"Sebastian Wolfgarten" <[EMAIL PROTECTED]> wrote:
> Hi,
> 
> I have a question about (dns) wildcards in iptables:
> 
> Are there plans (or still implemented?) to support
> wildcards in iptables? For instance I would like to
> disable network access to a whole domain like
> www.microsoft.com by a rule like "*.microsoft.com",
> is it possible yet? I mean of course I could ban
> their whole network but they seem to use akamai
> (or however they are called) and I've got so many
> ip addresses of them that I think that would be too
> much. Even a ban of microsoft.* would be great?
> This is not implemented yet, or? Any other ways?

I think that for this task an http proxy server (e.g. squid) would be
a better solution for your wishes. If iptables should do the job,
it would need an idea of what network addresses belong to
*.microsoft.com. I think that this information is not publicly
available. So you would need to perform a reverse lookup on all IPs
that traverse the output or forward chain before allowing the
connection. This would drop the performance to a crawl. Forget it.

Use a proxy server instead. There the domain name is already
available (due to the GET request) and can be blocked efficiently
via a regexp.

Cheers,
Juri

-- 
Juri Haberland  <[EMAIL PROTECTED]> 
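As an added illustration of the proxy approach Juri describes (this is not code from the thread or from squid), the Python below does what a filtering proxy does with a request: it pulls the destination hostname out of the absolute URI in the request line (or the CONNECT target, or the Host header), and matches it against anchored regular expressions for "*.microsoft.com" and "microsoft.*". The request strings and the patterns are constructed for the example. In squid itself the equivalent is an `acl <name> dstdom_regex <pattern>` line followed by `http_access deny <name>`; the anchoring matters there too, because an unanchored `microsoft\.com` would also match `microsoft.com.example.net`.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed blocklist for the example: "*.microsoft.com" (including the bare
# domain) and "microsoft.<tld>" under any TLD. Both are anchored with ^ and $ so
# that a host like "microsoft.com.example.net" does NOT match.
BLOCKED_HOST_PATTERNS = [
    re.compile(r"^(?:.+\.)?microsoft\.com$", re.IGNORECASE),     # *.microsoft.com
    re.compile(r"^(?:.+\.)?microsoft\.[a-z]{2,}$", re.IGNORECASE),  # microsoft.*
]


def host_from_request(raw_request: str) -> Optional[str]:
    """Return the destination host of an HTTP/1.x request as a proxy sees it.

    A client talking to a proxy sends an absolute URI in the request line
    ("GET http://www.microsoft.com/ HTTP/1.1"); for HTTPS it sends
    "CONNECT host:port HTTP/1.1". A transparent proxy only sees a path and has
    to fall back to the Host header. Returns None if no host can be found.
    """
    lines = raw_request.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) >= 2:
        method, target = parts[0].upper(), parts[1]
        if method == "CONNECT":
            # "host:port" -> prepend // so urlsplit parses it as an authority
            return urlsplit("//" + target).hostname
        if "://" in target:
            host = urlsplit(target).hostname
            if host:
                return host
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            # urlsplit strips an explicit port and handles [IPv6] literals
            return urlsplit("//" + value.strip()).hostname
    return None


def is_blocked(host: str) -> bool:
    """True if the hostname matches any blocklist pattern."""
    return any(p.match(host) for p in BLOCKED_HOST_PATTERNS)


def decide(raw_request: str) -> str:
    """Proxy policy decision for one request: 'allow' or 'deny'.

    Requests that name no destination at all are denied rather than let
    through, so a malformed request cannot bypass the filter.
    """
    host = host_from_request(raw_request)
    if host is None:
        return "deny"
    return "deny" if is_blocked(host) else "allow"


if __name__ == "__main__":
    # Constructed sample requests, as a proxy would receive them.
    samples = [
        "GET http://www.microsoft.com/ HTTP/1.1\r\nHost: www.microsoft.com\r\n\r\n",
        "CONNECT download.microsoft.de:443 HTTP/1.1\r\n\r\n",
        "GET / HTTP/1.1\r\nHost: WWW.MICROSOFT.COM:80\r\n\r\n",
        "GET http://microsoft.com.example.net/ HTTP/1.1\r\n\r\n",
        "GET http://www.example.com/ HTTP/1.1\r\n\r\n",
        "GET / HTTP/1.1\r\n\r\n",
    ]
    for req in samples:
        print(f"{host_from_request(req)!s:32} -> {decide(req)}")
```

Note that the second pattern subsumes the first; both are kept only to show the two wildcard shapes asked about in the question. The CONNECT case is the one that matters today: with HTTPS the proxy never sees the GET line, but the hostname in the CONNECT target is still enough to apply the same rule.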

