FQDN filtering

InfoMail infomail at nobarrier.co.za
Tue Aug 30 17:22:17 CEST 2005


this is the rule and below is the error .. is this ment to work

$IPTAB -A OUTPUT -p tcp -o eth0 -s 0/0 -d www.microsoft.com -j DROP
##$IPTAB -A FORWARD -s 0/0 -d www.microsoft.com -m state --state NEW -j DROP


starting rules for NATing
iptables v1.2.11: host/network `www.microsoft.com' not found
Try `iptables -h' or 'iptables --help' for more information.


Leonardo Rodrigues Magalhães wrote:

>
>    Well .... yes it can and no it cannot.
>
>    All rules can have FQDN instead of IPs. But FQDNs will be solved to 
> IPs and rules will be created using IPs.
>
> Rule:
> iptables -A INPUT -s www.microsoft.com -j DROP
>
> is completly valid, but will be translated to:
>
> iptables -A INPUT -s 207.46.198.30 -j DROP
> iptables -A INPUT -s 207.46.198.60 -j DROP
> iptables -A INPUT -s 207.46.199.30 -j DROP
> iptables -A INPUT -s 207.46.225.60 -j DROP
> iptables -A INPUT -s 207.46.18.30 -j DROP
> iptables -A INPUT -s 207.46.19.30 -j DROP
> iptables -A INPUT -s 207.46.19.60 -j DROP
> iptables -A INPUT -s 207.46.20.60 -j DROP
>
>    when you hit the ENTER key or execute your firewall script. You 
> will not see 'www.microsoft.com' if you do 'iptables -nL -v', you will 
> only see the translated IP addresses. If FQDN changes IP addresses, 
> iptables will not see that change because DNS query for searching IPs 
> is done only when the rule is created.
>
>    I think there's a limit on how many IPs iptables can handle for a 
> single FQDN, but I dont know what this limit is.
>
>    iptables seems to CANNOT have rules with FQDN and keep the FQDN 
> instead of IPs.
>
>    Anyway, filtering FQDNs seems to be nice on application level and 
> not always on IP level. Are you thinking on web filtering ??? Why not 
> using a http proxy (squid) for doing that ?? Are you thinking on SPAM 
> fighting ?? Why not using your MTA capabilities for that ??
>
>    Sincerily,
>    Leonardo Rodrigues
>
>
> rockey dada escreveu:
>
>> Is there any way one can use IPTABLES to filter traffic based on "Fully
>> Qualified Domain Names".
>>
>> Rgds
>>
>>  
>>


______________________________________
XamimeLT - installed on mailserver for domain @nobarrier.co.za
Queries to: postmaster at nobarrier.co.za



More information about the netfilter mailing list