LinuxQuestions.org
Old 06-12-2009, 07:58 AM   #1
benjalien
IPtables - block subdomains (a.domain.com, b.domain.com, c.domain.com,...)


Hi everyone,

I'm trying to use iptables (debian machine with two nics filtering the net connection) to block a domain including all of its subdomains (a.domain.com, b.domain.com, c.domain.com,...).

What I actually do is

Code:
iptables -A FORWARD -d a.domain.com -j dropAndLog;

but the domain seems to have several servers... how could I block them all at a time?

Thanks!

P.S.: If this has been answered before, redirecting me to the post would be fair game
 
Old 06-12-2009, 08:12 AM   #2
centosboy
Quote:
Originally Posted by benjalien View Post
Should be easy enough to find all the servers this domain has from a dns lookup.
Take google.com for example:-

Code:
host www.google.com
www.google.com is an alias for www.l.google.com.
www.l.google.com has address 209.85.229.103
www.l.google.com has address 209.85.229.104
www.l.google.com has address 209.85.229.147
www.l.google.com has address 209.85.229.99
Code:
NetRange:   209.85.128.0 - 209.85.255.255 
CIDR:       209.85.128.0/17 
NetName:    GOOGLE

so from this you could add a rule such as

Code:
iptables -A FORWARD -d 209.85.128.0/17 -j dropAndLog
A bit drastic maybe, but you could always try tcp wrappers..
hosts.deny / hosts.allow.

man hosts.deny
then search for examples


NOTE: tcpwrappers only work with apps that have libwrap.so compiled in. Check with
Code:
ldd "$(which <progname>)" | grep libwrap

Last edited by centosboy; 06-12-2009 at 08:14 AM.
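The manual steps above (look the hosts up, pull the netblock out of whois, write one rule per address) turned into a small script, as an added example that is not part of centosboy's post. The sample host(1) and whois(1) output is constructed for offline use (the Google addresses are the ones quoted in the post; example.invalid is made up); in real use you would pipe the live command output in instead. The `dropAndLog` chain is the OP's own and must already exist, and the rules carry `-m comment` as post #7 later suggests, so each hard-coded address keeps a note of why it is there. A hostname given directly to `-d` is resolved once, when the rule is loaded, which is why the addresses end up hard-coded either way.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables rules from host(1)
# and whois(1) output. Assumes the OP's chain "dropAndLog" already exists.

# Constructed sample of host(1) output (Google addresses as quoted in post #2,
# example.invalid lines made up to show what the parser ignores).
SAMPLE_HOST_OUTPUT='www.google.com is an alias for www.l.google.com.
www.l.google.com has address 209.85.229.103
www.l.google.com has address 209.85.229.104
www.l.google.com has address 209.85.229.147
www.l.google.com has address 209.85.229.99
www.l.google.com has address 209.85.229.103
mail.example.invalid has IPv6 address 2001:db8::10
mail.example.invalid mail is handled by 10 mx.example.invalid.'

# Constructed sample of the whois(1) lines quoted in post #2.
SAMPLE_WHOIS_OUTPUT='NetRange:   209.85.128.0 - 209.85.255.255
CIDR:       209.85.128.0/17
NetName:    GOOGLE'

# host_v4_addrs: read host(1) output on stdin, print each IPv4 address once.
# Only "has address" lines count; aliases, MX and IPv6 lines are skipped
# (IPv6 addresses would need ip6tables rules, not iptables).
host_v4_addrs() {
    awk '$2 == "has" && $3 == "address" { print $4 }' | sort -u
}

# whois_cidrs: read whois(1) output on stdin, print each CIDR block once.
# Blocking a whole netblock is the "drastic" option from the post: everything
# else hosted in that range is cut off too.
whois_cidrs() {
    awk '$1 == "CIDR:" { print $2 }' | sort -u
}

# drop_rules LABEL: read one address or CIDR per line on stdin and print one
# iptables command per line, labelled with -m comment so "iptables -L" still
# shows which domain each hard-coded address belongs to.
drop_rules() {
    label="$1"
    while IFS= read -r dst; do
        [ -n "$dst" ] || continue
        printf 'iptables -A FORWARD -d %s -m comment --comment "%s" -j dropAndLog\n' \
            "$dst" "$label"
    done
}

# Live use would be:  host a.domain.com | host_v4_addrs | drop_rules "a.domain.com"
# Here the parsers run over the constructed samples instead.
printf '%s\n' "$SAMPLE_HOST_OUTPUT"  | host_v4_addrs | drop_rules "www.google.com"
printf '%s\n' "$SAMPLE_WHOIS_OUTPUT" | whois_cidrs   | drop_rules "GOOGLE netblock (drastic)"
```

Review the generated commands before running them; the script only prints them. Re-running the lookup later and diffing the output is the cheap way to notice when the target domain's addresses change, which is the main weakness of hard-coding.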
 
Old 06-12-2009, 12:17 PM   #3
anomie
Right, if the daemon is compiled with tcp wrapper support, that would be easier. Otherwise you will be doing some whois(1) investigation to get each CIDR block, as noted above, and using it in an iptables(8) rule.
 
Old 06-12-2009, 01:43 PM   #4
CarLost
You can deny on the DNS request as a "string" extension

Code:
iptables -A FORWARD -p tcp --dport 53 -m string --algo kmp --string "domain.com" -j DROP
iptables -A FORWARD -p udp --dport 53 -m string --algo kmp --string "domain.com" -j DROP
on TOP of your fw_script

Last edited by CarLost; 06-12-2009 at 01:45 PM.
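One detail worth knowing before using the string match on DNS, shown here as an added example that is not part of CarLost's post: a DNS query does not carry the text "domain.com". In wire format each label is preceded by a length byte and the name ends with a zero byte, so a query for a.domain.com carries the bytes 01 'a' 06 'domain' 03 'com' 00. Writing the pattern in that form with `--hex-string` makes the rule match the query for every subdomain (the suffix bytes are the same for all of them) while not matching something like notdomain.com, because the 06 length byte has to sit right before "domain". The `dns_wire_hex` and `dns_block_rules` function names are this example's own; "domain.com" is the OP's placeholder, and the ports, chain and `kmp` algorithm are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the thread): build a DNS wire-format pattern for
# iptables -m string --hex-string and print the two rules from post #4 with it.

# dns_wire_hex NAME: print NAME as an iptables --hex-string pattern, e.g.
# "domain.com" -> "|06|domain|03|com|00|". The body is a subshell so the
# IFS and "set -f" changes used for splitting do not leak to the caller.
dns_wire_hex() (
    name="${1%.}"                      # tolerate a trailing dot (FQDN form)
    [ -n "$name" ] || exit 1
    set -f                             # no globbing while splitting on dots
    IFS='.'
    out=""
    for label in $name; do
        # an empty label (a..b) or one over 63 octets is not a valid DNS name
        [ -n "$label" ] && [ "${#label}" -le 63 ] || exit 1
        out="$out$(printf '|%02x|%s' "${#label}" "$label")"
    done
    printf '%s|00|\n' "$out"           # 00 is the root label terminating the name
)

# dns_block_rules NAME: print the tcp and udp rules from post #4, but with the
# wire-format pattern. --icase because DNS names compare case-insensitively,
# so "Domain.COM" queries are caught too.
dns_block_rules() {
    pat="$(dns_wire_hex "$1")" || return 1
    for proto in tcp udp; do
        printf 'iptables -A FORWARD -p %s --dport 53 -m string --algo kmp --icase --hex-string "%s" -j DROP\n' \
            "$proto" "$pat"
    done
}

dns_block_rules domain.com
```

The string match looks at one packet at a time and only at traffic that crosses this FORWARD chain: answers already cached on the client, resolvers reached some other way, and a TCP query split across two segments are not affected, so treat this as a complement to the address-based rules rather than a replacement.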
 
Old 06-14-2009, 03:41 PM   #5
benjalien
I'll try these!

Thanks for all your replies, I'll try these solutions to see the one that best fits my very own needs.

I won't miss telling you the one I've personally found most usable in my solution (they all look good...), or ask for more details.

Thanks already!
 
Old 06-24-2009, 04:30 AM   #6
benjalien
I think I'll go for the "host way"

Hi everyone, I looked at your answers and I think that I'll go for the iptables way, hard-coding the host's servers' IP addresses.

I'll do it this way mainly because this way I can keep it centralised in one script file.

Thanks for your help!
 
Old 06-24-2009, 07:03 AM   #7
centosboy
Quote:
Originally Posted by benjalien View Post
This way (ip) is always advised anyway for security reasons, and use -m comment to label your rules so you know which is which.
 