From: JeahJeah on
Hi,

I have a small home network of Windows machines with an Ubuntu machine
acting as an ICS gateway, and firewall. I want to block the windows
machines from accessing certain hosts. Trouble is, iptables blocks
IPs, not hostnames.

I think the best way to proceed would be to configure the firewall to
block the DNS protocol, and add a DNS server, and then enable only
traffic to that, while also black holing the offending hostname.

Does that sound like the best way to do this?
From: jack on
JeahJeah wrote:
> Hi,
>
> I have a small home network of Windows machines with an Ubuntu machine
> acting as an ICS gateway, and firewall. I want to block the windows
> machines from accessing certain hosts. Trouble is, iptables blocks
> IPs, not hostnames.
>
> I think the best way to proceed would be to configure the firewall to
> block the DNS protocol, and add a DNS server, and then enable only
> traffic to that, while also black holing the offending hostname.
>
> Does that sound like the best way to do this?

It's possible, but I'd rather block direct port 80/443 access and
install a squid proxy on the firewall. Then create an access list in
/etc/squid.conf, or use something like squidGuard.

-j
From: JeahJeah on
On Jul 12, 10:04 am, jack <jcfmast...(a)yahoo.com> wrote:
> JeahJeah wrote:
> > Hi,
>
> > I have a small home network of Windows machines with an Ubuntu machine
> > acting as an ICS gateway, and firewall.  I want to block the windows
> > machines from accessing certain hosts.  Trouble is, iptables blocks
> > IPs, not hostnames.
>
> > I think the best way to proceed would be to configure the firewall to
> > block the DNS protocol, and add a DNS server, and then enable only
> > traffic to that, while also black holing the offending hostname.
>
> > Does that sound like the best way to do this?
>
> It's possible, but I'd rather block direct port 80/443 access and
> install a squid proxy on the firewall. Then create an access list in
> /etc/squid.conf, or use something like squidGuard.
>
> -j

That would only block web traffic though, right?
From: Enrico on
On Mon, 12 Jul 2010 11:36:48 -0700, JeahJeah wrote:

> That would only block web traffic though, right?

HTTP is the only protocol that uses "virtual hosting". The others,
IMHO, can be blocked by IP filtering.

Enrico
From: jack on
JeahJeah wrote:
> On Jul 12, 10:04 am, jack <jcfmast...(a)yahoo.com> wrote:
>> JeahJeah wrote:
>>> Hi,
>>> I have a small home network of Windows machines with an Ubuntu machine
>>> acting as an ICS gateway, and firewall. I want to block the windows
>>> machines from accessing certain hosts. Trouble is, iptables blocks
>>> IPs, not hostnames.
>>> I think the best way to proceed would be to configure the firewall to
>>> block the DNS protocol, and add a DNS server, and then enable only
>>> traffic to that, while also black holing the offending hostname.
>>> Does that sound like the best way to do this?
>> It's possible, but I'd rather block direct port 80/443 access and
>> install a squid proxy on the firewall. Then create an access list in
>> /etc/squid.conf, or use something like squidGuard.
>>
>> -j
>
> That would only block web traffic though, right?

Yes. Best practice seems to be to set up the firewall to block
everything unless specifically allowed, especially where Windows
machines are involved. 'Holes' are opened for what is allowed through,
like ssh, nntp, http/https and DNS.

If you want to leave the machines free to open any outbound connection
except for connections to certain hosts, black-holing the DNS is not
really a solution - the machines can still open a connection using
direct IP addresses. You can enter iptables rules using hostnames - with
the provision that the hostnames will be resolved to an IP address at
the time the rule is /loaded/. If the hosts use dynamic IPs, or if they
move to another IP for whatever reason, that means re-loading the ruleset.

-j
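The load-time resolution caveat in jack's last reply, as an added example that is not code from the thread: a small Python helper that resolves a hostname blocklist, emits the iptables commands for a dedicated DROP chain on the gateway's FORWARD path, and reports which hosts have changed address since the ruleset was loaded (so a cron job knows when to reload). The chain name HOST_BLOCK, the hostnames and the addresses are constructed for the demo; only `system_resolver` touches real DNS.

```python
import socket
from typing import Callable, Dict, List, Set

Resolver = Callable[[str], Set[str]]


def system_resolver(hostname: str) -> Set[str]:
    """All current IPv4 addresses of a host. This is the same one-shot lookup
    iptables performs when a rule written with -d HOSTNAME is loaded."""
    _, _, addrs = socket.gethostbyname_ex(hostname)
    return set(addrs)


def resolve_hosts(hostnames: List[str], resolver: Resolver = system_resolver) -> Dict[str, Set[str]]:
    """Snapshot hostname -> address set; save it next to the loaded ruleset."""
    return {h: resolver(h) for h in hostnames}


def build_rules(resolved: Dict[str, Set[str]], chain: str = "HOST_BLOCK") -> List[str]:
    """iptables commands that (re)build the chain and hook it into FORWARD.
    The hostname is kept as a rule comment so `iptables -L HOST_BLOCK` shows
    which host each literal IP came from."""
    rules = [f"iptables -N {chain} 2>/dev/null || true", f"iptables -F {chain}"]
    for host in sorted(resolved):
        for ip in sorted(resolved[host]):
            rules.append(f"iptables -A {chain} -d {ip} -m comment --comment {host} -j DROP")
    # -C checks whether the jump already exists; insert it at the top only if not.
    rules.append(f"iptables -C FORWARD -j {chain} 2>/dev/null || iptables -I FORWARD 1 -j {chain}")
    return rules


def stale_hosts(loaded: Dict[str, Set[str]], current: Dict[str, Set[str]]) -> List[str]:
    """Hosts whose address set differs from the snapshot the rules were built
    from: the literal IPs in the loaded chain no longer match, so reload."""
    return sorted(h for h in current if loaded.get(h) != current[h])


# Constructed sample data (documentation-range addresses, not real hosts):
# the snapshot the chain was built from earlier vs. what DNS says now.
LOADED = {"blocked.example": {"203.0.113.10"}, "other.example": {"198.51.100.7"}}
CURRENT = {"blocked.example": {"203.0.113.10", "203.0.113.11"}, "other.example": {"198.51.100.7"}}

if __name__ == "__main__":
    for line in build_rules(CURRENT):
        print(line)
    print("hosts needing a rule reload:", stale_hosts(LOADED, CURRENT))
```

Running the printed commands requires root on the gateway; the script itself only generates them.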