FQDN filtering

/dev/rob0 rob0 at gmx.co.uk
Tue Aug 30 19:23:48 CEST 2005

Please do not top-post. Thank you.

On Tuesday 2005-August-30 10:22, InfoMail wrote:
> this is the rule and below is the error .. is this meant to work
> $IPTAB -A OUTPUT -p tcp -o eth0 -s 0/0 -d www.microsoft.com -j DROP
> ##$IPTAB -A FORWARD -s 0/0 -d www.microsoft.com -m state --state NEW
> -j DROP

To do this most effectively, consider using HTTP proxy servers, like 
Squid ( http://www.squid-cache.org/ ).

Again you're not explicit about your goal. Allow me to give an example: 
"I want to block all HTTP access to servers at www.microsoft.com., for 
hosts in my NAT'ed network." Squid is the best means of that; my DNS 
hijacking idea in the other post might also work, although it would 
also affect anything else resolving from www.microsoft.com, not just 

Or: "I want to block all access, all protocols, to all Microsoft 
servers, from my host and from NAT'ed hosts."

Say what it is you want to do!

I sense also a likely misunderstanding of the roles of the built-in 
chains. OUTPUT only affects traffic which originated on the machine 
itself. If you're wanting to block NAT'ed traffic, you need to do this 
in FORWARD. Please see "man iptables".

> starting rules for NATing
> iptables v1.2.11: host/network `www.microsoft.com' not found
> Try `iptables -h' or 'iptables --help' for more information.

The problem here is that at the time your script tries to run that 
iptables command, your rules do not yet allow DNS access to your 

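One way to avoid both problems raised above (hostname resolution happening at rule-load time, and the rule sitting in the wrong chain): resolve the FQDN once in the script, fail closed if nothing resolves, and emit one FORWARD rule per address. This is an added example, not code from the original post or its author; `$IPTAB` is assumed to be the iptables path as in the quoted script, and the addresses passed at the bottom are constructed sample values so it runs offline.

```shell
#!/bin/sh
# Resolve an FQDN once, at rule-load time, and emit one iptables rule per
# address it resolves to. If resolution fails, emit nothing and return 1
# instead of letting iptables abort the script with "host/network not found".

IPTAB=${IPTAB:-iptables}   # assumption: same variable as in the quoted script

# resolve_host NAME: print the IPv4 addresses NAME resolves to, one per line.
# getent(1) consults /etc/hosts as well as DNS, so a static entry works even
# before DNS traffic is permitted by the firewall.
resolve_host() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# emit_rules NAME ADDR...: print the iptables commands that drop NEW forwarded
# TCP connections to each ADDR. Rules go in FORWARD, which is the chain that
# sees NAT'ed traffic from other hosts (OUTPUT only sees locally originated
# traffic). The NAME is echoed in a comment line for traceability.
emit_rules() {
    name=$1; shift
    echo "# rules for $name, resolved at $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    for addr in "$@"; do
        printf '%s -A FORWARD -p tcp -d %s -m state --state NEW -j DROP\n' \
            "$IPTAB" "$addr"
    done
}

# block_host NAME [ADDR...]: resolve NAME (unless addresses are given
# explicitly) and emit the rules. Returns 1 and prints nothing if NAME does
# not resolve, so the caller can stop the script rather than load half a policy.
block_host() {
    name=$1; shift
    if [ $# -eq 0 ]; then
        set -- $(resolve_host "$name")
    fi
    if [ $# -eq 0 ]; then
        echo "block_host: $name did not resolve; no rules emitted" >&2
        return 1
    fi
    emit_rules "$name" "$@"
}

# Constructed sample: documentation-range addresses standing in for a resolved
# answer (not real records for any host), passed explicitly to run offline.
block_host www.example.com 192.0.2.10 192.0.2.11
```

Pipe the output into `sh` (or `eval` it) only after the whole script has succeeded, so a failed lookup leaves the existing rule set untouched.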