From: Moe Trin on 15 Apr 2008 16:03

On Tue, 15 Apr 2008, in the Usenet newsgroup comp.os.linux.networking, in article
<pan.2008.04.15.00.22.28(a)yahoo.com>, H.K. Kingston-Smith wrote:

>Chris Davies wrote:

>> H.K. Kingston-Smith <HKK-S(a)yahoo.com> wrote:

>>> Would it be possible to have an IP tables rule such that any packets
>>> from this domain [hinet.net], addressed to a given port, are rejected
>>> without further ado?

>> Not by (domain) name, no.

Simple reason - there are a number of domains in the world who are either
too st00pid to be able to configure a PTR record on their DNS, or who
don't feel it's needed (RFCs like 2050 and 2051 don't apply to them, or
they couldn't read them if they tried). This is usually the case with
abusive ISPs. Thus, depending on a domain name lookup is a waste of
your time.

>> But if you can determine the set of IP address ranges that hinet.net
>> uses you can drop those quietly on the floor with iptables.

Problem: They are a major provider.

>> [Quick check with whois...]
>>
>> inetnum: 168.95.0.0 - 168.95.255.255 netname: Hinet
>> descr: CHTD, Chunghwa Telecom Co., Ltd. country: TW

It might be better to check with whois.twnic.net (the whois service for
Taiwan), but they have their own problems.

> The IP addresses in my logs seem to have been dynamically
>allocated, and they always start with either 122.116 or 118.169 - never
>168.95.

[compton ~]$ grep -i hinet IP_admin/address.blocks
59.112.0.0 - 59.123.255.255 HINET-NET Chunghwa Telecom Co., Ltd. hinet.net
61.220.0.0 - 61.227.255.255 Hinet Chunghwa Telecom Co., Ltd.
61.228.0.0 - 61.231.255.255 Hinet Chunghwa Telecom Co., Ltd.
118.160.0.0 - 118.167.255.255 Hinet Chunghwa Telecom Co., Ltd
118.169.0.0 - 118.171.255.255 Hinet Chunghwa Telecom Co., Ltd
122.116.0.0 - 122.117.255.255 hinet.net Chunghwa Telecom Co.,Ltd
168.95.0.0 - 168.95.255.255 Hinet Chunghwa Telecom Co., Ltd
202.39.0.0 - 202.39.95.255 Hinet Data Communication Business Group .tw
202.39.128.0 - 202.39.255.255 Hinet Data Communication Business Group .tw
211.23.0.0 - 211.23.255.255 Hinet Chunghwa Telecom Co.,Ltd.
218.160.0.0 - 218.175.255.255 Hinet Chunghwa Telecom Co.,Ltd.
220.128.0.0 - 220.143.255.255 Hinet Chunghwa Telecom Co.,Ltd.
[compton ~]$

but I suspect that list is far from complete.

>Is there a way to find out what IP blocks have been set aside for
>hinet.net?

Be careful, because there are two entities using the 'hinet' character
string - one is Chunghwa Telecom in Taiwan, the other is Hitachi Info
Systems in Japan - very different providers. Your best bet might be to
use your favorite search engine looking for block lists sorted by
companies. Taiwan has 396 IPv4 assignments/allocations, all from APNIC,
and the address ranges are not adjacent.

Old guy
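
Added example, not part of Moe Trin's post or anyone's code in this thread: iptables matches sources by CIDR block, and several of the "first - last" ranges in the listing above are not a single block, so this script splits them into exact CIDR blocks and builds one rule per block. Port 25, the INPUT chain, the DROP target and all function names are assumptions of the example; it only prints the commands, it does not run them.

```python
import ipaddress
import re

# A subset of the address.blocks lines quoted in the post above.
LISTING = """\
59.112.0.0 - 59.123.255.255 HINET-NET Chunghwa Telecom Co., Ltd. hinet.net
118.169.0.0 - 118.171.255.255 Hinet Chunghwa Telecom Co., Ltd
122.116.0.0 - 122.117.255.255 hinet.net Chunghwa Telecom Co.,Ltd
168.95.0.0 - 168.95.255.255 Hinet Chunghwa Telecom Co., Ltd
202.39.0.0 - 202.39.95.255 Hinet Data Communication Business Group .tw
"""

RANGE_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)\b")

def parse_ranges(text):
    """Return (first, last) IPv4Address pairs for every 'a - b ...' line."""
    pairs = []
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if not m:
            continue  # prompts, blank lines, anything that is not a range
        first, last = (ipaddress.IPv4Address(g) for g in m.groups())
        if first > last:
            raise ValueError(f"range is reversed: {line!r}")
        pairs.append((first, last))
    return pairs

def to_cidrs(pairs):
    """Cover each range exactly with CIDR blocks, then merge neighbours."""
    nets = []
    for first, last in pairs:
        nets.extend(ipaddress.summarize_address_range(first, last))
    return list(ipaddress.collapse_addresses(nets))

def drop_rules(cidrs, port=25, chain="INPUT"):
    """Build (not execute) one iptables command per CIDR block."""
    return [f"iptables -A {chain} -s {n} -p tcp --dport {port} -j DROP"
            for n in cidrs]

def is_listed(addr, cidrs):
    """True if a source address seen in the logs falls in a listed block."""
    return any(ipaddress.ip_address(addr) in n for n in cidrs)

if __name__ == "__main__":
    for rule in drop_rules(to_cidrs(parse_ranges(LISTING))):
        print(rule)
```

Check an address from the mail log with is_listed() before loading the rules; 118.168.x.x, for example, lies between two listed ranges and is not covered.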

From: D. Stussy on 15 Apr 2008 17:23

"H.K. Kingston-Smith" <HKK-S(a)yahoo.com> wrote in message
news:pan.2008.04.14.22.21.15(a)yahoo.com...

> I am getting a few attempts from the hinet.net domain to have
> email relayed through my email server. Since my email server requires
> authentication, such attempts never get anywhere. However, they do
> clutter my logs.
>
> Would it be possible to have an IP tables rule such that any
> packets from this domain, addressed to a given port, are rejected without
> further ado?

NO, but if you're using sendmail, you may kill the email there by domain.

To deny all their IPs, what you really need to do is find out what their
AS# is, then use a BGP looking glass to see which IP ranges they route for.

From: Jurgen Haan on 16 Apr 2008 09:51

H.K. Kingston-Smith wrote:

> I am getting a few attempts from the hinet.net domain to have
> email relayed through my email server. Since my email server requires
> authentication, such attempts never get anywhere. However, they do
> clutter my logs.
>
> Would it be possible to have an IP tables rule such that any
> packets from this domain, addressed to a given port, are rejected without
> further ado?
>

Not really, but you can have iptables log them and have a custom cron
script dig through your logs to dynamically create rejection rules.
This works if you know beforehand which IPs belong to the domain.

If it's rather random, you can have iptables log all connections to a
given port (perhaps have a separate chain to exclude some IPs that are
definitely allowed to access the port) and have the cron script sorting
out whether or not the logged IPs are part of the domain through reverse
lookups and then create rejection rules.

Of course this does not block traffic right away.

-R-