iptables help please

Lleb_KCir · 11-02-2005, 12:52 PM

just started playing around with iptables and i have a question. if i want to set up a rule to block a domain (doubleclick.net) would it look like the following:

Code:

-A CUSTOMINPUT -s doubleclick.net -j DROP

or do i need something different in the CUSTOMINPUT spot?

Lleb_KCir · 11-02-2005, 01:37 PM

or better yet, how can i track down all of the IPs used by someone like doubleclick.net if i can not block their domain name.

imitheos · 11-02-2005, 04:40 PM

Quote:

Originally posted by Lleb_KCir
or better yet, how can i track down all of the IPs used by someone like doubleclick.net if i can not block their domain name.

If you want to block all ips from doubleclick.net then an easy thing you can do is the following

Code:

nslookup doubleclick.net

Name:   doubleclick.net
Address: 216.73.92.112

and then

Code:

whois 216.73.92.112

which returns among other things

Code:

NetRange:   216.73.80.0 - 216.73.95.255 
CIDR:       216.73.80.0/20

so if you want to block you use the cidr 216.73.80.0/20 and you are ok
for example

Code:

iptables -A CUSTOMINPUT -s 216.73.80.0/20 -j REJECT

This is just a few steps in order you can get easily what ips do they own, but they may own another set of ips too.

In this case you can also setup a proxy or dns and tell it to translate doubleclick.net as 127.0.0.1 for example

Lleb_KCir · 11-02-2005, 07:40 PM

that is awsome. thank you. ill get to work on that tonight.

Lleb_KCir · 11-02-2005, 07:46 PM

ok, really blonde question here, what is the netrange, and how can i block that?

Lleb_KCir · 11-02-2005, 07:52 PM

one more fast question. why REJECT vs DROP?

imitheos · 11-03-2005, 08:16 AM

Quote:

Originally posted by Lleb_KCir
ok, really blonde question here, what is the netrange, and how can i block that?

Netrange ?

Do you mean this "NetRange: 216.73.80.0 - 216.73.95.255"
If yes, this is the set of ips that belong to doubleclick.net according to ARIN
You can block all of them by figuring out what CIDR these ips correspond to.
In this case you don't need to figure it because it is given

CIDR: 216.73.80.0/20

So, if you block 216.73.80.0/20 you essentially block all these ips, that is why i mentioned this rule
"iptables -A CUSTOMINPUT -s 216.73.80.0/20 -j REJECT"

When you drop a packet, then this is it. it is denied and nothing else happens.
When you reject a packet then you send a reply back (usually icmp but you can choose what you want)
to the sender.

So, for example if i do "iptables -A INPUT -p tcp --dport 22 -j DROP"
it will drop all packets and so one who is portscanning will now that my firewall is cutting this port
if i do "iptables -A INPUT -p tcp --dport 22 -j REJECT" then this port will show as it is closed
and whoever is portscanning will not know that i have ssh running on this port.

There are other things, but i try to explain it simply.
If you check the iptables manpage or http://iptables-tutorial.frozentux.net it describes this and many more things.

Lleb_KCir · 11-03-2005, 10:11 AM

thank you for clearing that up for me. always good to understand what you are doing.