iptables block by domain name? - Security


  1. iptables block by domain name?

    I'm using connlimit for iptables to not allow more than say 5
    connections from one IP address or subnet. For example this (with a
    default block rule) will only allow 5 or less connections from a single
    IP address to port 25:

    iptables -A INPUT -p tcp -i eth0 --dport 25 -m connlimit ! --connlimit-above 5 -j ACCEPT


    This is fine. But now I'm seeing sources (like frontbridge.com) coming
    from all over the place when they want to deliver something. I get like
    25 connections in a 30 second span which drags things down huge.

    Does anyone know how I can use connlimit (or whatever) to block/throttle
    by domain like *.frontbridge.com instead of address?

    I can't do it by address or subnet as shown below (because they're all
    over the place):

    6488 root \_ sendmail: kB4MwWlG006488
    outbound-dub.frontbridge.com [213.199.154.16]: DATA
    6489 root \_ sendmail: kB4MwWVb006489
    outbound-blu.frontbridge.com [65.55.251.16]: DATA
    6496 root \_ sendmail: kB4MwZ4U006496
    outbound-cpk.frontbridge.com [207.46.163.16]: DATA
    6500 root \_ sendmail: kB4MwcTI006500
    outbound-sin.frontbridge.com [207.46.51.80]: DATA
    6512 root \_ sendmail: kB4Mwdu8006512
    outbound-dub.frontbridge.com [213.199.154.16]: DATA
    6513 root \_ sendmail: kB4MwdUn006513
    outbound-dub.frontbridge.com [213.199.154.16]: DATA
    6520 root \_ sendmail: kB4Mwe73006520
    outbound-cpk.frontbridge.com [207.46.163.16]: DATA
    6524 root \_ sendmail: kB4Mwf2Y006524
    outbound-dub.frontbridge.com [213.199.154.16]: DATA
    6528 root \_ sendmail: kB4MwfJ0006528
    outbound-dub.frontbridge.com [213.199.154.16]: DATA
    6536 root \_ sendmail: kB4MwhDU006536
    outbound-blu.frontbridge.com [65.55.251.16]: DATA
    6540 root \_ sendmail: kB4MwhJ9006540
    outbound-sin.frontbridge.com [207.46.51.80]: DATA
    (many more...)


    thanks
    kenw232@yahoo.com

  2. Re: iptables block by domain name?

    [ crossposted to cms + Followup-To -> cms ; Seems much more about
    sendmail than Linux/security ]

    In comp.os.linux.security, Ken Williams wrote:
    > I'm using connlimit for iptables to not allow more than say 5
    > connections from one IP address or subnet. For example this (with a
    > default block rule) will only allow 5 or less connections from a single
    > IP address to port 25:


    > iptables -A INPUT -p tcp -i eth0 --dport 25 -m connlimit !
    > --connlimit-above 5 -j ACCEPT


    > This is fine. But now I'm seeing sources (like frontbridge.com) coming
    > from all over the place when they want to deliver something. I get like
    > 25 connections in a 30 second span which drags things down huge.


    > 6512 root \_ sendmail: kB4Mwdu8006512
    > outbound-dub.frontbridge.com [213.199.154.16]: DATA
    > 6513 root \_ sendmail: kB4MwdUn006513
    > outbound-dub.frontbridge.com [213.199.154.16]: DATA
    > 6520 root \_ sendmail: kB4Mwe73006520
    > outbound-cpk.frontbridge.com [207.46.163.16]: DATA



    Recent sendmail versions have a connection rate control feature
    which might be useful to you? Though I am not sure if those
    systems try delivering legitimate mail or just spam?

    It seems ratware tends to open more connections as soon as you
    start slowing them down. Allowing no more than one SMTP
    connection per host, apart from a few trusted hosts, seems to help
    somehow.

    Quite some ratware seems of the same type, trying to open 3-4
    more connections immediately, though there is some (very seldom)
    incredibly broken stuff out there trying to open >150 connections in 3
    seconds...

    Probably you can use some milter for the task?

    However 25 more or less connections shouldn't do much if anything
    to sendmail on a halfway reasonable sized box. A problem might be
    SA, which tends to use quite some RAM, did you check if you are
    running out of RAM? Starting to page constantly usually drops
    down performance tremendously on any *nix box.

    Good luck

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 306: CPU-angle has to be adjusted because of
    vibrations coming from the nearby road

  3. Re: iptables block by domain name?

    1. IPtables will resolve the DNS name before running the command. You
    will have to use an application proxy to block entire domains.

    2. If you want to totally block M$ you could pull the IPs from the log
    files using a scripting language (thinking sed/awk or perl) and
    dynamically throw these addresses into a file. Then have your IPtables
    script pull these addresses whenever the service is restarted.
    LinuxJournal had a good article about this earlier this year:
    http://www.linuxjournal.com/article/8706

    Ken Williams wrote:
    > I'm using connlimit for iptables to not allow more than say 5
    > connections from one IP address or subnet. For example this (with a
    > default block rule) will only allow 5 or less connections from a single
    > IP address to port 25:
    >
    > iptables -A INPUT -p tcp -i eth0 --dport 25 -m connlimit !
    > --connlimit-above 5 -j ACCEPT
    >
    >
    > This is fine. But now I'm seeing sources (like frontbridge.com) coming
    > from all over the place when they want to deliver something. I get like
    > 25 connections in a 30 second span which drags things down huge.
    >
    > Does anyone know how I can use connlimit (or whatever) to block/throttle
    > by domain like *.frontbridge.com instead of address?
    >
    > I can't do it by address or subnet as shown below (because they're all
    > over the place):
    >
    > 6488 root \_ sendmail: kB4MwWlG006488 outbound-dub.frontbridge.com
    > [213.199.154.16]: DATA
    > 6489 root \_ sendmail: kB4MwWVb006489 outbound-blu.frontbridge.com
    > [65.55.251.16]: DATA
    > 6496 root \_ sendmail: kB4MwZ4U006496 outbound-cpk.frontbridge.com
    > [207.46.163.16]: DATA
    > 6500 root \_ sendmail: kB4MwcTI006500 outbound-sin.frontbridge.com
    > [207.46.51.80]: DATA
    > 6512 root \_ sendmail: kB4Mwdu8006512 outbound-dub.frontbridge.com
    > [213.199.154.16]: DATA
    > 6513 root \_ sendmail: kB4MwdUn006513 outbound-dub.frontbridge.com
    > [213.199.154.16]: DATA
    > 6520 root \_ sendmail: kB4Mwe73006520 outbound-cpk.frontbridge.com
    > [207.46.163.16]: DATA
    > 6524 root \_ sendmail: kB4Mwf2Y006524 outbound-dub.frontbridge.com
    > [213.199.154.16]: DATA
    > 6528 root \_ sendmail: kB4MwfJ0006528 outbound-dub.frontbridge.com
    > [213.199.154.16]: DATA
    > 6536 root \_ sendmail: kB4MwhDU006536 outbound-blu.frontbridge.com
    > [65.55.251.16]: DATA
    > 6540 root \_ sendmail: kB4MwhJ9006540 outbound-sin.frontbridge.com
    > [207.46.51.80]: DATA
    > (many more...)
    >
    >
    > thanks
    > kenw232@yahoo.com


  4. Re: iptables block by domain name?

    In news:jX1dh.1263$Qm2.309@read1.cgocable.net,
    Ken Williams wrote:

    > I'm using connlimit for iptables to not allow more than say 5
    > connections from one IP address or subnet. For example this (with a
    > default block rule) will only allow 5 or less connections from a
    > single IP address to port 25:
    >
    > iptables -A INPUT -p tcp -i eth0 --dport 25 -m connlimit !
    > --connlimit-above 5 -j ACCEPT
    >
    >
    > This is fine. But now I'm seeing sources (like frontbridge.com)
    > coming from all over the place when they want to deliver something.
    > I get like 25 connections in a 30 second span which drags things down
    > huge.
    >
    > Does anyone know how I can use connlimit (or whatever) to
    > block/throttle by domain like *.frontbridge.com instead of address?
    >
    > I can't do it by address or subnet as shown below (because they're all
    > over the place):
    >
    > 6488 root \_ sendmail: kB4MwWlG006488
    > outbound-dub.frontbridge.com [213.199.154.16]: DATA
    > 6489 root \_ sendmail: kB4MwWVb006489
    > outbound-blu.frontbridge.com [65.55.251.16]: DATA
    > 6496 root \_ sendmail: kB4MwZ4U006496
    > outbound-cpk.frontbridge.com [207.46.163.16]: DATA
    > 6500 root \_ sendmail: kB4MwcTI006500

    ....

    Mssr. Heiming's suggestion of utilizing sendmail's ratecontrol and
    conncontrol (see the entries in the cf/README file in the source
    distribution including the "CONNECTION CONTROL" section) is the preferred
    method.

    You'll still have to utilize the cidr subnet notation in the access file and
    then the contrib/cidrexpand Perl script in the source distribution to create
    a working access file before makemap'ing the access.db.

    This means one has to know the cidr notations required, which can sometimes
    be a bit of a task ... frontbridge.com is an excellent example, and you're
    going to require this information whether you use the sendmail
    {rate,conn}control or your iptables connlimit solution.

    If you'll examine
    http://www.senderbase.org/search?sea...Order=ip%20asc
    you'll see the IP addresses listed in the left column. Clicking on any of
    those addresses will lead you to the cidr notations required, and it will
    require several to cover all the problem addresses in your OP and the left
    column. Or you might wish to just copy those first-column addresses and
    forget the remaining cidr addresses of which they're a part.

    Not a trivial task but certainly easily accomplished.
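    As an added example (not code from any of the posters), here is the
    log-scraping approach from reply 3 and the sendmail conncontrol/ratecontrol
    access-map entries from reply 4 combined in one POSIX shell script. It
    parses sendmail process-title lines of the shape shown in the original post
    (embedded below as a constructed sample), keeps only hosts whose reverse
    name ends in the chosen domain, and prints two things to review: iptables
    connlimit rules for a dedicated chain, and ClientConn:/ClientRate: lines for
    the sendmail access file. The chain name SMTP_LIMIT, the limits (2
    concurrent, 5 per rate window) and the domain are illustrative choices;
    nothing here runs iptables or makemap. Caveat, as reply 3 points out: the
    host names come from reverse DNS on the logged address, and iptables only
    ever matches addresses, so the generated list has to be regenerated as the
    sender's address pool changes.

```shell
#!/bin/sh
# Added example: derive per-address SMTP limits from sendmail log lines.
# Constructed sample in the process-title format from the original post
# (the last line is a non-matching host using a documentation address).
SAMPLE_LOG=$(cat <<'EOF'
6488 root \_ sendmail: kB4MwWlG006488 outbound-dub.frontbridge.com [213.199.154.16]: DATA
6489 root \_ sendmail: kB4MwWVb006489 outbound-blu.frontbridge.com [65.55.251.16]: DATA
6496 root \_ sendmail: kB4MwZ4U006496 outbound-cpk.frontbridge.com [207.46.163.16]: DATA
6500 root \_ sendmail: kB4MwcTI006500 outbound-sin.frontbridge.com [207.46.51.80]: DATA
6512 root \_ sendmail: kB4Mwdu8006512 outbound-dub.frontbridge.com [213.199.154.16]: DATA
6540 root \_ sendmail: kB4MwhJ9006540 outbound-sin.frontbridge.com [207.46.51.80]: DATA
6601 root \_ sendmail: kB4MwhJ9006601 mx.example.net [192.0.2.10]: DATA
EOF
)

# extract_ips LOGTEXT DOMAIN
# Prints the unique IPv4 addresses whose logged host name ends in ".DOMAIN".
# The suffix test uses substr rather than a regex so dots in DOMAIN are literal.
extract_ips() {
    printf '%s\n' "$1" | awk -v dom="$2" '
        BEGIN { dl = length(dom) }
        {
            for (i = 1; i < NF; i++) {
                len = length($i)
                if (len > dl && substr($i, len - dl) == "." dom) {
                    ip = $(i + 1)               # token like "[213.199.154.16]:"
                    gsub(/[^0-9.]/, "", ip)     # keep digits and dots only
                    if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print ip
                }
            }
        }' | sort -u
}

# gen_iptables_rules IPLIST [MAXCONN]
# One connlimit rule per address for a dedicated chain (assumed name SMTP_LIMIT)
# that INPUT jumps to, so the chain can be flushed and rebuilt on each run.
gen_iptables_rules() {
    limit=${2:-2}
    printf '%s\n' "$1" | while read -r ip; do
        [ -n "$ip" ] || continue
        printf 'iptables -A SMTP_LIMIT -p tcp --dport 25 -s %s -m connlimit --connlimit-above %s -j DROP\n' \
            "$ip" "$limit"
    done
}

# gen_access_entries IPLIST [MAXCONN] [MAXRATE]
# Access-map lines for FEATURE(conncontrol) and FEATURE(ratecontrol):
# ClientConn: caps simultaneous connections, ClientRate: caps new connections
# per rate window (confCONNECTION_RATE_WINDOW_SIZE, default 60s).
gen_access_entries() {
    conn=${2:-2}
    rate=${3:-5}
    printf '%s\n' "$1" | while read -r ip; do
        [ -n "$ip" ] || continue
        printf 'ClientConn:%s\t%s\n' "$ip" "$conn"
        printf 'ClientRate:%s\t%s\n' "$ip" "$rate"
    done
}

# Example run: print what would be loaded; review before applying.
IPS=$(extract_ips "$SAMPLE_LOG" frontbridge.com)
echo "# iptables: create/flush the chain, then add one rule per address"
echo "iptables -N SMTP_LIMIT 2>/dev/null; iptables -F SMTP_LIMIT"
gen_iptables_rules "$IPS" 2
echo "iptables -C INPUT -p tcp --dport 25 -j SMTP_LIMIT 2>/dev/null || iptables -I INPUT -p tcp --dport 25 -j SMTP_LIMIT"
echo
echo "# sendmail.mc needs FEATURE(\`conncontrol') and FEATURE(\`ratecontrol'),"
echo "# then append these to the access file and rebuild access.db with makemap:"
gen_access_entries "$IPS" 2 5
```

    If the sender's pool lives in a few netblocks, the same rules can be
    written with `-s a.b.c.0/24` (or `--connlimit-mask 24` on the connlimit
    match) instead of one line per address; the CIDR expansion step for the
    access file is what reply 4 refers to with contrib/cidrexpand.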
