LinuxQuestions.org
#1  SlowCoder (Member), 04-21-2006, 10:26 AM
IPTables - How to block an entire domain?


Suppose I wanted to block the entire blah.com domain (just an example):

Currently I have to enter the following commands into my script:
iptables -A block_outgoing -j DROP -d blah.com
iptables -A block_outgoing -j DROP -d ww1.blah.com
iptables -A block_outgoing -j DROP -d ww2.blah.com
iptables -A block_outgoing -j DROP -d ww3.blah.com

Since sites like blah.com have multiple servers, with different hostnames, trying to keep track of them is a hassle.

I would like to tell IPTables to block all traffic from the entire blah.com domain.

How can this be done?

Thank you.
 
#2  voip_tech_2004 (LQ Newbie), 04-21-2006, 11:41 AM
I would do either of the two below:

1) edit /etc/hosts.deny

ALL : .blah.com

OR

2) I am not 100% sure, but I would think this would work:
do host -l blah.com to get a list of all addresses
iptables -A block_outgoing -j DROP -d 192.168.0.0/24 <-- do multiple for whatever other network they own..

let me know if this helps.
thanks.
 
#3  SlowCoder (Member, Original Poster), 04-21-2006, 12:31 PM
When I use 'host freearcade.com' it delivers only the information for that server, not for the entire network. Same as dig or nslookup.

For instance:
#host freearcade.com
freearcade.com has address 67.15.107.250
#host ww1.freearcade.com
ww1.freearcade.com has address 67.15.107.194

As you can see, they have different IPs because they are different servers. What I would like to accomplish is to block all hosts on the freearcade.com domain.

Can it be done easily?
 
#4  elfy (LQ Newbie), 04-21-2006, 06:08 PM
I want to state several notions:
  • iptables is not a separate program, it's a configurator for the kernel's firewall
  • the kernel's firewall has nothing to do with DNS names

Detailed explanation:
When you type something like iptables -A INPUT -s mygirl.love.org -j DROP, then mygirl.love.org's IP address is passed to the kernel instead of the symbolic name. This means the kernel does not care about names. And it is correct, because most packets do not contain DNS names, but numeric IPs only. By the way, DNS-IP matching is slow even when cached, so it's gonna be kind of a horror if ALL the packets are matched that way.
The second example: iptables -A INPUT -s gunner.evilparty/18 -j DROP. Here we are not just providing the IP address but a mask, which means this applies to the whole subnet. If you don't know what a mask is, here is an example:
IP:   10.4.2.1     BINARY: 00001010 00000100 00000010 00000001
mask: 255.0.0.0    BINARY: 11111111 00000000 00000000 00000000
When we specify the mask in "ip/number" format it means "the first number bytes are ones, the others zero".
The bits of the IP which correspond to "1" bits in the mask are invariant for the given network or maybe domain (in some cases that's false). The "0" ones are left to identify a host in a subnet. The more "0"s we have, the bigger the network we are dealing with. For instance /24 means a 255 computer (class C) network.
That was a bit of theory.
The two solutions for you:
if you just want to restrict your servers' usage, the best one is the inetd configuration (hosts.allow etc.) as shown above.
if you want to completely block the incoming traffic, you should find out their IP range, then try to detect their mask by studying what changes in their IPs and what remains constant. Finally iptables -A INPUT -s 67.15.107.194/X -j DROP, where X is the mask width. Note: the bits of the IP which are zeros in the mask may be zeros in the specification. For example 10.17.39.220/24 is just the same as 10.17.39.0/24. It is recommended to put zeros to have a visual difference between the network and subnet parts of the IP.

PS: sorry for such a huge flood )
 
#5  elfy (LQ Newbie), 04-21-2006, 06:15 PM
PPS: I guess they have a /24 or even smaller network, because 67.15.107. does not change (but the statistics are VERY small).
Also networks smaller than class C are easy to buy, so sometimes it happens to see even /30 ones.
If I were you I would likely ban 67.15.107.0/24, and if not just the needed domain was banned but some other hosts too, I'd narrow the mask bit by bit until I got the +- correct one.
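The mask-narrowing step elfy describes in posts #4 and #5 (keep the bits that stay constant across the observed addresses, zero the rest) done mechanically, as an added example that is not code from the thread. It assumes only the Python standard library and uses the two freearcade.com addresses quoted in post #3 as constructed input; the collateral count is what makes a wide mask a risk.

```python
import ipaddress

# Constructed sample: the two freearcade.com addresses quoted in post #3.
OBSERVED = ["67.15.107.250", "67.15.107.194"]


def covering_prefix(addresses):
    """Smallest IPv4 network that contains every observed address.

    XOR each address against the first: a 1 bit marks a position where
    some address differs, so the prefix length is the number of leading
    bits that are identical everywhere (elfy's "what remains constant").
    """
    ips = [int(ipaddress.IPv4Address(a)) for a in addresses]
    diff = 0
    for ip in ips[1:]:
        diff |= ips[0] ^ ip
    prefix = 32 - diff.bit_length()
    # strict=False zeroes the host bits, giving the 10.17.39.0/24 style form.
    return ipaddress.IPv4Network((ips[0], prefix), strict=False)


def drop_rule(net, chain="FORWARD"):
    """Render the rule in the form used in the thread (network part zeroed)."""
    return f"iptables -A {chain} -d {net.with_prefixlen} -j DROP"


def collateral(net, observed):
    """Addresses inside the block that were never observed for the domain.

    Everything sharing the leading bits is dropped too, which is the
    over-blocking elfy warns about and why he suggests narrowing the mask.
    """
    return net.num_addresses - len(set(observed))


def is_caught(ip, net):
    """Would a given address be matched by the derived rule?"""
    return ipaddress.IPv4Address(ip) in net


if __name__ == "__main__":
    net = covering_prefix(OBSERVED)
    print(drop_rule(net))
    print("unobserved addresses also blocked:", collateral(net, OBSERVED))
```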
 
#6  michaelsanford (Member), 04-21-2006, 07:41 PM
I just wanted to add, for the benefit of anyone else reading this (as it's a very common mistake) that iptables does not currently allow you to pass host names as parameters--you need the IP address.

After some thought the reason for this is clear: the TCP packet contains the IP address of the originator but not its domain name. So, for every single packet that comes in, iptables would have to do a reverse lookup (or make use of a cache) to figure out where the packet came from. That's BIG overhead and probably won't ever be implemented, IMHO.
 
#7  win32sux (Guru), 04-22-2006, 12:35 PM
Quote:
Originally Posted by michaelsanford
I just wanted to add, for the benefit of anyone else reading this (as it's a very common mistake) that iptables does not currently allow you to pass host names as parameters--you need the IP address.

After some thought the reason for this is clear: the TCP packet contains the IP address of the originator but not its domain name. So, for every single packet that comes in, iptables would have to do a reverse lookup (or make use of a cache) to figure out where the packet came from. That's BIG overhead and probably won't ever be implemented, IMHO.
actually, iptables DOES let you pass host names as parameters...

yes, it's not something that's recommended, but it is indeed something you *can* do with a stock iptables install...
 
#8  win32sux (Guru), 04-22-2006, 12:40 PM
check this out:
Code:
bash-3.00# iptables -F INPUT

bash-3.00# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
     
bash-3.00# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

bash-3.00# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

bash-3.00# iptables -I INPUT -s cnn.com -j DROP

bash-3.00# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  www2.cnn.com         anywhere            
DROP       all  --  www6.cnn.com         anywhere
DROP       all  --  www5.cnn.com         anywhere
DROP       all  --  www3.cnn.com         anywhere
DROP       all  --  www7.cnn.com         anywhere
DROP       all  --  www4.cnn.com         anywhere
DROP       all  --  www8.cnn.com         anywhere
DROP       all  --  www.cnn.com          anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

bash-3.00# iptables -L INPUT -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  64.236.16.20         0.0.0.0/0
DROP       all  --  64.236.16.84         0.0.0.0/0
DROP       all  --  64.236.24.20         0.0.0.0/0
DROP       all  --  64.236.24.12         0.0.0.0/0
DROP       all  --  64.236.24.28         0.0.0.0/0
DROP       all  --  64.236.16.52         0.0.0.0/0
DROP       all  --  64.236.16.116        0.0.0.0/0
DROP       all  --  64.236.29.120        0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Last edited by win32sux; 04-22-2006 at 12:51 PM.
 
#9  voip_tech_2004 (LQ Newbie), 04-24-2006, 01:07 AM
Did you try solution 1)?

1) edit /etc/hosts.deny

ALL : .blah.com
 
#10  pradeepmenon777 (Member), 04-24-2006, 02:09 PM
Even I found the solution to my mental query;
using hosts.deny and the masking method appear really helpful.
I was having difficulty as specified above.

Thanks for the solution.
 
#11  SlowCoder (Member, Original Poster), 05-03-2006, 12:42 PM
voip_tech_2004: It's my understanding that hosts.deny only handles packets destined for the local computer. I am running my IPTables firewall for my network, and it seems to work very well. I just have a few issues to iron out.

elfy: Yep, I am aware that iptables is a part of the kernel, and that only the IP/mask is passed directly to the kernel, but the iptables command does allow host names, which it converts to IPs before sending to the kernel.

win32sux: That is effectively what I do. But it doesn't work to block an entire network. For instance, if I put in iptables -A FORWARD -j DROP -d aol.com
it may block www.aol.com, mail.aol.com, etc., but might not block aim.aol.com or myscreenname.aol.com.
 
#12  win32sux (Guru), 05-03-2006, 01:41 PM
Quote:
Originally Posted by SlowCoder
I am aware that iptables is a part of the kernel
iptables is NOT part of the kernel... netfilter is what is part of the kernel - iptables is just the tool we use to configure netfilter...

Quote:
win32sux: That is effectively what I do. But it doesn't work to block an entire network. For instance, if I put in iptables -A FORWARD -j DROP -d aol.com it may block www.aol.com, mail.aol.com, etc., but might not block aim.aol.com or myscreenname.aol.com.
yeah, i know... keep in mind i wasn't suggesting that you use iptables for this - i was just illustrating to michaelsanford that iptables does indeed accept host names and not just IP addresses...

anyways, have you considered using a transparent proxy server to whitelist your sites?? this way you can make sure only allowed websites are used, you can even specify them using regex or whatever you want... then also whitelist (default deny) other kinds of traffic to only the IPs you want/need... this would be a million times more effective than trying to blacklist sites, as you are currently doing...
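The thread's core point is that a hostname passed to iptables is expanded into one rule per A record at insert time (post #8), so the rule set is a snapshot that goes stale as the site's hosts change (posts #11 and #12). The added example below, not code from the thread, shows that expansion and a refresh check: it parses an `iptables -L INPUT -n` listing in the format shown in post #8 and reports which addresses must be added or removed to match the current resolution. The resolver is a constructed dictionary standing in for DNS, and the listing lines are constructed from the post #8 output.

```python
# Constructed stand-in for DNS answers (three of the cnn.com A records
# shown in post #8 at the time, plus one invented address marked NEW).
RESOLVED_NOW = {
    "cnn.com": ["64.236.16.20", "64.236.16.84", "198.51.100.7"],  # NEW: 198.51.100.7
}

# Constructed listing in the `iptables -L INPUT -n` format from post #8:
# 64.236.24.20 is installed but no longer resolves, 198.51.100.7 is missing.
INSTALLED_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  64.236.16.20         0.0.0.0/0
DROP       all  --  64.236.16.84         0.0.0.0/0
DROP       all  --  64.236.24.20         0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
"""


def rules_from_names(chain, names, resolve):
    """Expand each name into one DROP rule per A record, as iptables does
    internally when a hostname is given to -s; duplicates are collapsed."""
    rules, seen = [], set()
    for name in names:
        for ip in resolve(name):
            if ip not in seen:
                seen.add(ip)
                rules.append(f"iptables -I {chain} -s {ip} -j DROP")
    return rules


def installed_drop_sources(listing):
    """Source addresses of DROP rules in `iptables -L <chain> -n` output.
    Columns: target prot opt source destination, so source is field 3."""
    ips = set()
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "DROP":
            ips.add(parts[3])
    return ips


def refresh_delta(current_ips, installed_ips):
    """(to_add, to_remove) needed to make the installed snapshot match DNS now.
    A non-empty result is the staleness SlowCoder hit in post #11."""
    return sorted(set(current_ips) - installed_ips), sorted(installed_ips - set(current_ips))
```

Run the refresh from cron with a real resolver in place of the dictionary; an empty delta means the snapshot still matches.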
 