Re: IPtables rules to block by symbolic host name, not IP ?
From: Somebody (dontspamme@midori.onlineloop.nu)
Date: 04/17/03
- Next message: Kasper Dupont: "Re: Dynamic IP's & Iptables"
- Previous message: Tomek Lutelmowski: "Re: Dynamic IP's & Iptables"
- In reply to: Spam Me!: "IPtables rules to block by symbolic host name, not IP ?"
- Next in thread: Kasper Dupont: "Re: IPtables rules to block by symbolic host name, not IP ?"
- Reply: Kasper Dupont: "Re: IPtables rules to block by symbolic host name, not IP ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Somebody <dontspamme@midori.onlineloop.nu> Date: Thu, 17 Apr 2003 13:45:06 +0200
Rather than trying to individually block IP addresses as they attack your
machine (you will spend the rest of your life doing this), use the string
matching capability in iptables. Simply, if you get something on port 80 that
matches, such as Code Red, Nimda, or similar, iptables will deal with the
packet regardless of from where it originated. The only disadvantage of this
method is that when you are attacked, you will get an entry in your web server
log that looks something like
195.107.47.197 - - [16/Apr/2003:20:26:03 +0200] "-" 408 -
but it's better than having your logs filled up with crap.
The following lines kill off the various Windows attacks that I know of:
iptables -A INPUT -m string --string 'default.ida' -p tcp --dport 80 -j DROP
iptables -A INPUT -m string --string 'winnt' -p tcp --dport 80 -j DROP
iptables -A INPUT -m string --string 'root.exe' -p tcp --dport 80 -j DROP
iptables -A INPUT -m string --string 'vti_inf' -p tcp --dport 80 -j DROP
Generally speaking, look at the entries in your web server logs and put in the
matching strings into the iptables rules.
Hope this is the kind of answer you were looking for.
Ian
ian (found at) midori (dot) shacknet (dot) nu
"Spam Me!" wrote:
> Hi All,
>
> Is it possible to create firewall rules, that work based on
> the symbolic host name, not the actual IP address of the origin
> of the packet. On the cable network I'm on, there are lots of
> infected windows machines sending attacks and various packets
> to my web server. I do not want to block all IPs, because there
> are 'clean' ones, and due to DHCP it is changing which ones
> are OK, and which ones should be blocked. That's why I'd like
> to block the offending machines based on host name, not IP.
>
> How could I do that ?
>
> Thanks,
> Zsolt
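The post's last step, "look at the entries in your web server logs and put the matching strings into the iptables rules", is easy to script. The following is an added example, not code from the original message: it parses a few constructed combined-format log lines, counts which of the four signature strings from the post actually appear in requests, lists the source addresses that sent them, and emits one DROP rule per signature that was seen. The sample log lines, the `min_hits` threshold and the helper names are assumptions of this example. One caveat the 2003 rules above predate: the string match in current iptables (xt_string) requires `--algo bm` or `--algo kmp`, so the generated rules include it.

```python
import re
from collections import Counter

# Signature substrings taken from the iptables rules in the post above.
SIGNATURES = ("default.ida", "winnt", "root.exe", "vti_inf")

# Constructed sample access-log lines (Apache combined-style); not from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Apr/2003:20:25:51 +0200] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 -
10.0.0.9 - - [16/Apr/2003:20:25:58 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [16/Apr/2003:20:26:01 +0200] "GET /index.html HTTP/1.1" 200 1422
10.0.0.9 - - [16/Apr/2003:20:26:02 +0200] "GET /_vti_inf.html HTTP/1.0" 404 -
10.0.0.11 - - [16/Apr/2003:20:26:05 +0200] "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [16/Apr/2003:20:26:09 +0200] "GET /about.html HTTP/1.1" 200 880
"""

# ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_signature_hits(text, signatures=SIGNATURES):
    """Count how many requests contain each signature substring."""
    hits = Counter()
    for rec in parse_log(text):
        for sig in signatures:
            if sig in rec["req"]:
                hits[sig] += 1
    return hits


def offending_ips(text, signatures=SIGNATURES):
    """Sorted list of source addresses whose requests matched any signature."""
    return sorted({rec["ip"] for rec in parse_log(text)
                   if any(sig in rec["req"] for sig in signatures)})


def iptables_rule(sig, dport=80, algo="bm"):
    """Build one DROP rule for a payload substring.

    Current xt_string requires --algo (bm or kmp); the 2003 rules in the post
    omit it because the string match of that era had no such option.
    """
    return (f"iptables -A INPUT -p tcp --dport {dport} "
            f"-m string --algo {algo} --string '{sig}' -j DROP")


def rules_for_log(text, signatures=SIGNATURES, min_hits=1):
    """Emit a rule only for signatures seen at least min_hits times in the log,
    so the rule set stays limited to attacks actually observed."""
    hits = find_signature_hits(text, signatures)
    return [iptables_rule(sig) for sig in signatures if hits[sig] >= min_hits]


if __name__ == "__main__":
    for sig, n in sorted(find_signature_hits(SAMPLE_LOG).items()):
        print(f"{sig:12s} {n} request(s)")
    print("sources:", ", ".join(offending_ips(SAMPLE_LOG)))
    print("\n".join(rules_for_log(SAMPLE_LOG)))
```

Two things worth keeping in mind when installing the generated rules: iptables evaluates a chain in order and stops at the first match, so these DROP rules must sit before any rule that accepts port 80 traffic (`-I INPUT 1` rather than `-A INPUT` if an ACCEPT already exists), and the string match inspects each packet on its own, so a request split across several TCP segments can slip past it. Short strings such as `winnt` can also appear in legitimate URLs, which is why counting hits per signature before adding a rule is useful.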