Recipe 2.9 Blocking Outgoing Access to All Web Servers on a Network

2.9.1 Problem

You want to prevent outgoing access to a network, e.g., all web servers at yahoo.com.

2.9.2 Solution

Figure out how to specify the yahoo.com network, e.g., 64.58.76.0/24, and reject web access:

For iptables:

# iptables -A OUTPUT -p tcp -d 64.58.76.0/24 --dport www -j REJECT

For ipchains:

# ipchains -A output -p tcp -d 64.58.76.0/24 --dport www -j REJECT

2.9.3 Discussion

Here the network is specified using Classless InterDomain Routing (CIDR) mask format, a.b.c.d/N, where N is the number of bits in the netmask. In this case, N=24, so the first 24 bits are the network portion of the address.

2.9.4 See Also

iptables(8), ipchains(8).

You can supply hostnames instead of IP addresses in your firewall rules. If DNS reports multiple IP addresses for that hostname, a separate rule will be created for each IP address. For example, www.yahoo.com has (at this writing) 11 IP addresses: $ host www.yahoo.com www.yahoo.com is an alias for www.yahoo.akadns.net. www.yahoo.akadns.net has address 216.109.125.68 www.yahoo.akadns.net has address 64.58.76.227 ... So you could block access to Yahoo, for example, and view the results by: iptables: # iptables -A OUTPUT -d www.yahoo.com -j REJECT # iptables -L OUTPUT ipchains: # ipchains -A output -d www.yahoo.com -j REJECT # ipchains -L output Security experts recommend that you use only IP addresses in your rules, not hostnames, since an attacker could poison your DNS and circumvent rules defined for hostnames. However, the hostnames are relevant only at the moment you run iptables or ipchains to define a rule, as the program looks up the underlying IP addresses immediately and stores them in the rule. So you could conceivably use hostnames for convenience when defining your rules, then check the results (via the output of iptables-save or ipchains-save [Recipe 2.19]) to confirm the IP addresses.