009 at 06:07:01PM -0400, Dan Ritter wrote:
> On Fri, Oct 23, 2009 at 01:13:01PM -0700, Dave Peters wrote:
> > Is there any way to use iptables to block a domain name, not an IP address?
> >
> > Example to block hotmail.com.
> >
> > I tried this iptables -A FORWARD -d hotmail.com -j REJECT and it won't work.
>
> Right. You need to use a DNS lookup utility (say, dig) to turn
> domain names into lists of IPs.

Even this probably won't work the way you expect, and may actually cause more problems than it fixes. Why? Simple: hosting. A lot of, ah, let's call them "internet entities" are hosting a variety of services on someone else's equipment. For example, if you're trying to block all traffic from a prominent ad server, you may find that blocking the IPs that resolve to their servers also results in blocking a TON of other sites, because they're in fact all served from the same machines, provided by the same hosting service. Web traffic is the most obvious widely hosted service, but it's far from the only one.

There are other problems too. If -- for example -- you're trying to block all e-mail from some web mail site, you may find that the incoming traffic comes from servers (their outgoing mail relays) which are not advertised as being systems in that domain, nor are they on IP address space registered to that company. Identifying the correct IP ranges to block may be a real challenge.

Unless the site you're trying to block is very small, or the traffic you are trying to block is very targeted (which seems opposite the intent here), it may well be that there is no practical way to do this, and trying will only cause you pain.

But, as the man said, it really depends on what you're trying to do.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in undeliverable mail due to spam prevention. Sorry for the inconvenience.
Re: iptables question

Dave Peters <gameslover987@...> writes:
> Is there any way to use iptables to block a domain name, not an IP address?
>
> Example to block hotmail.com.
>
> I tried this iptables -A FORWARD -d hotmail.com -j REJECT and it won't work.

You might have better luck running a local DNS and hosting a master zone "hotmail.com" and sending all results to either NXDOMAIN or 127.0.0.1.

Or use a browser plugin...

> Thanks.
>
> --D

-derek

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@... PGP key available
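Derek Atkins' suggestion of hosting a master zone for the name on a local DNS server, as an added example that is not part of the thread: a BIND-style zone file for hotmail.com that answers every name under the domain with 127.0.0.1, or with NXDOMAIN if the wildcard is removed. The file path, the serial number and the ns/hostmaster labels are assumptions made for this example; the named.conf stanza in the comment is likewise assumed.

```zone
; Added example, not from the thread. Load it from named.conf with an
; assumed stanza such as:
;   zone "hotmail.com" { type master; file "/etc/bind/db.hotmail.com.sinkhole"; };
; Because this server is now authoritative for hotmail.com, every query
; for any name under it is answered from this file and never forwarded
; upstream, which is what makes the block cover the whole domain rather
; than one snapshot of its addresses.
$TTL 3600
$ORIGIN hotmail.com.
@       IN  SOA   ns.hotmail.com. hostmaster.hotmail.com. (
                  2009102301 ; serial (assumed)
                  3600       ; refresh
                  900        ; retry
                  604800     ; expire
                  3600 )     ; negative-cache TTL: how long clients cache NXDOMAIN
@       IN  NS    ns.hotmail.com.
ns      IN  A     127.0.0.1
; With the next two lines present, the apex and every name below it
; (www.hotmail.com, mail.hotmail.com, ...) resolve to 127.0.0.1.
; Remove them and names below the apex return NXDOMAIN instead (the apex
; itself then returns an empty answer, since it still has SOA and NS
; records), which is the other option Derek mentions.
@       IN  A     127.0.0.1
*       IN  A     127.0.0.1
```

After reloading the server, dig @127.0.0.1 www.hotmail.com A should return 127.0.0.1 (or NXDOMAIN in the wildcard-free variant). Unlike a HOSTS file entry, which has to list each hostname individually, the wildcard catches names that did not exist when the file was written.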
Re: iptables question

Derek Atkins wrote:
> Dave Peters <gameslover987@...> writes:
>
>> Is there any way to use iptables to block a domain name, not an IP address?
>>
>> Example to block hotmail.com.
>>
>> I tried this iptables -A FORWARD -d hotmail.com -j REJECT and it won't work.
>>
>
> You might have better luck running a local DNS and hosting a master zone
> "hotmail.com" and sending all results to either NXDOMAIN or 127.0.0.1.
>
> Or use a browser plugin...

Or, just put hotmail.com into the source computer's HOSTS file: point it to 127.0.0.1.

It's all a question of how much time and effort you're able to spend dealing with exceptions.

Bill

--
E. William Horne
William Warren Consulting
Computer & Network Installations, Security, and Service
http://william-warren.com
781-784-7287