Linux - Security forum (LinuxQuestions.org)
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
How do I match with a wild card on the host name? Something like this:
iptables -A FORWARD -d *.hamachi.cc -j ACCEPT
I checked a few of the IP addresses, and they are not in the same subnet. Also, the subnet does not even belong to Hamachi. That means I cannot just use the IP subnet instead of a wildcard.
Do you really want the computer to be doing DNS lookups on every unique IP before it decides whether to accept them or not? Even if you COULD do this, the chances are that your computer will spend most of its time looking up DNS for every connection and you'll either be blocked from the DNS server or your computer will slow to a crawl.
Additionally, even looking up the IPs and blocking them may not work because the point of DNS is that you can change IPs as often as you like without having to change anything but your DNS entry. So the IP you block today won't be the IP they are using tomorrow.
If you're being spammed, attacked or accessed by these people, you have to block the IPs. If you're trying to stop people visiting sites on that domain, it's a job for an HTTP filter, not iptables.
iptables deals with IP, not DNS. It works with IPs, not hostnames. Therefore you can only block IPs, not domains.
Quote:
Do you really want the computer to be doing DNS lookups on every unique IP before it decides whether to accept them or not?
I'd prefer that iptables cache it, but even if it doesn't, I run dnsmasq, a caching DNS server.
Quote:
Additionally, even looking up the IPs and blocking them may not work because the point of DNS is that you can change IPs as often as you like without having to change anything but your DNS entry. So the IP you block today won't be the IP they are using tomorrow.
So, the cache expires every once in a while.
Quote:
If you're being spammed, attacked or accessed by these people, you have to block the IPs. If you're trying to stop people visiting sites on that domain, it's a job for an HTTP filter, not iptables.
Our office has a firewall with strict outbound rules, but I want to make an exception for the Hamachi VPN system. (If you haven't seen Hamachi: check it out--very cool.) Unfortunately, Hamachi connects to various "mediation" servers, and I don't know how many there are. In a short time, I found three on two different subnets.
Quote:
iptables deals with IP, not DNS. It works with IPs, not hostnames. Therefore you can only block IPs, not domains.
The good news is that you can map IP addresses to hostnames and vice versa.
As far as I can tell, that matches strings in the packets, but the hostname is probably not in the packet (header or payload). Besides, I'd really rather just look at the header.
Just forget it, it's not going to work this way. You need to find a way to do this at the IP layer. That is: protocols, IP addresses, ports, etc. No DNS. iptables is an IP layer tool; it won't resolve DNS names for you.
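Since iptables only matches addresses, the practical way to allow-list a set of VPN mediation servers known by hostname is to resolve those names periodically and regenerate address-based rules in a dedicated chain. The script below is an added example written for this thread (not code from the posters or from Hamachi); the chain name "hamachi-allow", the hostnames and the cron-style re-run are assumptions, and it cannot enumerate a "*.hamachi.cc" wildcard, only names you already know.

```python
#!/usr/bin/env python3
"""Expand a hostname allow-list into explicit iptables ACCEPT rules (hypothetical helper)."""
import ipaddress
import socket
import subprocess
from typing import Callable, Dict, Iterable, List, Set

CHAIN = "hamachi-allow"  # assumed dedicated chain; FORWARD jumps to it once: iptables -I FORWARD -j hamachi-allow


def resolve(hostname: str) -> Set[str]:
    """Return the IPv4 addresses the resolver currently returns for hostname (empty on failure)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def build_rules(hostnames: Iterable[str], resolver: Callable[[str], Set[str]] = resolve,
                chain: str = CHAIN) -> List[List[str]]:
    """One ACCEPT rule per distinct address, sorted, each tagged with the hostname it came from."""
    origin: Dict[str, str] = {}
    for name in hostnames:
        for addr in resolver(name):
            ipaddress.ip_address(addr)  # raises ValueError if the resolver handed back a non-address
            origin.setdefault(addr, name)  # first hostname to produce an address owns the comment
    rules = []
    for addr in sorted(origin, key=ipaddress.ip_address):
        rules.append(["iptables", "-A", chain, "-d", addr, "-m", "comment",
                      "--comment", f"allow {origin[addr]}", "-j", "ACCEPT"])
    return rules


def apply_rules(rules: List[List[str]], chain: str = CHAIN, run=subprocess.run) -> None:
    """Create the chain if needed, flush only that chain, then load the fresh address rules."""
    run(["iptables", "-N", chain], check=False)  # fails harmlessly if the chain already exists
    run(["iptables", "-F", chain], check=True)
    for rule in rules:
        run(rule, check=True)


if __name__ == "__main__":
    # Constructed placeholder hostnames; re-run from cron so address changes are picked up after the TTL expires.
    apply_rules(build_rules(["mediation1.hamachi.cc", "mediation2.hamachi.cc"]))
```

Because `-F` touches only the dedicated chain, regenerating the allow-list never disturbs the rest of the strict outbound policy in FORWARD.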