
Is there a way using IPTables to drop all requests coming to a particular domain name?

For instance, all requests coming in to www.a.com will be dropped. No replies, no error pages, just dropped.

If it's possible, how can it be done?

Btw, I know, it's probably not a good practice. But need to get it done now. Thanks!

  • From your comments below I don't think there's anything you can do here except tell the government censor that you don't control `www.a.com` -- There's not much you can do technically to stop someone from pointing a domain name at one of your IPs, and the type of block you're talking about here isn't really technically feasible. – voretaq7 Jul 02 '10 at 16:17

1 Answer


I'm pretty certain IPTables only accepts IP addresses.

If you want to stick with domains, you can try using hosts.deny by adding this line:

ALL: www.a.com

This will prevent www.a.com from accessing any service on your machine.

Weboide
  • Well, never tried, but I read somewhere that it can accept a DNS name, but it'll be reverted to an IP address as soon as the rule is loaded by the kernel. Better use a proxy – PiL Jul 02 '10 at 11:10
  • That isn't what I need. What I need is, when a site accessed is www.a.com, drop the packet. The problem I'm facing is, I have a server in China and somehow a particular domain is in violation. The government censor will only accept a complete non-response. Problem is, the user is using a DNS server from elsewhere and directly pointing his IP at my server. –  Jul 02 '10 at 11:25
  • Is www.a.com a domain hosted in your server, then? – chmeee Jul 02 '10 at 11:38
  • Nope. That's the problem. He just pointed his domain's IP at my server. –  Jul 02 '10 at 13:05
  • +1 for the "only takes IPs" bit even though it's not a solution. iptables (any packet-filter really) can't do what you're asking: all they know is the source & destination IP and a few other bits of info. They would have to do deep packet inspection to determine what hostname the request was pointed at, and even then there would have to be something in the data that identified the hostname (e.g. a HTTP Host: header). – voretaq7 Jul 02 '10 at 16:14
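Added example (not code from the question, the answer, or any of the commenters): a small Python model of the point voretaq7's last comment makes. A packet filter working at the IP/TCP layer has no notion of a domain name; to refuse requests for www.a.com, something has to read the application payload and find the HTTP Host header (or the authority in an absolute-form request line). The sample requests, the blocklist, and the helper names (host_from_http_request, filter_decision, run_all) are all constructed for this demonstration.

```python
"""Constructed demo: extract the hostname an HTTP/1.x request is addressed to
and produce a DROP/ACCEPT verdict for a constructed blocklist. This is the
kind of payload inspection a plain packet filter does not perform."""
import re

# Constructed blocklist: hostnames we refuse to answer for (www.a.com is the
# name used in the question above).
BLOCKED_HOSTS = {"www.a.com"}

# Request line: METHOD SP request-target SP HTTP/1.x, newline optional so a
# header-less request still matches.
_REQUEST_LINE = re.compile(rb"^[A-Z]+ (\S+) HTTP/1\.[01](?:\r?\n|$)")
# Host header; header names are case-insensitive, so match HOST:/host: too.
_HOST_HEADER = re.compile(rb"^host:[ \t]*([^\r\n]*)", re.IGNORECASE | re.MULTILINE)


def host_from_http_request(payload: bytes):
    """Return the lowercased hostname a request targets, or None.

    The authority of an absolute-form target (GET http://www.a.com/ HTTP/1.1)
    takes precedence over the Host header, as HTTP/1.1 requires; otherwise the
    Host header is used. A :port suffix is stripped, bracketed IPv6 literals
    are kept intact. An empty or non-HTTP payload yields None.
    """
    head = payload.split(b"\r\n\r\n", 1)[0]
    host = None
    m = _REQUEST_LINE.match(head)
    if m:
        target = m.group(1)
        if target.lower().startswith(b"http://"):
            host = target[len(b"http://"):].split(b"/", 1)[0]
    if host is None:
        m = _HOST_HEADER.search(head)
        if m:
            host = m.group(1).strip()
    if not host:
        return None
    if host.startswith(b"["):
        host = host.split(b"]", 1)[0] + b"]"   # keep "[::1]", drop ":port"
    else:
        host = host.split(b":", 1)[0]
    return host.decode("ascii", "replace").lower()


def filter_decision(dst_port: int, payload: bytes, blocked=BLOCKED_HOSTS) -> str:
    """Simulated verdict for one TCP segment's payload.

    Only cleartext HTTP on port 80 can be inspected this way: TLS hides the
    Host header, and a real filter would also see segments (SYN, pure ACK,
    a split request) that carry no Host header at all.
    """
    if dst_port != 80:
        return "ACCEPT"
    host = host_from_http_request(payload)
    if host is not None and host in blocked:
        return "DROP"
    return "ACCEPT"


# Constructed sample requests covering the cases that matter for matching.
SAMPLE_REQUESTS = {
    "blocked_host_header": b"GET / HTTP/1.1\r\nHost: www.a.com\r\nUser-Agent: demo\r\n\r\n",
    "blocked_port_and_case": b"GET / HTTP/1.1\r\nHOST: WWW.A.COM:80\r\n\r\n",
    "blocked_absolute_form": b"GET http://www.a.com/index.html HTTP/1.1\r\nHost: other.example\r\n\r\n",
    "other_site": b"GET / HTTP/1.1\r\nHost: www.b.example\r\n\r\n",
    "no_host": b"GET / HTTP/1.0\r\n\r\n",
    "empty_segment": b"",
}


def run_all() -> dict:
    """Verdict for every constructed sample on port 80."""
    return {name: filter_decision(80, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:24s} {host_from_http_request(SAMPLE_REQUESTS[name])!s:12s} {verdict}")
```

The empty segment and the HTTP/1.0 request without a Host header both come back ACCEPT, which is the practical problem with doing this at the packet level: the verdict depends on data that may be absent, split across segments, or encrypted. For the situation in the question the reliable place to refuse such requests is the web server's own virtual-host configuration, where the full request has already been reassembled.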