|
IPTables - How to block an entire domain?
Pretending I wanted to block the entire blah.com domain (just an example):
Currently I have to enter the following commands into my script: iptables -A block_outgoing -j DROP -d blah.com iptables -A block_outgoing -j DROP -d ww1.blah.com iptables -A block_outgoing -j DROP -d ww2.blah.com iptables -A block_outgoing -j DROP -d ww3.blah.com Since sites like blah.com have multiple servers, with different hostnames, trying to keep track of them is a hassle. I would like to tell IPTables to block all traffic from the entire blah.com domain. How can this be done? Thank you. |
I would either do two of below,
1) edit /etc/hosts.deny ALL : .blah.com OR 2)I am not 100% sure but I would think this would work, do host -l blah.com to get list of all address iptables -A block_outgoing -j DROP -d 192.168.0.0/24 <-- do multiple for whatever other network they own.. let me know if this helps. thanks. |
When I use 'host freearcade.com' it delivers only the information for that server, not for the entire network. Same as dig or nslookup.
For instance: #host freearcade.com freearcade.com has address 67.15.107.250 #host ww1.freearcade.com ww1.freearcade.com has address 67.15.107.194 As you see they have different IPs because they are different servers. What I would like to accomplish is to block all hosts on the freearcade.com domain. Can it be done easily? |
I want to state several notions:
Detailed explatation: When you type something like iptables -A INPUT -s mygirl.love.org -j DROP, then mygirl.love.org's ip adress is passed to kernel instead of symbolical name. This means the kernel does not care about names. And it is correct because most packets does not contain DNS names, but digital ip's only. By the way DNS-IP matching is slow even when cached so it's gonna be kind of horror if ALL the packets are matched that way. The second example iptables -A INPUT -s gunner.evilparty/18 -j DROP. Here we a not just providing the ip adress but a mask, wich means this applies to all subnet. If you don't know what's a mask - here an example IP: 10.4.2.1 mask: 255.0.0.0 BINARY 00001010 00000100 00000010 00000001 11111111 00000000 00000000 00000000 When we specify the mask in "ip/number" format it means "first number bytes are ones others - zero". The bits of IP wich correspond to "1" bits in mask are invariant for the given network or maybe domain(in some cases that's false). The "0" ones are left to identify a host in a subnet. The more "0" we have the bigger newtwork we are dealing with. For instance /24 means a 255 computer(class C) network. That was a bit of teory. The two solutions for you: if you just want to restrict your servers' usage, the best one is inetd configuration(hosts.allow etc) as shown above. if you want to completely block the incoming traffic you should find out their IP range, then try to detect their mask by studing what changes in their IP's and what remain constant. Finally iptables -A INPUT -s 67.15.107.194/X -j DROP, where X is a mask width. Note: the bits of IP wich are zero's in mask may be zeros in specification. For example 10.17.39.220/24 is just the same as 10.17.39.0/24 is. It is recommended to put zeros to have a visual difference between network and subnet parts of IP PS: sorry for such a huge flood ;)) |
PPS: I guest they have a /24 or even smaller network cause 67.15.107. does not change(but a statistic is VERY small :( ).
Also smaller then class C networks are easy to buy so sometimes it's happen to see even /30 ones. If I were you I would likely ban 67.15.107.0/24 and if not just the needed domain was banned but some other hosts, I'd narrowed the mask bit by bit until I got the +- correct one |
I just wanted to add, for the benefit of anyone else reading this (as it's a very common mistake) that iptables does not currently allow you to pass host names as parameters--you need the IP address.
After some thought the reason for this is clear: the TCP packet contains the IP address of the originator but not it's domain name. So, for every single packet that comes in, iptables would have to do a reverse lookup (or make use of a cache) to figure out where the packet came from. That's BIG overhead and probably won't ever be implemented, IMHO. |
Quote:
yes, it's not something that's recommended, but it is indeed something you *can* do with a stock iptables install... |
check this out:
Code:
bash-3.00# iptables -F INPUT |
did u try solution 1)??
1) edit /etc/hosts.deny ALL : .blah.com |
Even i found the solution to my mental query,
using hosts.deny and the masking method appear really helpful. I was finding difficulty as specified above. Thanks for the solution. |
voip_tech_2004: It's my understanding that hosts.deny only handles packets destined for the local computer. I am running my IPTables firewall for my network, and it seems to work very well. I just have a few issues to iron out.
elfy: Yep, I am aware that iptables is a part of the kernel, and that only the IP/mask is directly passed directly to the kernel, but the iptables command does allow host names, which it converts to IP before sending to the kernel. win32sux: That is effectively what I do. But it doesn't work to block an entire network. For instance, if I put in iptables -A FORWARD -j DROP -d aol.com it may block www.aol.com, mail.aol.com, etc., but might not block aim.aol.com or myscreenname.aol.com. |
Quote:
Quote:
anyways, have you considered using a transparent proxy server to whitelist your sites?? this way you can make sure only allowed websites are used, you can even specify them using regex or whatever you want... then also whitelist (default deny) other kinds of traffic to only the IPs you want/need... this would be a million times more effective than trying to blacklist sites, as you are currently doing... |
| All times are GMT -5. The time now is 04:07 PM. |