eTutorials.org

Chapter: Recipe 2.9 Blocking Outgoing Access to All Web Servers on a Network

2.9.1 Problem

You want to prevent outgoing access to a network, e.g., all web servers at yahoo.com.

2.9.2 Solution

Figure out how to specify the yahoo.com network, e.g., 64.58.76.0/24, and reject web access:

For iptables:

# iptables -A OUTPUT -p tcp -d 64.58.76.0/24 --dport www -j REJECT

For ipchains:

# ipchains -A output -p tcp -d 64.58.76.0/24 --dport www -j REJECT

2.9.3 Discussion

Here the network is specified using Classless InterDomain Routing (CIDR) mask format, a.b.c.d/N, where N is the number of bits in the netmask. In this case, N=24, so the first 24 bits are the network portion of the address.

2.9.4 See Also

iptables(8), ipchains(8).

You can supply hostnames instead of IP addresses in your firewall rules. If DNS reports multiple IP addresses for that hostname, a separate rule will be created for each IP address. For example, www.yahoo.com has (at this writing) 11 IP addresses:

$ host www.yahoo.com
www.yahoo.com is an alias for www.yahoo.akadns.net.
www.yahoo.akadns.net has address 216.109.125.68
www.yahoo.akadns.net has address 64.58.76.227
...

So you could block access to Yahoo, for example, and view the results by:

iptables:

# iptables -A OUTPUT -d www.yahoo.com -j REJECT
# iptables -L OUTPUT

ipchains:

# ipchains -A output -d www.yahoo.com -j REJECT
# ipchains -L output

Security experts recommend that you use only IP addresses in your rules, not hostnames, since an attacker could poison your DNS and circumvent rules defined for hostnames. However, the hostnames are relevant only at the moment you run iptables or ipchains to define a rule, as the program looks up the underlying IP addresses immediately and stores them in the rule. So you could conceivably use hostnames for convenience when defining your rules, then check the results (via the output of iptables-save or ipchains-save [Recipe 2.19]) to confirm the IP addresses.

    Top
    Linux security
    		Preface
    		Chapter 1. System Snapshots with Tripwire
    		Chapter 2. Firewalls with iptables and ipchains
    		Recipe 2.1 Enabling Source Address Verification
    		Recipe 2.2 Blocking Spoofed Addresses
    		Recipe 2.3 Blocking All Network Traffic
    		Recipe 2.4 Blocking Incoming Traffic
    		Recipe 2.5 Blocking Outgoing Traffic
    		Recipe 2.6 Blocking Incoming Service Requests
    		Recipe 2.7 Blocking Access from a Remote Host
    		Recipe 2.8 Blocking Access to a Remote Host
    		Recipe 2.9 Blocking Outgoing Access to All Web Servers on a Network
    		Recipe 2.10 Blocking Remote Access, but Permitting Local
    		Recipe 2.11 Controlling Access by MAC Address
    		Recipe 2.12 Permitting SSH Access Only
    		Recipe 2.13 Prohibiting Outgoing Telnet Connections
    		Recipe 2.14 Protecting a Dedicated Server
    		Recipe 2.15 Preventing pings
    		Recipe 2.16 Listing Your Firewall Rules
    		Recipe 2.17 Deleting Firewall Rules
    		Recipe 2.18 Inserting Firewall Rules
    		Recipe 2.19 Saving a Firewall Configuration
    		Recipe 2.20 Loading a Firewall Configuration
    		Recipe 2.21 Testing a Firewall Configuration
    		Recipe 2.22 Building Complex Rule Trees
    		Recipe 2.23 Logging Simplified
    		Chapter 3. Network Access Control
    		Chapter 4. Authentication Techniques and Infrastructures
    		Chapter 5. Authorization Controls
    		Chapter 6. Protecting Outgoing Network Connections
    		Chapter 7. Protecting Files
    		Chapter 8. Protecting Email
    		Chapter 9. Testing and Monitoring
    		Colophon

    Search the site