RE: FW: Can IPTables check for a valid IP address

Thanks!

I will certainly investigate this option.

Regards!

-----Original message-----
From: Noel Kuntze [mailto:noel@xxxxxxxxxxxxxxxxx] 
Sent: Thursday, September 18, 2014 6:30 PM
To: Lars Dam; netfilter@xxxxxxxxxxxxxxx
Subject: Re: FW: Can IPTables check for a valid IP address


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello,

If with "invalid", you mean addresses of a certain type (multicast, anycast, broadcast, reserved address space, etc), look at the addrtype module.

Kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 18.09.2014 at 17:53, Lars Dam wrote:
> Thanks. I know what to do.
>
> Regards,
>
> Lars Dam,
>
> -----Original message-----
> From: netfilter-owner@xxxxxxxxxxxxxxx 
> [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On behalf of Michael Schwartzkopff
> Sent: Thursday, September 18, 2014 5:31 PM
> To: netfilter@xxxxxxxxxxxxxxx
> Subject: Re: Can IPTables check for a valid IP address
>
> On Thursday, 18 September 2014, 17:11:36, R. Sterenborg wrote:
>> On 09/18/2014 03:50 PM, Lars Dam wrote:
>>> We suffer from DNS lookups with a response IP address which does not 
>>> exist.
>>>
>>> Can Iptables check on this?
>>
>> What is it you actually want iptables to do? Do you want it to check 
>> if the IP address that the DNS server responds with exists and is in use?
>> Or..? Maybe the DNS server should be fixed instead of trying to go this way.
>>
>> Iptables (well, Netfilter) is a packet filter. You can filter packets 
>> that match a rule that you define. It can't validate your DNS 
>> server's output
>
> iptables cannot help you since the source IP address presumably varies. If the source address does not vary, then iptables can help you.
>
> Just google "iptables rate limit"
>
>
> Anyway, it seems that you operate an open resolver on your server. Please google why this is not a good idea. But if you really want to run an open resolver, then read the docs of your DNS server on how to limit the request rates. For bind, see:
>
> http://ss.vix.su/~vjs/rl-arm.html
>
>
>
> Kind regards,
>
> Michael Schwartzkopff
>
> --
> [*] sys4 AG
>
> http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 
> Franziskanerstraße 15, 81669 München
>
> Registered office: München, District Court München: HRB 199263
> Board: Patrick Ben Koetter, Marc Schiffbauer
> Chairman of the supervisory board: Florian Kirstein

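Two of the suggestions in this thread written out as rules, as an added example that is not part of any message above: the addrtype match Noel names, and the per-source rate limit Michael refers to. It assumes a Linux host with iptables and the addrtype and hashlimit matches available; the interface name eth0, the 20 queries/second rate and the burst of 50 are constructed values. The script prints the rules unless APPLY=1 is set. One caveat worth knowing before relying on it: addrtype looks only at the IP header, so it can drop packets arriving from address types no legitimate remote peer could use, but it does not inspect the addresses carried inside a DNS answer, which is what the original question was about.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux iptables with the
# addrtype and hashlimit matches; WAN, the rate and the burst are constructed.
# Rules are printed by default; set APPLY=1 to load them for real.
WAN="${WAN:-eth0}"

# Print or execute one iptables command, depending on APPLY.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# addrtype matches on the IP header's source address type. No legitimate
# remote host sends from a broadcast, multicast, anycast or unspecified
# (0.0.0.0) address, so those are dropped on the external interface.
# Drop UNSPEC only where no DHCP clients live on that interface, since they
# do source from 0.0.0.0 before they have a lease.
addrtype_rules() {
    for t in UNSPEC BROADCAST ANYCAST MULTICAST; do
        run -A INPUT -i "$WAN" -m addrtype --src-type "$t" -j DROP
    done
    # LOCAL means one of this host's own addresses arriving from outside,
    # i.e. spoofed; --limit-iface-in restricts the check to the addresses of
    # the interface the packet came in on.
    run -A INPUT -i "$WAN" -m addrtype --src-type LOCAL --limit-iface-in -j DROP
}

# Per-source-address rate limit for inbound UDP DNS queries: each client may
# send up to 20 queries/second with a burst of 50; excess queries are dropped
# so the resolver never answers them.
dns_ratelimit_rules() {
    run -A INPUT -i "$WAN" -p udp --dport 53 \
        -m hashlimit --hashlimit-name dnsq --hashlimit-mode srcip \
        --hashlimit-upto 20/second --hashlimit-burst 50 -j ACCEPT
    run -A INPUT -i "$WAN" -p udp --dport 53 -j DROP
}

main() {
    addrtype_rules
    dns_ratelimit_rules
}

main
```

Run it as root with APPLY=1 to load the rules; without that variable it only prints what would be loaded, which is also a convenient way to review the rule set before committing it. Per-source limiting only helps against clients that use their real address, so it is a complement to, not a substitute for, the resolver-side rate limiting Michael points to.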




