> I would be interested to put something in place
> that rejects incoming packets that meet the following two
> 1) They must be coming from IP addresses that
> have no corresponding name. I.e. when one tries nslookup
> or dig on such IP addresses, only the numerical addresses
> themselves are returned.
> 2) They are to be rejected only when they are
> meant for specific services, like, say, ftp or telnet.
> Is this feasible? Maybe with iptables, or is
> iptables below the level I am interested in?
man 5 hosts_access
At least for daemons that use tcpwrappers.
Just let in what you specifically want to let in and deny everything else.
For example, /etc/hosts.allow:
in.ftpd: ALL EXCEPT UNKNOWN
sshd: ALL EXCEPT UNKNOWN
# some valid smtp servers do not resolve
# following only if all LAN users are trusted
# otherwise be more specific
ALL: LOCAL 192.168.
hosts.deny should have ALL: ALL
I use a hardware broadband gateway that just lets in uninitiated
connections for ssh, smtp and http (and triggers incoming ident port 113
for any outgoing smtp). Connections to sshd are restricted to specific
hosts or IP ranges by hosts.allow and sshd is configured to accept keys
only (not passwords). Sendmail was tested for anti-relaying. Apache is
configured with a default worm catching vhost that dead ends and logs
separately if the Host header does not match one of the other set vhosts
(apache does not use tcpwrappers).
David Efflandt - All spam ignored http://www.de-srv.com/
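To see how the hosts.allow / hosts.deny rules quoted in this reply behave for clients with and without a reverse name, here is an added example (not the poster's code) that models the hosts_access(5) decision order in Python; the client addresses and their reverse-lookup results are constructed by hand rather than queried, so it runs offline, and only the patterns used above (ALL, UNKNOWN, LOCAL, a trailing-dot address prefix, a host name, and one level of EXCEPT) are implemented.

```python
# Rules as posted in the thread (comments are skipped by the parser).
HOSTS_ALLOW = """
in.ftpd: ALL EXCEPT UNKNOWN
sshd: ALL EXCEPT UNKNOWN
# some valid smtp servers do not resolve
ALL: LOCAL 192.168.
"""
HOSTS_DENY = "ALL: ALL\n"

def parse(text):
    """Return (daemon_list, client_list) pairs, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.strip()))
    return rules

def host_matches(pattern, addr, name):
    """One client pattern; name is None when the reverse lookup returned nothing."""
    if pattern == "ALL":
        return True
    if pattern == "UNKNOWN":
        return name is None                          # no PTR record for addr
    if pattern == "LOCAL":
        return name is not None and "." not in name  # short, dot-less host name
    if pattern.endswith("."):
        return addr.startswith(pattern)              # e.g. "192.168." prefix
    return name == pattern                           # literal host name

def list_matches(client_list, addr, name):
    """Apply the 'list EXCEPT list' operator (one level, as in the posted rules)."""
    if " EXCEPT " in client_list:
        include, exclude = client_list.split(" EXCEPT ", 1)
        return list_matches(include, addr, name) and not list_matches(exclude, addr, name)
    return any(host_matches(p, addr, name) for p in client_list.split())

def access(daemon, addr, name=None):
    """True if allowed: first match in hosts.allow grants, then hosts.deny refuses, else allow."""
    for daemons, clients in parse(HOSTS_ALLOW):
        if (daemon in daemons or "ALL" in daemons) and list_matches(clients, addr, name):
            return True
    for daemons, clients in parse(HOSTS_DENY):
        if (daemon in daemons or "ALL" in daemons) and list_matches(clients, addr, name):
            return False
    return True
```

With these rules an unresolved client from outside the LAN is refused for ftp and ssh, an unresolved 192.168. address still gets in through the ALL: LOCAL 192.168. line, and a resolved client is accepted only for the daemons named in hosts.allow.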