
Wenjian Bill Yang wrote:
I have the following rule in my iptables, and all chains are empty when the server is booted.

-A INPUT -s yahoo.com -j DROP
If you're using iptables-restore[0] before the network comes up[1], then obviously only local resolution methods are available. This applies to protocols, hosts and services -- though nsswitch.conf is only configured for remote resolution of hosts (viz. DNS). Further, the names are resolved once, at ruleset load time.

So the simple answer is to bake them into /etc/hosts, and to find a different way to manage access to hosts like "yahoo.com" -- e.g. an l7 proxy like squid.

Because ruleset loading is atomic (per table), and resolution failures will abort the whole commit, I start my iptables-restore with a DENY ALL ruleset, so that if the "real" ruleset fails, the users will complain, and I'll investigate, and then I'll fix it. (If it failed to ALLOW ALL, I might not hear about it for a long time, which would be BAAAAD.)

This also makes it easier to spot when you accidentally add a remote resolution -- because the ruleset will fail closed immediately, rather than the next time you reboot the router.

I strongly recommend reading TPR: http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf

Here are some examples I prepared earlier:
http://www.cyber.com.au/~twb/doc/iptab
http://www.cyber.com.au/~twb/doc/iptab.nat
http://www.cyber.com.au/~twb/doc/iptab.ips

[0] as you should, to avoid race conditions if the script runs more than once concurrently -- e.g. if you have a four-port ethernet card and you rerun your script when each of them comes up.
[1] as you should, to avoid a window when you are accepting traffic but have no firewall.
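The fail-closed loading sequence described in the reply above, as an added example (this is not the poster's script nor any project's code): commit a DENY ALL ruleset first, then scan the real ruleset for -s/-d arguments that are not IPv4 literals (exactly the names iptables-restore would have to resolve at load time), and only then commit the real ruleset, so a resolution failure or a syntax error leaves the box closed rather than open. iptables-restore is the real tool; the IPTABLES_RESTORE override variable, the function names, the return codes and the deny-all ruleset text are assumptions of this example. It goes slightly beyond the post by rejecting name-bearing rules before load instead of relying on the commit to fail.

```shell
#!/bin/sh
# Added example: fail-closed loading of an iptables-restore ruleset.
# Not the poster's script. Assumes iptables-restore is in PATH; set
# IPTABLES_RESTORE to point at a wrapper (or a mock when testing).
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

# Minimal DENY ALL ruleset for the filter table, in iptables-save format.
# It contains no names, so committing it cannot fail on resolution.
deny_all_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
EOF
}

# Report rules whose -s/-d argument is not an IPv4 literal (address or
# CIDR), i.e. anything iptables-restore would have to resolve by name.
# Prints offending lines to stdout; exit 0 if none found, 1 otherwise.
# IPv4 only: this is for iptables rulesets, not ip6tables.
find_hostname_rules() {
    awk '
    function is_ipv4(v) {
        return v ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/
    }
    {
        for (i = 1; i < NF; i++) {
            if ($i == "-s" || $i == "-d" ||
                $i == "--source" || $i == "--destination") {
                v = $(i + 1)
                if (v == "!" && i + 2 <= NF) v = $(i + 2)   # old "-s ! host" form
                if (!is_ipv4(v)) { print FILENAME ":" NR ": " $0; bad++ }
            }
        }
    }
    END { exit (bad > 0) }' "$1"
}

# Load a ruleset so that any failure leaves the host closed, not open:
#   1. commit DENY ALL
#   2. refuse rulesets that contain names needing resolution
#   3. commit the real ruleset; if iptables-restore aborts, DENY ALL stays
# Return codes (assumed by this example): 0 loaded, 1 deny-all commit
# failed, 2 names found in ruleset, 3 real ruleset rejected.
load_ruleset_fail_closed() {
    ruleset="$1"
    deny_all_ruleset | "$IPTABLES_RESTORE" || return 1
    if ! find_hostname_rules "$ruleset"; then
        echo "$ruleset: contains names needing resolution; staying DENY ALL" >&2
        return 2
    fi
    if ! "$IPTABLES_RESTORE" < "$ruleset"; then
        echo "$ruleset: iptables-restore failed; staying DENY ALL" >&2
        return 3
    fi
}

# Usage: sh load-rules.sh /path/to/rules.v4   (path is an assumption)
if [ $# -gt 0 ]; then
    load_ruleset_fail_closed "$1"
fi
```

Run with the ruleset file as the only argument. Because the DENY ALL commit happens before the real one, a ruleset that still carries a line like `-A INPUT -s yahoo.com -j DROP` is caught by the scan and the host stays closed, which is the "users will complain" failure mode the poster prefers over silently running without a firewall.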