Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
05-08-2006, 02:07 PM, #1
Member; Registered: Apr 2005; Distribution: Fedora, Trustix, FreeBSD; Posts: 62
iptables host name wildcards, like *.examples.com
How do I match with a wildcard on the host name? Something like this:
iptables -A FORWARD -d *.hamachi.cc -j ACCEPT
I checked a few of the IP addresses, and they are not in the same subnet. Also, the subnet does not even belong to Hamachi. That means I cannot just use the IP subnet instead of a wildcard.
05-09-2006, 08:17 AM, #2
Member; Registered: Apr 2005; Location: UK; Distribution: Slackware 13.0; Posts: 241
Erm... you can't really.
Do you really want the computer to be doing DNS lookups on every unique IP before it decides whether to accept them or not? Even if you COULD do this, the chances are that your computer will spend most of its time looking up DNS for every connection and you'll either be blocked from the DNS server or your computer will slow to a crawl.
Additionally, even looking up the IPs and blocking them may not work because the point of DNS is that you can change IPs as often as you like without having to change anything but your DNS entry. So the IP you block today won't be the IP they are using tomorrow.
If you're being spammed, attacked or accessed by these people, you have to block the IPs. If you're trying to stop people visiting sites on that domain, it's a job for an HTTP filter, not iptables.
iptables deals with IP, not DNS. It works with IPs, not hostnames. Therefore you can only block IPs, not domains.
05-09-2006, 11:48 AM, #3
Member; Registered: Apr 2005; Distribution: Fedora, Trustix, FreeBSD; Posts: 62; Original Poster
Quote: Originally Posted by ledow
Erm... you can't really.
No such thing!
Quote:
Do you really want the computer to be doing DNS lookups on every unique IP before it decides whether to accept them or not?
I'd prefer that iptables cache it, but even if it doesn't, I run dnsmasq, a caching DNS server.
Quote:
Additionally, even looking up the IPs and blocking them may not work because the point of DNS is that you can change IPs as often as you like without having to change anything but your DNS entry. So the IP you block today won't be the IP they are using tomorrow.
So, the cache expires every once in a while.
Quote:
If you're being spammed, attacked or accessed by these people, you have to block the IPs. If you're trying to stop people visiting sites on that domain, it's a job for an HTTP filter, not iptables.
Our office has a firewall with strict outbound rules, but I want to make an exception for the Hamachi VPN system. (If you haven't seen Hamachi: check it out--very cool.) Unfortunately, Hamachi connects to various "mediation" servers, and I don't know how many there are. In a short time, I found three on two different subnets.
Quote:
iptables deals with IP, not DNS. It works with IPs, not hostnames. Therefore you can only block IPs, not domains.
The good news is that you can map IP addresses to hostnames and vice versa.
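The mapping the poster refers to has to happen outside the packet path: resolve each name when the rules are loaded, install one rule per address, and re-run on a schedule so changed records are picked up (a caching resolver such as the dnsmasq mentioned above keeps the lookups cheap). The script below is an added example and is not code from this thread or from Hamachi; the function names `resolve_v4` and `rules_for_hosts`, the chain name `vpn-out` and the hostnames in its comments are chosen here for illustration. It prints the iptables commands instead of executing them, so the generated allow-list can be reviewed before it is piped to `sh`.

```shell
#!/bin/sh
# Added example, not from the thread. iptables matches addresses, never names,
# so resolve the names first and emit one ACCEPT rule per address. Run it from
# cron (flushing the chain first) so that changed DNS records are picked up.
# Only the DNS answer is trusted here: whoever controls the zone decides what
# gets accepted, so keep the list of names short and the chain dedicated.

# resolve_v4 NAME: print the IPv4 addresses for NAME, one per line, deduplicated.
# On a real host this asks the system resolver (getent), which dnsmasq can cache.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# rules_for_hosts RESOLVER CHAIN NAME...: print (do not execute) the iptables
# commands that allow traffic to every address each NAME currently resolves to.
# RESOLVER is any function or command that takes a name and prints addresses,
# so a fixed table can be substituted for testing. Names containing '*' are
# rejected explicitly: a wildcard is not resolvable, and silently producing no
# rule for it would be worse than refusing it.
rules_for_hosts() {
    resolver=$1
    chain=$2
    shift 2
    for name in "$@"; do
        case "$name" in
            *\**)
                printf '%s\n' "skipping '$name': wildcards cannot be resolved" >&2
                continue ;;
        esac
        addrs=$("$resolver" "$name") || {
            printf '%s\n' "$name: lookup failed, no rule emitted" >&2
            continue
        }
        [ -n "$addrs" ] || {
            printf '%s\n' "$name: no IPv4 address, no rule emitted" >&2
            continue
        }
        for ip in $addrs; do
            # The comment records which name produced the rule, so a later
            # 'iptables -L -n' still shows why this address is allowed.
            printf 'iptables -A %s -d %s -m comment --comment "%s" -j ACCEPT\n' \
                "$chain" "$ip" "$name"
        done
    done
    return 0
}

# Typical use (constructed names): review the output, then pipe it to sh.
#   iptables -F vpn-out 2>/dev/null || iptables -N vpn-out
#   rules_for_hosts resolve_v4 vpn-out relay1.example.test relay2.example.test | sh
```

Note that iptables itself will accept a plain hostname for `-d` and resolve it once, at insertion time, creating one rule per address; the script only makes that one-time resolution explicit and repeatable, and refuses the wildcard form that started this thread. The remaining weakness is the one ledow describes: the allow-list is exactly as trustworthy as the DNS answers it was built from, and it is stale until the next refresh.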
05-24-2006, 08:18 PM, #4
LQ Newbie; Registered: Apr 2006; Posts: 17
Actually, I think a look into the string match functionality would help you out there:
#iptables -A FORWARD -m string --algo bm --string "hostname" -j ACCEPT
08-02-2006, 06:24 PM, #5
Member; Registered: Apr 2005; Distribution: Fedora, Trustix, FreeBSD; Posts: 62; Original Poster
Quote: Originally Posted by Xeta
Actually, I think a look into the string match functionality would help you out there:
#iptables -A FORWARD -m string --algo bm --string "hostname" -j ACCEPT
As far as I can tell, that matches strings in the packets, but the hostname is probably not in the packet (header or payload). Besides, I'd really rather just look at the header.
http://www.netfilter.org/projects/pa...m-extra-string
http://www.netfilter.org/documentati...-3.html#ss3.18
BTW, I couldn't find the documentation for "--algo bm".
08-03-2006, 07:51 AM, #6
Member; Registered: Aug 2004; Location: Europe; Posts: 608
Just forget it, it's not going to work this way. You need to find a way to do this on the IP layer. That is: protocols, IP addresses, ports, etc. No DNS. iptables is an IP layer tool; it won't resolve DNS names for you.
08-08-2006, 11:28 PM, #7
LQ Newbie; Registered: Aug 2006; Posts: 1
Help: who can tell me how to install g77 in Linux? Thanks!
08-08-2006, 11:32 PM, #8
LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870
Quote: Originally Posted by axida
Help: who can tell me how to install g77 in Linux? Thanks!
What, the compiler? If so, please open your own thread, as this would be considered thread hijacking...