Linux – dropping all requests for a specific domain

iptableslinuxport-forwardingPROXY

I'm on a simple linux proxy. I'd like to add iptable rules to drop all requests for a specific domain. I figured I run a dig command to get the ip addresses for the domain and then add an iptable rule for each one. It seems, however, that it doesn't work to bind to more than one ip address. So, it seems I need to add ip ranges like this…

iptables -I FORWARD -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 443 -j DROP

That seems to work. However, it has proven pretty problematic to parse the output of dig and correctly create the appropriate iptable rules. Is there a better way?

Best Answer

You can specify hostnames in iptables commands which will get resolved at rule-add time. Hostnames which resolve to multiple IPs are also supported, although they generate multiple rules.

% sudo iptables --append FORWARD --protocol tcp --destination www.google.com --dport 443 --jump DROP
% sudo iptables -nL FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  0.0.0.0/0            74.125.224.147       tcp dpt:443
DROP       tcp  --  0.0.0.0/0            74.125.224.145       tcp dpt:443
DROP       tcp  --  0.0.0.0/0            74.125.224.148       tcp dpt:443
DROP       tcp  --  0.0.0.0/0            74.125.224.144       tcp dpt:443
DROP       tcp  --  0.0.0.0/0            74.125.224.146       tcp dpt:443

Related Solutions

Iptables – Flushing iptables on ubuntu

If the default policy for the chains is DENY then all connections will be cut since there's no longer any way to communicate via TCP/IP. Set the default policies to ACCEPT before flushing, and then back to DENY after re-establishing the rules.

Iptables ESTABLISHED,RELATED chain problems

Netfilter has dropped the connection from the state table. One of the timeouts in /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_* has expired. I'm guessing it is nf_conntrack_tcp_timeout_last_ack.

Here is a scenario: Your web server sends a final packet with some data and fin set. The client goes comatose for 30 seconds. Netfilter removes the entry from the state table. The client wakes up and sends a fin ack that is not part of a tracked connection anymore.

I see this all the time on web servers. It is client problem.

If you want to verify that you could record the state table (/proc/net/nf_conntrack) and correlate that with the firewall log.

Edit: I had the direction reversed but the concept applies. In this case his server is making outgoing https connections so it is actually the client and the remote web server may be slow to respond.

The rule

/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT

has nothing to do with it. It is about DST port 443 and this is SPT 443.

Best Answer

Related Solutions

Iptables – Flushing iptables on ubuntu

Iptables ESTABLISHED,RELATED chain problems

Related Topic