Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
It is possible, however yahoo.com has several subdomains. I was searching for the other thread where I posted the iptables line for this, but we ended up with 6 rules I think. That was several months ago that this question was brought up. The kicker here is to push an entry to the /etc/hosts file telling the computer that yahoo.com is 127.0.0.1. This is your best bet to get this working properly.
iptables -A OUTPUT -d yahoo.com -j REJECT --reject-with icmp-host-unreachable
Since I'm not on a Linux machine, I can't tell you the other names you'll need. Open a terminal and type dig yahoo.com then input the rules for each name.
You say you want to be able to access it but nobody else? What's your setup? Is this computer acting as a gateway for other computers or do you all share the same one?
Will this work?
iptables -A OUTPUT -s 10.10.0.9 -j ACCEPT
iptables -A OUTPUT -d yahoo.com -j REJECT --reject-with icmp-host-unreachable
iptables -N state_chk
iptables -A state_chk -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A state_chk -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A state_chk -j LOG --log-prefix "fw-state:"
iptables -A state_chk -j DROP
Is this the correct syntax?
iptables -A OUTPUT -s 10.10.0.9 -j ACCEPT
If I only want to block the guy next to me can I do:
iptables -A OUTPUT -s 10.10.0.10 -d yahoo.com -j REJECT --reject-with icmp-host-unreachable
iptables -t nat -A PREROUTING -d yahoo.com ! -s 10.10.0.9 -j DROP
Which reads as "Append to NAT table's PREROUTING chain: if destination is yahoo.com and source is not 10.10.0.9, reject it"
That way you can still use your chain policy. Since the jump (-j) directive stops the processing of the chain, there may be rules you may wish to add in the future to prevent output from 10.10.0.9.
Also what is the purpose of the state_chk chain?
PS musicman_ace still has the simplest solution, though it is not server-centric.
EDIT I fixed the above rule's target.
Last edited by michaelsanford; 05-02-2005 at 10:16 AM.
Originally posted by michaelsanford: You can compress that idea into one rule
I'm not sure that would still work. Since yahoo.com isn't the FQDN, it will get resolved to one of the other FQDNs that exist. The other thread that discussed this was using hotmail as an example and in the end I think the person went with content filters rather than iptables.
[edit]
I know this seems odd. It should block all IPs that get resolved from yahoo.com, but the last time we discussed this idea it didn't work the way we logically think it should.
Last edited by musicman_ace; 05-02-2005 at 02:29 AM.
Thanks! But I tried
iptables -t nat -A PREROUTING -d yahoo.com ! -s 10.10.0.9 -j REJECT
and got the error:
iptables v1.2.8: ! not allowed with multiple source or destination IP addresses
Try `iptables -h' or 'iptables --help' for more information.
When I removed
! -s 10.10.0.9
It gave the error:
iptables: Invalid argument
You need to add a rule for each IP you wish to block, not each hostname. I assume, of course, that yahoo is a "theoretical" domain here: I don't know why you'd want to block yahoo, but that's not the point.
The rules above should work for you without a problem.
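An added example, not code from any post in this thread: a small POSIX shell script that does what the last reply describes, generating one filter-table rule per resolved address instead of one rule per hostname. The exempt source 10.10.0.9 and the OUTPUT/FORWARD chains come from the thread; getent for live resolution and the 203.0.113.x sample addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example, not taken from the thread. Builds one filter-table rule per
# resolved address, because "-d yahoo.com" expands to every A record of the
# name and iptables 1.2.x refuses "!" together with a multi-address match.
# Rules are printed, not applied, so they can be reviewed (or piped to sh).

# Resolve a hostname to its IPv4 addresses, one per line (needs working DNS;
# prints nothing offline). getent is assumed to be available (any glibc host).
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# build_block_rules CHAIN EXEMPT_SRC ADDRS
#   CHAIN       OUTPUT on the host itself, FORWARD on a gateway
#   EXEMPT_SRC  the one source address that keeps access
#   ADDRS       newline-separated destination addresses
build_block_rules() {
    chain="$1"; exempt_src="$2"; addrs="$3"
    printf '%s\n' "$addrs" | while read -r ip; do
        [ -n "$ip" ] || continue
        # "! -s" is the current negation syntax; with a single -d per rule the
        # "! not allowed with multiple ... IP addresses" error cannot occur.
        printf 'iptables -A %s ! -s %s -d %s -j REJECT --reject-with icmp-host-unreachable\n' \
            "$chain" "$exempt_src" "$ip"
    done
}

# Number of rules in a generated rule set (one per address).
count_rules() {
    printf '%s\n' "$1" | grep -c 'iptables -A '
}

# Constructed sample: two addresses from the TEST-NET-3 documentation range,
# standing in for what resolve_ipv4 would return for the blocked name.
SAMPLE_ADDRS='203.0.113.10
203.0.113.11'

# Gateway case: every source except 10.10.0.9 is refused.
build_block_rules FORWARD 10.10.0.9 "$SAMPLE_ADDRS"
```

The address set behind a name changes over time, so regenerate (flush and rebuild) these rules on a schedule rather than treating one resolution as permanent.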