This is a discussion on "iptables block by domain name?" within the Linux Security forums, part of the System Security and Security Related category.
I'm using connlimit for iptables to not allow more than say 5 connections from one IP address or subnet. For example this (with a default block rule) will only allow 5 or less connections from a single IP address to port 25:

    iptables -A INPUT -p tcp -i eth0 --dport 25 -m connlimit ! --connlimit-above 5 -j ACCEPT

This is fine. But now I'm seeing sources (like frontbridge.com) coming from all over the place when they want to deliver something. I get like 25 connections in a 30 second span which drags things down huge.

Does anyone know how I can use connlimit (or whatever) to block/throttle by domain like *.frontbridge.com instead of address?

I can't do it by address or subnet as shown below (because they're all over the place):

    6488 root \_ sendmail: kB4MwWlG006488 outbound-dub.frontbridge.com [213.199.154.16]: DATA
    6489 root \_ sendmail: kB4MwWVb006489 outbound-blu.frontbridge.com [65.55.251.16]: DATA
    6496 root \_ sendmail: kB4MwZ4U006496 outbound-cpk.frontbridge.com [207.46.163.16]: DATA
    6500 root \_ sendmail: kB4MwcTI006500 outbound-sin.frontbridge.com [207.46.51.80]: DATA
    6512 root \_ sendmail: kB4Mwdu8006512 outbound-dub.frontbridge.com [213.199.154.16]: DATA
    6513 root \_ sendmail: kB4MwdUn006513 outbound-dub.frontbridge.com [213.199.154.16]: DATA
    6520 root \_ sendmail: kB4Mwe73006520 outbound-cpk.frontbridge.com [207.46.163.16]: DATA
    6524 root \_ sendmail: kB4Mwf2Y006524 outbound-dub.frontbridge.com [213.199.154.16]: DATA
    6528 root \_ sendmail: kB4MwfJ0006528 outbound-dub.frontbridge.com [213.199.154.16]: DATA
    6536 root \_ sendmail: kB4MwhDU006536 outbound-blu.frontbridge.com [65.55.251.16]: DATA
    6540 root \_ sendmail: kB4MwhJ9006540 outbound-sin.frontbridge.com [207.46.51.80]: DATA
    (many more...)

thanks
kenw232@yahoo.com
[ crossposted to cms + Followup-To -> cms ; Seems much more about sendmail than Linux/security ]

In comp.os.linux.security Ken Williams <kenw232@yahoo.com>:
> I'm using connlimit for iptables to not allow more than say 5
> connections from one IP address or subnet. For example this (with a
> default block rule) will only allow 5 or less connections from a single
> IP address to port 25:
> iptables -A INPUT -p tcp -i eth0 --dport 25 -m connlimit !
> --connlimit-above 5 -j ACCEPT
> This is fine. But now I'm seeing sources (like frontbridge.com) coming
> from all over the place when they want to deliver something. I get like
> 25 connections in a 30 second span which drags things down huge.
> 6512 root \_ sendmail: kB4Mwdu8006512
> outbound-dub.frontbridge.com [213.199.154.16]: DATA
> 6513 root \_ sendmail: kB4MwdUn006513
> outbound-dub.frontbridge.com [213.199.154.16]: DATA
> 6520 root \_ sendmail: kB4Mwe73006520
> outbound-cpk.frontbridge.com [207.46.163.16]: DATA

Recent sendmail versions have a connection rate control feature which might be useful to you? Though I am not sure if those systems try delivering legitimate mail or just spam? It seems ratware tends to open more connections as soon as you start slowing them down. Allowing not more than one smtp connection per host, despite a few trusted hosts, seems to help somehow. Quite some ratware seems of the same type, trying to open 3-4 more connections immediately, though there is some (very seldom) incredibly broken stuff out trying to open >150 connections in 3 seconds...

Probably you can use some milter for the task? However 25 more or less connections shouldn't do much if anything to sendmail on a halfway reasonably sized box. A problem might be SA, which tends to use quite some RAM, did you check if you are running out of RAM? Starting to page constantly usually drops down performance tremendously on any *nix box.

Good luck
--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 306: CPU-angle has to be adjusted because of vibrations coming from the nearby road
1. IPtables will resolve the DNS name before running the command. You will have to use an application proxy to block entire domains.

2. If you want to totally block M$ you could pull the IPs from the log files using a scripting language (thinking sed/awk or perl) and dynamically throw these addresses into a file. Then have your IPtables script pull these addresses whenever the service is restarted. LinuxJournal had a good article about this earlier this year: http://www.linuxjournal.com/article/8706

Ken Williams wrote:
> I'm using connlimit for iptables to not allow more than say 5
> connections from one IP address or subnet. For example this (with a
> default block rule) will only allow 5 or less connections from a single
> IP address to port 25:
>
> iptables -A INPUT -p tcp -i eth0 --dport 25 -m connlimit !
> --connlimit-above 5 -j ACCEPT
>
>
> This is fine. But now I'm seeing sources (like frontbridge.com) coming
> from all over the place when they want to deliver something. I get like
> 25 connections in a 30 second span which drags things down huge.
>
> Does anyone know how I can use connlimit (or whatever) to block/throttle
> by domain like *.frontbridge.com instead of address?
>
> I can't do it by address or subnet as shown below (because they're all
> over the place):
>
> 6488 root \_ sendmail: kB4MwWlG006488 outbound-dub.frontbridge.com
> [213.199.154.16]: DATA
> 6489 root \_ sendmail: kB4MwWVb006489 outbound-blu.frontbridge.com
> [65.55.251.16]: DATA
> 6496 root \_ sendmail: kB4MwZ4U006496 outbound-cpk.frontbridge.com
> [207.46.163.16]: DATA
> 6500 root \_ sendmail: kB4MwcTI006500 outbound-sin.frontbridge.com
> [207.46.51.80]: DATA
> 6512 root \_ sendmail: kB4Mwdu8006512 outbound-dub.frontbridge.com
> [213.199.154.16]: DATA
> 6513 root \_ sendmail: kB4MwdUn006513 outbound-dub.frontbridge.com
> [213.199.154.16]: DATA
> 6520 root \_ sendmail: kB4Mwe73006520 outbound-cpk.frontbridge.com
> [207.46.163.16]: DATA
> 6524 root \_ sendmail: kB4Mwf2Y006524 outbound-dub.frontbridge.com
> [213.199.154.16]: DATA
> 6528 root \_ sendmail: kB4MwfJ0006528 outbound-dub.frontbridge.com
> [213.199.154.16]: DATA
> 6536 root \_ sendmail: kB4MwhDU006536 outbound-blu.frontbridge.com
> [65.55.251.16]: DATA
> 6540 root \_ sendmail: kB4MwhJ9006540 outbound-sin.frontbridge.com
> [207.46.51.80]: DATA
> (many more...)
>
>
> thanks
> kenw232@yahoo.com
In news:jX1dh.1263$Qm2.309@read1.cgocable.net,
Ken Williams <kenw232@yahoo.com> wrote:
> I'm using connlimit for iptables to not allow more than say 5
> connections from one IP address or subnet. For example this (with a
> default block rule) will only allow 5 or less connections from a
> single IP address to port 25:
>
> iptables -A INPUT -p tcp -i eth0 --dport 25 -m connlimit !
> --connlimit-above 5 -j ACCEPT
>
>
> This is fine. But now I'm seeing sources (like frontbridge.com)
> coming from all over the place when they want to deliver something.
> I get like 25 connections in a 30 second span which drags things down
> huge.
>
> Does anyone know how I can use connlimit (or whatever) to
> block/throttle by domain like *.frontbridge.com instead of address?
>
> I can't do it by address or subnet as shown below (because they're all
> over the place):
>
> 6488 root \_ sendmail: kB4MwWlG006488
> outbound-dub.frontbridge.com [213.199.154.16]: DATA
> 6489 root \_ sendmail: kB4MwWVb006489
> outbound-blu.frontbridge.com [65.55.251.16]: DATA
> 6496 root \_ sendmail: kB4MwZ4U006496
> outbound-cpk.frontbridge.com [207.46.163.16]: DATA
> 6500 root \_ sendmail: kB4MwcTI006500
....

Mssr. Heiming's suggestion of utilizing sendmail's ratecontrol and conncontrol (see the entries in the cf/README file in the source distribution including the "CONNECTION CONTROL" section) is the preferred method. You'll still have to utilize the cidr subnet notation in the access file and then the contrib/cidrexpand Perl script in the source distribution to create a working access file before makemap'ing the access.db. This means one has to know the cidr notations required, which can sometimes be a bit of a task ... frontbridge.com is an excellent example, and you're going to require this information whether you use the sendmail {rate,conn}control or your iptables connlimit solution.

If you'll examine http://www.senderbase.org/search?sea...Order=ip%20asc you'll see the IP addresses listed in the left column. Clicking on any of those addresses will lead you to the cidr notations required, and it will require several to cover all the problem addresses in your OP and the left column. Or you might wish to just copy those first-column addresses and forget the remaining cidr addresses of which they're a part. Not a trivial task but certainly easily accomplished.
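The replies converge on one workflow: since iptables cannot match a domain, pull the addresses behind *.frontbridge.com out of the logged connection lines (third reply) and feed them to either per-address connlimit rules or sendmail's conncontrol access entries (second and fourth replies). The script below is an added example, not code from the thread; it is POSIX sh, the SAMPLE lines are constructed from the OP's process list, and the ClientConn: access-map tag for FEATURE(`conncontrol') is assumed from sendmail's cf/README (8.13 or later).

```shell
# Constructed sample, trimmed from the process list in the original post:
# the peer's reverse-DNS name followed by its address in brackets.
SAMPLE='sendmail: kB4MwWlG006488 outbound-dub.frontbridge.com [213.199.154.16]: DATA
sendmail: kB4MwWVb006489 outbound-blu.frontbridge.com [65.55.251.16]: DATA
sendmail: kB4MwZ4U006496 outbound-cpk.frontbridge.com [207.46.163.16]: DATA
sendmail: kB4MwcTI006500 outbound-sin.frontbridge.com [207.46.51.80]: DATA
sendmail: kB4Mwdu8006512 outbound-dub.frontbridge.com [213.199.154.16]: DATA
sendmail: kB4MwdUn006513 outbound-dub.frontbridge.com [213.199.154.16]: DATA
sendmail: kB4Mwe73006520 outbound-cpk.frontbridge.com [207.46.163.16]: DATA
sendmail: kB4Mwf2Y006524 outbound-dub.frontbridge.com [213.199.154.16]: DATA'

# "hostname ip" for every line carrying a name and a bracketed IPv4 address.
extract_pairs() {
    printf '%s\n' "$1" |
    sed -n 's/.* \([A-Za-z0-9.-]*\) \[\([0-9.]*\)]: .*/\1 \2/p'
}

# Connections per parent domain (last two labels), e.g. "frontbridge.com 8".
count_by_domain() {
    extract_pairs "$1" |
    awk '{ n = split($1, l, "."); print l[n-1] "." l[n] }' |
    sort | uniq -c | awk '{ print $2, $1 }'
}

# Distinct addresses seen for one parent domain: the address file that the
# third reply suggests regenerating from the logs and loading on restart.
ips_for_domain() {
    extract_pairs "$2" |
    awk -v d="$1" '{ n = split($1, l, "."); if ((l[n-1] "." l[n]) == d) print $2 }' |
    sort -u
}

# Per-address connlimit rules in the form of the OP's rule, with a stricter
# limit for these hosts; printed for review rather than executed.
iptables_rules() {
    ips_for_domain "$1" "$2" | while read -r ip; do
        printf 'iptables -A INPUT -p tcp -i eth0 --dport 25 -s %s -m connlimit ! --connlimit-above %s -j ACCEPT\n' "$ip" "$3"
    done
}

# Matching sendmail access-map lines for FEATURE(conncontrol) (ClientConn:
# tag assumed from cf/README, sendmail 8.13+); append to access, then makemap.
access_entries() {
    ips_for_domain "$1" "$2" | while read -r ip; do
        printf 'ClientConn:%s\t%s\n' "$ip" "$3"
    done
}
iptables_rules frontbridge.com "$SAMPLE" 2
access_entries frontbridge.com "$SAMPLE" 2
```

Feed it the real process list or maillog in place of SAMPLE; the names come from reverse DNS, so the CIDR ranges the last reply points to on senderbase remain the more complete source for the access file.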