Discussion:
Can IPTables check for a valid IP address
Lars Dam
2014-09-18 13:50:08 UTC
Permalink
We suffer from DNS lookups with a response IP address which does not exist.

Can Iptables check on this?

Regards,

Lars Dam
Manager ICT services
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
R. Sterenborg (lists)
2014-09-18 15:11:36 UTC
Permalink
What is it you actually want iptables to do? Do you want it to check if
the IP address that the DNS server responds with exists and is in use?
Or..? Maybe the DNS server should be fixed instead of trying to go this way.

Iptables (well, Netfilter) is a packet filter. You can filter packets
that match a rule that you define. It can't validate your DNS server's
output.


--
Rob
Lars Dam
2014-09-18 15:19:37 UTC
Permalink
Hi Rob,

Sure thing! I was just looking for a workaround.

I was looking for a way iptables might check if it's a valid (in function) IP address, before a DNS server handles the request.

Regards,

Michael Schwartzkopff
2014-09-18 15:31:16 UTC
Permalink
iptables cannot help you since the source IP address presumably varies. If the
source address does not vary, then iptables can help you.

Just google "iptables rate limit"


Anyway, it seems that you operate an open resolver on your server. Please
google why this is not a good idea. But if you really want to run an open
resolver, then read the docs of your DNS server on how to limit the request
rates. For bind, see:

http://ss.vix.su/~vjs/rl-arm.html



Kind regards,

Michael Schwartzkopff
--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Lars Dam
2014-09-18 15:53:45 UTC
Permalink
Thanks. I know what to do.

Regards,

Lars Dam

Noel Kuntze
2014-09-18 16:29:59 UTC
Permalink

Hello,

If with "invalid" you mean addresses of a certain type
(multicast, anycast, broadcast, reserved address space, etc.), look at the
addrtype module.

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
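Both hints given in this thread, Michael's per-source rate limit for a resolver that is reachable from the Internet and Noel's addrtype match, can be combined into one small iptables ruleset. The script below is an added example and is not from the thread or from any of the posters. It generates the rules in iptables-restore(8) syntax so they can be reviewed before anything is loaded. The interface name eth0, the "own clients" network 192.0.2.0/24, the OPEN_RESOLVER switch, the rate of 20 queries per second and the burst of 50 are all assumptions for the example, not values from the thread.

```shell
#!/bin/sh
# Added example (not code from the thread or from any poster).
# Builds, and optionally applies, an iptables ruleset for a DNS resolver that
# combines the two suggestions made in the thread:
#   - addrtype match: drop DNS packets whose source or destination address
#     type can never belong to a legitimate client;
#   - hashlimit match: per-source rate limit on port 53 for remote clients.
# Every value below is an assumption for the example; adjust it to your site.

WAN_IF="${WAN_IF:-eth0}"                 # assumed public-facing interface
LAN_NET="${LAN_NET:-192.0.2.0/24}"       # assumed "own clients" network (RFC 5737 documentation range)
OPEN_RESOLVER="${OPEN_RESOLVER:-yes}"    # "no": only LAN_NET may query at all
DNS_RATE="${DNS_RATE:-20/second}"        # assumed sustained query rate per remote source
DNS_BURST="${DNS_BURST:-50}"             # assumed burst allowance per remote source

# Print the ruleset in iptables-restore(8) syntax. Nothing is applied here,
# so the output can be read (or diffed against the running set) first.
build_dns_rules() {
    cat <<EOF
*filter
:DNS_IN - [0:0]
# Every DNS packet arriving on the WAN interface goes through DNS_IN.
-A INPUT -i $WAN_IF -p udp --dport 53 -j DNS_IN
-A INPUT -i $WAN_IF -p tcp --dport 53 -j DNS_IN
# addrtype: a real client never sends from a broadcast, multicast, anycast
# or unspecified (0.0.0.0) source; a packet arriving from outside with one
# of this host's own (LOCAL) addresses as source is spoofed.
-A DNS_IN -m addrtype --src-type BROADCAST,MULTICAST,ANYCAST,UNSPEC,LOCAL -j DROP
# addrtype: the type comes from the routing table, so a source you have
# routed as unreachable or blackhole ("ip route add unreachable ...") is
# dropped here as well.
-A DNS_IN -m addrtype --src-type UNREACHABLE,BLACKHOLE,PROHIBIT -j DROP
# addrtype: only accept queries addressed to one of this host's own addresses.
-A DNS_IN -m addrtype ! --dst-type LOCAL -j DROP
# Our own clients are accepted without a rate limit.
-A DNS_IN -s $LAN_NET -j ACCEPT
EOF
    if [ "$OPEN_RESOLVER" = "yes" ]; then
        cat <<EOF
# hashlimit: each remote source address gets at most $DNS_RATE with a burst
# of $DNS_BURST; everything above that is dropped before the resolver sees it.
-A DNS_IN -m hashlimit --hashlimit-name dns_src --hashlimit-mode srcip --hashlimit-upto $DNS_RATE --hashlimit-burst $DNS_BURST -j ACCEPT
EOF
    fi
    cat <<EOF
# Anything else (over the limit, or remote while OPEN_RESOLVER=no) is dropped.
-A DNS_IN -j DROP
COMMIT
EOF
}

# Syntax-check the generated set without loading it (needs iptables-restore,
# and usually root); returns iptables-restore's exit status.
check_dns_rules() {
    build_dns_rules | iptables-restore --test
}

case "${1:-show}" in
    show)  build_dns_rules ;;
    check) check_dns_rules ;;
    apply)
        # Remove the INPUT jumps from a previous run so they are not duplicated,
        # then load the set on top of the existing filter table (-n: no flush).
        iptables -D INPUT -i "$WAN_IF" -p udp --dport 53 -j DNS_IN 2>/dev/null || true
        iptables -D INPUT -i "$WAN_IF" -p tcp --dport 53 -j DNS_IN 2>/dev/null || true
        build_dns_rules | iptables-restore -n ;;
    *)     echo "usage: $0 {show|check|apply}" >&2; exit 2 ;;
esac
```

Two caveats a practitioner should keep in mind. addrtype only classifies an address by what the local routing table says about it; it cannot tell whether a public address is actually assigned or in use, so a bogon or reputation list still needs explicit -s rules or an ipset. And hashlimit keyed on the source address throttles everything behind one NAT together, and silently drops the excess, whereas the BIND RRL mechanism linked above limits responses and can send truncated answers that let genuine clients retry over TCP; for an open resolver the two are complementary rather than alternatives.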
Lars Dam
2014-09-18 17:48:20 UTC
Permalink
Thanks!

I will certainly investigate this option.

Regards!
