[CentOS] IPTABLES and Hi-Risk blocking

Fri Nov 27 19:00:40 UTC 2009
Ryan Lynch <ryan.b.lynch at gmail.com>

On Fri, Nov 27, 2009 at 12:32, Eero Volotinen <eero.volotinen at iki.fi> wrote:
>
>>
>> Without debating the merits of such claims, how would one proceed to
>> block internal network access to specific domain names using CentOS?
>
> Using a transparent proxy server is the best way to block this kind of
> service. You can use the squid package to set up a transparent proxy server.


I agree with the parent poster. Squid (or any other advanced proxy
server) is probably the best way to deal with this. But for the sake
of argument--say, in case you can't use a proxy for some reason,
IPTables has some *limited* application here.

IPTables will accept a DNS host/domain name in place of an IP address
in an 'iptables' command. But the rule it creates doesn't actually use
the DNS name--it just performs a lookup when you add the rule, and
then adds a rule for whatever IP address it found.

If Facebook only operated a single web server, and if the DNS hostname
'www.facebook.com' always resolved to that particular IP address, this
would work OK. You could either specify 'www.facebook.com' in your
IPTables blocking rule, or look up the IP address manually and specify
it directly in your rule.

The unfortunate reality is that FB operates dozens (maybe hundreds) of
web servers, and any given browser's HTTP request to
'www.facebook.com' might be answered by any one of those web servers.
And they don't use a straightforward, static DNS mechanism. The
'facebook.com' DNS servers will respond differently depending on where
the request originates and (I presume) on the current load status of
their global web server pool. So, under normal conditions, clients
will usually be directed to the closest (lowest-latency) web server.
And if your closest web server's load rises high enough, you'll instead
be directed to a further-away, less busy server.

I just took a few samples from a collection of servers I operate that
are scattered throughout the continental US, over the course of
several minutes. I see very little stability in the DNS responses, but
it appears that the pool is pretty small.

You could write a short script that runs from 'cron' every few minutes
and performs a DNS lookup for 'www.facebook.com', and adds the result
to a running list of FB IP addresses, and then adds another IPTables
blocking rule anytime it finds a new IP. This is similar to how some
popular anti-SSH-dictionary-attack-bot scripts operate. It's not
perfect, but it would be pretty effective, and it doesn't require much
effort.

Honestly, though, you're probably better off using Squid. If I had the
option, that's what I would do.

Good luck.

-Ryan
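The cron-driven lookup-and-block scheme Ryan sketches above, written out as an added shell script that is not part of the original thread. It assumes 'dig' is installed, that it runs as root on a gateway whose client traffic crosses the FORWARD chain, an iptables new enough to support '-C' for the duplicate-rule check, and an assumed state-file location under /var/lib/blocklist.

```shell
#!/bin/sh
# Added example, not code from the thread: Ryan's cron-driven scheme.
# Each run resolves HOST, records every address ever seen in STATE,
# and adds a DROP rule only for addresses seen for the first time.
HOST="${HOST:-www.facebook.com}"
STATE="${STATE:-/var/lib/blocklist/$HOST.txt}"
CHAIN="${CHAIN:-FORWARD}"   # chain client traffic crosses on the gateway (assumed)
DRY_RUN="${DRY_RUN:-0}"     # 1 = print iptables commands instead of running them

# Keep only dotted-quad lines; 'dig +short' also prints CNAME targets.
only_ipv4() { grep -E '^[0-9]+(\.[0-9]+){3}$'; }
resolve_ipv4() { dig +short A "$1" | only_ipv4; }

# Read addresses on stdin; print the ones not yet in the state file and
# append them to it. Exit status is non-zero when nothing new turned up.
record_new() {
    state="$1"
    found=1
    mkdir -p "$(dirname "$state")" && touch "$state"
    while read -r ip; do
        [ -n "$ip" ] || continue
        if ! grep -qxF -- "$ip" "$state"; then
            printf '%s\n' "$ip" >> "$state"
            printf '%s\n' "$ip"
            found=0
        fi
    done
    return "$found"
}

# Insert one DROP rule unless it is already present (iptables -C exits 0 then).
block_ip() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -I $CHAIN -d $1 -j DROP"
        return 0
    fi
    iptables -C "$CHAIN" -d "$1" -j DROP 2>/dev/null && return 0
    iptables -I "$CHAIN" -d "$1" -j DROP
}

main() {
    resolve_ipv4 "$HOST" | record_new "$STATE" | while read -r ip; do
        block_ip "$ip"
    done
}

# Act only when invoked as 'blocklist.sh run' (e.g. from cron every 5 min);
# sourcing the file just defines the functions for reuse or testing.
case "${1:-}" in run) main ;; esac
```

Run it once as `DRY_RUN=1 ./blocklist.sh run` to see which rules it would add before letting cron apply them.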