Dropping incoming connections from a given domain

I am looking for an iptables incantation that would allow all
connection attempts from IP addresses in a given domain. Is this possible?

Hello,

S.K.R. de Jong a écrit :
> I am looking for an iptables incantation that would allow all
> connection attempts from IP addresses in a given domain. Is this possible?

What do you mean by "IP addresses in a given domain" ?

If you mean the reverse DNS being in a given domain, not easily.
Iptables rules are run by the kernel and the kernel knows nothing about
DNS. You would need to QUEUE packets and do the reverse DNS resolution
in userland.

Pascal Hambourg <boite-a-(E-Mail Removed)> wrote:
> S.K.R. de Jong a écrit :

> > I am looking for an iptables incantation that would allow
> > all connection attempts from IP addresses in a given domain. Is
> > this possible?

> What do you mean by "IP addresses in a given domain" ?

> If you mean the reverse DNS being in a given domain, not easily.
> Iptables rules are run by the kernel and the kernel knows nothing about
> DNS. You would need to QUEUE packets and do the reverse DNS resolution
> in userland.

And if the conversations in one of the DNS lists are indicative of the
future, it may be increasingly rare that there are PTR records in the
DNS in the first place - there seems to be resistance to adding them
for IPv6.

rick jones
--
The computing industry isn't as much a game of "Follow The Leader" as
it is one of "Ring Around the Rosy" or perhaps "Duck Duck Goose."
- Rick Jones
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

On Thu, 16 Jun 2011 22:25:38 +0200, Pascal Hambourg wrote:

> Hello,
>
> S.K.R. de Jong a écrit :
>> I am looking for an iptables incantation that would allow all
>> connection attempts from IP addresses in a given domain. Is this
>> possible?
>
> What do you mean by "IP addresses in a given domain" ?
>
> If you mean the reverse DNS being in a given domain, not easily.
> Iptables rules are run by the kernel and the kernel knows nothing about
> DNS. You would need to QUEUE packets and do the reverse DNS resolution
> in userland.

In that case, can it be done on the basis of matching IP
addresses? For instance, would it be possible to get iptables to discard
packets from, say, 192.168.xxx.yyy, where xxx and yyy are integers
between 0 and 255?

S.K.R. de Jong a écrit :
>
> In that case, can it be done on the basis of matching IP
> addresses? For instance, would it be possible to get iptables to discard
> packets from, say, 192.168.xxx.yyy, where xxx and yyy are integers
> between 0 and 255?

Of course. This is basic.
You can match a prefix :

iptables -A INPUT -s 192.168.0.0/16 -j DROP

or an arbitrary range :

iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 \
-j DROP