Linux Security Cookbook [Electronic resources] (text version)
Daniel J. Barrett, Robert G. Byrnes, Richard Silverman
Recipe 2.9 Blocking Outgoing Access to All Web Servers on a Network



2.9.1 Problem


You want to prevent outgoing access to a network, e.g., all web servers at yahoo.com.


2.9.2 Solution


Figure out how to specify the yahoo.com network, e.g., 64.58.76.0/24, and reject web access:

For iptables:

# iptables -A OUTPUT -p tcp -d 64.58.76.0/24 --dport www -j REJECT

For ipchains:

# ipchains -A output -p tcp -d 64.58.76.0/24 --dport www -j REJECT


2.9.3 Discussion


Here the network is specified using Classless Inter-Domain Routing (CIDR) mask format, a.b.c.d/N, where N is the number of bits in the netmask. In this case, N=24, so the first 24 bits of the address are the network portion and the remaining 8 bits identify hosts within it.


2.9.4 See Also


iptables(8), ipchains(8).






You can supply hostnames instead of IP addresses in your firewall rules. If DNS reports multiple IP addresses for that hostname, a separate rule will be created for each IP address. For example, www.yahoo.com has (at this writing) 11 IP addresses:

$ host www.yahoo.com
www.yahoo.com is an alias for www.yahoo.akadns.net.
www.yahoo.akadns.net has address 216.109.125.68
www.yahoo.akadns.net has address 64.58.76.227
...

So you could block access to Yahoo, for example, and view the results by:

iptables:

# iptables -A OUTPUT -d www.yahoo.com -j REJECT
# iptables -L OUTPUT

ipchains:

# ipchains -A output -d www.yahoo.com -j REJECT
# ipchains -L output

Security experts recommend that you use only IP addresses in your rules, not hostnames, since an attacker could poison your DNS and circumvent rules defined for hostnames. However, the hostnames are relevant only at the moment you run iptables or ipchains to define a rule, as the program looks up the underlying IP addresses immediately and stores them in the rule. So you could conceivably use hostnames for convenience when defining your rules, then check the results (via the output of iptables-save or ipchains-save [Recipe 2.19]) to confirm the IP addresses.
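The two ideas above, the CIDR netmask arithmetic from the Discussion and the one-rule-per-address expansion that iptables performs for a hostname, as an added shell example that is not from the book. It only prints the rules it would generate (nothing is applied), and the two sample addresses are constructed from the host output shown earlier.

```bash
#!/bin/bash
# Added example (not from the Linux Security Cookbook): CIDR membership check
# and per-address rule generation. Nothing here modifies the firewall.

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains NET/N IP -> status 0 if IP is inside NET/N, 1 otherwise.
# The first N bits of both addresses must match, exactly as the book
# describes for a.b.c.d/N.
cidr_contains() {
    local net=${1%/*} bits=${1#*/} ip=$2
    local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$ip") & mask )) ]
}

# rules_for_addresses CHAIN ADDR... -> one REJECT rule per literal address.
# Writing the resolved IPs out like this is what iptables-save would show
# after a hostname-based rule was added, and it lets you review the
# addresses before (re)loading them without depending on DNS.
rules_for_addresses() {
    local chain=$1 addr
    shift
    for addr in "$@"; do
        echo "iptables -A $chain -p tcp -d $addr --dport www -j REJECT"
    done
}

# Constructed sample: two of the addresses the host output above reports.
SAMPLE_ADDRS="216.109.125.68 64.58.76.227"

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    cidr_contains 64.58.76.0/24 64.58.76.227 && echo "64.58.76.227 is in 64.58.76.0/24"
    rules_for_addresses OUTPUT $SAMPLE_ADDRS
fi
```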
