LinuxQuestions.org
Forum: Linux - Newbie
Old 05-03-2010, 01:54 PM   #1
JOOKER (LQ Newbie, registered May 2010)
iptables drop or forward host

Hello all,

How can I drop or forward an incoming connection from part of a host like *.alicedsl.de?

For example:
the user is connecting from *.alicedsl.de on port 12345,
so how can I drop this connection or forward it to google.com on port 80?

Best regards,
Michael

P.S.: sorry for my poor English
 
Old 05-03-2010, 01:56 PM   #2
rweaver (Senior Member, registered Dec 2008, Louisville, OH; Debian, CentOS, Slackware, RHEL, Gentoo)
Even if you use a hostname, iptables resolves it at original execution time to an IP address... so this wouldn't work. You would need to be using squid or dnsguardian to achieve this functionality.
 
Old 05-03-2010, 03:17 PM   #3
vikas027 (Senior Member, registered May 2007, Sydney; RHEL, CentOS, Debian, OS X)
Quote (rweaver):
Even if you use a hostname, iptables resolves it at original execution time to an IP address... so this wouldn't work. You would need to be using squid or dnsguardian to achieve this functionality.

Would adding the IP and domain to /etc/hosts help?

If this works, Michael can use the lines below to drop the packets.
Code:
# drop TCP and UDP to port 12345 from that one source address
iptables -A INPUT -s X.X.X.X -p tcp --dport 12345 -j DROP
iptables -A INPUT -s X.X.X.X -p udp --dport 12345 -j DROP
# RHEL/CentOS: write the running rules to /etc/sysconfig/iptables and reload them
service iptables save; service iptables restart
 
Old 05-03-2010, 04:47 PM   #4
win32sux (Guru, registered Jul 2003, Los Angeles; Ubuntu)
Quote (JOOKER):
Hello all,

How can I drop or forward an incoming connection from part of a host like *.alicedsl.de?

For example:
the user is connecting from *.alicedsl.de on port 12345,
so how can I drop this connection or forward it to google.com on port 80?

Best regards,
Michael

P.S.: sorry for my poor English

If you know the IP(s) of the host(s) (and you're sure they won't change), use iptables. If, however, you need to stick to the address you posted, consider using the hosts.deny file. This would require that the service(s) you're trying to keep the host(s) away from has/have TCP Wrapper support of some kind.

Last edited by win32sux; 05-03-2010 at 04:49 PM.
 
Old 05-03-2010, 10:39 PM   #5
JOOKER (LQ Newbie, original poster)

Thank you all for your great help,
after reading your posts, I googled "hosts.deny" and this was the perfect solution for my problem.

@win32sux: unfortunately I don't know the IPs; it's a German dial-up DSL provider (alicedsl.de).. and I want to block the whole provider by hostname..

...whatever, it works with hosts.deny


Thanks again for your help, guys!

---
Best regards,
Michael
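How a hosts.deny line such as "ALL: .alicedsl.de" (the approach win32sux suggested above and JOOKER adopted) is actually evaluated, as an added simulation written for this page; it is not code from tcp_wrappers or from anyone in the thread. It follows the matching rules documented in hosts_access(5): tcpd reverse-resolves the client address, forward-confirms the name, and only then compares the result against the patterns in hosts.allow and hosts.deny. The DNS records, addresses and host names in the block are constructed for illustration and are not real alicedsl.de hosts. The caveat it demonstrates is the one a practitioner should know before relying on this: a client inside the provider's netblock whose address has no PTR record resolves to "unknown" and is not matched by a hostname pattern at all, whereas an address-based pattern (or an iptables netblock rule) catches it.

```python
# Simulation of TCP Wrappers (tcpd) client matching for hosts.deny patterns.
# Added example for this page, not tcp_wrappers code.  All DNS data below is
# constructed; the alicedsl.de names are invented for illustration.
import ipaddress

PTR = {  # constructed reverse records: client IP -> host name
    "85.183.1.2": "dyn-85-183-1-2.alicedsl.de",
    "85.176.9.9": "dyn-85-176-9-9.alicedsl.de",
    "203.0.113.5": "dyn-85-183-1-2.alicedsl.de",  # PTR claims an alicedsl name
    # 85.176.200.1 lies inside the HanseNet netblock but has no PTR at all
}
A = {  # constructed forward records: host name -> addresses
    "dyn-85-183-1-2.alicedsl.de": {"85.183.1.2"},
    "dyn-85-176-9-9.alicedsl.de": {"85.176.9.9"},
}


def resolve_client(ip):
    """Mimic tcpd's lookup: reverse-resolve the address, then confirm that
    the name resolves back to it.  Returns what tcpd matches on: the
    verified name, "unknown" (no PTR) or "paranoid" (PTR not confirmed)."""
    name = PTR.get(ip)
    if name is None:
        return "unknown"
    if ip not in A.get(name, set()):
        return "paranoid"
    return name.lower()


def pattern_matches(pattern, ip, name):
    """Client-list pattern semantics from hosts_access(5), IPv4 only."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return name == "paranoid"
    if pattern == "UNKNOWN":
        return name == "unknown"
    if pattern == "KNOWN":
        return name not in ("unknown", "paranoid")
    if pattern.startswith("."):        # ".alicedsl.de": host name suffix
        return name.endswith(pattern.lower())
    if pattern.endswith("."):          # "85.": leading octets of the address
        return ip.startswith(pattern)
    if "/" in pattern:                 # "85.176.0.0/255.248.0.0": net/mask
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    return pattern == ip or pattern.lower() == name


def rule_matches(line, daemon, ip, name):
    """One 'daemon_list : client_list' line; any shell options are ignored."""
    fields = [f.strip() for f in line.split(":")]
    daemons = fields[0].replace(",", " ").split()
    clients = fields[1].replace(",", " ").split()
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(pattern_matches(c, ip, name) for c in clients))


def access_allowed(hosts_allow, hosts_deny, daemon, ip, paranoid_build=True):
    """tcpd order: a hosts.allow match grants, then a hosts.deny match
    refuses, otherwise access is granted.  A tcpd built with -DPARANOID
    (the default) refuses name/address mismatches before reading either file."""
    name = resolve_client(ip)
    if paranoid_build and name == "paranoid":
        return False
    if any(rule_matches(r, daemon, ip, name) for r in hosts_allow):
        return True
    if any(rule_matches(r, daemon, ip, name) for r in hosts_deny):
        return False
    return True


HOSTS_ALLOW = []
HOSTS_DENY = ["ALL: .alicedsl.de"]   # the kind of line used in this thread


def decide(ip, daemon="sshd"):
    return "allow" if access_allowed(HOSTS_ALLOW, HOSTS_DENY, daemon, ip) else "deny"


if __name__ == "__main__":
    for ip in ("85.183.1.2", "203.0.113.5", "85.176.200.1", "198.51.100.7"):
        print(f"{ip:14} -> {resolve_client(ip):28} {decide(ip)}")
```

Run stand-alone it prints one line per constructed client: the verified alicedsl.de host is denied, the host with a forged PTR is refused by the paranoid check, and the in-netblock address with no PTR is allowed because a suffix pattern has nothing to compare against. Reverse DNS is controlled by whoever runs the reverse zone, so a hostname pattern is only as reliable as the provider's PTR coverage.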
 
Old 05-04-2010, 05:03 PM   #6
rweaver (Senior Member, registered Dec 2008, Louisville, OH; Debian, CentOS, Slackware, RHEL, Gentoo)
What you will want to do is find their netblock and use iptables to drop that entirely. Basically something like (although this may not be accurate, mind)...
Code:
core:~# dig www.alicedsl.de

; <<>> DiG 9.5.1-P3 <<>> www.alicedsl.de
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28825
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.alicedsl.de.               IN      A

;; ANSWER SECTION:
www.alicedsl.de.        345460  IN      A       85.183.254.1

;; AUTHORITY SECTION:
alicedsl.de.            234509  IN      NS      ns2.hansenet.de.
alicedsl.de.            234509  IN      NS      ns1.hansenet.de.

;; ADDITIONAL SECTION:
ns1.hansenet.de.        83836   IN      A       213.191.73.65
ns2.hansenet.de.        85754   IN      A       213.191.74.20

;; Query time: 29 msec
;; SERVER: 74.200.192.133#53(74.200.192.133)
;; WHEN: Tue May  4 17:53:57 2010
;; MSG SIZE  rcvd: 126

core:~# whois -h whois.arin.net 85.183.254.1

OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    P.O. Box 10096
City:       Amsterdam
StateProv:
PostalCode: 1001EB
Country:    NL

ReferralServer: whois://whois.ripe.net:43

NetRange:   85.0.0.0 - 85.255.255.255
CIDR:       85.0.0.0/8
NetName:    85-RIPE
NetHandle:  NET-85-0-0-0-1
Parent:
NetType:    Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS2.LACNIC.NET
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:    2004-04-01
Updated:    2009-05-18

# ARIN WHOIS database, last updated 2010-05-03 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html


Found a referral to whois.ripe.net:43.

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '85.176.0.0 - 85.183.255.255'

inetnum:        85.176.0.0 - 85.183.255.255
org:            ORG-HTG2-RIPE
netname:        DE-HANSENET-20041029
descr:          PROVIDER Local Registry
descr:          HanseNet Telekommunikation GmbH
country:        DE
admin-c:        DM3738-RIPE
tech-c:         SA1375-RIPE
tech-c:         TG819-RIPE
tech-c:         ASZ-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      HANSENET-NOC
mnt-routes:     HANSENET-MNT
source:         RIPE # Filtered

organisation:   ORG-HTG2-RIPE
org-name:       HanseNet Telekommunikation GmbH
org-type:       LIR
address:        HanseNet Telekommunikation GmbH
                Danny Maack
                Ueberseering 33a
                22297 Hamburg
                GERMANY
phone:          +49 40 23726 0
fax-no:         +49 40 23726 193996
admin-c:        DM3738-RIPE
mnt-ref:        HANSENET-NOC
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered

person:         Danny Maack
address:        HanseNet Telekommunikation GmbH
address:        Ueberseering 33 A
address:        D-22297 Hamburg
address:        GERMANY
phone:          +49 40 237 26 0
fax-no:         +49 40 237 26 3996
abuse-mailbox:  abuse@hansenet.com
nic-hdl:        DM3738-RIPE
mnt-by:         HANSENET-MNT
source:         RIPE # Filtered

person:         Andreas Schwarz
address:        HanseNet Telekommunikation GmbH
address:        Ueberseering 33a
address:        22297 Hamburg
address:        Germany
phone:          +49 40 23726 0
fax-no:         +49 40 23726 3772
remarks:        PGP/GPG Key ID 0x3C40103A
nic-hdl:        ASZ-RIPE
mnt-by:         ASZ-MNT
source:         RIPE # Filtered

person:         Thomas Graumann
address:        HanseNet Telekommunikation GmbH
address:        Ueberseering 33 A
address:        22297 Hamburg
address:        Germany
address:        DE
phone:          +49 40 23726 3294
fax-no:         +49 4023726 3772
abuse-mailbox:  abuse@hansenet.com
nic-hdl:        TG819-RIPE
mnt-by:         HANSENET-MNT
source:         RIPE # Filtered

person:         Svend Andersen
address:        HanseNet Telekommunikation GmbH
address:        Ueberseering 33 A
address:        D-22297 Hamburg
address:        GERMANY
phone:          +49 40 237 26 3235
fax-no:         +49 40 237 26 3772
abuse-mailbox:  abuse@hansenet.com
nic-hdl:        SA1375-RIPE
mnt-by:         HANSENET-NOC
source:         RIPE # Filtered

% Information related to '85.176.0.0/13AS13184'

route:        85.176.0.0/13
descr:        HANSENET
origin:       AS13184
mnt-by:       HANSENET-MNT
source:       RIPE # Filtered
Which tells you basically that their IP range is 85.176.0.0 - 85.183.255.255 or 85.176.0.0/21 (8 class C blocks)... so you can block them by using an iptables rule like the following, which will prevent all traffic to and from them:

Code:
# 85.176.0.0/13 is 85.176.0.0 - 85.183.255.255, the inetnum and route object shown above
iptables -A INPUT -s 85.176.0.0/13 -j DROP
iptables -A OUTPUT -d 85.176.0.0/13 -j DROP
YMMV; if you want to ditch all of Europe you could drop RIPE's IP ranges... which, if memory serves me, are 62/8, 77-91/8, 193-195/8, and a few others I can't remember... you can search for it if you want the information.

Edit: just as a clarification, alicedsl.de doesn't seem to have their own netblock, so you're blocking their provider. If you have the addresses connecting to you, verify those addresses are in the netblock you want to block.

Last edited by rweaver; 05-04-2010 at 05:05 PM.
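Converting the whois inetnum into a prefix is the step worth checking before typing the rule. The RIPE output quoted above gives 85.176.0.0 - 85.183.255.255, and the route object says 85.176.0.0/13; a /13 is 524,288 addresses, while 85.176.0.0/21 covers only 85.176.0.0 - 85.176.7.255 (2,048 addresses) and does not even contain 85.183.254.1, the address dig returned for www.alicedsl.de. The block below is an added example written for this page, not code from the post: it derives the exact CIDR list from an inclusive range with Python's standard ipaddress module and emits the matching iptables rules. It goes beyond the post's single-prefix case by handling ranges that need several prefixes. The range and addresses are the ones quoted in the thread; the rule text is an assumption about how you would install them, not something the post states.

```python
# Added example for this page (not code from the original post): turn an
# inclusive IP range such as a RIPE inetnum into an exact CIDR list and the
# iptables rules that drop it.
import ipaddress


def range_to_cidrs(first, last):
    """Minimal list of prefixes that exactly cover first..last inclusive.
    A range that is not aligned to one prefix yields several entries."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def address_count(cidr):
    """Number of addresses a prefix covers (2 ** (32 - prefix_len) for IPv4)."""
    return ipaddress.ip_network(cidr).num_addresses


def covers(cidr, ip):
    """True if ip falls inside cidr."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def drop_rules(cidrs):
    """iptables lines dropping traffic to and from every prefix.  -I puts
    each rule at the head of its chain so an earlier ACCEPT cannot shadow
    it; the post used -A, which appends after whatever is already there."""
    rules = []
    for c in cidrs:
        rules.append(f"iptables -I INPUT -s {c} -j DROP")
        rules.append(f"iptables -I OUTPUT -d {c} -j DROP")
    return rules


# inetnum and A record taken from the dig/whois output quoted in the thread
HANSENET = ("85.176.0.0", "85.183.255.255")
WWW_ALICEDSL = "85.183.254.1"

if __name__ == "__main__":
    cidrs = range_to_cidrs(*HANSENET)
    print("prefixes:", cidrs)                      # ['85.176.0.0/13']
    for c in ("85.176.0.0/21", cidrs[0]):
        print(f"{c:16} {address_count(c):7d} addresses, "
              f"covers {WWW_ALICEDSL}: {covers(c, WWW_ALICEDSL)}")
    print("\n".join(drop_rules(cidrs)))
```

After adding the rules, confirm what the kernel actually holds with "iptables -L INPUT -n --line-numbers" rather than trusting the prefix you typed; a wrong mask fails silently, as the /21 here would have. Note that this drops the LIR's whole allocation, so every HanseNet customer is affected, not only alicedsl.de users.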
 
  

