2.9. Blocking Outgoing Access to All Web Servers on a Network
Problem
You want to prevent outgoing access to a network, e.g., all web servers at yahoo.com.
Solution
Figure out how to specify the yahoo.com network, e.g., 64.58.76.0/24, and reject web access:
For iptables:
# iptables -A OUTPUT -p tcp -d 64.58.76.0/24 --dport www -j REJECT
For ipchains:
# ipchains -A output -p tcp -d 64.58.76.0/24 --dport www -j REJECT
Discussion
Here the network is specified using Classless Inter-Domain Routing (CIDR) mask format, a.b.c.d/N, where N is the number of bits in the netmask. In this case, N=24, so the first 24 bits are the network portion of the address.
See Also
iptables(8), ipchains(8).
Tip
You can supply hostnames instead of IP addresses in your firewall rules. If DNS reports multiple IP addresses for that hostname, a separate rule will be created for each IP address. For example, www.yahoo.com has (at this writing) 11 IP addresses:
$ host www.yahoo.com
www.yahoo.com is an alias for www.yahoo.akadns.net.
www.yahoo.akadns.net has address 216.109.125.68
www.yahoo.akadns.net has address 64.58.76.227
...
So you could block access to Yahoo, for example, and view the results by:
iptables:
# iptables -A OUTPUT -d www.yahoo.com -j REJECT
# iptables -L OUTPUT
ipchains:
# ipchains -A output -d www.yahoo.com -j REJECT
# ipchains -L output
Security experts recommend that you use only IP addresses in your rules, not hostnames, since an attacker could poison your DNS and circumvent rules defined for hostnames. ...
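As an added example (not code from the Linux Security Cookbook), the POSIX shell script below illustrates the two points of this recipe. in_cidr applies an N-bit netmask exactly as the a.b.c.d/N notation in the Discussion describes, so you can check which resolved addresses a block such as 64.58.76.0/24 actually covers before writing the rule. rules_for_host_output turns host(1) output into one IP-pinned REJECT rule per address, which is the practical form of the tip's advice: resolve once, inspect the addresses, and commit rules that no later DNS answer can change. The host output is a constructed sample built from the two addresses shown above, not a live lookup, and the helper only prints the commands rather than running them.

```shell
#!/bin/sh
# Added example, not code from the Linux Security Cookbook.
# Helpers around the CIDR and DNS-pinning points of recipe 2.9.

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1                     # split on dots into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP A.B.C.D/N -> exit status 0 if IP lies inside the block.
# The netmask has its first N bits set; an address matches when its
# network portion (IP & mask) equals the block's network portion.
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    if [ "$bits" -eq 0 ]; then
        mask=0                    # /0 matches everything
    else
        # 0xFFFFFFFF minus the low (32 - N) bits, computed without
        # relying on 64-bit shell arithmetic
        mask=$(( 4294967295 - ((1 << (32 - bits)) - 1) ))
    fi
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Constructed sample of what "host www.yahoo.com" printed in the recipe
# (the two addresses shown on the page, not a live lookup).
SAMPLE_HOST_OUTPUT='www.yahoo.com is an alias for www.yahoo.akadns.net.
www.yahoo.akadns.net has address 216.109.125.68
www.yahoo.akadns.net has address 64.58.76.227'

# rules_for_host_output: read host(1) output on stdin and print one
# REJECT rule per "has address" line. Resolving once, at rule-creation
# time, pins the rule set to addresses you have looked at; a poisoned
# DNS answer later on cannot change what the firewall matches.
rules_for_host_output() {
    awk '/ has address / {
        printf "iptables -A OUTPUT -p tcp -d %s --dport www -j REJECT\n", $NF
    }'
}

# pinned_rule_count: number of rules generated from the sample output
pinned_rule_count() {
    printf '%s\n' "$SAMPLE_HOST_OUTPUT" | rules_for_host_output | grep -c REJECT
}

# Run stand-alone: report which sample addresses fall inside the block
# used in the Solution, then print the pinned rules.
for addr in 216.109.125.68 64.58.76.227; do
    if in_cidr "$addr" 64.58.76.0/24; then
        echo "$addr is inside 64.58.76.0/24"
    else
        echo "$addr is outside 64.58.76.0/24"
    fi
done
printf '%s\n' "$SAMPLE_HOST_OUTPUT" | rules_for_host_output
```

Run as-is to see that only 64.58.76.227 falls inside 64.58.76.0/24 while 216.109.125.68 does not, which is why a single /24 from the Solution does not cover every Yahoo web server; pipe real host output into rules_for_host_output, review the printed commands, and then run them with the # prompt's root privileges.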