LinuxQuestions.org

ahz10 05-08-2006 01:07 PM

iptables host name wildcards, like *.examples.com
 
How do I match with a wild card on the host name? Something like this:

iptables -A FORWARD -d *.hamachi.cc -j ACCEPT

I checked a few of the IP addresses, and they are not in the same subnet. Also, the subnet does not even belong to Hamachi. :( That means I cannot just use the IP subnet instead of a wildcard.

ledow 05-09-2006 07:17 AM

Erm... you can't really.

Do you really want the computer to be doing DNS lookups on every unique IP before it decides whether to accept them or not? Even if you COULD do this, the chances are that your computer will spend most of its time looking up DNS for every connection and you'll either be blocked from the DNS server or your computer will slow to a crawl.

Additionally, even looking up the IPs and blocking them may not work because the point of DNS is that you can change IPs as often as you like without having to change anything but your DNS entry. So the IP you block today won't be the IP they are using tomorrow.

If you're being spammed, attacked or accessed by these people, you have to block the IPs. If you're trying to stop people visiting sites on that domain, it's a job for an HTTP filter, not iptables.

iptables deals with IP, not DNS. It works with IPs, not hostnames. Therefore you can only block IPs, not domains.

ahz10 05-09-2006 10:48 AM

Quote:

Originally Posted by ledow
Erm... you can't really.

No such thing! :)

Quote:

Do you really want the computer to be doing DNS lookups on every unique IP before it decides whether to accept them or not?
I'd prefer iptables to cache it, but even if it doesn't, I run dnsmasq, a caching DNS server.

Quote:

Additionally, even looking up the IPs and blocking them may not work because the point of DNS is that you can change IPs as often as you like without having to change anything but your DNS entry. So the IP you block today won't be the IP they are using tomorrow.
So, the cache expires every once in a while.

Quote:

If you're being spammed, attacked or accessed by these people, you have to block the IPs. If you're trying to stop people visiting sites on that domain, it's a job for an HTTP filter, not iptables.
Our office has a firewall with strict outbound rules, but I want to make an exception for the Hamachi VPN system. (If you haven't seen Hamachi: check it out--very cool.) Unfortunately, Hamachi connects to various "mediation" servers, and I don't know how many there are. In a short time, I found three on two different subnets.

Quote:

iptables deals with IP, not DNS. It works with IPs, not hostnames. Therefore you can only block IPs, not domains.
The good news is that you can map IP addresses to hostnames and vice versa.
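The approach this post points at (resolve the hostnames you care about, then write rules for the addresses they currently map to, and redo it on a schedule because the answers change) can be scripted. The script below is an added example written for this thread; it is not code from any poster and not part of Hamachi. The host names, the chain name VPN_ALLOW and the sample resolver output are constructed placeholders. It only prints the iptables commands; applying them is a separate, deliberate step. One caveat worth keeping in mind from a security standpoint: the firewall's allow list is now only as trustworthy as the resolver answers that produced it, so run this against a resolver you control (the local dnsmasq cache the poster mentions qualifies) and keep the rebuilt chain scoped to the ports the VPN actually needs.

```shell
#!/bin/sh
# Added example for the LinuxQuestions thread: build per-address iptables
# rules from host names. Nothing here is from the thread's posters; the host
# names, chain name and sample data are constructed for illustration.

# resolve_v4 HOST: print the IPv4 addresses HOST currently resolves to, one per
# line. getent goes through the system resolver, so a local caching server
# such as dnsmasq answers repeated runs without hitting upstream DNS.
resolve_v4() {
    getent ahostsv4 "$1" | awk '$2 == "STREAM" { print $1 }' | sort -u
}

# rules_from_pairs [CHAIN]: read "host ip" lines on stdin and emit a rule set
# for CHAIN (default VPN_ALLOW): first a flush of the chain, then one ACCEPT
# per unique address. Flushing first is what keeps stale addresses from
# accumulating when the script is re-run after the DNS answers change.
rules_from_pairs() {
    chain=${1:-VPN_ALLOW}
    awk -v chain="$chain" '
        BEGIN      { printf "iptables -F %s\n", chain }
        NF < 2     { next }
        !seen[$2]++ { printf "iptables -A %s -d %s -j ACCEPT\n", chain, $2 }
    '
}

# build_rules HOST...: resolve each host and print the resulting rule set.
# It does not apply anything; review the output, then pipe it to sh if it
# looks right. Schedule the whole thing (e.g. from cron) so the chain tracks
# DNS changes instead of freezing whatever the answers were at install time.
build_rules() {
    for h in "$@"; do
        resolve_v4 "$h" | while read -r ip; do
            printf '%s %s\n' "$h" "$ip"
        done
    done | rules_from_pairs VPN_ALLOW
}

# Constructed resolver output for an offline demonstration (documentation
# addresses from RFC 5737, not real mediation servers). Note the repeated
# address: two names resolving to one IP must yield a single rule.
SAMPLE_PAIRS='mediation1.example.net 192.0.2.10
mediation2.example.net 198.51.100.20
mediation2.example.net 192.0.2.10'

# count_rules: number of lines the sample data produces (flush + 2 ACCEPTs).
count_rules() {
    printf '%s\n' "$SAMPLE_PAIRS" | rules_from_pairs VPN_ALLOW | wc -l | tr -d ' '
}

# Usage: sh build_rules.sh mediation1.example.net mediation2.example.net
# With no arguments the script only defines the functions above.
if [ "$#" -gt 0 ]; then
    build_rules "$@"
fi
```

For this to do anything, the FORWARD chain has to hand the relevant traffic to VPN_ALLOW once (for example `iptables -A FORWARD -j VPN_ALLOW`), which is why the script flushes the chain rather than the whole FORWARD table on each rebuild. The remaining gap is the one ledow raised: between rebuilds, an address that the provider stops using stays allowed, and a new one is blocked until the next run, so pick the interval with the names' DNS TTLs in mind.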

Xeta 05-24-2006 07:18 PM

Actually, I think a look into the string match functionality would help you out there

#iptables -A FORWARD -m string --algo bm --string "hostname" -j ACCEPT

ahz10 08-02-2006 05:24 PM

Quote:

Originally Posted by Xeta
Actually, I think a look into the string match functionality would help you out there

#iptables -A FORWARD -m string --algo bm --string "hostname" -j ACCEPT

As far as I can tell, that matches strings in the packets, but the hostname is probably not in the packet (header or payload). Besides, I'd really rather just look at the header.

http://www.netfilter.org/projects/pa...m-extra-string
http://www.netfilter.org/documentati...-3.html#ss3.18

BTW, I couldn't find the documentation for "--algo bm".

r0b0 08-03-2006 06:51 AM

Just forget it, it's not going to work this way. You need to find a way to do this on the IP layer. That is: protocols, IP addresses, ports, etc. No DNS. iptables is an IP layer tool; it won't resolve DNS names for you.

axida 08-08-2006 10:28 PM

Help:
Who can tell me how to install g77 in Linux?
Thanks!

win32sux 08-08-2006 10:32 PM

Quote:

Originally Posted by axida
Help:
Who can tell me how to install g77 in Linux?
Thanks!

What, the compiler? If so, please open your own thread, as this would be considered thread hijacking...