
We can mark packets on the basis of IP addresses in the following way -

iptables -A FORWARD -t mangle -s 123.2.3.4 -j MARK --set-mark 1

How to mark packets depending on the hostname? I tried this -

iptables -A FORWARD -t mangle -s google.co.in -j MARK --set-mark 1

But the iptables utility gets the IP address of google.co.in from the DNS and adds the entry to the mangle table. How to mark all the packets from google.co.in, and not just from the single server of Google? As there are thousands of servers, manually adding all IP addresses is also not possible.

Is there any way to read the packet and get the hostname and mark it?

Thank you.

bgtvfr
cold_coder
    You cannot inspect all packets (think: TLS) & you cannot obtain a full list of Google IPs used for this domain anyway. Rather explain the original problem you are attempting to solve with iptables here, other strategies may be viable. – anx Jan 09 '17 at 16:19

2 Answers

Firewall rules do not operate at the DNS level. In some cases iptables will do a DNS resolution for you, but the result will not be what you are looking for and will not follow any IP changes in the DNS name.

Instead you need an HTTP proxy such as Squid and its Outgoing Packet Mark (http://www.squid-cache.org/Doc/config/tcp_outgoing_mark/) feature to handle this kind of behavior.

For incoming traffic, if you are particularly interested in GoogleBot, you could look at the unofficial IP range lists such as https://evert.meulie.net/faqwd/googlebot-ip-ranges/ and set up your iptables for that.

Jason Martin
  • Google specifically punishes sites trying to fool the bot, so there likely isn't any use case for trying. – anx Jan 15 '17 at 21:13
  • One might want to segregate bot traffic to a sacrificial cluster. It would be helpful if the poster elaborated on _why_ they want to do this. – Jason Martin Jan 16 '17 at 00:27

"As there are thousands of servers, manually adding all IP addresses is also not possible."

You can build and maintain a small list of all Google ASes, and then add firewall rules based on these network ranges.

Maybe you can even find all Google ASes on the internet.

(have a look at

bgtvfr
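Both answers come down to the same point: iptables matches on addresses, so hostname-based marking has to happen either in a proxy that sees the hostname (Squid's tcp_outgoing_mark, first answer) or by turning a maintained list of network ranges into address matches (second answer). The script below is an added example, not code from either answer or from Squid; the set name, mark value and every prefix in it are constructed placeholders, not real Google ranges. It generates an ipset-backed mangle rule set for a list of prefixes (one set per address family, deduplicated, idempotent on re-run) and the two squid.conf lines for the proxy-side mark, so both approaches can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example (not from the answers above): mark packets by source network
# range rather than by hostname. The prefixes and set names are constructed
# placeholders, not real Google ranges; replace them with prefixes taken from
# the AS announcements you trust, and refresh them on a schedule.

SET_NAME="google_nets"   # hypothetical ipset name
MARK_VALUE="1"           # same mark value the question uses

# Constructed prefix list, one per line. The duplicate is deliberate: a list
# stitched together from several sources usually contains repeats.
PREFIXES="
203.0.113.0/24
198.51.100.0/25
198.51.100.0/25
2001:db8:1234::/48
"

# Emit the ipset/iptables commands that install range-based marking. Printing
# instead of executing keeps the rule set reviewable; pipe the output to sh to
# apply it. One hash:net set per address family, because an ipset is bound to
# a single family.
gen_mark_rules() {
    set_name="$1"
    mark="$2"
    prefixes="$3"
    # Split by family and drop duplicates; `-exist` makes re-runs idempotent.
    v4=$(printf '%s\n' "$prefixes" | grep -E '^[0-9]+\.' | sort -u)
    v6=$(printf '%s\n' "$prefixes" | grep -E '^[0-9a-fA-F:]+/' | sort -u)

    printf 'ipset create %s hash:net family inet -exist\n' "$set_name"
    for p in $v4; do
        printf 'ipset add %s %s -exist\n' "$set_name" "$p"
    done
    # One rule matches the whole set, however many prefixes it holds, so the
    # rule count stays constant as the list grows.
    printf 'iptables -t mangle -A FORWARD -m set --match-set %s src -j MARK --set-mark %s\n' \
        "$set_name" "$mark"

    printf 'ipset create %s6 hash:net family inet6 -exist\n' "$set_name"
    for p in $v6; do
        printf 'ipset add %s6 %s -exist\n' "$set_name" "$p"
    done
    printf 'ip6tables -t mangle -A FORWARD -m set --match-set %s6 src -j MARK --set-mark %s\n' \
        "$set_name" "$mark"
}

# Emit the squid.conf lines for the hostname case: Squid sees the requested
# hostname, so it can mark its own outgoing connections to matching domains.
# A leading dot in dstdomain matches the domain and all of its subdomains.
gen_squid_conf() {
    domain="$1"
    mark="$2"
    printf 'acl marked_dst dstdomain %s\n' "$domain"
    printf 'tcp_outgoing_mark %s marked_dst\n' "$mark"
}

gen_mark_rules "$SET_NAME" "$MARK_VALUE" "$PREFIXES"
gen_squid_conf ".google.co.in" "$MARK_VALUE"
```

Two caveats worth keeping in mind when adapting this. The Squid mark is applied to the proxy's own upstream connections, so it shows up on the Squid host's outgoing packets, not on the clients' packets in FORWARD, and it only works for traffic that actually goes through the proxy. The ipset approach marks exactly the prefixes in the list and nothing else, so its accuracy is only as good as the freshness of the list feeding it.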