* FQDN filtering
From: rockey dada @ 2005-08-30 12:58 UTC
To: netfilter
Is there any way one can use IPTABLES to filter traffic based on "Fully
Qualified Domain Names"?
Rgds
* Re: FQDN filtering
From: Leonardo Rodrigues Magalhães @ 2005-08-30 13:22 UTC
To: rockey dada; +Cc: netfilter
Well .... yes it can and no it cannot.
All rules can have an FQDN instead of IPs. But FQDNs will be resolved to
IPs and the rules will be created using IPs.
Rule:
iptables -A INPUT -s www.microsoft.com -j DROP
is completely valid, but will be translated to:
iptables -A INPUT -s 207.46.198.30 -j DROP
iptables -A INPUT -s 207.46.198.60 -j DROP
iptables -A INPUT -s 207.46.199.30 -j DROP
iptables -A INPUT -s 207.46.225.60 -j DROP
iptables -A INPUT -s 207.46.18.30 -j DROP
iptables -A INPUT -s 207.46.19.30 -j DROP
iptables -A INPUT -s 207.46.19.60 -j DROP
iptables -A INPUT -s 207.46.20.60 -j DROP
when you hit the ENTER key or execute your firewall script. You will
not see 'www.microsoft.com' if you do 'iptables -nL -v', you will only
see the translated IP addresses. If the FQDN changes IP addresses, iptables
will not see that change because the DNS query that looks up the IPs is done
only when the rule is created.
I think there's a limit on how many IPs iptables can handle for a
single FQDN, but I don't know what this limit is.
iptables seems to be unable to have rules with an FQDN and keep the FQDN
instead of IPs.
Anyway, filtering FQDNs seems to be nice at the application level and
not always at the IP level. Are you thinking of web filtering??? Why not
use an HTTP proxy (squid) for doing that?? Are you thinking of SPAM
fighting?? Why not use your MTA's capabilities for that??
Sincerely,
Leonardo Rodrigues
* RE: FQDN filtering
From: Baake, Matthias @ 2005-08-30 13:23 UTC
To: rockey dada; +Cc: Netfilter (E-Mail)
Hi,
AFAIK it is possible, but the hostname will be resolved when the rule is executed.
This means if there is a DNS update, the resolved IP may not match the hostname you want to filter.
So I would say: better be careful.
Greets,
Matthias
* Re: FQDN filtering
From: /dev/rob0 @ 2005-08-30 14:54 UTC
To: netfilter
> rockey dada escreveu:
> >Is there any way one can use IPTABLES to filter traffic based on
> > "Fully Qualified Domain Names".
> >
On Tuesday 2005-August-30 08:22, Leonardo Rodrigues Magalhães wrote:
> Anyway, filtering FQDNs seems to be nice on application level and
> not always on IP level. Are you thinking on web filtering ??? Why not
> using a http proxy (squid) for doing that ?? Are you thinking on SPAM
> fighting ?? Why not using your MTA capabilities for that ??
A more basic and cross-protocol approach would be to intercept and
redirect all DNS traffic into a transparent proxy, and have your
nameserver be authoritative for the [un]wanted FQDNs. Definitely, the
OP must be more explicit about the goal if a useful answer is wanted.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
* Re: FQDN filtering
From: InfoMail @ 2005-08-30 15:22 UTC
To: Leonardo Rodrigues Magalhães; +Cc: rockey dada, netfilter
This is the rule and below is the error. Is this meant to work?
$IPTAB -A OUTPUT -p tcp -o eth0 -s 0/0 -d www.microsoft.com -j DROP
##$IPTAB -A FORWARD -s 0/0 -d www.microsoft.com -m state --state NEW -j DROP
starting rules for NATing
iptables v1.2.11: host/network `www.microsoft.com' not found
Try `iptables -h' or 'iptables --help' for more information.
* Re: FQDN filtering
From: /dev/rob0 @ 2005-08-30 17:23 UTC
To: netfilter
Please do not top-post. Thank you.
On Tuesday 2005-August-30 10:22, InfoMail wrote:
> this is the rule and below is the error .. is this meant to work
>
> $IPTAB -A OUTPUT -p tcp -o eth0 -s 0/0 -d www.microsoft.com -j DROP
> ##$IPTAB -A FORWARD -s 0/0 -d www.microsoft.com -m state --state NEW
> -j DROP
To do this most effectively, consider using HTTP proxy servers, like
Squid ( http://www.squid-cache.org/ ).
Again you're not explicit about your goal. Allow me to give an example:
"I want to block all HTTP access to servers at www.microsoft.com., for
hosts in my NAT'ed network." Squid is the best means of that; my DNS
hijacking idea in the other post might also work, although it would
also affect anything else resolving from www.microsoft.com, not just
HTTP.
Or: "I want to block all access, all protocols, to all Microsoft
servers, from my host and from NAT'ed hosts."
Say what it is you want to do!
I sense also a likely misunderstanding of the roles of the built-in
chains. OUTPUT only affects traffic which originated on the machine
itself. If you're wanting to block NAT'ed traffic, you need to do this
in FORWARD. Please see "man iptables".
> starting rules for NATing
> iptables v1.2.11: host/network `www.microsoft.com' not found
> Try `iptables -h' or 'iptables --help' for more information.
The problem here is that at the time your script tries to run that
iptables command, your rules do not yet allow DNS access to your
nameserver[s].
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
* Re: FQDN filtering
From: rb @ 2005-08-30 17:41 UTC
To: netfilter
On Tue, 30 Aug 2005 05:58:09 -0700 (PDT)
rockey dada <rockeydada@yahoo.com> wrote:
> Is there any way one can use IPTABLES to filter traffic based on "Fully
> Qualified Domain Names".
Not really. Userspace tools can do DNS lookups when executed, but
the rules inserted into the (kernelspace) netfilter will NEVER do
any DNS lookups. (And I'm glad nobody even thought about implementing
this :) ).
So /dev/rob0 is right: use proxies for this kind of filtering.
Even if you rely on DNS lookups while creating the netfilter rules
you can't be sure you got ALL entries in a RR-DNS record, AND after
inserting the rules you can't be sure the entries do not change.
virtual
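As an added example that is not part of the thread: a small POSIX shell script that does what Leonardo describes (the FQDN is resolved once, at rule-creation time, and one rule is emitted per address) and adds the check that Matthias and rb are warning about, re-resolving later to detect that the address set behind the name has drifted. The resolver is a constructed stand-in with documentation-range addresses so the script runs offline; the hostname www.example.test and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Expands an FQDN into the per-address
# rules iptables would create at rule-creation time, and keeps the address set
# so a later run can tell that the name now resolves differently.

# Constructed stand-in resolver so the script runs offline: prints one IPv4
# address per line. For real use replace the body with, for example,
#   getent ahostsv4 "$1" | awk '{print $1}' | sort -u
# and load the rules that allow DNS traffic *before* this runs; the
# "host/network not found" error in the thread is that ordering problem.
resolve_fqdn() {
    case "$1" in
        www.example.test) printf '%s\n' 203.0.113.10 203.0.113.20 203.0.113.30 ;;
        *) return 1 ;;
    esac
}

# Print the commands a single "-d FQDN" rule expands to: one rule per address.
# Usage: expand_rule CHAIN FQDN
expand_rule() {
    chain=$1; fqdn=$2
    addrs=$(resolve_fqdn "$fqdn") || { echo "cannot resolve $fqdn" >&2; return 1; }
    for ip in $addrs; do
        printf 'iptables -A %s -d %s -j DROP\n' "$chain" "$ip"
    done
}

# Return 0 (changed) if FQDN no longer resolves to exactly the addresses in OLD
# (space-separated, the set the rules were built from), else 1 (unchanged).
# A change means the installed per-IP rules no longer match the name.
snapshot_changed() {
    fqdn=$1; old=$2
    current=$(resolve_fqdn "$fqdn" | sort | tr '\n' ' ')
    saved=$(printf '%s\n' $old | sort | tr '\n' ' ')
    [ "$current" != "$saved" ]
}

# Demo: what "iptables -A FORWARD -d www.example.test -j DROP" becomes.
expand_rule FORWARD www.example.test
```

Run snapshot_changed from cron with the address list saved at install time; a return of 0 is the signal to rebuild the rules.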