iptables block by domain name?

I'm using connlimit for iptables to not allow more than, say, 5
connections from one IP address or subnet. For example this (with a
default block rule) will only allow 5 or fewer connections from a single
IP address to port 25:

iptables -A INPUT -p tcp -i eth0 --dport 25 -m connlimit ! --connlimit-above 5 -j ACCEPT

This is fine.  But now I'm seeing sources (like frontbridge.com) coming
from all over the place when they want to deliver something.  I get like
25 connections in a 30 second span which drags things down huge.

Does anyone know how I can use connlimit (or whatever) to block/throttle
by domain like *.frontbridge.com instead of address?

I can't do it by address or subnet as shown below (because they're all
over the place):

  6488 root      \_ sendmail: kB4MwWlG006488 outbound-dub.frontbridge.com []: DATA
  6489 root      \_ sendmail: kB4MwWVb006489 outbound-blu.frontbridge.com []: DATA
  6496 root      \_ sendmail: kB4MwZ4U006496 outbound-cpk.frontbridge.com []: DATA
  6500 root      \_ sendmail: kB4MwcTI006500 outbound-sin.frontbridge.com []: DATA
  6512 root      \_ sendmail: kB4Mwdu8006512 outbound-dub.frontbridge.com []: DATA
  6513 root      \_ sendmail: kB4MwdUn006513 outbound-dub.frontbridge.com []: DATA
  6520 root      \_ sendmail: kB4Mwe73006520 outbound-cpk.frontbridge.com []: DATA
  6524 root      \_ sendmail: kB4Mwf2Y006524 outbound-dub.frontbridge.com []: DATA
  6528 root      \_ sendmail: kB4MwfJ0006528 outbound-dub.frontbridge.com []: DATA
  6536 root      \_ sendmail: kB4MwhDU006536 outbound-blu.frontbridge.com []: DATA
  6540 root      \_ sendmail: kB4MwhJ9006540 outbound-sin.frontbridge.com []: DATA
  (many more...)


Re: iptables block by domain name?

[ crossposted to cms + Followup-To -> cms ; Seems much more about
sendmail than Linux/security ]


Recent sendmail versions have a connection rate control feature
which might be useful to you? Though I am not sure if those
systems try delivering legitimate mail or just spam?

It seems ratware tends to open more connections as soon as you
start slowing them down. Allowing not more than one smtp
connection per host, despite a few trusted hosts, seems to help.

Quite some ratware seems of the same type, trying to open 3-4
more connections immediately, though there is some (very seldom)
incredible broken stuff out trying to open >150 connections in 3

Probably you can use some milter for the task?

However 25 more or less connections shouldn't do much if anything
to sendmail on a halfway reasonable sized box. A problem might be
SA, which tends to use quite some RAM, did you check if you are
running out of RAM? Starting to page constantly usually drops
down performance tremendously on any *nix box.

Good luck

Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 306: CPU-angle has to be adjusted because of
vibrations coming from the nearby road

Re: iptables block by domain name?

1. IPtables will resolve the DNS name before running the command.  You
will have to use an application proxy to block entire domains.

2. If you want to totally block M$ you could pull the IPs from the log
files using a scripting language (thinking sed/awk or perl) and
dynamically throw these addresses into a file.  Then have your IPtables
script pull these addresses whenever the service is restarted.
LinuxJournal had a good article about this earlier this year:

Ken Williams wrote:

Re: iptables block by domain name?


Mssr. Heiming's suggestion of utilizing sendmail's ratecontrol and
conncontrol (see the entries in the cf/README file in the source
distribution including the "CONNECTION CONTROL" section) are the preferred

You'll still have to utilize the cidr subnet notation in the access file and
then the contrib/cidrexpand Perl script in the source distribution to create
a working access file before makemap'ing the access.db.

This means one has to know the cidr notations required, which can sometimes
be a bit of a task ... frontbridge.com is an excellent example, and you're
going to require this information whether you use the sendmail
control or your iptables connlimit solution.

If you'll examine
you'll see the IP addresses listed in the left column. Clicking on any of
those addresses will lead you to the cidr notations required, and it will
require several to cover all the problem addresses in your OP and the left
column. Or you might wish to just copy those first-column addresses and
forget the remaining cidr addresses of which they're a part.

Not a trivial task but certainly easily accomplished.
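As an added illustration of the second reply's idea (pull the offending addresses out of the log with a script, then feed them to per-address connlimit rules) rather than anything posted in the thread: the log lines below are constructed in the usual sendmail "relay=host [addr]" form with documentation addresses, and the helper names are assumptions, not part of sendmail or iptables.

```shell
#!/bin/sh
# Constructed sample of sendmail log lines; the relay= field carries the
# resolved client name and its address (documentation ranges used here).
SAMPLE_LOG='Nov  4 22:58:30 mx sendmail[6488]: kB4MwWlG006488: from=<a@example.net>, size=2048, relay=outbound-dub.frontbridge.com [192.0.2.10]
Nov  4 22:58:31 mx sendmail[6489]: kB4MwWVb006489: from=<b@example.net>, size=1024, relay=outbound-blu.frontbridge.com [198.51.100.7]
Nov  4 22:58:33 mx sendmail[6496]: kB4MwZ4U006496: from=<c@example.org>, size=512, relay=mail.example.org [203.0.113.5]
Nov  4 22:58:35 mx sendmail[6512]: kB4Mwdu8006512: from=<d@example.net>, size=4096, relay=outbound-dub.frontbridge.com [192.0.2.10]'

# Print each distinct client address whose relay name is DOMAIN or a
# subdomain of it (a bare suffix match would also catch "notfrontbridge.com").
# Usage: domain_ips DOMAIN < maillog
domain_ips() {
    awk -v dom="$1" '
        match($0, /relay=[^ ]+ \[[0-9.]+\]/) {
            rel = substr($0, RSTART + 6, RLENGTH - 6)     # "host [addr]"
            split(rel, f, " ")
            host = f[1]; ip = f[2]
            gsub(/\[|\]/, "", ip)                          # strip the brackets
            if ((host == dom || substr(host, length(host) - length(dom)) == "." dom) && !seen[ip]++)
                print ip
        }'
}

# Emit one connlimit rule per address found, dropping any connection to
# port 25 beyond MAX concurrent ones from that address (rules are printed,
# not applied, so they can be reviewed and loaded from a file at restart).
# Usage: domain_rules DOMAIN MAX < maillog
domain_rules() {
    domain_ips "$1" | while read -r ip; do
        printf 'iptables -A INPUT -p tcp -i eth0 --dport 25 -s %s -m connlimit --connlimit-above %s -j DROP\n' "$ip" "$2"
    done
}

# Example run over the constructed sample: two rules, one per distinct address.
printf '%s\n' "$SAMPLE_LOG" | domain_rules frontbridge.com 1
```

Point the functions at the real maillog instead of SAMPLE_LOG to regenerate the rule file whenever the firewall script is restarted.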
