RE: Whitelist with domains that pulls stuff from other domains

Without getting into great detail, I'm quite sure that the Linux kernel Netfilter code doesn't have any concept of DNS. When you specify a DNS hostname in your rules, it just does an A record lookup and stores the IP address in your rules.

If you want to employ an HTTP whitelist on Linux, I recommend using a Web Proxy server like squid. It will allow you to do application layer filtering which would be much easier to implement, and more likely to work.

Joel Gerber
Network Specialist
Network Operations
Eastlink
E: Joel.Gerber@xxxxxxxxxxxxxxxx T: 519.786.1241
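As an added illustration of the squid approach suggested above (this is not code from the thread), a squid.conf fragment that expresses the same whitelist at the application layer. It assumes an explicit proxy on port 3128, so the exempt machines are identified by source IP rather than MAC, and it goes one step beyond the reply by also allowing requests whose Referer is a whitelisted page, which is how embedded third-party content can be let through without enumerating every domain:

```squid
# Added example, not from the original thread.
# Assumptions: squid 3.x, explicit proxy (browsers configured to use it),
# exempt machines have the static addresses 192.0.2.10 and 192.0.2.11.

http_port 3128

# The iptables version exempted two boxes by MAC address; a proxy only
# sees the source IP, so the exemption is expressed by address instead.
acl exempt_hosts src 192.0.2.10 192.0.2.11

# Domains everyone may reach. A leading dot matches the domain itself
# and every subdomain, so www.gamepedia.com and static.toysrus.com match.
acl whitelist dstdomain .gamepedia.com .toysrus.com

# Browsers send a Referer header naming the page that embedded an iframe,
# script or image. Allowing requests whose Referer is a whitelisted page
# lets those pages finish loading without listing each third-party domain.
# Referer is supplied by the client, so this is a convenience for a
# family/content filter, not a security boundary; drop it where that matters.
# CONNECT (HTTPS) requests carry no Referer, so encrypted third-party
# resources are only covered by the dstdomain list.
acl whitelisted_referer referer_regex -i ^https?://([^/]+\.)?(gamepedia|toysrus)\.com/

# Rules are evaluated top to bottom; the final deny replaces the
# "REJECT --reject-with icmp-proto-unreachable" catch-all.
http_access allow exempt_hosts
http_access allow whitelist
http_access allow whitelisted_referer
http_access deny all
```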

-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Martin Braun
Sent: April-21-14 12:54 AM
To: netfilter@xxxxxxxxxxxxxxx
Subject: Whitelist with domains that pulls stuff from other domains

Hi

I wanted to make a white list using the settings below.

<SNIP>
iptables -N wanout
iptables -I FORWARD -i `nvram get lan_ifname` -j wanout

iptables -I wanout -m mac --mac-source 01:26:f7:46:71:4b -j ACCEPT
iptables -I wanout -m mac --mac-source d2:37:b5:f2:39:f3 -j ACCEPT

iptables -I wanout -d gamepedia.com -j ACCEPT
iptables -I wanout -d toysrus.com -j ACCEPT

iptables -A wanout -j REJECT --reject-with icmp-proto-unreachable
</SNIP>

So the boxes with the MACs specified are exempt from blocking. The domains "gamepedia.com" and "toysrus.com" are accessible to all.

But the problem is that those domains pull stuff in from other domains using <iframe> or something, which means the iptables rules block the website from loading completely.

How do I deal with that in the best way? I don't want to look up everything they pull in and white list that as well. Also it might change.

Isn't there a way to say "accept all from this domain, even unrelated stuff"?

Kind regards.
--