FQDN filtering

/dev/rob0 rob0 at gmx.co.uk
Tue Aug 30 19:23:48 CEST 2005


Please do not top-post. Thank you.

On Tuesday 2005-August-30 10:22, InfoMail wrote:
> this is the rule and below is the error .. is this ment to work
> 
> $IPTAB -A OUTPUT -p tcp -o eth0 -s 0/0 -d www.microsoft.com -j DROP
> ##$IPTAB -A FORWARD -s 0/0 -d www.microsoft.com -m state --state NEW
> -j DROP

To do this most effectively, consider using HTTP proxy servers, like 
Squid ( http://www.squid-cache.org/ ).

Again you're not explicit about your goal. Allow me to give an example: 
"I want to block all HTTP access to servers at www.microsoft.com., for 
hosts in my NAT'ed network." Squid is the best means of that; my DNS 
hijacking idea in the other post might also work, although it would 
also affect anything else resolving from www.microsoft.com, not just 
HTTP.

Or: "I want to block all access, all protocols, to all Microsoft 
servers, from my host and from NAT'ed hosts."

Say what it is you want to do!

I sense also a likely misunderstanding of the roles of the built-in 
chains. OUTPUT only affects traffic which originated on the machine 
itself. If you're wanting to block NAT'ed traffic, you need to do this 
in FORWARD. Please see "man iptables".

> starting rules for NATing
> iptables v1.2.11: host/network `www.microsoft.com' not found
> Try `iptables -h' or 'iptables --help' for more information.

The problem here is that at the time your script tries to run that 
iptables command, your rules do not yet allow DNS access to your 
nameserver[s].
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header



More information about the netfilter mailing list