iptables question
Dan Ritter
dsr-mzpnVDyJpH4k7aNtvndDlA at public.gmane.org
Fri Oct 23 18:07:01 EDT 2009
On Fri, Oct 23, 2009 at 01:13:01PM -0700, Dave Peters wrote:
> Is there any way to use iptables to block a domain name rather than an IP address?
>
> Example: to block hotmail.com.
>
> I tried this: iptables -A FORWARD -d hotmail.com -j REJECT, and it won't work.
Right. You need to use a DNS lookup utility (say, dig) to turn
domain names into lists of IPs.
If you're doing a lot of this, you may want to create new chains
per service to maintain performance, i.e.
iptables -N ssh
iptables -N smtp
iptables -N web
iptables -A FORWARD -p tcp --dport 22 -j ssh
iptables -A FORWARD -p tcp --dport 25 -j smtp
iptables -A FORWARD -p tcp --dport 587 -j smtp
iptables -A FORWARD -p tcp --dport 80 -j web
iptables -A FORWARD -p tcp --dport 443 -j web
as a presort, then do the more complex manipulations in those
chains.
-dsr-
--
http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference.
You can't defend freedom by getting rid of it.
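The approach described in the reply above, as an added example that is not part of the original post: resolve a domain to its current A records with dig, keep only the IPv4 lines (dig +short prints CNAME targets first for aliases), and emit REJECT rules into one of the per-service presort chains. The script prints the iptables commands rather than running them, so they can be reviewed before being piped to sh; the chain name "web" and the domain are taken from the reply, and the sample dig output used for testing is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes dig (bind-utils/dnsutils)
# and iptables are installed; no rules are applied unless you pipe the output to sh.

# Resolve a domain to its A records with dig (needs network access).
resolve_ipv4() {
    dig +short A "$1"
}

# Keep only dotted-quad IPv4 lines; dig +short also prints CNAME targets,
# which must not end up in a -d match. Reads stdin, writes stdout.
filter_ipv4() {
    grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Turn a list of addresses on stdin into REJECT rules for the given chain.
block_rules() {
    chain="$1"
    while read -r ip; do
        [ -n "$ip" ] || continue
        printf 'iptables -A %s -d %s -j REJECT\n' "$chain" "$ip"
    done
}

# The per-service presort from the reply for the web chain. Creating the
# chain is made idempotent so the script can be rerun after DNS changes.
presort_rules() {
    cat <<'EOF'
iptables -N web 2>/dev/null || true
iptables -A FORWARD -p tcp --dport 80 -j web
iptables -A FORWARD -p tcp --dport 443 -j web
EOF
}

# Usage: sh block-domain.sh DOMAIN CHAIN | less   (review, then pipe to sh)
if [ "$#" -ge 2 ]; then
    presort_rules
    resolve_ipv4 "$1" | filter_ipv4 | block_rules "$2"
fi
```

The rules only reflect the addresses dig returned at the moment the script ran; large mail or web services rotate and add addresses, so the generated rule set goes stale and has to be regenerated (flush the chain with iptables -F web first, then reapply) whenever the DNS answers change.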