Hi,
iptables works at the IP address / port / interface etc. level and doesn't deal in canonical names (e.g.
as such. You can of course do stuff like:
# drop anything arriving from, or being sent to, the 207.46.0.0/16 range
/sbin/iptables -A INPUT -s 207.46.0.0/16 -j DROP
/sbin/iptables -A OUTPUT -d 207.46.0.0/16 -j DROP
# masquerade everything leaving eth1 except traffic bound for that range
# (negation goes before the option; the /16 mask must be given or only the single address matches)
/sbin/iptables -t nat -A POSTROUTING -o eth1 ! -d 207.46.0.0/16 -j MASQUERADE
(eth1 being the internet interface)
... which would drop most (all?) of the traffic to and from the evil empire.
If you want to control access to the internet on a site-by-site etc. basis, it's actually easier to use the squid cache proxy server and the ACLs it provides; that's got what you are looking for and more.
The only drawback to using squid vs. IP masquerading is that it only proxies HTTP protocols, which can be a constraint; however, you can use it in conjunction with masquerading by having the masquerade rules active but not for ports 80, 443, etc.
Hope this helps
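The combination the reply describes, written out as a small firewall script. This is an added example and not code from the original post: it assumes the internet interface is eth1, the LAN is 192.168.1.0/24, and that squid handles ports 80 and 443 for the LAN clients (all three are constructed placeholders). Setting IPT=echo prints the rules instead of loading them, which is also how the functions can be checked without root. Beyond the original rules, it also drops forwarded packets to and from the blocked range (the INPUT/OUTPUT rules alone only cover the gateway's own traffic) and refuses direct web traffic from the LAN, so clients get an immediate error rather than a silent timeout when they bypass the proxy.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholder values: eth1,
# 192.168.1.0/24, ports 80,443 and the squid ACL domains are all constructed.
# IPT=echo turns the script into a dry run that prints the rules.
IPT="${IPT:-/sbin/iptables}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Block a network in both directions: the gateway's own traffic (INPUT/OUTPUT)
# and traffic routed on behalf of LAN hosts (FORWARD).
block_net() {
    net="$1"
    $IPT -A INPUT   -s "$net" -j DROP
    $IPT -A OUTPUT  -d "$net" -j DROP
    $IPT -A FORWARD -s "$net" -j DROP
    $IPT -A FORWARD -d "$net" -j DROP
}

# Masquerade LAN traffic leaving the internet interface, except for the TCP
# ports squid is meant to handle. RETURN leaves the nat chain early, so those
# packets fall through to the chain's default (no NAT), and the FORWARD rule
# rejects them outright so clients are pushed through the proxy and its ACLs.
masquerade_except_proxied() {
    ports="$1"   # comma-separated list, e.g. 80,443
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" \
        -p tcp -m multiport --dports "$ports" -j RETURN
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    $IPT -A FORWARD -o "$WAN_IF" -s "$LAN_NET" \
        -p tcp -m multiport --dports "$ports" -j REJECT --reject-with tcp-reset
}

# Emit the squid.conf fragment that does the per-site control the reply points
# to: one dstdomain ACL covering the given domains, then a deny rule for it.
# A leading dot in squid's dstdomain syntax matches the domain and all subdomains.
squid_site_acl() {
    name="$1"; shift
    printf 'acl %s dstdomain' "$name"
    for d in "$@"; do printf ' %s' "$d"; done
    printf '\nhttp_access deny %s\n' "$name"
}

# Only apply (or dry-run) when asked to, so the functions can be sourced safely.
case "${1-}" in
    apply|dry-run)
        [ "$1" = "dry-run" ] && IPT=echo
        block_net 207.46.0.0/16
        masquerade_except_proxied 80,443
        squid_site_acl blocked_sites .example.com .example.net
        ;;
esac
```

Run it as `sh firewall.sh dry-run` to see the rule set, then `sh firewall.sh apply` as root. The squid fragment goes into squid.conf before any `http_access allow` line, since squid evaluates http_access rules in order and stops at the first match.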