Hello,

If with "invalid", you mean addresses of a certain type (multicast, anycast, broadcast, reserved address space, etc.), look at the addrtype module.

Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 18.09.2014 at 17:53, Lars Dam wrote:
> Thanks. I know what to do.
>
> Regards,
>
> Lars Da,
>
> -----Original Message-----
> From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Michael Schwartzkopff
> Sent: Thursday, September 18, 2014 5:31 PM
> To: netfilter@xxxxxxxxxxxxxxx
> Subject: Re: Can IPTables check for a valid IP address
>
> On Thursday, 18 September 2014, 17:11:36, R. Sterenborg wrote:
>> On 09/18/2014 03:50 PM, Lars Dam wrote:
>>> We suffer from DNS lookups with a response IP address which is not
>>> existing.
>>>
>>> Can Iptables check on this?
>>
>> What is it you actually want iptables to do? Do you want it to check
>> if the IP address that the DNS server responds with exists and is in use?
>> Or..? Maybe the DNS server should be fixed instead of trying to go this way.
>>
>> Iptables (well, Netfilter) is a packet filter. You can filter packets
>> that match a rule that you define. It can't validate your DNS server's
>> output.
>
> iptables cannot help you since the source IP address presumably varies. If the source address does not vary, then iptables can help you.
>
> Just google "iptables rate limit"
>
> Anyway, it seems that you operate an open resolver on your server. Please google why this is not a good idea. But if you really want to run an open resolver, then read the docs of your DNS server on how to limit the request rates. For bind, see:
>
> http://ss.vix.su/~vjs/rl-arm.html
>
> Kind regards,
>
> Michael Schwartzkopff
>
> --
> [*] sys4 AG
>
> http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
> Franziskanerstraße 15, 81669 München
>
> Registered office: München, Amtsgericht München: HRB 199263
> Executive board: Patrick Ben Koetter, Marc Schiffbauer
> Chairman of the supervisory board: Florian Kirstein
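Editor's added example, not part of any message in the thread: a ruleset fragment that combines the two suggestions above, the addrtype match and a per-source rate limit on DNS queries. The chain name `DNS_IN`, UDP port 53 on the local host, and the rate and burst values are assumptions; addrtype classifies the packet's own source address against the kernel routing table and never inspects the addresses inside a DNS answer.

```shell
#!/bin/sh
# Added example: prints an iptables-restore fragment for the filter table.
# Nothing is applied to the running firewall by this script itself.
# Assumed names/values: chain DNS_IN, UDP/53, default 20/sec with burst 40.

dns_filter_rules() {
    rate="${1:-20/sec}"   # allowed queries per source IP (assumed value)
    burst="${2:-40}"      # short burst tolerated per source IP (assumed value)
    cat <<EOF
*filter
:DNS_IN - [0:0]
-A INPUT -p udp --dport 53 -j DNS_IN
# Source addresses that can never be a legitimate unicast client.
# The type is resolved from the routing table, not from the DNS payload.
-A DNS_IN -m addrtype --src-type BROADCAST -j DROP
-A DNS_IN -m addrtype --src-type MULTICAST -j DROP
-A DNS_IN -m addrtype --src-type ANYCAST -j DROP
# Per-source rate limit: drop what exceeds the configured rate.
-A DNS_IN -m hashlimit --hashlimit-name dns_in --hashlimit-mode srcip --hashlimit-above $rate --hashlimit-burst $burst -j DROP
-A DNS_IN -j ACCEPT
COMMIT
EOF
}

# Print the fragment with optional rate and burst arguments.
dns_filter_rules "$@"
```

Check the printed fragment with `iptables-restore --test` before merging it into an existing ruleset.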