June 2003
Intermediate to advanced
336 pages
8h 54m
English
Content preview from Linux Security CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
2.9. Blocking Outgoing Access to All Web Servers on a Network
Problem
You want to prevent outgoing access to a network, e.g., all web servers at yahoo.com.
Solution
Figure out how to specify the yahoo.com network, e.g., 64.58.76.0/24, and reject web access:
For
iptables
:
# iptables -A OUTPUT -p tcp -d 64.58.76.0/24 --dport www -j REJECT
For
ipchains
:
# ipchains -A output -p tcp -d 64.58.76.0/24 --dport www -j REJECT
Discussion
Here the network is specified using
Classless
InterDomain Routing (CIDR) mask format,
a.b.c.d/N, where
N is the number of bits in the netmask. In
this case, N=24, so the first 24 bits are the network portion of the
address.
See Also
iptables(8), ipchains(8).
Tip
You can supply hostnames instead of IP addresses in your firewall rules. If DNS reports multiple IP addresses for that hostname, a separate rule will be created for each IP address. For example, www.yahoo.com has (at this writing) 11 IP addresses:
$ host www.yahoo.com www.yahoo.com is an alias for www.yahoo.akadns.net. www.yahoo.akadns.net has address 216.109.125.68 www.yahoo.akadns.net has address 64.58.76.227 ...
So you could block access to Yahoo, for example, and view the results by:
iptables:
# iptables -A OUTPUT -d www.yahoo.com -j REJECT # iptables -L OUTPUT
ipchains:
# ipchains -A output -d www.yahoo.com -j REJECT # ipchains -L output
Security experts recommend that you use only IP addresses in your rules, not hostnames, since an attacker could poison your DNS and circumvent rules defined for hostnames. ...