I would like my web server to refuse to answer queries to a domain name. In Iptables I have added to my iptables file:
-A INPUT -p tcp --dport 80 -m string --string "Host: mydomain.example" --algo bm -j REJECT
However, no rejection packet is received. I get a timeout from the client side. I would like the other end to be aware that the web server blocks this domain.
On the client side, right now I get:
MacBook-Pro-de-nicolas:~ nicolasguerinet$ curl mydomain.example
curl: (56) Recv failure: Operation timed out
I would like a "connection refused" error.
Posting netfilter ("iptables") firewall rules in isolation makes it difficult to analyse problems, since your firewall inspects traffic in the specific order the rules are listed and the effective behaviour depends a lot on that order.
I think I understand what you're trying to achieve, and I also think your approach is fundamentally flawed, sorry.
Most Linux firewall configurations are stateful, and once a connection is allowed all subsequent traffic over that connection is also allowed without further inspection. Since the web browser will only send the HTTP "Host:" header once the TCP/IP connection has been established, your rule will never be applicable.

If you do succeed in blocking the TCP packet with the "Host:" header, that is the only thing that happens. That is not quite enough for "the other end to be aware that the web server blocks this domain", only that the established connection has suddenly been terminated.

A much better solution IMHO is to set up either a virtual host for the domain you wish to block (or set up a default virtual host that handles requests for any and all domain names that are NOT explicitly configured) and set up that virtual host to generate an HTTP error that web browsers will understand. This answer explains how to do that with Apache, but you can do similar in nginx or other web servers.
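As an added illustration of the virtual-host approach the answer recommends (this is example configuration, not the linked answer's own text), the Apache 2.4 fragment below uses the domain from the question, returns 403 Forbidden for the blocked name and for any name not explicitly configured, and serves a real site normally; the site name, document root and listener are assumptions.

```apache
# Added example: answer blocked names with an HTTP error instead of dropping
# packets in iptables. Assumes Apache 2.4 listening on *:80; www.example.org
# and /var/www/example.org are placeholders for the real site.

# The first <VirtualHost> for a given address:port is the default. It handles
# every request whose Host: header matches no other ServerName/ServerAlias,
# so unknown names get a clear 403 rather than a hanging connection.
<VirtualHost *:80>
    ServerName default.invalid
    # Redirect with a non-3xx status and no target URL returns that status
    # for every path, so no DocumentRoot is needed here.
    Redirect 403 /
</VirtualHost>

# The domain from the question: refuse it explicitly with 403 Forbidden.
<VirtualHost *:80>
    ServerName mydomain.example
    ServerAlias www.mydomain.example
    Redirect 403 /
</VirtualHost>

# The site you actually want to serve (placeholder name and path).
<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot /var/www/example.org
    <Directory /var/www/example.org>
        Require all granted
    </Directory>
</VirtualHost>
```

With this in place, `curl -i http://mydomain.example/` receives `HTTP/1.1 403 Forbidden` immediately instead of the `Recv failure` timeout shown in the question, and the blocked requests appear in the access log like any other request.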