Allow particular website/port

spdesai at gnvfc.net spdesai at gnvfc.net
Mon Feb 14 06:01:52 CET 2005 

Thank u so much for yr detail explanation..


Quoting Jason Opperisano <opie at 817west.com>:

> On Sun, 2005-02-13 at 01:53, spdesai at gnvfc.net wrote:
> > Hi all...particularly Askar,Eric Leblond,Jason Opperisano (which help me)
> > 
> > I have tried to restrict particular website through IPTABLE and its working
> 
> > file .i have use below rules for that..
> > 
> > Suppose we want to open only www.ndtv.com,www.cnn.com ....then i gave rules
> as 
> > per below order only...
> > 
> > iptables -A FORWARD -s 192.168.1.2 -d www.ndtv.com -p tcp --dport 80 -j
> ACCEPT
> > iptables -A FORWARD -s 192.168.1.2 -d www.cnn.com -p tcp --dport 80 -j
> ACCEPT
> > iptables -A FORWARD -p tcp --dport 80 -j DROP
> 
> ok--this is exactly why *i* personally don't think this is a good way to
> do this.  i'm not trying to say i'm right, but let me at least explain
> why i feel the way i do.  let's go to http://www.cnn.com/ shall we?
> 
> first off; at this moment in time, www.cnn.com resolves to:
> 
>   64.236.16.20
>   64.236.16.52
>   64.236.16.84
>   64.236.16.116
>   64.236.24.4
>   64.236.24.12
>   64.236.24.20
>   64.236.24.28
> 
> your rule that specifies "-d www.cnn.com" will resolve that name to IP
> address(es) at the time the rule is loaded.  if cnn decides to
> add/change the IP's for that FQDN--you will need to reload your rules to
> pick up the change.  IMHO:  strike one.
> 
> k--now we have our 8 filter rules in place for those IP's--let's
> actually fire up our trusty web browser (mosaic...natch).  when i browse
> to http://www.cnn.com/ i make requests to:
> 
>   www.cnn.com
>   i.a.cnn.net
>   i.cnn.net
>   cnn.dyn.cnn.com
> 
> we already have the first one accounted for in our filter rules
> (obviously)--so now, i.a.cnn.net (at this moment in time) resolves to:
> 
>   64.236.40.64
>   64.236.40.5
>   64.236.40.8
>   64.236.40.21
>   64.236.40.32
>   64.236.40.46
>   64.236.40.53
>   64.236.40.63
> 
> note that these are akamai addresses and they *will* change frequently.
> 
> next up is i.cnn.net, which currently resolves to:
> 
>   64.236.16.138
>   64.236.16.139
>   64.236.24.136
>   64.236.24.137
>   64.236.24.138
>   64.236.24.139
>   64.236.16.136
>   64.236.16.137
> 
> and lastly, we have cnn.dyn.cnn.com (which judging from its name is
> probably a dynamic; i.e. changing, address):
> 
>   64.236.22.20
>   64.236.22.21
>   64.236.29.20
>   64.236.29.21
> 
> alright--so to allow access to cnn.com requires 28 rules to allow access
> to 28 IP addresses (generated from the 4 -d $FQDN rules) that can change
> whenever they gosh darn feel like and it's up to me to figure all this
> out...i s'pose we could just allow access to the entire 64.236.0.0/16
> net and be done, right?  one rule, *should* cover whatever IP changes
> they decide, right?  it *is* kind of a shame that we would be allowing
> web browsing into a network owned by AOL though, huh?  sorta defeats the
> purpose.  IMHO:  strike two
> 
> let's also keep in mind--i have not clicked through anything on the site
> yet (and i don't plan to, as this is getting a bit ridiculous), but i'm
> guessing i'd need to analyze more traffic, and add more hosts if i
> wanted to watch one of their videos, or listen to their radio etc...
> 
> but there no easier way to do this, right?  when all you have is a
> hammer, every problem starts to look like a nail, or something like
> that.
> 
> i personally am not willing to go through that much effort for my users
> (or myself, actually).  i also prefer not not implement solutions that
> require constant care and feeding like the above.  not when i can add:
> 
>   acl cnn dstdomain .cnn.com .cnn.net
>   http_access allow cnn
> 
> to my squid.conf and move on with my life.
> 
> -j
> 
> ps - i'm aware there was never a strike three.  if you want to put in
> the effort to do this, more power to you.  in my experience people that
> start down this path either (a) give up on it and decide to use a
> app-level filter (b) give up on it and just allow everything or (c) let
> it rot away to the point where users lose faith that the admin has any
> clue as to what he/she is doing.
> 
> --
> "It takes two to lie. One to lie and one to listen."
> 	--The Simpsons
> 
> 
> 




-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

More information about the netfilter mailing list