On Fri, Oct 23, 2009 at 06:07:01PM -0400, Dan Ritter wrote:
> On Fri, Oct 23, 2009 at 01:13:01PM -0700, Dave Peters wrote:
> > Is there any way to use iptables blocking domain name not IP address?
> >
> > Example to block hotmail.com.
> >
> > I tried this iptables -A FORWARD -d hotmail.com -j REJECT and it won't work.
>
> Right. You need to use a DNS lookup utility (say, dig) to turn
> domain names into lists of IPs.

Even this probably won't work the way you expect, and may actually cause more problems than it fixes. Why? Simple: hosting. A lot of, ah, let's call them "internet entities" are hosting a variety of services on someone else's equipment. For example, if you're trying to block all traffic from a prominent ad server, you may find that blocking the IPs that resolve to their servers also results in blocking a TON of other sites, because they're in fact all served from the same machines, provided by the same hosting service. Web traffic is the most obvious widely hosted service, but it's far from the only one.

There are other problems too. If -- for example -- you're trying to block all e-mail from some web mail site, you may find that the incoming traffic comes from servers (their outgoing mail relays) which are not advertised as being systems in that domain, nor are they on IP address space registered to that company. Identifying the correct IP ranges to block may be a real challenge.

Unless the site you're trying to block is very small, or the traffic you are trying to block is very targeted (which seems opposite the intent here), it may well be that there is no practical way to do this, and trying will only cause you pain.

But, as the man said, it really depends on what you're trying to do.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in undeliverable mail due to spam prevention. Sorry for the inconvenience.
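The approach Dan describes (resolve the name with dig, then write rules for the resulting addresses) and the shared-hosting problem Derek warns about, as an added example that is not part of the original thread. The script only prints the iptables rules so they can be reviewed before being applied; the `resolve_a` helper is the one part that needs a network and `dig`. The address list and the name-to-address table are constructed for the demonstration (RFC 5737 documentation ranges, `.example` names) and do not describe any real site.

```shell
#!/bin/sh
# Added example: turn a domain's A records into iptables REJECT rules, and
# check whether an address is shared with other names before blocking it.
# The sample addresses and table below are constructed, not real data.

# resolve_a DOMAIN: live lookup, prints one IPv4 address per line.
# Needs network access and dig; CNAME targets in the output are skipped.
resolve_a() {
    dig +short A "$1" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# gen_reject_rules DOMAIN IP...: emit one FORWARD rule per distinct IPv4,
# in the form Dave tried. Entries that are not dotted quads (CNAME targets,
# blank lines) are dropped and duplicates are collapsed, so re-running the
# resolver never yields the same rule twice.
gen_reject_rules() {
    domain=$1
    shift
    printf '%s\n' "$@" \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
      | sort -u \
      | while IFS= read -r ip; do
            printf 'iptables -A FORWARD -d %s -j REJECT\n' "$ip"
        done
}

# other_names_on IP DOMAIN TABLE: print every name in TABLE (lines of
# "name address") that resolves to IP, excluding DOMAIN itself.
# A non-empty result is the shared-hosting case from the thread: a REJECT
# on that address also cuts off the listed sites.
other_names_on() {
    ip=$1
    domain=$2
    table=$3
    printf '%s\n' "$table" \
      | awk -v ip="$ip" -v d="$domain" '$2 == ip && $1 != d { print $1 }'
}

# Constructed name->address table. In practice you would build it from
# passive DNS or your own resolver logs; none of these names are real.
SAMPLE_TABLE='blocked.example 192.0.2.10
blocked.example 192.0.2.11
shop.example 192.0.2.10
news.example 192.0.2.10
unrelated.example 198.51.100.5'

# demo: generate rules for the constructed domain and flag shared addresses.
demo() {
    domain=blocked.example
    # Constructed stand-in for `resolve_a "$domain"` so the demo runs offline.
    addrs='192.0.2.10
192.0.2.11
192.0.2.10
cname.target.example.'
    gen_reject_rules "$domain" $addrs
    for ip in $(printf '%s\n' "$addrs" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u); do
        shared=$(other_names_on "$ip" "$domain" "$SAMPLE_TABLE")
        if [ -n "$shared" ]; then
            printf '# WARNING: %s is shared with: %s\n' "$ip" "$(printf '%s' "$shared" | tr '\n' ' ')"
        fi
    done
}

if [ "${1-}" = demo ]; then
    demo
fi
```

Run it as `sh block-by-name.sh demo` to see the two rules plus a warning that 192.0.2.10 would also take down shop.example and news.example; swap the constructed `addrs` for `resolve_a "$domain"` to use live records.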