
To block personal emails on a corporate network, I've blocked FORWARD to mail.google.com and mail.live.com. The following is how iptables resolved those addresses:

$ sudo iptables -L

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Mail-Forward-Block  all  --  anywhere             anywhere         

Chain Mail-Forward-Block (2 references)
target     prot opt source               destination            
REJECT     all  --  anywhere             lhr14s24-in-f5.1e100.net  reject-with icmp-port-unreachable
REJECT     all  --  anywhere             lhr08s07-in-f5.1e100.net  reject-with icmp-port-unreachable
REJECT     all  --  anywhere             origin.du113w.dub113.mail.live.com  reject-with icmp-port-unreachable
REJECT     all  --  anywhere             origin.du114w.dub114.mail.live.com  reject-with icmp-port-unreachable

nslookup for comparison (192.168.0.10 is Samba running its internal DNS and forwards lookups to 8.8.8.8):

$ nslookup mail.google.com
Server:     192.168.0.10
Address:    192.168.0.10#53

Non-authoritative answer:
mail.google.com canonical name = googlemail.l.google.com.
Name:   googlemail.l.google.com
Address: 216.58.208.69

$ nslookup mail.live.com
Server:     192.168.0.10
Address:    192.168.0.10#53

Non-authoritative answer:
mail.live.com   canonical name = dispatch.kahuna.glbdns2.microsoft.com.
Name:   dispatch.kahuna.glbdns2.microsoft.com
Address: 157.56.195.156
Name:   dispatch.kahuna.glbdns2.microsoft.com
Address: 157.55.235.51

Obviously, that did not block anything. Re-adding the same rules somehow made the iptables addresses on par with nslookup. But why the difference at all? Can't we make iptables do a reverse DNS lookup and check if it matches those domains?

1 Answer


Short answer: No. iptables rules affect IP addresses, not domain names. That's why it's called iptables.

At the network layer where iptables operates, domain names are essentially irrelevant. When you use a domain name with an iptables rule, a DNS lookup is performed and the domain name is resolved to an IP address, and the IP address at that particular moment in time is used in the rule. If the domain is updated and the A record points to a different IP, iptables will know nothing about the change.

What you want to do (block certain web sites like gmail) is probably better done with a web proxy like squid. This will allow you to log and monitor web usage, and there are add-ons like squidguard to help manage allow/deny lists.

If you want to block access to external smtp, then block the relevant ports (e.g. 25, 465, 587) to force local machines on the network to use your local smtp gateway - where you can control mail.

  • I've settled for using --string mail.google.com for the moment. But why do the rules show CNAMEs? Commented Oct 8, 2015 at 11:51
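The following is an added example (not code from the question or the answer) that models what the answer describes: when iptables is handed a hostname, the name is resolved once, at rule-insertion time, and only the addresses returned at that instant are stored. The script builds the REJECT rules from a resolver, checks them later against a second resolver to show which current addresses the rules no longer cover, and emits the usual workaround when a proxy is not an option: keeping the addresses in an `ipset` that a cron job refreshes atomically with `ipset swap`. The two snapshot tables are constructed for the example; the first reuses the addresses from the nslookup output above, the second uses TEST-NET-1 addresses (192.0.2.0/24) to stand in for a later, different DNS answer. The chain name `Mail-Forward-Block` is taken from the question; the set name `mailblock` is an assumption.

```python
"""Model of hostname-based iptables rules: resolved once, then frozen.

Added example, not from the original post. Demonstrates why a rule written
with '-d mail.google.com' stops matching once the A record changes, and how
an ipset refreshed from DNS avoids that.
"""
import re
import socket
from typing import Callable, Dict, Iterable, List, Set

# A resolver maps a hostname to the IPv4 addresses it answers with right now.
Resolver = Callable[[str], List[str]]

HOSTS = ["mail.google.com", "mail.live.com"]

# Constructed snapshot 1: the addresses the nslookup output in the question showed.
SNAPSHOT_T0: Dict[str, List[str]] = {
    "mail.google.com": ["216.58.208.69"],
    "mail.live.com": ["157.56.195.156", "157.55.235.51"],
}
# Constructed snapshot 2: a later answer where one record stayed and two moved
# (TEST-NET-1 addresses, invented for the example).
SNAPSHOT_T1: Dict[str, List[str]] = {
    "mail.google.com": ["192.0.2.10"],
    "mail.live.com": ["157.56.195.156", "192.0.2.20"],
}


def resolve_a_records(host: str) -> List[str]:
    """Live resolver (needs network): every IPv4 address the host resolves to now."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def make_snapshot_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Offline resolver backed by a fixed table: DNS as seen at one instant."""
    return lambda host: list(table.get(host, []))


def build_reject_rules(hosts: Iterable[str], chain: str = "Mail-Forward-Block",
                       resolve: Resolver = resolve_a_records) -> List[str]:
    """What 'iptables -A CHAIN -d HOST -j REJECT' actually stores.

    iptables resolves HOST when the rule is added and writes one rule per
    address returned; the hostname itself is never kept.
    """
    rules = []
    for host in hosts:
        for ip in resolve(host):
            rules.append(f"iptables -A {chain} -d {ip} -j REJECT "
                         f"--reject-with icmp-port-unreachable")
    return rules


_DST = re.compile(r"\s-d\s+(\d+\.\d+\.\d+\.\d+)\b")


def rule_addresses(rules: Iterable[str]) -> Set[str]:
    """Extract the destination addresses frozen into a rule list."""
    return {m.group(1) for r in rules for m in [_DST.search(r)] if m}


def check_coverage(rules: Iterable[str], hosts: Iterable[str],
                   resolve: Resolver) -> Dict[str, List[str]]:
    """Compare stored rules with what the hosts resolve to now.

    'unblocked': current addresses with no rule (traffic gets through).
    'stale':     rule addresses the hosts no longer answer with (dead rules).
    """
    blocked = rule_addresses(rules)
    current = {ip for host in hosts for ip in resolve(host)}
    return {"unblocked": sorted(current - blocked),
            "stale": sorted(blocked - current)}


def ipset_refresh_commands(setname: str, hosts: Iterable[str],
                           resolve: Resolver) -> List[str]:
    """Commands to rebuild an ipset from DNS without a window where it is empty.

    Fill a temporary set, then swap it into place so the single iptables rule
    '-m set --match-set SETNAME dst' keeps matching throughout.
    """
    tmp = f"{setname}-tmp"
    cmds = [f"ipset create {setname} hash:ip -exist",
            f"ipset create {tmp} hash:ip -exist",
            f"ipset flush {tmp}"]
    for host in hosts:
        for ip in resolve(host):
            cmds.append(f"ipset add {tmp} {ip} -exist")
    cmds += [f"ipset swap {tmp} {setname}", f"ipset destroy {tmp}"]
    return cmds


# The one rule that references the set; it never needs re-adding.
IPSET_MATCH_RULE = ("iptables -A FORWARD -m set --match-set mailblock dst "
                    "-j REJECT --reject-with icmp-port-unreachable")


if __name__ == "__main__":
    at_t0 = make_snapshot_resolver(SNAPSHOT_T0)
    at_t1 = make_snapshot_resolver(SNAPSHOT_T1)
    rules = build_reject_rules(HOSTS, resolve=at_t0)
    print("\n".join(rules))
    print(check_coverage(rules, HOSTS, at_t1))
    print("\n".join(ipset_refresh_commands("mailblock", HOSTS, at_t1)))
    print(IPSET_MATCH_RULE)
```

Two checks worth doing on the real box: list the chain with `iptables -nL` rather than `iptables -L`, because without `-n` iptables reverse-resolves each stored address to its PTR name at listing time, which is why the question's output shows `*.1e100.net` and `*.mail.live.com` hostnames that differ from the forward names used when the rules were written; and run `check_coverage` (with the live `resolve_a_records`) from cron, since a non-empty `unblocked` list means the frozen rules have already drifted from DNS.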
