Rejecting packets from a given domain - Networking


  1. Rejecting packets from a given domain

    I am getting a few attempts from the hinet.net domain to have
    email relayed through my email server. Since my email server requires
    authentication, such attempts never get anywhere. However, they do
    clutter my logs.

    Would it be possible to have an IP tables rule such that any
    packets from this domain, addressed to a given port, are rejected without
    further ado?


  2. Re: Rejecting packets from a given domain

    H.K. Kingston-Smith wrote:
    > Would it be possible to have an IP tables rule such that any packets
    > from this domain [hinet.net], addressed to a given port, are rejected
    > without further ado?


    Not by (domain) name, no. But if you can determine the set of IP address
    ranges that hinet.net uses you can drop those quietly on the floor
    with iptables.

    [Quick check with whois...]

    inetnum: 168.95.0.0 - 168.95.255.255
    netname: Hinet
    descr: CHTD, Chunghwa Telecom Co., Ltd.
    country: TW
    ...

    So, provided that this is the only netblock allocated to hinet, something
    like this should do the trick:

    iptables -I INPUT -p tcp --source 168.95.0.0/16 --dport 25 -j REJECT

    Chris

  3. Re: Rejecting packets from a given domain

    On Tue, 15 Apr 2008 00:22:31 +0100, Chris Davies wrote:

    > H.K. Kingston-Smith wrote:
    >> Would it be possible to have an IP tables rule such that any packets
    >> from this domain [hinet.net], addressed to a given port, are rejected
    >> without further ado?

    >
    > Not by (domain) name, no. But if you can determine the set of IP address
    > ranges that hinet.net uses you can drop those quietly on the floor with
    > iptables.
    >
    > [Quick check with whois...]
    >
    > inetnum: 168.95.0.0 - 168.95.255.255 netname: Hinet
    > descr: CHTD, Chunghwa Telecom Co., Ltd. country: TW
    > ...
    >
    > So, provided that this is the only netblock allocated to hinet,
    > something like this should do the trick:
    >
    > iptables -I INPUT --source 168.95.0.0/16 --dport 25 -j REJECT


    The IP addresses in my logs seem to have been dynamically
    allocated, and they always start with either 122.116 or 118.169 - never
    168.95. Is there a way to find out what IP blocks have been set aside for
    hinet.net?



  4. Re: Rejecting packets from a given domain

    H.K. Kingston-Smith wrote:
    > On Tue, 15 Apr 2008 00:22:31 +0100, Chris Davies wrote:
    >
    >> H.K. Kingston-Smith wrote:
    >>> Would it be possible to have an IP tables rule such that any packets
    >>> from this domain [hinet.net], addressed to a given port, are rejected
    >>> without further ado?

    >> Not by (domain) name, no. But if you can determine the set of IP address
    >> ranges that hinet.net uses you can drop those quietly on the floor with
    >> iptables.
    >>
    >> [Quick check with whois...]
    >>
    >> inetnum: 168.95.0.0 - 168.95.255.255 netname: Hinet
    >> descr: CHTD, Chunghwa Telecom Co., Ltd. country: TW
    >> ...
    >>
    >> So, provided that this is the only netblock allocated to hinet,
    >> something like this should do the trick:
    >>
    >> iptables -I INPUT --source 168.95.0.0/16 --dport 25 -j REJECT

    >
    > The IP addresses in my logs seem to have been dynamically
    > allocated, and they always start with either 122.116 or 118.169 - never
    > 168.95. Is there a way to find out what IP blocks have been set aside for
    > hinet.net?
    >
    >


    host -a hinet.net

    > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51294
    > ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 3, ADDITIONAL: 4
    >
    > ;; QUESTION SECTION:
    > ;hinet.net. IN ANY
    >
    > ;; ANSWER SECTION:
    > hinet.net. 13511 IN NS hntp1.hinet.net.
    > hinet.net. 13511 IN NS hntp3.hinet.net.
    > hinet.net. 13511 IN NS dns.hinet.net.
    > hinet.net. 13558 IN MX 10 netnews.hinet.net.
    >
    > ;; AUTHORITY SECTION:
    > hinet.net. 13511 IN NS hntp1.hinet.net.
    > hinet.net. 13511 IN NS dns.hinet.net.
    > hinet.net. 13511 IN NS hntp3.hinet.net.
    >
    > ;; ADDITIONAL SECTION:
    > hntp1.hinet.net. 15718 IN A 168.95.192.1
    > hntp3.hinet.net. 22467 IN A 168.95.192.2
    > dns.hinet.net. 15718 IN A 168.95.1.1
    > netnews.hinet.net. 13558 IN A 168.95.195.16


    Looks like 168.95.something to me. The IP addresses you list belong to
    apnic.net. Look up specific ones at

    http://wq.apnic.net/apnic-bin/whois.pl

  5. Re: Rejecting packets from a given domain

    H.K. Kingston-Smith wrote:
    > Is there a way to find out what IP blocks have been set aside for
    > hinet.net?


    This works for me:

    whois -h whois.apnic.net hinet

    Just be aware that entries for HINET may refer to (at least) two
    independent entities. Your one is based in Taiwan; the other looks like
    it's based in Japan.

    Chris

  6. Re: Rejecting packets from a given domain

    On Tue, 15 Apr 2008, in the Usenet newsgroup comp.os.linux.networking, in
    article , H.K. Kingston-Smith wrote:

    >Chris Davies wrote:


    >> H.K. Kingston-Smith wrote:


    >>> Would it be possible to have an IP tables rule such that any packets
    >>> from this domain [hinet.net], addressed to a given port, are rejected
    >>> without further ado?


    >> Not by (domain) name, no.


    Simple reason - there are a number of domains in the world who are either
    too st00pid to be able to configure a PTR record on their DNS, or who don't
    feel it's needed (RFCs like 2050 and 2051 don't apply to them, or they
    couldn't read them if they tried). This is usually the case with abusive
    ISPs. Thus, depending on a domain name lookup is a waste of your time.

    >> But if you can determine the set of IP address ranges that hinet.net
    >> uses you can drop those quietly on the floor with iptables.


    Problem: They are a major provider.

    >> [Quick check with whois...]
    >>
    >> inetnum: 168.95.0.0 - 168.95.255.255 netname: Hinet
    >> descr: CHTD, Chunghwa Telecom Co., Ltd. country: TW


    It might be better to check with whois.twnic.net (the whois service for
    Taiwan), but they have their own problems.

    > The IP addresses in my logs seem to have been dynamically
    >allocated, and they always start with either 122.116 or 118.169 - never
    >168.95.


    [compton ~]$ grep -i hinet IP_admin/address.blocks
    59.112.0.0 - 59.123.255.255 HINET-NET Chunghwa Telecom Co., Ltd. hinet.net
    61.220.0.0 - 61.227.255.255 Hinet Chunghwa Telecom Co., Ltd.
    61.228.0.0 - 61.231.255.255 Hinet Chunghwa Telecom Co., Ltd.
    118.160.0.0 - 118.167.255.255 Hinet Chunghwa Telecom Co., Ltd
    118.169.0.0 - 118.171.255.255 Hinet Chunghwa Telecom Co., Ltd
    122.116.0.0 - 122.117.255.255 hinet.net Chunghwa Telecom Co.,Ltd
    168.95.0.0 - 168.95.255.255 Hinet Chunghwa Telecom Co., Ltd
    202.39.0.0 - 202.39.95.255 Hinet Data Communication Business Group .tw
    202.39.128.0 - 202.39.255.255 Hinet Data Communication Business Group .tw
    211.23.0.0 - 211.23.255.255 Hinet Chunghwa Telecom Co.,Ltd.
    218.160.0.0 - 218.175.255.255 Hinet Chunghwa Telecom Co.,Ltd.
    220.128.0.0 - 220.143.255.255 Hinet Chunghwa Telecom Co.,Ltd.
    [compton ~]$

    but I suspect that list is far from complete.

    >Is there a way to find out what IP blocks have been set aside for
    >hinet.net?


    Be careful, because there are two entities using the 'hinet' character
    string - one is Chunghwa Telecom in Taiwan, the other is Hitachi Info
    Systems in Japan - very different providers. Your best bet might be
    to use your favorite search engine looking for block lists sorted
    by companies. Taiwan has 396 IPv4 assignments/allocations, all from
    APNIC, and the address ranges are not adjacent.

    Old guy
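    The whois/registry output above gives start - end ranges, while iptables wants CIDR prefixes, and most of those ranges (59.112.0.0 - 59.123.255.255, for instance) are not a single prefix. The following script is an added example, not code from anyone in this thread: it turns lines in that "start - end description" format into the minimal set of prefixes and emits one REJECT rule per prefix for the port in question. The sample input is a constructed subset of the grep output posted above, and the -p tcp is required because iptables only accepts --dport together with a protocol match.

```python
import ipaddress
import re

# Constructed sample in the same "start - end owner" layout as the grep
# output quoted in the thread; edit or replace it with your own block list.
ADDRESS_BLOCKS = """\
59.112.0.0 - 59.123.255.255 HINET-NET Chunghwa Telecom Co., Ltd. hinet.net
118.169.0.0 - 118.171.255.255 Hinet Chunghwa Telecom Co., Ltd
122.116.0.0 - 122.117.255.255 hinet.net Chunghwa Telecom Co.,Ltd
168.95.0.0 - 168.95.255.255 Hinet Chunghwa Telecom Co., Ltd
202.39.0.0 - 202.39.95.255 Hinet Data Communication Business Group .tw
"""

RANGE_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)\s+(.*)$")

def parse_ranges(text):
    """Yield (first, last, description) for each 'a.b.c.d - e.f.g.h desc' line."""
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if not m:
            continue  # skip prompts, blank lines and anything that is not a range
        first = ipaddress.IPv4Address(m.group(1))
        last = ipaddress.IPv4Address(m.group(2))
        yield first, last, m.group(3)

def ranges_to_cidrs(text):
    """Collapse every start-end range into the minimal, sorted list of CIDR prefixes."""
    nets = []
    for first, last, _ in parse_ranges(text):
        nets.extend(ipaddress.summarize_address_range(first, last))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def iptables_rules(text, port=25):
    """One REJECT rule per prefix; -p tcp is needed for --dport to be accepted."""
    return [f"iptables -I INPUT -p tcp -s {cidr} --dport {port} -j REJECT"
            for cidr in ranges_to_cidrs(text)]

if __name__ == "__main__":
    for rule in iptables_rules(ADDRESS_BLOCKS):
        print(rule)
```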

  7. Re: Rejecting packets from a given domain

    "H.K. Kingston-Smith" wrote in message
    newsan.2008.04.14.22.21.15@yahoo.com...
    > I am getting a few attempts from the hinet.net domain to have
    > email relayed through my email server. Since my email server requires
    > authentication, such attempts never get anywhere. However, they do
    > clutter my logs.
    >
    > Would it be possible to have an IP tables rule such that any
    > packets from this domain, addressed to a given port, are rejected without
    > further ado?


    NO, but if you're using sendmail, you may kill the email there by domain.

    To deny all their IP's, what you really need to do is find out what their
    AS# is then use a BGP looking glass to see which IP ranges they route for.



  8. Re: Rejecting packets from a given domain

    H.K. Kingston-Smith wrote:
    > I am getting a few attempts from the hinet.net domain to have
    > email relayed through my email server. Since my email server requires
    > authentication, such attempts never get anywhere. However, they do
    > clutter my logs.
    >
    > Would it be possible to have an IP tables rule such that any
    > packets from this domain, addressed to a given port, are rejected without
    > further ado?
    >


    Not really, but you can have iptables log them and have a custom cron
    script dig through your logs to dynamically create rejection rules.
    This works if you know beforehand which ip's belong to the domain. If
    it's rather random, you can have iptables log all connections to a given
    port (perhaps have a separate chain to exclude some IP's that are
    definitely allowed to access the port) and have the cron script sorting
    out whether or not the logged ips are part of the domain through reverse
    lookups and then create rejection rules.

    Of course this does not block traffic right away.

    -R-
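    The cron-script approach described above, written out as an added example (not code from this thread): it pulls the source addresses out of iptables LOG lines for the port, skips an explicit allow list, asks reverse DNS whether each one resolves into the domain, and prints the matching REJECT rules. The log lines and the PTR table are constructed so the script runs offline; the "SMTP-IN:" prefix is an assumed --log-prefix, and the real lookup (reverse_lookup) returns None for hosts without a PTR record, which, as noted earlier in the thread, is exactly what many abusive hosts lack.

```python
import re
import socket

# Constructed iptables LOG lines; "SMTP-IN:" is an assumed --log-prefix value.
SAMPLE_LOG = """\
Apr 15 00:22:31 mx kernel: SMTP-IN: IN=eth0 OUT= SRC=122.116.1.2 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=25 SYN
Apr 15 00:22:40 mx kernel: SMTP-IN: IN=eth0 OUT= SRC=118.169.7.9 DST=192.0.2.10 PROTO=TCP SPT=40011 DPT=25 SYN
Apr 15 00:23:05 mx kernel: SMTP-IN: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=25 SYN
Apr 15 00:23:09 mx kernel: SMTP-IN: IN=eth0 OUT= SRC=122.116.1.2 DST=192.0.2.10 PROTO=TCP SPT=51240 DPT=25 SYN
"""

# Constructed PTR data standing in for real reverse DNS so the example runs offline.
FAKE_PTR = {
    "122.116.1.2": "122-116-1-2.dynamic.hinet.net",
    "118.169.7.9": "118-169-7-9.dynamic.hinet.net",
    "198.51.100.4": "mail.example.org",
}

SRC_RE = re.compile(r"\bSRC=(\d+\.\d+\.\d+\.\d+)\b.*\bDPT=(\d+)\b")

def logged_sources(log_text, port=25):
    """Unique source IPs logged for the given destination port, first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if m and int(m.group(2)) == port and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def reverse_lookup(ip):
    try:  # real PTR lookup; hosts with no PTR record at all yield None
        return socket.gethostbyaddr(ip)[0].lower()
    except (socket.herror, socket.gaierror):
        return None

def sources_in_domain(log_text, domain, allow=(), port=25, lookup=reverse_lookup):
    """IPs whose PTR name ends in the domain, minus the explicit allow list."""
    suffix = "." + domain.lower().lstrip(".")
    hits = []
    for ip in logged_sources(log_text, port):
        if ip in allow:
            continue
        name = lookup(ip)
        if name and name.endswith(suffix):
            hits.append(ip)
    return hits

def reject_rules(ips, port=25):
    return [f"iptables -I INPUT -p tcp -s {ip} --dport {port} -j REJECT" for ip in ips]
```

Run it from cron with `lookup=reverse_lookup` (the default) against the real log file; pass `lookup=FAKE_PTR.get` to try it on the constructed data.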
