  1. #1
    Just Joined!
    Join Date
    Dec 2003
    Posts
    41

    IPTables and DNS don't match?


    Hello all.

    When I use dig to resolve a hostname to an IP (e.g. www.hotmail.com), I get a list of IPs belonging to that domain. When I add the hostname to the firewall:

    iptables -A FORWARD -j DROP -d www.hotmail.com

    and look at the firewall list:

    target prot opt source destination
    DROP all -- 0.0.0.0/0 207.68.172.239
    DROP all -- 0.0.0.0/0 207.68.173.245
    DROP all -- 0.0.0.0/0 207.68.171.233

    I see the related IPs.
    Then when I go to test the connection on a client entering:

    http://www.hotmail.com

    I am still able to access the website. However, the IP used to access the site is different from the ones listed above.

    There are no proxy servers in my domain, nor is the client configured to use any proxy server.

    My logic is that if the DNS server lists the above IPs, and the firewall is blocking them, then the client should not be able to connect. How is this not so?

    - Thoroughly frustrated!

  2. #2
    Linux Engineer
    Join Date
    Sep 2003
    Location
    Knoxhell, TN
    Posts
    1,078
    Why not just block the submask?
    Their code will be beautiful, even if their desks are buried in 3 feet of crap. - esr

  3. #3
    Just Joined!
    Join Date
    Dec 2003
    Posts
    41
    I'm trying to keep my firewall simple to admin. I would like to be able to add blocks using the hostname, rather than each IP.

    I ran into problems using the submask before. Used a rule something like ...

    iptables -A block_outgoing -j DROP -p all -d 207.68.0.0/16

    but I found that it closes access to websites that may be useful to the school I work at.

    Here's an instance of what I'm really trying to do ...

    iptables -A FORWARD -j DROP -d www.hotmail.com
    iptables -A FORWARD -j DROP -d hotmail.com
    iptables -A FORWARD -j DROP -d login.passport.com
    iptables -A FORWARD -j DROP -d passport.com

    So, when the rules are in place, and the "known" IPs are blocked, I try www.hotmail.com on a client. I find that the client ends up using a different IP to connect to www.hotmail.com, specifically 207.68.173.246.

    What I don't get is how the client is able to reroute to the new IP if the known www.hotmail.com IPs are blocked.

  4. #4
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    It's probably that the clients have cached the redirections. Try blocking the new IPs as well (for example, 207.68.173.246 resolves to cb.msn.com, so try blocking that as well).
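    The reason the first post's rules stop matching is that iptables resolves a hostname given to -d only once, when the rule is inserted, and writes one DROP rule per address the resolver returned at that moment (that is why the listing shows three addresses and no hostname). Whatever the name resolves to later, for the firewall or for a client that got a different round-robin answer or a cached alias, is not covered. The script below is an added example, not code from this thread or from the iptables project: it turns the advice "block the new IPs as well" into a repeatable step by re-resolving each name and appending DROP rules only for addresses that are not in the chain yet, so earlier answers stay blocked. It assumes the chain name block_outgoing from the thread already exists and is jumped to from FORWARD, that dig is installed, and that it is run as root with DRY_RUN=0 to apply anything; by default it only prints the commands. The function names, the DRY_RUN switch and the sample listing are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Rebuilds the blocklist chain from
# the hostnames' *current* DNS answers. iptables resolves a hostname passed to
# -d once, at insertion time (one DROP rule per returned address), so the chain
# is a snapshot that goes stale as soon as the name resolves differently.

BLOCK_HOSTS="www.hotmail.com hotmail.com login.passport.com passport.com"
CHAIN="block_outgoing"        # chain name from the thread; assumed to exist already
DRY_RUN="${DRY_RUN:-1}"       # 1 = only print commands (default), 0 = execute them

# Constructed copy of the 'iptables -L' listing from the thread, for self-checks.
SAMPLE_LISTING="target prot opt source destination
DROP all -- 0.0.0.0/0 207.68.172.239
DROP all -- 0.0.0.0/0 207.68.173.245
DROP all -- 0.0.0.0/0 207.68.171.233"

# run: print or execute an iptables command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# resolve_a NAME: print the IPv4 addresses NAME resolves to right now, one per
# line. 'dig +short' also prints CNAME targets, so keep only dotted quads.
resolve_a() {
    dig +short A "$1" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# extract_ips: read 'iptables -L CHAIN -n' output on stdin and print the
# destination of every DROP rule (the last column of that listing).
extract_ips() {
    awk '$1 == "DROP" { print $NF }'
}

# missing_ips BLOCKED RESOLVED: both are newline-separated address lists; print
# the resolved addresses that have no DROP rule yet (set difference via awk).
missing_ips() {
    blocked=$(mktemp) && resolved=$(mktemp) || return 1
    printf '%s\n' "$1" > "$blocked"
    printf '%s\n' "$2" > "$resolved"
    awk 'NR == FNR { seen[$0] = 1; next } $0 != "" && !seen[$0]' "$blocked" "$resolved"
    rm -f "$blocked" "$resolved"
}

# refresh_chain: re-resolve every name and append DROP rules for addresses not
# in the chain yet. Existing rules are kept, so addresses handed out by an
# earlier round-robin answer remain blocked after the name rotates.
refresh_chain() {
    current=$(iptables -L "$CHAIN" -n 2>/dev/null | extract_ips)
    for host in $BLOCK_HOSTS; do
        fresh=$(resolve_a "$host")
        for ip in $(missing_ips "$current" "$fresh"); do
            run -A "$CHAIN" -d "$ip" -j DROP
            current="$current
$ip"
        done
    done
}

# Usage: sh refresh_block.sh refresh      (prefix with DRY_RUN=0 to apply for real)
if [ "${1:-}" = "refresh" ]; then
    refresh_chain
fi
```

    Running it from cron narrows the window, but it cannot close it: the firewall only ever sees the answers its own resolver returns, while a client may receive a different subset of addresses or, as the reply above notes, a cached redirection to another name such as cb.msn.com. Adding every name the site redirects to to BLOCK_HOSTS, rather than only the name typed into the browser, is what makes the list converge.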

  5. #5
    Just Joined!
    Join Date
    Dec 2003
    Posts
    41
    I'll give that a shot. Thanks for the info.
