IPtables - block subdomains (a.domain.com, b.domain.com, c.domain.com,...)
 

Hi everyone,

I'm trying to use iptables (debian machine with two nics filtering the net connection) to block a domain including all of it's subdomains (a.domain.com, b.domain.com, c.domain.com,...).

What I actually do is

<code>
iptables -A FORWARD -d a.domain.com -j dropAndLog;
</code>

but the domain seems to have several servers... how could I block them all at a time?

Thanks!

P.S.: If this has been answered before, redirecting me to the post would be fair game :)

Should be easy enough to find all the servers this domain has from a dns lookup.
Take google.com for example:-


so from this you could add a rule such as

A bit drastic maybe, but you could always try tcp wrappers..
hosts.deny / hosts.allow.

man hosts.deny
then search for examples


NOTE: tcpwrappers only work with apps that have libwrap.so compiled in. check with

Right, if the daemon is compiled with tcp wrapper support, that would be easier. Otherwise you will be doing some whois(1) investigation to get each CIDR block, as noted above, and using it in an iptables(8) rule.

You can deny on the DNS request as a "sctring" extension

on TOP of your fw_script

I'll try these!
 

Thanks for all your replies, I'll try these solutions to see the one that best fit my verry own needs.

I won't miss telling you the one I've personnaly found most usuable in my solution (they all look good...), or ask for more details.

Thanks already!

I think I'll go for the "host way"
 

Hi everyone, I looked ad your answers and I think that I'll go for the iptables way hard-coding the host's server's IP adresses.

I'll do it this way mainly because this way I can keep it centralised in one script file.

Thanks for your help!

This way (ip) is always advised anyway for security reasons :) and use -m comment to label your rules so y ou know which is which :)