
Re: New to iptables



On 04/01/2017 at 18:20, Dan Ritter wrote:
> On Wed, Jan 04, 2017 at 10:54:53AM -0600, Richard Owlett wrote:

>> One of the links led to _Securing Debian Manual_ and in particular
>> "Appendix F - Security update protected by a firewall"
>> {https://www.debian.org/doc/manuals/securing-debian-howto/ap-fw-security-update.en.html}
>>
>> I follow the description as far as it goes - i.e. access is limited to a
>> specific URL.
>> QUESTION 1
>> What happens if the URL is not "security.debian.org" but my bank.

What URL? Why would you put your bank's URL in sources.list?

> they use a DNS name in a rule, but they
> don't mention that it will be resolved precisely once, at the
> time that the rule is entered, and will be replaced by the
> single IP address that comes back.

Good point.

> What happens if you use a DNS name that doesn't resolve?

Iptables fails to create the rule.

> What happens if you use a DNS name that resolves to several IPs?

Iptables creates one rule for each IP address.
So the ruleset must be designed to handle this situation properly, particularly if the rule uses negation. For example, if you wanted to allow access to any site but one, you could write:

    iptables -A OUTPUT ! -d blacklisted.site -j ACCEPT

But this would be a mistake, because if the domain name resolves to multiple IP addresses, only the first one will be effectively blocked (ACCEPT accepts the packet and stops processing subsequent rules in the chain).

> What happens if you use a DNS name that is dynamically resolved
> to a new IP by a DNS load balancer?

That won't work well, because the rule will be created with one of the IP addresses but connections will be attempted with any of the IP addresses, so at best it will result in retries and delays.

> and so on and so forth. These all cause unexpected situations.

Actually, they cause perfectly expected situations.

>> There will be a separate install of Debian that I will use for "everything
>> else". Can the iptables of that install be set to allow access to any domain
>> *EXCEPT* my bank's? The goal being minimization of "operator error".

If you want to filter URLs, you'd better use a filtering proxy. Iptables is just an IPv4 packet filter.


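An added illustration of the negation pitfall discussed above (editor's example, not from the thread): a small POSIX sh model of first-match chain evaluation, with the name's addresses given as a constructed list instead of a live DNS lookup, that compares the single negated ACCEPT rule with one DROP per resolved address followed by an unconditional ACCEPT. Function names and the chain policy (assumed DROP) are this example's own.

```shell
#!/bin/sh
# Constructed stand-in for the addresses "blacklisted.site" resolves to.
# No live lookup: iptables resolves the name once, when the rule is inserted.
BLACKLISTED_IPS="192.0.2.10 192.0.2.11"

# Emit a chain as "<dst> <verdict> <negated>" lines, one per address, which
# is how a name with several addresses is expanded into several rules.
expand_rule() {            # $1 = address list, $2 = verdict, $3 = "!" or "-"
  for ip in $1; do
    printf '%s %s %s\n' "$ip" "$2" "$3"
  done
}

# The ruleset from the thread: iptables -A OUTPUT ! -d blacklisted.site -j ACCEPT
naive_chain() {
  expand_rule "$BLACKLISTED_IPS" ACCEPT '!'
}

# Corrected form: one DROP per resolved address first, then accept the rest.
safe_chain() {
  expand_rule "$BLACKLISTED_IPS" DROP -
  printf '%s %s %s\n' 0.0.0.0/0 ACCEPT -
}

# First-match evaluation as netfilter does it: the first rule whose
# destination test succeeds (inverted when negated) gives the verdict;
# a packet that reaches the end of the chain gets the policy, DROP here.
verdict() {                # $1 = chain function, $2 = destination address
  result=$("$1" | while read -r dst action neg; do
    if [ "$dst" = 0.0.0.0/0 ] || [ "$dst" = "$2" ]; then match=1; else match=0; fi
    [ "$neg" = '!' ] && match=$((1 - match))
    if [ "$match" -eq 1 ]; then echo "$action"; break; fi
  done)
  echo "${result:-DROP}"
}

verdict naive_chain 192.0.2.11   # ACCEPT: the expanded rule for .10 lets .11 through
verdict safe_chain  192.0.2.11   # DROP
verdict safe_chain  198.51.100.5 # ACCEPT
```

Because the addresses are resolved only once, a name that changes its addresses later (the load-balancer case above) still leaves the old addresses in the chain; an ipset or a filtering proxy is the usual answer when the filter must track names.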