12-06-2006
ynotssor
Re: iptables block by domain name?

In news:jX1dh.1263$Qm2.309@read1.cgocable.net,
Ken Williams <kenw232@yahoo.com> wrote:

> I'm using connlimit for iptables to not allow more than say 5
> connections from one IP address or subnet. For example this (with a
> default block rule) will only allow 5 or less connections from a
> single IP address to port 25:
>
> iptables -A INPUT -p tcp -i eth0 --dport 25 -m connlimit !
> --connlimit-above 5 -j ACCEPT
>
>
> This is fine. But now I'm seeing sources (like frontbridge.com)
> coming from all over the place when they want to deliver something.
> I get like 25 connections in a 30 second span which drags things down
> huge.
>
> Does anyone know how I can use connlimit (or whatever) to
> block/throttle by domain like *.frontbridge.com instead of address?
>
> I can't do it by address or subnet as shown below (because they're all
> over the place):
>
> 6488 root \_ sendmail: kB4MwWlG006488
> outbound-dub.frontbridge.com [213.199.154.16]: DATA
> 6489 root \_ sendmail: kB4MwWVb006489
> outbound-blu.frontbridge.com [65.55.251.16]: DATA
> 6496 root \_ sendmail: kB4MwZ4U006496
> outbound-cpk.frontbridge.com [207.46.163.16]: DATA
> 6500 root \_ sendmail: kB4MwcTI006500

....

Mssr. Heiming's suggestion of utilizing sendmail's ratecontrol and
conncontrol (see the entries in the cf/README file in the source
distribution including the "CONNECTION CONTROL" section) is the preferred
method.

You'll still have to utilize the cidr subnet notation in the access file and
then the contrib/cidrexpand Perl script in the source distribution to create
a working access file before makemap'ing the access.db.

This means one has to know the cidr notations required, which can sometimes
be a bit of a task ... frontbridge.com is an excellent example, and you're
going to require this information whether you use the sendmail
{rate,conn}control or your iptables connlimit solution.

If you'll examine
http://www.senderbase.org/search?sea...Order=ip%20asc
you'll see the IP addresses listed in the left column. Clicking on any of
those addresses will lead you to the cidr notations required, and it will
require several to cover all the problem addresses in your OP and the left
column. Or you might wish to just copy those first-column addresses and
forget the remaining cidr addresses of which they're a part.

Not a trivial task but certainly easily accomplished.

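One way to turn a CIDR list into the sendmail access-map entries this reply describes, as an added shell example that is not part of the thread. The /24 blocks are constructed from the addresses in the OP rather than real allocations, and it assumes FEATURE(`conncontrol') and FEATURE(`ratecontrol') are enabled in sendmail.mc and that the cidrexpand shipped with your sendmail version rewrites the tagged ClientConn:/ClientRate: keys (check cf/README).

```shell
#!/bin/sh
# Added example, not from the thread: build access-map entries that apply
# sendmail conncontrol/ratecontrol limits to a list of CIDR blocks.
# Constructed sample: the /24s containing the OP's frontbridge addresses.
CIDRS="213.199.154.0/24 65.55.251.0/24 207.46.163.0/24"

# Emit ClientConn (max simultaneous connections) and ClientRate (max new
# connections per minute) entries for each block.  cidrexpand later
# rewrites the CIDR keys into the prefix form the access map expects.
gen_access_entries() {
    max_conn=$1
    max_rate=$2
    shift 2
    for net in "$@"; do
        printf 'ClientConn:%s\t%s\n' "$net" "$max_conn"
        printf 'ClientRate:%s\t%s\n' "$net" "$max_rate"
    done
}

# Expand CIDR keys and rebuild the .db; returns 1 when the sendmail tools
# are not installed so the caller can fall back to inspecting the text.
build_access_db() {
    src=$1
    command -v cidrexpand >/dev/null 2>&1 || return 1
    command -v makemap >/dev/null 2>&1 || return 1
    cidrexpand < "$src" | makemap hash "$src"   # makemap appends .db itself
}

# Print the entries; to install them, redirect into /etc/mail/access
# (alongside any existing entries) and run: build_access_db /etc/mail/access
gen_access_entries 5 10 $CIDRS
```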