iptables block host name instead of ip address

How do I block traffic to a specific hostname? For example, formatting link:

host formatting link
formatting link is an alias for formatting link
formatting link has address 166.63.208.155
formatting link has address 207.68.172.241
formatting link has address 208.173.208.152

Now I insert all the separate IP addresses so traffic to formatting link is blocked.

However, when the IP addresses change, people can go to formatting link again, without notice.

Can this be done with iptables or perhaps some other way?

Kind Regards


I would set up squid - formatting link - and configure your client computers to use it. Then you can easily control access to anything.

For example, to deny access to hotmail.com (the deny lines must come before any http_access allow rule in squid.conf):

acl nohotmail1 dstdomain .hotmail.com
http_access deny nohotmail1

acl nohotmail2 dstdomain .hotmail.com.nsatc.net
http_access deny nohotmail2

There may be a way to do it using iptables, but this just seems easier.

Reply to
amputee

The web is a wonderful resource often overlooked:-

formatting link

Excerpt:- Specifying Source and Destination IP Addresses

Source (`-s', `--source' or `--src') and destination (`-d', `--destination' or `--dst') IP addresses can be specified in four ways. The most common way is to use the full name, such as `localhost' or `formatting link'. The second way is to specify the IP address such as `127.0.0.1'.

Reply to
Mike
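One thing the HOWTO excerpt above does not say: when you give iptables a hostname in -s or -d, it resolves the name once, at the moment the rule is inserted, and adds one rule per address it got back. The rules never follow later DNS changes, which is exactly the problem in the original question. The script below is an added example (not code from the thread or from the iptables project) of the usual workaround: re-resolve the name on a schedule and add or remove REJECT rules so a dedicated chain always matches the current set of addresses. The target name, the chain name BLOCKHOST, hooking the chain into FORWARD (assuming the box is a gateway), the use of the `host` utility and the sample `host` output are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: keep an iptables chain in sync
# with whatever IPv4 addresses a hostname currently resolves to.  iptables
# resolves a hostname only when the rule is inserted, so this script is
# meant to be re-run from cron (e.g. every 10 minutes) to refresh the rules.
# Assumptions for illustration: the target name, the chain name BLOCKHOST,
# hooking the chain into FORWARD (a gateway box), and the `host` utility.

BLOCKED_HOST="${BLOCKED_HOST:-www.hotmail.com}"   # assumed target name
CHAIN="${CHAIN:-BLOCKHOST}"                         # assumed chain name

# Constructed sample of `host` output (not a real lookup), used by dry_run.
SAMPLE_HOST_OUTPUT='www.example.invalid is an alias for cname.example.invalid.
cname.example.invalid has address 166.63.208.155
cname.example.invalid has address 207.68.172.241
cname.example.invalid has IPv6 address 2001:db8::1'

# Pull the IPv4 addresses out of `host` output read from stdin.
# IPv6 lines ("has IPv6 address") deliberately do not match.
parse_host_addresses() {
    sed -n 's/^.* has address \([0-9.]*\)$/\1/p' | sort -u
}

# Print the iptables commands that turn the address set in $1 (currently in
# the chain) into the set in $2 (wanted).  Both are space separated lists.
# This only prints; the caller decides whether to execute the commands.
plan_rule_changes() {
    current="$1"
    wanted="$2"
    for ip in $wanted; do
        case " $current " in
            *" $ip "*) ;;                        # already blocked
            *) echo "iptables -A $CHAIN -d $ip -j REJECT" ;;
        esac
    done
    for ip in $current; do
        case " $wanted " in
            *" $ip "*) ;;                        # still wanted
            *) echo "iptables -D $CHAIN -d $ip -j REJECT" ;;
        esac
    done
}

# Addresses currently in the chain, read back from `iptables -S`, which
# prints lines like "-A BLOCKHOST -d 1.2.3.4/32 -j REJECT ...".  Needs root.
current_addresses() {
    iptables -S "$CHAIN" 2>/dev/null \
        | sed -n 's/^-A '"$CHAIN"' -d \([0-9.]*\)\/32 -j REJECT.*/\1/p' \
        | tr '\n' ' '
}

# Show what a sync would do for the constructed sample against an empty chain.
dry_run() {
    wanted=$(printf '%s\n' "$SAMPLE_HOST_OUTPUT" | parse_host_addresses | tr '\n' ' ')
    plan_rule_changes "" "$wanted"
}

# Real sync: create the chain, hook it into FORWARD once, then apply the plan.
# If resolution returns nothing (DNS outage), leave the existing rules alone
# rather than deleting them all.
sync_once() {
    iptables -N "$CHAIN" 2>/dev/null || true
    iptables -C FORWARD -j "$CHAIN" 2>/dev/null || iptables -I FORWARD -j "$CHAIN"
    wanted=$(host "$BLOCKED_HOST" | parse_host_addresses | tr '\n' ' ')
    if [ -z "$wanted" ]; then
        echo "no addresses for $BLOCKED_HOST, keeping current rules" >&2
        return 1
    fi
    plan_rule_changes "$(current_addresses)" "$wanted" | sh -e
}

case "${1:-}" in
    --sync) sync_once ;;   # e.g. cron: */10 * * * * /usr/local/sbin/blockhost.sh --sync
    *) dry_run ;;          # no argument: just print the plan for the sample
esac
```

Run without arguments it prints the commands it would issue for the sample output; with --sync (as root) it applies them. The diff-style plan matters: blindly flushing and refilling the chain would briefly let traffic through on every refresh, and the empty-result guard keeps a DNS hiccup from removing every rule.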

Have you tried a rule specifying the hostname, rather than the IP? That worked with IPCHAINS, though it wasn't very efficient.

Yeah, it's a CNAME which translates to a lot of different IPs.

A better solution is to run your own DNS server, and make it return an NXDOMAIN answer or have it return a specific IP like 1.2.3.4 and then reject that on the firewall. Of course, if they are smart, they can tell their own resolver to try other name servers, so you'd want to block (or redirect) DNS queries as well.

Have you also looked at using a proxy server, and blocking unwanted sites there?

I notice you also posted this separately to comp.os.linux.security, though it's not really on topic there, and comp.os.linux.networking. Please don't multipost. If you feel that it's really appropriate to more than one news group, use 'cross-posting' (where you list ALL of the newsgroups, comma separated, in one article's newsgroup header). Also be sure to include a 'Followups-to:' header pointing to ONE group where you can see all the replies.

Old guy

Reply to
Moe Trin
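The DNS approach in the reply above, as an added example that is not part of the thread: the gateway's own resolver answers the blocked names with a sinkhole address, the firewall rejects anything sent to that address, and DNS queries from the LAN that try to reach some other name server are redirected back to the gateway so clients cannot bypass it by changing their resolver. It assumes dnsmasq as the resolver (reading /etc/dnsmasq.d/), a LAN interface name, the gateway's LAN address and a sinkhole address from the TEST-NET-1 range; the domain names are the ones mentioned earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: the "run your own DNS server"
# approach.  dnsmasq on the gateway answers the blocked names with a
# sinkhole address, the firewall rejects traffic to that address, and
# client DNS queries aimed at other resolvers are redirected to the gateway.
# Assumptions for illustration: dnsmasq with conf-dir=/etc/dnsmasq.d and
# listening on the LAN interface, the interface name, the gateway's LAN
# address and the sinkhole address.

LAN_IF="${LAN_IF:-eth1}"                    # assumed inside interface
GATEWAY_IP="${GATEWAY_IP:-192.168.1.1}"     # assumed address of this box on the LAN
SINKHOLE="${SINKHOLE:-192.0.2.1}"           # assumed unused address (TEST-NET-1)

# dnsmasq config lines: address=/domain/ip answers the domain and every name
# under it with the sinkhole address, so a CNAME chain under the domain does
# not help the client.  One line per domain given as an argument.
sinkhole_config() {
    for d in "$@"; do
        echo "address=/$d/$SINKHOLE"
    done
}

# iptables commands: reject anything headed for the sinkhole (forwarded from
# the LAN and from the gateway itself), and DNAT all LAN DNS traffic to the
# local dnsmasq so pointing a client at another name server changes nothing.
firewall_rules() {
    cat <<EOF
iptables -A FORWARD -d $SINKHOLE -j REJECT --reject-with icmp-host-unreachable
iptables -A OUTPUT -d $SINKHOLE -j REJECT --reject-with icmp-host-unreachable
iptables -t nat -A PREROUTING -i $LAN_IF -p udp --dport 53 -j DNAT --to-destination $GATEWAY_IP
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 53 -j DNAT --to-destination $GATEWAY_IP
EOF
}

# Apply both halves (root required); the domains to block are the arguments.
# dnsmasq does not re-read its config on SIGHUP, so it is restarted.
apply() {
    sinkhole_config "$@" > /etc/dnsmasq.d/sinkhole.conf
    firewall_rules | sh -e
    systemctl restart dnsmasq   # assumes a systemd-managed dnsmasq
}

case "${1:-}" in
    --apply) shift; apply "$@" ;;   # e.g. ./dns-sinkhole.sh --apply hotmail.com hotmail.com.nsatc.net
    *) sinkhole_config hotmail.com hotmail.com.nsatc.net; firewall_rules ;;   # preview only
esac
```

Without arguments it only prints the config and rules it would apply. The REJECT on the sinkhole address is what actually stops the traffic; without it the clients would just get a connection timeout, and with a host-unreachable ICMP they fail fast instead. The DNAT pair is the "block (or redirect) DNS queries" part of the advice: it covers clients that have been told to use some other resolver, but only for plain port 53 queries.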

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.