LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   IPtables - block subdomains (a.domain.com, b.domain.com, c.domain.com,...) (http://www.linuxquestions.org/questions/linux-networking-3/iptables-block-subdomains-a-domain-com-b-domain-com-c-domain-com-732457/)

benjalien 06-12-2009 07:58 AM

IPtables - block subdomains (a.domain.com, b.domain.com, c.domain.com,...)
 
Hi everyone,

I'm trying to use iptables (debian machine with two nics filtering the net connection) to block a domain including all of it's subdomains (a.domain.com, b.domain.com, c.domain.com,...).

What I actually do is

<code>
iptables -A FORWARD -d a.domain.com -j dropAndLog;
</code>

but the domain seems to have several servers... how could I block them all at a time?

Thanks!

P.S.: If this has been answered before, redirecting me to the post would be fair game :)

centosboy 06-12-2009 08:12 AM

Quote:

Originally Posted by benjalien (Post 3571653)
Hi everyone,

I'm trying to use iptables (debian machine with two nics filtering the net connection) to block a domain including all of it's subdomains (a.domain.com, b.domain.com, c.domain.com,...).

What I actually do is

<code>
iptables -A FORWARD -d a.domain.com -j dropAndLog;
</code>

but the domain seems to have several servers... how could I block them all at a time?

Thanks!

P.S.: If this has been answered before, redirecting me to the post would be fair game :)

Should be easy enough to find all the servers this domain has from a dns lookup.
Take google.com for example:-

Code:

host www.google.com
www.google.com is an alias for www.l.google.com.
www.l.google.com has address 209.85.229.103
www.l.google.com has address 209.85.229.104
www.l.google.com has address 209.85.229.147
www.l.google.com has address 209.85.229.99

Code:

NetRange:  209.85.128.0 - 209.85.255.255
CIDR:      209.85.128.0/17
NetName:    GOOGLE


so from this you could add a rule such as

Code:


iptables -A FORWARD -d 209.85.128.0/17 -j dropAndLog

A bit drastic maybe, but you could always try tcp wrappers..
hosts.deny / hosts.allow.

man hosts.deny
then search for examples


NOTE: tcpwrappers only work with apps that have libwrap.so compiled in. check with
Code:


ldd `which <progname` | grep libwrap


anomie 06-12-2009 12:17 PM

Right, if the daemon is compiled with tcp wrapper support, that would be easier. Otherwise you will be doing some whois(1) investigation to get each CIDR block, as noted above, and using it in an iptables(8) rule.

CarLost 06-12-2009 01:43 PM

You can deny on the DNS request as a "sctring" extension

Code:

iptables -A FORWARD -p tcp --dport 53 -m string --algo kmp --string "domain.com" -j DROP
iptables -A FORWARD -p udp --dport 53 -m string --algo kmp --string "domain.com" -j DROP

on TOP of your fw_script

benjalien 06-14-2009 03:41 PM

I'll try these!
 
Thanks for all your replies, I'll try these solutions to see the one that best fit my verry own needs.

I won't miss telling you the one I've personnaly found most usuable in my solution (they all look good...), or ask for more details.

Thanks already!

benjalien 06-24-2009 04:30 AM

I think I'll go for the "host way"
 
Hi everyone, I looked ad your answers and I think that I'll go for the iptables way hard-coding the host's server's IP adresses.

I'll do it this way mainly because this way I can keep it centralised in one script file.

Thanks for your help!

centosboy 06-24-2009 07:03 AM

Quote:

Originally Posted by benjalien (Post 3584386)
Hi everyone, I looked ad your answers and I think that I'll go for the iptables way hard-coding the host's server's IP adresses.

I'll do it this way mainly because this way I can keep it centralised in one script file.

Thanks for your help!

This way (ip) is always advised anyway for security reasons :) and use -m comment to label your rules so y ou know which is which :)


All times are GMT -5. The time now is 03:41 AM.