Re: Filtering content inside packets, specifically RELATED data in the various ICMP TYPE 3 packets

On 13/01/2017 at 11:52, André Paulsberg-Csibi (IBM Consultant) wrote:

I have detected in my iptables that someone(s) are sending spoofed DNS requests to various targets ( I assume DNS servers ),
from this I have also counted that this accounts for approximately 25% of all log entries so it would be helpful to just DROP
these prior to the log rule for OUT-OF-STATE / INVALID packets sent to my FIREWALL .
(...)
Since this system runs named ( a Linux-based DNS resolver ) , filtering ICMP for all DNS could impact valid packets also ...
... but my conclusion is that making any filter after the RELATED rules and also limiting it to the very specific combo
of only those with source port SPT=24116 ( and UDP 53 ) should make it virtually impossible to go wrong ( at least in theory ).
(...)
Now the problem is to create a rule that would perform this task , but looking at the module for string match
and searching Google has left me a bit unsure whether I am going in the right direction ...

The u32 match may be more precise, as it allows matching a pattern at a specific offset.

Since the IPTABLES normally can find this data in its RELATED function in the STATE-MODULE ,

Conntrack is independent of iptables.
Conntrack sets the state, and iptables just checks it.

But I'd like to ask why you bother to log such packets?
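To make the u32 suggestion concrete, here is an added example that is not part of this thread: a small Python model of the xt_u32 match, following the evaluation order documented for the iptables u32 extension (each `&&`-separated test reads a 32-bit word, applies `&`, `<<`, `>>` and `@` left to right, then compares against a range list), run over a constructed ICMP destination-unreachable packet that quotes a UDP/53 query from the poster's source port 24116. The rule text, the addresses (documentation ranges) and the packets are constructed for this example; the only value taken from the thread is SPT=24116 / DPT=53. The point of modelling it is to check the offset arithmetic (outer IHL, 8-byte ICMP header, inner IHL) before the rule goes in front of a production resolver.

```python
import re
import socket
import struct

# The iptables rule this example checks. The port numbers follow the poster's
# SPT=24116 / DPT=53 case; the rule text itself is constructed for this example.
#   iptables -I INPUT -p icmp --icmp-type destination-unreachable \
#       -m u32 --u32 "$U32_EXPR" -j DROP
U32_EXPR = (
    "4&0x3FFF=0"                              # outer packet is not a fragment
    " && 0>>22&0x3C@16&0xFF0000=0x110000"     # quoted inner IP header: protocol == UDP (17)
    " && 0>>22&0x3C@8>>22&0x3C@8=0x5E340035"  # quoted inner UDP header: sport 24116, dport 53
)


def read32(packet: bytes, off: int):
    """Return the big-endian 32-bit word at byte offset `off`, or None when the
    read would run past the end of the packet (xt_u32 then fails the match)."""
    if off < 0 or off + 4 > len(packet):
        return None
    return struct.unpack_from("!I", packet, off)[0]


def _in_range(val: int, rng: str) -> bool:
    """One element of the value list: a number or a 'lo:hi' range."""
    lo, _, hi = rng.strip().partition(":")
    lo = int(lo, 0)
    return lo <= val <= (int(hi, 0) if hi else lo)


def u32_match(packet: bytes, expr: str) -> bool:
    """Evaluate a u32 expression over a raw IPv4 packet. '@' adds the current
    value to the base offset and reads a new word at the number that follows it,
    which is how the IHL-dependent offsets are followed into the quoted packet."""
    for test in expr.split("&&"):
        location, _, values = test.partition("=")
        tokens = re.findall(r"0x[0-9a-fA-F]+|\d+|<<|>>|&|@", location)
        base = 0
        val = read32(packet, base + int(tokens[0], 0))
        if val is None:
            return False
        for op, num in zip(tokens[1::2], tokens[2::2]):
            num = int(num, 0)
            if op == "&":
                val &= num
            elif op == "<<":
                val = (val << num) & 0xFFFFFFFF
            elif op == ">>":
                val >>= num
            elif op == "@":
                base += val
                val = read32(packet, base + num)
                if val is None:
                    return False
        if not any(_in_range(val, r) for r in values.split(",")):
            return False
    return True


def ipv4_header(proto: int, src: str, dst: str, payload_len: int, ihl_words: int = 5) -> bytes:
    """Minimal IPv4 header (checksum left 0: u32 never inspects it). IHL > 5 pads
    with zeroed option bytes so the IHL arithmetic in the expression is exercised."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, ihl_words * 4 + payload_len,
                      0, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + b"\x00" * (ihl_words * 4 - 20)


def icmp_port_unreachable(sport: int, dport: int, inner_ihl_words: int = 5) -> bytes:
    """Constructed ICMP type 3 / code 3 as a target host sends it for a UDP datagram
    to a closed port. The quoted inner packet is the (spoofed) DNS query that
    carries the firewall's address as source; the DNS payload is a 12-byte stub."""
    dns_stub = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns_stub), 0) + dns_stub
    inner = ipv4_header(17, "192.0.2.1", "203.0.113.7", len(udp), inner_ihl_words) + udp
    quoted = inner[: inner_ihl_words * 4 + 8]          # RFC 792: inner header + 8 bytes
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    return ipv4_header(1, "203.0.113.7", "192.0.2.1", len(icmp)) + icmp


if __name__ == "__main__":
    cases = {
        "spoofed query, sport 24116": icmp_port_unreachable(24116, 53),
        "spoofed query, inner IP options": icmp_port_unreachable(24116, 53, inner_ihl_words=6),
        "resolver's own query, ephemeral port": icmp_port_unreachable(41000, 53),
    }
    for name, pkt in cases.items():
        print(f"{name:40s} -> {'DROP' if u32_match(pkt, U32_EXPR) else 'pass'}")
```

Two things the model makes visible: the `@` steps mean the rule keeps working when either header carries IP options, and a truncated packet (quoted bytes missing) simply fails the match rather than matching on garbage. As the poster planned, the rule still belongs after the ESTABLISHED,RELATED accept, so unreachables for named's own queries (ephemeral source ports) are never touched by it.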
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
