LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-08-2006, 02:07 PM   #1
ahz10
Member
 
Registered: Apr 2005
Distribution: Fedora,Trustix,FreeBSD
Posts: 62

Rep: Reputation: 15
iptables host name wildcards, like *.examples.com


How do I match with a wild card on the host name? Something like this:

iptables -A FORWARD -d *.hamachi.cc -j ACCEPT

I checked a few of the IP addresses, and they are not in the same subnet. Also, the subnet does not even belong to Hamachi. That means I cannot just use the IP subnet instead of a wildcard.
 
Old 05-09-2006, 08:17 AM   #2
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
Erm... you can't really.

Do you really want the computer to be doing DNS lookups on every unique IP before it decides whether to accept them or not? Even if you COULD do this, the chances are that your computer will spend most of its time looking up DNS for every connection and you'll either be blocked from the DNS server or your computer will slow to a crawl.

Additionally, even looking up the IPs and blocking them may not work because the point of DNS is that you can change IPs as often as you like without having to change anything but your DNS entry. So the IP you block today won't be the IP they are using tomorrow.

If you're being spammed, attacked or accessed by these people, you have to block the IPs. If you're trying to stop people visiting sites on that domain, it's a job for an HTTP filter, not iptables.

iptables deals with IP, not DNS. It works with IPs, not hostnames. Therefore you can only block IPs, not domains.
 
Old 05-09-2006, 11:48 AM   #3
ahz10
Member
 
Registered: Apr 2005
Distribution: Fedora,Trustix,FreeBSD
Posts: 62

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by ledow
Erm... you can't really.
No such thing!

Quote:
Do you really want the computer to be doing DNS lookups on every unique IP before it decides whether to accept them or not?
I'd prefer that iptables cache it, but even if it doesn't, I run dnsmasq, a caching DNS server.

Quote:
Additionally, even looking up the IPs and blocking them may not work because the point of DNS is that you can change IPs as often as you like without having to change anything but your DNS entry. So the IP you block today won't be the IP they are using tomorrow.
So, the cache expires every once in a while.

Quote:
If you're being spammed, attacked or accessed by these people, you have to block the IPs. If you're trying to stop people visiting sites on that domain, it's a job for an HTTP filter, not iptables.
Our office has a firewall with strict outbound rules, but I want to make an exception for the Hamachi VPN system. (If you haven't seen Hamachi: check it out--very cool.) Unfortunately, Hamachi connects to various "mediation" servers, and I don't know how many there are. In a short time, I found three on two different subnets.

Quote:
iptables deals with IP, not DNS. It works with IPs, not hostnames. Therefore you can only block IPs, not domains.
The good news is that you can map IP addresses to hostnames and vice versa.
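The approach the original poster describes in post #3 (resolve the names, cache the results, refresh as the cache expires) can be turned into a small script that rebuilds a dedicated iptables chain from the current DNS answers. This is an added example, not code from the thread or from Hamachi; the hostnames are constructed placeholders (a wildcard such as *.hamachi.cc cannot be resolved, so the concrete mediation-server names have to be listed), the chain name HAMACHI_OUT is assumed to have been created once with `iptables -N HAMACHI_OUT` and jumped to from FORWARD, and the script is meant to be re-run from cron at roughly the DNS TTL.

```python
#!/usr/bin/env python3
"""Resolve a fixed list of hostnames and rebuild an iptables chain of
ACCEPT rules for the addresses they currently point at."""
import ipaddress
import socket
import subprocess
import sys

CHAIN = "HAMACHI_OUT"          # assumed chain, created once and hooked into FORWARD
HOSTNAMES = [                  # constructed placeholders, not real server names
    "mediation1.example.com",
    "mediation2.example.com",
]


def resolve_all(hostnames, resolver=socket.gethostbyname_ex):
    """Return the sorted set of valid IPv4 addresses the names resolve to."""
    addrs = set()
    for name in hostnames:
        try:
            _, _, ips = resolver(name)
        except (socket.gaierror, OSError):
            continue              # unresolvable this round: leave it out
        for ip in ips:
            try:
                addrs.add(ipaddress.IPv4Address(ip))
            except ipaddress.AddressValueError:
                pass              # ignore anything that is not an IPv4 literal
    return sorted(addrs)


def build_rules(addresses, chain=CHAIN):
    """Commands that flush the chain and re-add one /32 ACCEPT per address."""
    rules = [["iptables", "-F", chain]]
    for ip in addresses:
        rules.append(["iptables", "-A", chain, "-d", f"{ip}/32", "-j", "ACCEPT"])
    return rules


def apply_rules(rules):
    """Run the commands; stop at the first failure so a half-built chain is noticed."""
    for cmd in rules:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    cmds = build_rules(resolve_all(HOSTNAMES))
    if "--dry-run" in sys.argv:
        for c in cmds:
            print(" ".join(c))
    else:
        apply_rules(cmds)
```

Run it with `--dry-run` first to see the rules it would install; a name that stops resolving simply drops out of the chain on the next run, which is the fail-closed behaviour you want for an outbound exception.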
 
Old 05-24-2006, 08:18 PM   #4
Xeta
LQ Newbie
 
Registered: Apr 2006
Posts: 17

Rep: Reputation: 0
Actually, I think a look into the string match functionality would help you out there

#iptables -A FORWARD -m string --algo bm --string "hostname" -j ACCEPT
 
Old 08-02-2006, 06:24 PM   #5
ahz10
Member
 
Registered: Apr 2005
Distribution: Fedora,Trustix,FreeBSD
Posts: 62

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Xeta
Actually, I think a look into the string match functionality would help you out there

#iptables -A FORWARD -m string --algo bm --string "hostname" -j ACCEPT
As far as I can tell, that matches strings in the packets, but the hostname is probably not in the packet (header or payload). Besides, I'd really rather just look at the header.

http://www.netfilter.org/projects/pa...m-extra-string
http://www.netfilter.org/documentati...-3.html#ss3.18

BTW, I couldn't find the documentation for "--algo bm".
 
Old 08-03-2006, 07:51 AM   #6
r0b0
Member
 
Registered: Aug 2004
Location: Europe
Posts: 608

Rep: Reputation: 50
Just forget it, it's not going to work this way. You need to find a way to do this on the IP layer. That is: protocols, IP addresses, ports, etc. No DNS. iptables is an IP layer tool; it won't resolve DNS names for you.
 
Old 08-08-2006, 11:28 PM   #7
axida
LQ Newbie
 
Registered: Aug 2006
Posts: 1

Rep: Reputation: 0
help :
who can tell me how to install g77 in linux ?
thanks!
 
Old 08-08-2006, 11:32 PM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by axida
help :
who can tell me how to install g77 in linux ?
thanks!
what, the compiler?? if so, please open your own thread, as this would be considered thread hijacking...
 