LinuxQuestions.org

http://www.linuxquestions.org/questions/linux-newbie-8/iptables-drop-or-forward-host-805689/

JOOKER 05-03-2010 02:54 PM

iptables drop or forward host
 
Hello all,

How can I drop or forward an incoming connection from part of a host, like *.alicedsl.de?

For example:
the user is connecting from *.alicedsl.de on port 12345,
so how can I drop this connection or forward it to google.com on port 80?



Best regards,
Michael

P.S.: sorry for my poor English.

rweaver 05-03-2010 02:56 PM

Even if you use a hostname, iptables resolves it at original execution time to an IP address... so this wouldn't work. You would need to be using squid or dnsguardian to achieve this functionality.

vikas027 05-03-2010 04:17 PM

Quote:

Originally Posted by rweaver (Post 3955957)
Even if you use a hostname, iptables resolves it at original execution time to an IP address... so this wouldn't work. You would need to be using squid or dnsguardian to achieve this functionality.

Would adding the IP and domain in /etc/hosts help?

If this works, Michael can use the lines below to drop the packets.
Code:

iptables -A INPUT -s X.X.X.X -p tcp --dport 12345 -j DROP
iptables -A INPUT -s X.X.X.X -p udp --dport 12345 -j DROP
service iptables save; service iptables restart


win32sux 05-03-2010 05:47 PM

Quote:

Originally Posted by JOOKER (Post 3955955)
Hello all,

How can I drop or forward an incoming connection from part of a host, like *.alicedsl.de?

For example:
the user is connecting from *.alicedsl.de on port 12345,
so how can I drop this connection or forward it to google.com on port 80?



Best regards,
Michael

P.S.: sorry for my poor English.

If you know the IP(s) of the host(s) (and you're sure they won't change), use iptables. If, however, you need to stick to the address you posted, consider using the hosts.deny file. This would require that the service(s) you're trying to keep the host(s) away from has/have TCP Wrapper support of some kind.
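
An added example, not code from the thread or from any of the posters, of what the hosts.deny approach above looks like and the reverse-DNS caveat that comes with it. The pattern `.alicedsl.de` and the scratch directory are assumptions for illustration; `host_matches` and `denied_by_pattern` are hypothetical helpers that mimic the leading-dot suffix rule of hosts_access(5) so the pattern can be checked on a machine without tcpd.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Shows the TCP Wrappers (hosts.allow /
# hosts.deny) pattern that blocks a whole DNS domain, and a small matcher that
# mimics the leading-dot suffix rule so the pattern can be checked offline.
set -eu

# Text a defender would put in /etc/hosts.deny: a leading dot matches any host
# whose reverse-DNS name ends in that suffix.  Written to a scratch file here
# rather than to /etc so the example is harmless to run.
write_hosts_deny() {
  local dir=$1
  cat > "$dir/hosts.deny" <<'EOF'
# deny every wrapped service to hosts whose reverse name ends in .alicedsl.de
ALL: .alicedsl.de
# also deny clients whose forward and reverse DNS disagree
ALL: PARANOID
EOF
  echo "$dir/hosts.deny"
}

# host_matches PATTERN NAME -> 0 if NAME matches a hosts.* host pattern:
#   ".example.com" matches names ending in ".example.com"
#   "example.com"  matches that exact name only
# (hypothetical helper mirroring the hosts_access(5) rule)
host_matches() {
  local pat=$1 name=$2
  case $pat in
    .*) [[ $name == *"$pat" ]] ;;
    *)  [[ $name == "$pat" ]] ;;
  esac
}

# tcpd consults hosts.deny with the name from a reverse lookup of the client
# IP, so a client with no PTR record never matches a domain pattern; that is
# the caveat to keep in mind with hostname-based rules.
denied_by_pattern() {
  local ptr=$1   # "" when the reverse lookup returned nothing
  [[ -n $ptr ]] && host_matches ".alicedsl.de" "$ptr"
}

tmp=$(mktemp -d)
f=$(write_hosts_deny "$tmp")
cat "$f"
# tcpdmatch (tcp_wrappers package) reports how tcpd would treat a client; -d
# reads hosts.allow/hosts.deny from the current directory instead of /etc.
if command -v tcpdmatch >/dev/null 2>&1; then
  (cd "$tmp" && tcpdmatch -d sshd dsl-host.alicedsl.de) || true
fi
rm -rf "$tmp"
```

The `PARANOID` line is what keeps a client from escaping the rule by pointing a forged PTR record at an unrelated name: the name is only accepted when it resolves back to the connecting address.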

JOOKER 05-03-2010 11:39 PM

Thank you all for your great help.
After reading your posts, I googled "hosts.deny" and this was the perfect solution for my problem.

@win32sux: unfortunately I don't know the IPs; it's a German dial-up DSL provider (alicedsl.de), and I want to block the whole provider by hostname.

...whatever, it works with hosts.deny.


Thanks again for your help, guys!

---
Best regards,
Michael

rweaver 05-04-2010 06:03 PM

What you will want to do is find their netblock and use iptables to drop that entirely. Basically something like (although this may not be accurate, mind)...
Code:

core:~# dig www.alicedsl.de

; <<>> DiG 9.5.1-P3 <<>> www.alicedsl.de
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28825
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.alicedsl.de.              IN      A

;; ANSWER SECTION:
www.alicedsl.de.        345460  IN      A      85.183.254.1

;; AUTHORITY SECTION:
alicedsl.de.            234509  IN      NS      ns2.hansenet.de.
alicedsl.de.            234509  IN      NS      ns1.hansenet.de.

;; ADDITIONAL SECTION:
ns1.hansenet.de.        83836  IN      A      213.191.73.65
ns2.hansenet.de.        85754  IN      A      213.191.74.20

;; Query time: 29 msec
;; SERVER: 74.200.192.133#53(74.200.192.133)
;; WHEN: Tue May  4 17:53:57 2010
;; MSG SIZE  rcvd: 126

core:~# whois -h whois.arin.net 85.183.254.1

OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    P.O. Box 10096
City:      Amsterdam
StateProv:
PostalCode: 1001EB
Country:    NL

ReferralServer: whois://whois.ripe.net:43

NetRange:  85.0.0.0 - 85.255.255.255
CIDR:      85.0.0.0/8
NetName:    85-RIPE
NetHandle:  NET-85-0-0-0-1
Parent:
NetType:    Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS2.LACNIC.NET
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:    2004-04-01
Updated:    2009-05-18

# ARIN WHOIS database, last updated 2010-05-03 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html


Found a referral to whois.ripe.net:43.

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.
%      To receive output for a database update, use the "-B" flag.

% Information related to '85.176.0.0 - 85.183.255.255'

inetnum:        85.176.0.0 - 85.183.255.255
org:            ORG-HTG2-RIPE
netname:        DE-HANSENET-20041029
descr:          PROVIDER Local Registry
descr:          HanseNet Telekommunikation GmbH
country:        DE
admin-c:        DM3738-RIPE
tech-c:        SA1375-RIPE
tech-c:        TG819-RIPE
tech-c:        ASZ-RIPE
status:        ALLOCATED PA
mnt-by:        RIPE-NCC-HM-MNT
mnt-lower:      HANSENET-NOC
mnt-routes:    HANSENET-MNT
source:        RIPE # Filtered

organisation:  ORG-HTG2-RIPE
org-name:      HanseNet Telekommunikation GmbH
org-type:      LIR
address:        HanseNet Telekommunikation GmbH
                Danny Maack
                Ueberseering 33a
                22297 Hamburg
                GERMANY
phone:          +49 40 23726 0
fax-no:        +49 40 23726 193996
admin-c:        DM3738-RIPE
mnt-ref:        HANSENET-NOC
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:        RIPE-NCC-HM-MNT
source:        RIPE # Filtered

person:        Danny Maack
address:        HanseNet Telekommunikation GmbH
address:        Ueberseering 33 A
address:        D-22297 Hamburg
address:        GERMANY
phone:          +49 40 237 26 0
fax-no:        +49 40 237 26 3996
abuse-mailbox:  abuse@hansenet.com
nic-hdl:        DM3738-RIPE
mnt-by:        HANSENET-MNT
source:        RIPE # Filtered

person:        Andreas Schwarz
address:        HanseNet Telekommunikation GmbH
address:        Ueberseering 33a
address:        22297 Hamburg
address:        Germany
phone:          +49 40 23726 0
fax-no:        +49 40 23726 3772
remarks:        PGP/GPG Key ID 0x3C40103A
nic-hdl:        ASZ-RIPE
mnt-by:        ASZ-MNT
source:        RIPE # Filtered

person:        Thomas Graumann
address:        HanseNet Telekommunikation GmbH
address:        Ueberseering 33 A
address:        22297 Hamburg
address:        Germany
address:        DE
phone:          +49 40 23726 3294
fax-no:        +49 4023726 3772
abuse-mailbox:  abuse@hansenet.com
nic-hdl:        TG819-RIPE
mnt-by:        HANSENET-MNT
source:        RIPE # Filtered

person:        Svend Andersen
address:        HanseNet Telekommunikation GmbH
address:        Ueberseering 33 A
address:        D-22297 Hamburg
address:        GERMANY
phone:          +49 40 237 26 3235
fax-no:        +49 40 237 26 3772
abuse-mailbox:  abuse@hansenet.com
nic-hdl:        SA1375-RIPE
mnt-by:        HANSENET-NOC
source:        RIPE # Filtered

% Information related to '85.176.0.0/13AS13184'

route:        85.176.0.0/13
descr:        HANSENET
origin:      AS13184
mnt-by:      HANSENET-MNT
source:      RIPE # Filtered

Which tells you basically that their IP range is 85.176.0.0 - 85.183.255.255 or 85.176.0.0/21 (8 class C blocks)... so you can block them by using iptables rules like the following, which will prevent all traffic to and from them:

Code:

# /13 is the prefix the route object above gives for 85.176.0.0 - 85.183.255.255;
# a /21 would only cover 85.176.0.0 - 85.176.7.255
iptables -A INPUT -s 85.176.0.0/13 -j DROP
iptables -A OUTPUT -d 85.176.0.0/13 -j DROP

YMMV; if you want to ditch all of Europe you could drop RIPE's IP ranges... which, if memory serves me, are 62/8, 77-91/8, 193-195/8, and a few others I can't remember... you can search for it if you want the information.

Edit: just as a clarification, alicedsl.de doesn't seem to have their own netblock, so you're blocking their provider. If you have the addresses connecting to you, verify those addresses are in the netblock you want to block.
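
The prefix length for a range like the one in the RIPE output is easy to get wrong by hand, so here is an added example (not from the thread or any poster) that turns the quoted inetnum range into a CIDR prefix, shows how many addresses a given prefix really covers, and prints the matching DROP rules instead of loading them. `range_to_cidr`, `cidr_size` and `drop_rules` are hypothetical helper names; the range 85.176.0.0 - 85.183.255.255 is the one quoted in the post.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): derive the CIDR prefix from an inetnum
# range as printed by whois, sanity-check its size, and emit iptables rules.
set -eu

# dotted-quad <-> 32-bit integer
ip2int() { local IFS=.; set -- $1; echo $(( ($1<<24) | ($2<<16) | ($3<<8) | $4 )); }
int2ip() { local n=$1; echo "$(( (n>>24)&255 )).$(( (n>>16)&255 )).$(( (n>>8)&255 )).$(( n&255 ))"; }

# range_to_cidr START END -> prints "START/PREFIX", or fails if the range is
# not a single aligned block (whois ranges usually are, but not always)
range_to_cidr() {
  local s e size prefix
  s=$(ip2int "$1"); e=$(ip2int "$2")
  size=$(( e - s + 1 ))
  # size must be a power of two and the start must be aligned to it
  if (( size <= 0 || (size & (size - 1)) != 0 || (s % size) != 0 )); then
    echo "range $1 - $2 is not a single CIDR block" >&2
    return 1
  fi
  prefix=32
  while (( size > 1 )); do size=$(( size >> 1 )); prefix=$(( prefix - 1 )); done
  echo "$(int2ip "$s")/$prefix"
}

# cidr_size CIDR -> number of addresses the prefix covers
cidr_size() { local p=${1#*/}; echo $(( 1 << (32 - p) )); }

# drop_rules CIDR -> the two rules proposed in the thread, printed not loaded
drop_rules() {
  printf 'iptables -A INPUT -s %s -j DROP\n' "$1"
  printf 'iptables -A OUTPUT -d %s -j DROP\n' "$1"
}

# sample input: the inetnum quoted from the RIPE database in the post
block=$(range_to_cidr 85.176.0.0 85.183.255.255)
echo "inetnum -> $block ($(cidr_size "$block") addresses)"
echo "a /21 would cover only $(cidr_size 85.176.0.0/21) addresses"
drop_rules "$block"
```

Review the printed rules before loading them: a too-long prefix silently leaves most of the provider unblocked, while a too-short one (the /8 mentioned above) drops traffic for every other customer of the registry as well.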

