Server Fault Asked by light9876 on November 4, 2021
According to my information, it is better not to use the command:
iptables -A INPUT -s example.com -j DROP
because example.com will be replaced in real time with an IP address, which will not cover all possible IP addresses.
But if I use:
iptables -A INPUT -m string --string "example" --algo kmp -j DROP
(taken from this answer, and I tested it myself), then I no longer need to worry about IP substitution, because "example" will match "example.com" and it will block it.
So if iptables only works with IP addresses, why does it work on names in the second case?
Because example.com has to be present in the header of most requests against a server at example.com:
If you send an email, you will put to: [email protected] in the mail header.
If you do an HTTP request against example.com, once DNS is resolved, the minimal request has to contain the target host:
host example.com
example.com has address 123.45.78.89
The DNS request is done on a DNS server, not necessarily at example.com (if not cached!).
nc 123.45.67.89 80 <<eoRequest
GET /index.html HTTP/1.0
Host: example.com
eoRequest
Of course, your iptables rule will only drop the header packet, but the following packets won't be understood by the server, so they will be dropped by the server itself. Server logs and the client window may show something like 400 Bad Request.
Answered by F. Hauri on November 4, 2021
If you use -m string --string example, it will match all IP packets where the payload contains the string example.
If you go to a page via HTTP and the page contains the word example, the page is shown only partially, because your rule drops the packet that contains the word example.
The rule can also break many other protocols that use plain text. It can also break encrypted connections if the encrypted payload happens to match example.
You should use a filtering proxy to block your traffic; it is accurate and doesn't cause unwanted side effects.
If you don't want to implement a filtering proxy, then a poor man's version is to block DNS queries for your target domain:
EDIT: Removed .com due to the fact that DNS packets don't contain dots but length indicators.
iptables -I OUTPUT -p udp --dport 53 -m string --string example -j DROP
This will drop DNS queries for your target domain, effectively blocking access to those domains. Clients will time out waiting for a DNS reply, so the blocking is quite invasive.
Answered by Tero Kilkanen on November 4, 2021
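The two answers above make the same underlying point from different angles: `-m string` is a blind substring search over packet payload, so it sees "example.com" in an HTTP Host header, sees only the length-prefixed labels "\x07example\x03com" in a DNS query (hence the EDIT dropping ".com"), and also fires on any unrelated payload that happens to contain the word. The following Python is an added illustration, not code from the question or either answer; it builds a constructed DNS query and two constructed HTTP messages in memory and models the match with a plain substring test, so it runs offline without iptables.

```python
import struct

# Names in DNS wire format are length-prefixed labels terminated by a zero byte,
# so "example.com" becomes b"\x07example\x03com\x00": the dot never appears.
def encode_dns_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed A-record query as a stub resolver would send it to UDP/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    question = encode_dns_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question

def decode_dns_qname(packet: bytes) -> str:
    """Read the QNAME that follows the 12-byte header (queries carry no compression pointers)."""
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)

def string_match(payload: bytes, needle: str) -> bool:
    """Model of `-m string --string needle`: a case-sensitive substring search over the payload."""
    return needle.encode("ascii") in payload

# Constructed HTTP/1.0 request like the nc example: the Host header carries the name in clear.
HTTP_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: example.com\r\n\r\n"
# Constructed response from an unrelated site whose body merely uses the word.
UNRELATED_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                      b"<p>For example, see the docs.</p>")

def demo() -> dict:
    q = build_dns_query("example.com")
    return {
        "qname": decode_dns_qname(q),
        "dns_has_dotted_name": string_match(q, "example.com"),   # False: labels, not dots
        "dns_has_example": string_match(q, "example"),           # True: the label is contiguous
        "http_has_dotted_name": string_match(HTTP_REQUEST, "example.com"),  # True via Host header
        "unrelated_dropped_too": string_match(UNRELATED_RESPONSE, "example"),  # True: collateral drop
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last entry is the side effect Tero Kilkanen describes: a rule on the bare word "example" drops the unrelated page body just as readily as the DNS query, which is why a filtering proxy that understands the protocol is the more precise tool.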
You cannot search for example.com in the URL, as most websites now work via HTTPS exclusively.
Yes, in your example iptables will resolve example.com on the first invocation, and in case its IP address changes this rule will no longer work, but you could solve it by running e.g. a cron script which resolves example.com and, if there's a new IP address, adds it to your iptables rules via -I or -A.
Answered by Artem S. Tashkinov on November 4, 2021
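The cron script this answer suggests is a reconciliation loop: resolve the name, compare against the source addresses already covered by DROP rules, and add rules only for the new ones. The Python below is an added sketch of that logic, not code from the answer; it parses `iptables -S INPUT` style output, and the command strings it returns are left for the caller to execute (or review). The sample rule listing and the resolved set are constructed so it runs offline; `resolve_ipv4` is the only part that touches the network.

```python
import socket
from typing import Iterable

def resolve_ipv4(name: str) -> set[str]:
    """All A records the local resolver currently returns for name (live DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}

def blocked_ips_from_rules(rule_lines: Iterable[str]) -> set[str]:
    """Collect the -s addresses of existing DROP rules from `iptables -S INPUT` output."""
    blocked = set()
    for line in rule_lines:
        parts = line.split()
        if "-s" in parts and "DROP" in parts:
            src = parts[parts.index("-s") + 1]
            blocked.add(src.split("/")[0])  # -S prints host rules as 1.2.3.4/32
    return blocked

def commands_to_add(resolved: set[str], already_blocked: set[str], chain: str = "INPUT") -> list[str]:
    """One insert command per address that is resolved now but not yet blocked."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(resolved - already_blocked)]

def reconcile(resolved: set[str], rule_lines: Iterable[str]) -> list[str]:
    return commands_to_add(resolved, blocked_ips_from_rules(rule_lines))

# Constructed sample of `iptables -S INPUT` output: one address already blocked.
SAMPLE_RULES = [
    "-P INPUT ACCEPT",
    "-A INPUT -s 123.45.78.89/32 -j DROP",
    "-A INPUT -i lo -j ACCEPT",
]
# Constructed resolver result: the old address plus one that appeared since the last run.
SAMPLE_RESOLVED = {"123.45.78.89", "123.45.78.90"}

if __name__ == "__main__":
    # Offline demo; a real cron job would use resolve_ipv4(name) and subprocess for iptables -S.
    for cmd in reconcile(SAMPLE_RESOLVED, SAMPLE_RULES):
        print(cmd)
```

The loop only ever learns the addresses the resolver hands back at each run, which is the limitation the question starts from; it narrows the window in which a changed record goes unblocked, it does not close it.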
Because it is a pattern for strings. Yes, you got your aim. But! If you try to search for anything including "example" on google.com, you cannot either. Be careful using this setting.
Answered by Paravozik on November 4, 2021