Debian Lenny - iptables+dnsbl/rbl check (https://www.linuxquestions.org/questions/linux-security-4/debian-lenny-iptables-dnsbl-rbl-check-700520/)

darklite 01-28-2009 10:02 AM

Debian Lenny - iptables+dnsbl/rbl check
 
Hello,

Is it possible to set up iptables so that I can add filters to specific ports so that iptables checks whether the connecting IP is on an RBL or DNSBL?
If it's not, allow the IP to connect; if it's on the list, block it and log the event.

Thank you for your help.

PS: I already tried http://headcandy.org/rojo/checkdnsbl but then I get the error "mysqld[3432]: warning: /etc/hosts.deny, line 20: open /usr/local/bin/checkdnsbl: Too many open files". Can I without causing problems raise the open files limit or is this dangerous?

unSpawn 01-29-2009 07:00 PM

As far as I know, the DNS-bl is for ISP-only use and RBLs are usually associated with MTA usage, not Netfilter. Checkdnsbl is a shell script (interpreted), doesn't use 'mktemp', works only if your `man 5 hosts_access` uses "aclexec" (not spawn) and caches queries by sleeping each for 5 minutes (default). So if you would deploy it for all services on a host that sees lots of connections, you'll notice as many 'sleep' processes as the number of unique IP addresses it checks times the services that get hit. Not that I know of any alternative (the closest I've come to remote checks is http://people.netfilter.org/~peejix/...oip-HOWTO.html but that's not what you're looking for) and I've seen better methods to wreck performance :-] Why not just use RBLs with your MTA, block ingress and egress bogons, use iptables modules like "recent", deploy Snort with an access blocker, anything but this... makes me wonder (this being the Linux Security forum) what you would get out of it security-wise anyway?.. (and welcome to LQ BTW, hope you like it here)
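As an added illustration (not code from this thread, checkdnsbl or packetbl), here is the check darklite asks for: reverse the connecting IPv4 address's octets, query it under a DNSBL zone, treat only a 127.0.0.0/8 answer as "listed", and produce a log line for blocked hits. It replaces checkdnsbl's per-query 'sleep' caching that unSpawn criticises with a TTL cache, and takes an injectable resolver so it can be tested offline; the zone name `dnsbl.example` is a constructed placeholder.

```python
# Added example: DNSBL lookup with TTL cache; zone name and resolver stub are constructed.
import ipaddress
import socket
import time

# Placeholder zone; a real deployment would use its operator's DNSBL zone name.
DNSBL_ZONE = "dnsbl.example"
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Default resolver: returns the A record as a string, or None for NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


class DnsblChecker:
    def __init__(self, resolver=system_resolver, ttl=300):
        self.resolver = resolver
        self.ttl = ttl
        self._cache = {}  # ip -> (expires_at, answer); bounded only by the TTL here

    def lookup(self, ip, now=None):
        """Return the cached DNSBL answer for ip, querying only when the entry has expired."""
        now = time.time() if now is None else now
        hit = self._cache.get(ip)
        if hit and hit[0] > now:
            return hit[1]
        answer = self.resolver(dnsbl_query_name(ip))
        self._cache[ip] = (now + self.ttl, answer)
        return answer

    def decide(self, ip, port, now=None):
        """Return (action, log_line). Only answers inside 127.0.0.0/8 mean 'listed';
        anything else (NXDOMAIN, or a public address from a wildcarded/expired zone) is accepted."""
        answer = self.lookup(ip, now)
        listed = answer is not None and ipaddress.IPv4Address(answer) in LISTED_RANGE
        if listed:
            return "DROP", f"dnsbl: blocked {ip} -> port {port} ({DNSBL_ZONE} answered {answer})"
        return "ACCEPT", None
```

The "DROP"/"ACCEPT" strings are the decision a wrapper (a hosts_access aclexec hook, or a helper feeding an ipset) would act on; the log line is what you would hand to syslog.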

chort 01-30-2009 01:18 AM

packetbl does exactly what you're asking.

darklite 01-31-2009 05:42 AM

Thanks for the help :-)

