Rejecting packets from a given domain

Rejecting packets from a given domain

Post by H.K. Kingston-Smit » Wed, 16 Apr 2008 07:21:15



        I am getting a few attempts from the hinet.net domain to have
email relayed through my email server. Since my email server requires
authentication, such attempts never get anywhere. However, they do
clutter my logs.

        Would it be possible to have an IP tables rule such that any
packets from this domain, addressed to a given port, are rejected without
further ado?


Rejecting packets from a given domain

Post by Chris Davie » Wed, 16 Apr 2008 08:22:31



> Would it be possible to have an IP tables rule such that any packets
> from this domain [hinet.net], addressed to a given port, are rejected
> without further ado?

Not by (domain) name, no. But if you can determine the set of IP address
ranges that hinet.net uses you can drop those quietly on the floor
with iptables.

[Quick check with whois...]

    inetnum:      168.95.0.0 - 168.95.255.255
    netname:      Hinet
    descr:        CHTD, Chunghwa Telecom Co., Ltd.
    country:      TW
    ...

So, provided that this is the only netblock allocated to hinet, something
like this should do the trick:

    iptables -I INPUT -p tcp --source 168.95.0.0/16 --dport 25 -j REJECT

Chris


Rejecting packets from a given domain

Post by H.K. Kingston-Smit » Wed, 16 Apr 2008 09:22:28




>> Would it be possible to have an IP tables rule such that any packets
>> from this domain [hinet.net], addressed to a given port, are rejected
>> without further ado?

> Not by (domain) name, no. But if you can determine the set of IP address
> ranges that hinet.net uses you can drop those quietly on the floor with
> iptables.

> [Quick check with whois...]

>     inetnum:      168.95.0.0 - 168.95.255.255
>     netname:      Hinet
>     descr:        CHTD, Chunghwa Telecom Co., Ltd.
>     country:      TW
>     ...

> So, provided that this is the only netblock allocated to hinet,
> something like this should do the trick:

>     iptables -I INPUT --source 168.95.0.0/16 --dport 25 -j REJECT

        The IP addresses in my logs seem to have been dynamically
allocated, and they always start with either 122.116 or 118.169 - never
168.95. Is there a way to find out what IP blocks have been set aside for
hinet.net?

Rejecting packets from a given domain

Post by Allen Kistle » Wed, 16 Apr 2008 11:09:14





>>> Would it be possible to have an IP tables rule such that any packets
>>> from this domain [hinet.net], addressed to a given port, are rejected
>>> without further ado?
>> Not by (domain) name, no. But if you can determine the set of IP address
>> ranges that hinet.net uses you can drop those quietly on the floor with
>> iptables.

>> [Quick check with whois...]

>>     inetnum:      168.95.0.0 - 168.95.255.255
>>     netname:      Hinet
>>     descr:        CHTD, Chunghwa Telecom Co., Ltd.
>>     country:      TW
>>     ...

>> So, provided that this is the only netblock allocated to hinet,
>> something like this should do the trick:

>>     iptables -I INPUT --source 168.95.0.0/16 --dport 25 -j REJECT

>    The IP addresses in my logs seem to have been dynamically
> allocated, and they always start with either 122.116 or 118.169 - never
> 168.95. Is there a way to find out what IP blocks have been set aside for
> hinet.net?

host -a hinet.net

> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51294
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 3, ADDITIONAL: 4

> ;; QUESTION SECTION:
> ;hinet.net.                     IN      ANY

> ;; ANSWER SECTION:
> hinet.net.              13511   IN      NS      hntp1.hinet.net.
> hinet.net.              13511   IN      NS      hntp3.hinet.net.
> hinet.net.              13511   IN      NS      dns.hinet.net.
> hinet.net.              13558   IN      MX      10 netnews.hinet.net.

> ;; AUTHORITY SECTION:
> hinet.net.              13511   IN      NS      hntp1.hinet.net.
> hinet.net.              13511   IN      NS      dns.hinet.net.
> hinet.net.              13511   IN      NS      hntp3.hinet.net.

> ;; ADDITIONAL SECTION:
> hntp1.hinet.net.        15718   IN      A       168.95.192.1
> hntp3.hinet.net.        22467   IN      A       168.95.192.2
> dns.hinet.net.          15718   IN      A       168.95.1.1
> netnews.hinet.net.      13558   IN      A       168.95.195.16

Looks like 168.95.something to me.  The IP addresses you list belong to
apnic.net.  Look up specific ones at

http://wq.apnic.net/apnic-bin/whois.pl


Rejecting packets from a given domain

Post by Chris Davie » Wed, 16 Apr 2008 17:13:48



> Is there a way to find out what IP blocks have been set aside for
> hinet.net?

This works for me:

    whois -h whois.apnic.net hinet

Just be aware that entries for HINET may refer to (at least) two
independent entities. Your one is based in Taiwan; the other looks like
it's based in Japan.

Chris


Rejecting packets from a given domain

Post by Moe Tr » Thu, 17 Apr 2008 05:03:04


On Tue, 15 Apr 2008, in the Usenet newsgroup comp.os.linux.networking, in



>>> Would it be possible to have an IP tables rule such that any packets
>>> from this domain [hinet.net], addressed to a given port, are rejected
>>> without further ado?
>> Not by (domain) name, no.

Simple reason - there are a number of domains in the world who are either
too st00pid to be able to configure a PTR record on their DNS, or who don't
feel it's needed (RFCs like 2050 and 2051 don't apply to them, or they
couldn't read them if they tried). This is usually the case with abusive
ISPs. Thus, depending on a domain name lookup is a waste of your time.

>> But if you can determine the set of IP address ranges that hinet.net
>> uses you can drop those quietly on the floor with iptables.

Problem: They are a major provider.

>> [Quick check with whois...]

>>     inetnum:      168.95.0.0 - 168.95.255.255
>>     netname:      Hinet
>>     descr:        CHTD, Chunghwa Telecom Co., Ltd.
>>     country:      TW

It might be better to check with whois.twnic.net (the whois service for
Taiwan), but they have their own problems.

>        The IP addresses in my logs seem to have been dynamically
>allocated, and they always start with either 122.116 or 118.169 - never
>168.95.

[compton ~]$ grep -i hinet IP_admin/address.blocks
59.112.0.0 - 59.123.255.255 HINET-NET Chunghwa Telecom Co., Ltd. hinet.net
61.220.0.0 - 61.227.255.255 Hinet Chunghwa Telecom Co., Ltd.
61.228.0.0 - 61.231.255.255 Hinet Chunghwa Telecom Co., Ltd.
118.160.0.0 - 118.167.255.255 Hinet Chunghwa Telecom Co., Ltd
118.169.0.0 - 118.171.255.255 Hinet Chunghwa Telecom Co., Ltd
122.116.0.0 - 122.117.255.255 hinet.net Chunghwa Telecom Co.,Ltd
168.95.0.0 - 168.95.255.255  Hinet Chunghwa Telecom Co., Ltd
202.39.0.0 - 202.39.95.255 Hinet Data Communication Business Group .tw
202.39.128.0 - 202.39.255.255 Hinet Data Communication Business Group .tw
211.23.0.0 - 211.23.255.255 Hinet Chunghwa Telecom Co.,Ltd.
218.160.0.0 - 218.175.255.255 Hinet Chunghwa Telecom Co.,Ltd.
220.128.0.0 - 220.143.255.255 Hinet Chunghwa Telecom Co.,Ltd.
[compton ~]$

but I suspect that list is far from complete.

>Is there a way to find out what IP blocks have been set aside for
>hinet.net?

Be careful, because there are two entities using the 'hinet' character
string - one is Chunghwa Telecom in Taiwan, the other is Hitachi Info
Systems in Japan - very different providers.  Your best bet might be
to use your favorite search engine looking for block lists sorted
by companies.   Taiwan has 396 IPv4 assignments/allocations, all from
APNIC, and the address ranges are not adjacent.

        Old guy
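The whois-style ranges above are "first - last" pairs, which iptables does not accept directly; `-s` needs a CIDR prefix, and several of those ranges are not prefix-aligned. The following is an added example (not from anyone in the thread) that converts the posted list into a minimal set of prefixes, checks whether the 122.116.x and 118.169.x addresses seen in the logs fall inside it, and renders one REJECT rule per prefix; the chain (INPUT) and port (tcp/25) are assumptions.

```python
import ipaddress
import re

# Ranges as quoted in the post above (constructed test input; the
# trailing descriptions are ignored by the parser).
HINET_RANGES = """\
59.112.0.0 - 59.123.255.255 HINET-NET Chunghwa Telecom Co., Ltd.
61.220.0.0 - 61.227.255.255 Hinet Chunghwa Telecom Co., Ltd.
61.228.0.0 - 61.231.255.255 Hinet Chunghwa Telecom Co., Ltd.
118.160.0.0 - 118.167.255.255 Hinet Chunghwa Telecom Co., Ltd
118.169.0.0 - 118.171.255.255 Hinet Chunghwa Telecom Co., Ltd
122.116.0.0 - 122.117.255.255 hinet.net Chunghwa Telecom Co.,Ltd
168.95.0.0 - 168.95.255.255  Hinet Chunghwa Telecom Co., Ltd
202.39.0.0 - 202.39.95.255 Hinet Data Communication Business Group .tw
202.39.128.0 - 202.39.255.255 Hinet Data Communication Business Group .tw
211.23.0.0 - 211.23.255.255 Hinet Chunghwa Telecom Co.,Ltd.
218.160.0.0 - 218.175.255.255 Hinet Chunghwa Telecom Co.,Ltd.
220.128.0.0 - 220.143.255.255 Hinet Chunghwa Telecom Co.,Ltd.
"""
RANGE_RE = re.compile(r"^\s*(\d+(?:\.\d+){3})\s*-\s*(\d+(?:\.\d+){3})")

def ranges_to_cidrs(text):
    """Parse 'first - last' lines into a minimal, merged list of networks.
    summarize_address_range() splits ranges that are not prefix-aligned
    (59.112.0.0-59.123.255.255 -> a /13 plus a /14); collapse_addresses()
    merges blocks that abut (the two 61.x lines -> 61.220.0.0/14, 61.224.0.0/13)."""
    nets = []
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if not m:
            continue  # blank or malformed line: skip rather than fail
        first, last = (ipaddress.IPv4Address(x) for x in m.groups())
        nets.extend(ipaddress.summarize_address_range(first, last))
    return list(ipaddress.collapse_addresses(nets))

def covers(networks, ip):
    """True if ip falls inside any network: checks the 122.116.x / 118.169.x
    addresses from the logs against the list."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in networks)

def iptables_rules(networks, port=25, chain="INPUT"):
    """One REJECT rule per prefix. -p tcp is required for --dport to parse."""
    return [f"iptables -I {chain} -p tcp -s {net} --dport {port} -j REJECT"
            for net in networks]
```

Run `print("\n".join(iptables_rules(ranges_to_cidrs(HINET_RANGES))))` to get the 15 rules; the posted list is, as its author says, probably incomplete, so re-run it whenever the range list is updated from the registry.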


Rejecting packets from a given domain

Post by D. Stuss » Thu, 17 Apr 2008 06:23:17



> I am getting a few attempts from the hinet.net domain to have
> email relayed through my email server. Since my email server requires
> authentication, such attempts never get anywhere. However, they do
> clutter my logs.

> Would it be possible to have an IP tables rule such that any
> packets from this domain, addressed to a given port, are rejected without
> further ado?

NO, but if you're using sendmail, you may kill the email there by domain.

To deny all their IP's, what you really need to do is find out what their
AS# is then use a BGP looking glass to see which IP ranges they route for.


Rejecting packets from a given domain

Post by Jurgen Haa » Thu, 17 Apr 2008 22:51:04



>    I am getting a few attempts from the hinet.net domain to have
> email relayed through my email server. Since my email server requires
> authentication, such attempts never get anywhere. However, they do
> clutter my logs.

>    Would it be possible to have an IP tables rule such that any
> packets from this domain, addressed to a given port, are rejected without
> further ado?

Not really, but you can have iptables log them and have a custom cron
script dig through your logs to dynamically create rejection rules.
This works if you know beforehand which IPs belong to the domain. If
it's rather random, you can have iptables log all connections to a given
port (perhaps have a separate chain to exclude some IPs that are
definitely allowed to access the port) and have the cron script sorting
out whether or not the logged IPs are part of the domain through reverse
lookups and then create rejection rules.

Of course this does not block traffic right away.

-R-
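The cron-script half of the procedure above, as an added example (not the poster's script): it pulls SRC= addresses for port 25 out of iptables LOG lines, reverse-resolves each one, skips an allow list, and emits a REJECT rule for every source whose PTR name is in the target domain. The log lines, the `SMTP:` log prefix and the resolver map used for offline testing are all constructed; the real resolver is `socket.gethostbyaddr`.

```python
import re
import socket

# Constructed sample of iptables LOG output (syslog format); not real log data.
SAMPLE_LOG = """\
Apr 16 07:01:12 mail kernel: SMTP: IN=eth0 OUT= SRC=122.116.10.20 DST=192.0.2.25 PROTO=TCP SPT=4321 DPT=25
Apr 16 07:02:40 mail kernel: SMTP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.25 PROTO=TCP SPT=5555 DPT=25
Apr 16 07:03:05 mail kernel: SMTP: IN=eth0 OUT= SRC=118.169.3.4 DST=192.0.2.25 PROTO=TCP SPT=6666 DPT=25
Apr 16 07:03:09 mail kernel: SMTP: IN=eth0 OUT= SRC=122.116.10.20 DST=192.0.2.25 PROTO=TCP SPT=4322 DPT=25
Apr 16 07:04:00 mail kernel: SMTP: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.25 PROTO=TCP SPT=7777 DPT=25
"""
SRC_RE = re.compile(r"\bSRC=(\d+(?:\.\d+){3})\b.*\bDPT=(\d+)\b")

def logged_sources(log_text, port=25):
    """Unique source addresses that hit the given port, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if m and int(m.group(2)) == port and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def reverse_lookup(ip):
    """PTR name for ip, or None if it has none; hosts without a PTR (the case
    Moe Trin describes) are simply left alone by this script."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
    except (socket.herror, socket.gaierror, OSError):
        return None

def build_reject_rules(log_text, domain, allow=(), port=25,
                       resolver=reverse_lookup):
    """REJECT rules for logged sources whose PTR is inside `domain`, skipping
    anything in `allow`. The resolver is a parameter so it can be tested offline."""
    rules = []
    for ip in logged_sources(log_text, port):
        if ip in allow:
            continue
        name = resolver(ip)
        # "." + domain stops notahinet.net from matching hinet.net
        if name and (name == domain or name.endswith("." + domain)):
            rules.append(f"iptables -I INPUT -p tcp -s {ip} --dport {port} -j REJECT")
    return rules

# Constructed PTR answers for the sample addresses (203.0.113.77 has none).
FAKE_PTR = {"122.116.10.20": "122-116-10-20.dynamic.hinet.net",
            "118.169.3.4": "118-169-3-4.dynamic.hinet.net",
            "198.51.100.9": "mail.example.org"}
fake_resolver = FAKE_PTR.get
```

A PTR record is set by whoever controls the reverse zone for the address, so a stricter script would also forward-resolve the returned name and require it to map back to the same IP before trusting it.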