Allow particular website/port
spdesai at gnvfc.net
Mon Feb 14 06:01:52 CET 2005
Thank you so much for your detailed explanation.
Quoting Jason Opperisano <opie at 817west.com>:
> On Sun, 2005-02-13 at 01:53, spdesai at gnvfc.net wrote:
> > Hi all...particularly Askar, Eric Leblond, Jason Opperisano (who helped me).
> > I have tried to restrict particular websites through IPTABLES and it's working
> > fine. I have used the below rules for that..
> > Suppose we want to open only www.ndtv.com, www.cnn.com ....then I gave rules
> > in the below order only...
> > iptables -A FORWARD -s 192.168.1.2 -d www.ndtv.com -p tcp --dport 80 -j
> > iptables -A FORWARD -s 192.168.1.2 -d www.cnn.com -p tcp --dport 80 -j
> > iptables -A FORWARD -p tcp --dport 80 -j DROP
> ok--this is exactly why *i* personally don't think this is a good way to
> do this. i'm not trying to say i'm right, but let me at least explain
> why i feel the way i do. let's go to http://www.cnn.com/ shall we?
> first off; at this moment in time, www.cnn.com resolves to:
> your rule that specifies "-d www.cnn.com" will resolve that name to IP
> address(es) at the time the rule is loaded. if cnn decides to
> add/change the IPs for that FQDN--you will need to reload your rules to
> pick up the change. IMHO: strike one.
> k--now we have our 8 filter rules in place for those IP's--let's
> actually fire up our trusty web browser (mosaic...natch). when i browse
> to http://www.cnn.com/ i make requests to:
> we already have the first one accounted for in our filter rules
> (obviously)--so now, i.a.cnn.net (at this moment in time) resolves to:
> note that these are akamai addresses and they *will* change frequently.
> next up is i.cnn.net, which currently resolves to:
> and lastly, we have cnn.dyn.cnn.com (which judging from its name is
> probably a dynamic; i.e. changing, address):
> alright--so to allow access to cnn.com requires 28 rules to allow access
> to 28 IP addresses (generated from the 4 -d $FQDN rules) that can change
> whenever they gosh darn feel like and it's up to me to figure all this
> out...i s'pose we could just allow access to the entire 18.104.22.168/16
> net and be done, right? one rule, *should* cover whatever IP changes
> they decide, right? it *is* kind of a shame that we would be allowing
> web browsing into a network owned by AOL though, huh? sorta defeats the
> purpose. IMHO: strike two.
> let's also keep in mind--i have not clicked through anything on the site
> yet (and i don't plan to, as this is getting a bit ridiculous), but i'm
> guessing i'd need to analyze more traffic, and add more hosts if i
> wanted to watch one of their videos, or listen to their radio etc...
> but there's no easier way to do this, right? when all you have is a
> hammer, every problem starts to look like a nail, or something like
> i personally am not willing to go through that much effort for my users
> (or myself, actually). i also prefer not to implement solutions that
> require constant care and feeding like the above. not when i can add:
> acl cnn dstdomain .cnn.com .cnn.net
> http_access allow cnn
> to my squid.conf and move on with my life.
> ps - i'm aware there was never a strike three. if you want to put in
> the effort to do this, more power to you. in my experience people that
> start down this path either (a) give up on it and decide to use a
> app-level filter (b) give up on it and just allow everything or (c) let
> it rot away to the point where users lose faith that the admin has any
> clue as to what he/she is doing.
> "It takes two to lie. One to lie and one to listen."
> --The Simpsons
This mail sent through IMP: http://horde.org/imp/
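As an added illustration of the two approaches contrasted in the quoted reply (example code written for this page, not from the list post or from either tool), the script below simulates how an iptables `-d <fqdn>` rule is frozen to the A records present at load time, while a Squid-style `dstdomain` ACL keeps matching on the host name; the DNS tables, addresses and the dstdomain matching semantics are my own constructed assumptions.

```python
"""Constructed simulation (not from the list post): a name-based iptables
allowlist is frozen to the A records seen at load time, while a Squid-style
dstdomain ACL keeps matching on the host name.  All DNS data is made up."""
from typing import Dict, List, Tuple

# Constructed DNS snapshots: at rule-load time and after the CDN rotated IPs.
DNS_AT_LOAD = {"www.cnn.com": ["203.0.113.10", "203.0.113.11"],
               "i.a.cnn.net": ["198.51.100.5"]}
DNS_LATER = {"www.cnn.com": ["203.0.113.10", "203.0.113.12"],
             "i.a.cnn.net": ["198.51.100.77"]}


def expand_iptables_rules(names: List[str], dns: Dict[str, List[str]]) -> List[str]:
    """'-d <fqdn>' becomes one rule per A record at the moment iptables loads it."""
    return [f"-A FORWARD -d {ip} -p tcp --dport 80 -j ACCEPT"
            for name in names for ip in dns[name]]


def iptables_allows(rules: List[str], dst_ip: str) -> bool:
    """The packet filter only ever sees the destination IP, never the name."""
    allowed = {r.split()[3] for r in rules if r.split()[2] == "-d"}
    return dst_ip in allowed


def dstdomain_match(acl_values: List[str], host: str) -> bool:
    """Squid dstdomain semantics as assumed here: a value with a leading dot
    matches that domain and every subdomain; a bare name matches exactly."""
    host = host.lower().rstrip(".")
    for value in acl_values:
        v = value.lower()
        if v.startswith("."):
            if host == v[1:] or host.endswith(v):
                return True
        elif host == v:
            return True
    return False


def compare_after_dns_change(name: str) -> Tuple[bool, bool]:
    """Load iptables rules from DNS_AT_LOAD, then connect to the newest address
    the name has in DNS_LATER.  Returns (iptables_allows, squid_allows)."""
    rules = expand_iptables_rules(list(DNS_AT_LOAD), DNS_AT_LOAD)
    new_ip = DNS_LATER[name][-1]
    return (iptables_allows(rules, new_ip),
            dstdomain_match([".cnn.com", ".cnn.net"], name))


if __name__ == "__main__":
    for n in DNS_LATER:
        ipt, sq = compare_after_dns_change(n)
        print(f"{n}: iptables allows={ipt}, squid dstdomain allows={sq}")
```

Running it shows both names still allowed by the dstdomain ACL after the rotation, while the loaded iptables rules no longer cover the new addresses until the rules are reloaded.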