  1. #1

    IPTables and DNS don't match?

    Hello all.

    When I use dig to resolve a hostname to an IP (ex., I get a list of IPs belonging to that domain. When I add the hostname to the firewall:

    iptables -A FORWARD -j DROP -d

    and look at the firewall list:

    target prot opt source destination
    DROP all --
    DROP all --
    DROP all --

    I see the related IPs.
    Then when I go to test the connection on a client entering:

    I am still able to access the website. However, the IP used to access the site is different than the ones listed above.

    There are no proxy servers in my domain, nor is the client configured to use any proxy server.

    My logic is that if the DNS server lists the above IPs, and the firewall is blocking them, then the client should not be able to connect. How is this not so?

    - Thoroughly frustrated!

  2. #2
    Linux Engineer
    Join Date: Sep 2003
    Knoxhell, TN
    Why not just block the submask?
    Their code will be beautiful, even if their desks are buried in 3 feet of crap. - esr

  3. #3
    I'm trying to keep my firewall simple to admin. I would like to be able to add blocks using the hostname, rather than each IP.

    I ran into problems using the submask before. Used a rule something like ...

    iptables -A block_outgoing -j DROP -p all -d

    but I found that it closes access to websites that may be useful to the school I work at.

    Here's an instance of what I'm really trying to do ...

    iptables -A FORWARD -j DROP -d
    iptables -A FORWARD -j DROP -d
    iptables -A FORWARD -j DROP -d
    iptables -A FORWARD -j DROP -d

    So, when the rules are in place, and the "known" IPs are blocked, I try on a client. I find that the client ends up using a different IP to connect to, specifically

    What I don't get is how the client is able to reroute to the new IP if the known IPs are blocked.

  5. #4
    Linux Guru
    Join Date: Oct 2001
    Täby, Sweden
    It's probably that the clients have cached the redirections. Try blocking the new IPs as well (for example, resolves to, so try blocking that as well).
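
The reason the "known" rules never catch up on their own is that iptables resolves a hostname passed to -d or -s exactly once, when the rule is submitted; the chain then holds only the addresses DNS happened to return at that moment, and a client that later gets a different answer (round-robin, a second A record, a changed zone) connects to an address that was never inserted. The script below, added here as an illustration and not posted by anyone in the thread, automates the "block the new IPs as well" step: it regenerates one DROP rule per address from a fresh lookup and prints only the rules for addresses not yet in the chain. The addresses are constructed sample data from the 203.0.113.0/24 documentation range, the chain name BLOCKED_SITES and the hostname www.example.org are assumptions, and the live path needs root and dig.

```shell
#!/bin/sh
# Added example (not from the original thread): keep per-IP DROP rules in
# step with what a hostname currently resolves to.
#
# iptables resolves a hostname given to -d/-s once, at insert time, so the
# chain only contains the addresses DNS returned at that moment.  Re-resolving
# and adding whatever is missing is the manual step this script automates.
#
# Sample data: constructed addresses from the 203.0.113.0/24 documentation
# range.  The chain name BLOCKED_SITES is an assumption.

SAMPLE_DIG_ANSWER='203.0.113.10
203.0.113.11
203.0.113.12'

# rules_for_ips CHAIN IP... -> one "iptables -A" command per address
rules_for_ips() {
  chain=$1
  shift
  for ip in "$@"; do
    printf 'iptables -A %s -d %s -j DROP\n' "$chain" "$ip"
  done
}

# missing_ips "RESOLVED" "BLOCKED" -> resolved addresses not yet blocked.
# Both arguments are whitespace-separated address lists.
missing_ips() {
  if [ -z "$2" ]; then
    printf '%s\n' $1          # nothing blocked yet: every resolved address is missing
    return 0
  fi
  tmp=$(mktemp)
  printf '%s\n' $2 > "$tmp"   # one blocked address per line, used as fixed-string patterns
  printf '%s\n' $1 | grep -vxF -f "$tmp" || true   # grep exits 1 when nothing is missing
  rm -f "$tmp"
}

# resolve_host NAME -> IPv4 A records, one per line (live DNS query via dig)
resolve_host() {
  dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# blocked_ips CHAIN -> destinations of the DROP rules now in CHAIN (needs root)
blocked_ips() {
  iptables -S "$1" \
    | awk '/-j DROP/ { for (i = 1; i <= NF; i++) if ($i == "-d") print $(i+1) }' \
    | sed 's#/32$##'
}

# Offline demonstration on the constructed answer: the full rule set, then the
# delta against a chain that already holds two of the three addresses.
rules_for_ips BLOCKED_SITES $SAMPLE_DIG_ANSWER
missing_ips "$SAMPLE_DIG_ANSWER" "203.0.113.10 203.0.113.12"

# Live mode (root, dig installed):  ./sync-block.sh --live www.example.org
# prints the commands for addresses the name resolves to right now that are
# not yet in the chain; pipe the output to sh to apply them, and run it from
# cron so the chain follows the zone instead of the answer it saw once.
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
  rules_for_ips BLOCKED_SITES $(missing_ips "$(resolve_host "$2")" "$(blocked_ips BLOCKED_SITES)")
fi
```

Even with periodic re-resolution this is still a race against the resolver: a client that queries first sees a new address before the next sync. If the goal is to stop web access to a site by name, the more reliable place to enforce it is a proxy or the DNS server the clients use; per-IP DROP rules can only ever match what was resolved before the rule was written.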

  6. #5
    I'll give that a shot. Thanks for the info.
