Filtering based on domains

Filtering based on domains

[Szabolcs Illes]

Hi,

I wonder If anyone knows any iptables extension which can be used to limit
access based on a domains.

I have a Darvin Streaming Server and I would like the restrict the streaming
to ac.uk domain.

Cheers,
Szabolcs


-- 
The University of Westminster is a charity and a company limited by
guarantee.  Registration number: 977818 England.  Registered Office:
309 Regent Street, London W1B 2UW, UK.

RE: Filtering based on domains

[info]

Have a look for gepip  which allows acces rules per country (it's in
pom-ng)

Cheers
Chirs 

> -----Original Message-----
> From: netfilter-owner@vger.kernel.org 
> [mailto:netfilter-owner@vger.kernel.org] On Behalf Of Szabolcs Illes
> Sent: Tuesday, September 25, 2007 4:42 PM
> To: netfilter@vger.kernel.org
> Subject: Filtering based on domains
> 
> Hi,
> 
> I wonder If anyone knows any iptables extension which can be 
> used to limit access based on a domains.
> 
> I have a Darvin Streaming Server and I would like the 
> restrict the streaming to ac.uk domain.
> 
> Cheers,
> Szabolcs
> 
> 
> --
> The University of Westminster is a charity and a company 
> limited by guarantee.  Registration number: 977818 England.  
> Registered Office:
> 309 Regent Street, London W1B 2UW, UK.
> -
> To unsubscribe from this list: send the line "unsubscribe 
> netfilter" in the body of a message to 
> majordomo@vger.kernel.org More majordomo info at  
> http://vger.kernel.org/majordomo-info.html
> 
> 

Re: Filtering based on domains

[Grant Taylor]

On 9/25/2007 4:26 PM, info wrote:
> Have a look for gepip  which allows acces rules per country (it's in 
> pom-ng)

I think you may mean geoip.



Grant. . . .

Re: Filtering based on domains

[G.W. Haywood]

Hi there,

On Tue, 25 Sep 2007, Grant Taylor wrote:

> On 9/25/2007 4:26 PM, info wrote:
> > Have a look for gepip  which allows acces rules per country (it's in
> > pom-ng)
>
> I think you may mean geoip.

Either way, I don't think it will do what the OP wants.

I think he'll have to do something in user space, or (probably better)
do it a different way.  Obviously the performance hit of a DNS lookup
for every connection could be serious.

--

73,
Ged.

Re: Filtering based on domains

[Grant Taylor]

On 09/26/07 00:30, G.W. Haywood wrote:
> Either way, I don't think it will do what the OP wants.

(with my head slanted sideways with a confused look on my face)
Hugh???

> I think he'll have to do something in user space, or (probably 
> better) do it a different way.  Obviously the performance hit of a 
> DNS lookup for every connection could be serious.

I have never used GeoIP my self so I can't say for sure, but it was my 
(mis)understanding that GeoIP was intended to associate IP ranges with 
specific countries.  Thus the OPs request may seems to be a perfect 
match for GeoIP.  But seeing as how I have never used it my self, I 
don't know how it is implemented.  I have not really given it any thought...

If you know any more about GeoIP please enlighten me.  TIA



Grant. . . .

Re: Filtering based on domains

[Grant Taylor]

On 09/26/07 09:05, Grant Taylor wrote:
> I have never used GeoIP my self so I can't say for sure, but it was my 
> (mis)understanding that GeoIP was intended to associate IP ranges with 
> specific countries.  Thus the OPs request may seems to be a perfect 
> match for GeoIP.  But seeing as how I have never used it my self, I 
> don't know how it is implemented.  I have not really given it any 
> thought...
> 
> If you know any more about GeoIP please enlighten me.  TIA

I just did some quick reading on GeoIP and found that it uses a local 
database rather than using DNS lookups.  So, this probably would be a 
viable solution for the OP.

Of course this presumes that the OP is wanting to restrict access to / 
from the source / destination IP address domain and not the domain of 
pages being served by the web server.  For this, the OP would need some 
sort of layer 7 filtering, say a filtering proxy server, ala Squid.

Again, if I'm wrong, or misunderstood something please let me know.



Grant. . . .

Re: Filtering based on domains

[G.W. Haywood]

Hi there,

On Wed, 26 Sep 2007, Grant Taylor wrote:

> > I have never used GeoIP my self so I can't say for sure, but it was my
> > (mis)understanding that GeoIP was intended to associate IP ranges with
> > specific countries.  Thus the OPs request may seems to be a perfect
> > match for GeoIP.

The OP didn't ask about countries, but about one particular domain,
ac.uk, (which is roughly what you'd call .edu over there in Columbia. :)

My own misunderstanding was that GeoIP doesn't have the facility to
split out the ac.uk domain but it turns out that I was wrong:

http://www.maxmind.com/app/products

at the bottom of the page it's now specifically mentioned.

Please accept my apologies for my mistake.

--

73,
Ged.

Re: Filtering based on domains

[Grant Taylor]

On 09/26/07 13:55, G.W. Haywood wrote:
> The OP didn't ask about countries, but about one particular domain, 
> ac.uk, (which is roughly what you'd call .edu over there in Columbia. 
> :)

Dough!  You are quite right.  I had mis-read the request and was 
thinking just the country.

> My own misunderstanding was that GeoIP doesn't have the facility to
> split out the ac.uk domain but it turns out that I was wrong:
> 
> http://www.maxmind.com/app/products
> 
> at the bottom of the page it's now specifically mentioned.

*nod*

> Please accept my apologies for my mistake.

No one has to be right or wrong.  That's one of the nice things about 
discussions on mailing lists where everyone behaves like the mature 
adults that they are.  We can all grow and learn from each others 
mistakes and experiences.  ;)



Grant. . . .