You don't need iptables to do this.  Just run a BIND 9 server on whatever 
interface(s) you want control over.  You can tell your BIND server it is 
authoritative for certain domains, and give it the IP address of that 
domain.  Then when the users access www.yourdomainhere.com, or 
*.yourdomainhere.com, they'll just go to the IP address you specified, 
which could easily be an Apache server with a page saying 'Access to this 
domain has been denied blah blah blah'.

Whatever filtering/natting/etc. you do in addition to that is entirely 
separate, though you ought to block port 53 (DNS) in your firewall so they 
can't use another DNS server.

Regards,
Ted Fines
--On Thursday, March 07, 2002 11:20 PM +0100 Markus Schaber 
<[EMAIL PROTECTED]> wrote:

> Hi,
>
> Sebastian Wolfgarten wrote:
>
>> I have a question about (DNS) wildcards in iptables:
>>
>> Are there plans to support wildcards in iptables (or is it
>> already implemented)? For instance I would like to
>> disable network access to a whole domain like
>> www.microsoft.com by a rule like "*.microsoft.com";
>> is it possible yet? I mean of course I could ban
>> their whole network, but they seem to use Akamai
>> (or whatever they are called) and I've got so many
>> IP addresses of them that I think that would be too
>> much. Even a ban of microsoft.* would be great.
>> This is not implemented yet, is it? Any other ways?
>
> I personally think this is rather difficult, as it would require a
> reverse DNS mapping in real-time.
>
> Currently, the name->IP address resolution is done in user-space, AFAIK,
> whereas your solution would require either an IP->name resolution in
> kernel-space, or a zone transfer for microsoft.com in user space (and I
> doubt MS allows public zone transfers).
>
> Markus
>
> --
> "Your opinion is repugnant to me, but I will let myself be beaten to
> death so that you may say it." - Voltaire
>
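The DNS-sinkhole setup Ted describes above, as an added example that is not part of the original thread: a small POSIX shell script that prints the three pieces you need for each domain to block: a named.conf stanza making BIND 9 authoritative for the domain, a zone file whose wildcard record sends every name under the domain to a local web server, and the iptables rules that stop users from going around that resolver on port 53. The addresses, interface name and zone directory (192.0.2.10, eth1, /etc/bind/sinkhole) are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): generate the pieces of a
# BIND 9 DNS sinkhole for one or more domains, as described by Ted above.
#   1. named.conf zone stanza: BIND becomes master for the domain
#   2. zone file: a wildcard A record points *.domain at the local web server
#   3. iptables rules: users can no longer reach any other DNS server
# All addresses, paths and interface names below are assumptions.

SINK_IP="192.0.2.10"          # assumed: LAN address of the BIND + Apache host
ZONE_DIR="/etc/bind/sinkhole" # assumed: directory holding the zone files
LAN_IF="eth1"                 # assumed: interface the users sit behind

# Print a named.conf zone stanza declaring this server master for $1.
gen_named_conf() {
  domain="$1"
  printf 'zone "%s" {\n    type master;\n    file "%s/db.%s";\n};\n' \
    "$domain" "$ZONE_DIR" "$domain"
}

# Print a minimal zone file for $1.  The "*" record matches every name
# below the apex; a wildcard never matches the apex itself, so the bare
# domain gets its own "@" record.
gen_zone() {
  domain="$1"
  cat <<EOF
\$TTL 300
@   IN SOA ns.$domain. hostmaster.$domain. (
        1          ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        300 )      ; minimum TTL
    IN NS  ns.$domain.
ns  IN A   $SINK_IP
@   IN A   $SINK_IP
*   IN A   $SINK_IP
EOF
}

# Print iptables rules dropping forwarded DNS traffic from the LAN, so the
# sinkhole resolver (which is not forwarded through this box) is the only
# one users can reach.  BIND on the gateway still recurses for everything
# else, since its own queries leave via OUTPUT, not FORWARD.
gen_iptables_rules() {
  cat <<EOF
iptables -A FORWARD -i $LAN_IF -p udp --dport 53 -j DROP
iptables -A FORWARD -i $LAN_IF -p tcp --dport 53 -j DROP
EOF
}

# Usage: sh sinkhole.sh microsoft.com example.org
# Prints the named.conf stanza and zone file for each domain, then the
# firewall rules once.  Redirect the pieces into the real files yourself.
for d in "$@"; do
  gen_named_conf "$d"
  gen_zone "$d"
done
if [ $# -gt 0 ]; then
  gen_iptables_rules
fi
```

Two caveats that follow from the thread: the wildcard only covers names under the zone you declare, so a wish like microsoft.* would need one zone per top-level domain; and the sinkhole only catches lookups by name, so anything that already knows an IP address (the Akamai addresses Sebastian mentions, for instance) is untouched, which is exactly where the separate filtering and NAT rules come in.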