Networking Forums  


Rejecting packets from a given domain

  #1  
Old 04-14-2008, 11:21 PM
Rejecting packets from a given domain



I am getting a few attempts from the hinet.net domain to have
email relayed through my email server. Since my email server requires
authentication, such attempts never get anywhere. However, they do
clutter my logs.

Would it be possible to have an IP tables rule such that any
packets from this domain, addressed to a given port, are rejected without
further ado?



H.K. Kingston-Smith
  #2  
Old 04-15-2008, 12:22 AM
Chris Davies
Guest
Re: Rejecting packets from a given domain

H.K. Kingston-Smith <HKK-(E-Mail Removed)> wrote:
> Would it be possible to have an IP tables rule such that any packets
> from this domain [hinet.net], addressed to a given port, are rejected
> without further ado?


Not by (domain) name, no. But if you can determine the set of IP address
ranges that hinet.net uses you can drop those quietly on the floor
with iptables.

[Quick check with whois...]

inetnum: 168.95.0.0 - 168.95.255.255
netname: Hinet
descr: CHTD, Chunghwa Telecom Co., Ltd.
country: TW
...

So, provided that this is the only netblock allocated to hinet, something
like this should do the trick:

iptables -I INPUT -p tcp --source 168.95.0.0/16 --dport 25 -j REJECT

Chris
  #3  
Old 04-15-2008, 01:22 AM
H.K. Kingston-Smith
Guest
Re: Rejecting packets from a given domain

On Tue, 15 Apr 2008 00:22:31 +0100, Chris Davies wrote:

> H.K. Kingston-Smith <HKK-(E-Mail Removed)> wrote:
>> Would it be possible to have an IP tables rule such that any packets
>> from this domain [hinet.net], addressed to a given port, are rejected
>> without further ado?

>
> Not by (domain) name, no. But if you can determine the set of IP address
> ranges that hinet.net uses you can drop those quietly on the floor with
> iptables.
>
> [Quick check with whois...]
>
> inetnum: 168.95.0.0 - 168.95.255.255 netname: Hinet
> descr: CHTD, Chunghwa Telecom Co., Ltd. country: TW
> ...
>
> So, provided that this is the only netblock allocated to hinet,
> something like this should do the trick:
>
> iptables -I INPUT --source 168.95.0.0/16 --dport 25 -j REJECT


The IP addresses in my logs seem to have been dynamically
allocated, and they always start with either 122.116 or 118.169 - never
168.95. Is there a way to find out what IP blocks have been set aside for
hinet.net?


  #4  
Old 04-15-2008, 03:09 AM
Allen Kistler
Guest
Re: Rejecting packets from a given domain

H.K. Kingston-Smith wrote:
> On Tue, 15 Apr 2008 00:22:31 +0100, Chris Davies wrote:
>
>> H.K. Kingston-Smith <HKK-(E-Mail Removed)> wrote:
>>> Would it be possible to have an IP tables rule such that any packets
>>> from this domain [hinet.net], addressed to a given port, are rejected
>>> without further ado?

>> Not by (domain) name, no. But if you can determine the set of IP address
>> ranges that hinet.net uses you can drop those quietly on the floor with
>> iptables.
>>
>> [Quick check with whois...]
>>
>> inetnum: 168.95.0.0 - 168.95.255.255 netname: Hinet
>> descr: CHTD, Chunghwa Telecom Co., Ltd. country: TW
>> ...
>>
>> So, provided that this is the only netblock allocated to hinet,
>> something like this should do the trick:
>>
>> iptables -I INPUT --source 168.95.0.0/16 --dport 25 -j REJECT

>
> The IP addresses in my logs seem to have been dynamically
> allocated, and they always start with either 122.116 or 118.169 - never
> 168.95. Is there a way to find out what IP blocks have been set aside for
> hinet.net?
>
>


host -a hinet.net

> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51294
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 3, ADDITIONAL: 4
>
> ;; QUESTION SECTION:
> ;hinet.net. IN ANY
>
> ;; ANSWER SECTION:
> hinet.net. 13511 IN NS hntp1.hinet.net.
> hinet.net. 13511 IN NS hntp3.hinet.net.
> hinet.net. 13511 IN NS dns.hinet.net.
> hinet.net. 13558 IN MX 10 netnews.hinet.net.
>
> ;; AUTHORITY SECTION:
> hinet.net. 13511 IN NS hntp1.hinet.net.
> hinet.net. 13511 IN NS dns.hinet.net.
> hinet.net. 13511 IN NS hntp3.hinet.net.
>
> ;; ADDITIONAL SECTION:
> hntp1.hinet.net. 15718 IN A 168.95.192.1
> hntp3.hinet.net. 22467 IN A 168.95.192.2
> dns.hinet.net. 15718 IN A 168.95.1.1
> netnews.hinet.net. 13558 IN A 168.95.195.16


Looks like 168.95.something to me. The IP addresses you list belong to
apnic.net. Look up specific ones at

http://wq.apnic.net/apnic-bin/whois.pl
  #5  
Old 04-15-2008, 09:13 AM
Chris Davies
Guest
Re: Rejecting packets from a given domain

H.K. Kingston-Smith <HKK-(E-Mail Removed)> wrote:
> Is there a way to find out what IP blocks have been set aside for
> hinet.net?


This works for me:

whois -h whois.apnic.net hinet

Just be aware that entries for HINET may refer to (at least) two
independent entities. Your one is based in Taiwan; the other looks like
it's based in Japan.

Chris
  #6  
Old 04-15-2008, 09:03 PM
Moe Trin
Guest
Re: Rejecting packets from a given domain

On Tue, 15 Apr 2008, in the Usenet newsgroup comp.os.linux.networking, in
article <(E-Mail Removed)>, H.K. Kingston-Smith wrote:

>Chris Davies wrote:


>> H.K. Kingston-Smith <HKK-(E-Mail Removed)> wrote:


>>> Would it be possible to have an IP tables rule such that any packets
>>> from this domain [hinet.net], addressed to a given port, are rejected
>>> without further ado?


>> Not by (domain) name, no.


Simple reason - there are a number of domains in the world who are either
too st00pid to be able to configure a PTR record on their DNS, or who don't
feel it's needed (RFCs like 2050 and 2051 don't apply to them, or they
couldn't read them if they tried). This is usually the case with abusive
ISPs. Thus, depending on a domain name lookup is a waste of your time.

>> But if you can determine the set of IP address ranges that hinet.net
>> uses you can drop those quietly on the floor with iptables.


Problem: They are a major provider.

>> [Quick check with whois...]
>>
>> inetnum: 168.95.0.0 - 168.95.255.255 netname: Hinet
>> descr: CHTD, Chunghwa Telecom Co., Ltd. country: TW


It might be better to check with whois.twnic.net (the whois service for
Taiwan), but they have their own problems.

> The IP addresses in my logs seem to have been dynamically
>allocated, and they always start with either 122.116 or 118.169 - never
>168.95.


[compton ~]$ grep -i hinet IP_admin/address.blocks
59.112.0.0 - 59.123.255.255 HINET-NET Chunghwa Telecom Co., Ltd. hinet.net
61.220.0.0 - 61.227.255.255 Hinet Chunghwa Telecom Co., Ltd.
61.228.0.0 - 61.231.255.255 Hinet Chunghwa Telecom Co., Ltd.
118.160.0.0 - 118.167.255.255 Hinet Chunghwa Telecom Co., Ltd
118.169.0.0 - 118.171.255.255 Hinet Chunghwa Telecom Co., Ltd
122.116.0.0 - 122.117.255.255 hinet.net Chunghwa Telecom Co.,Ltd
168.95.0.0 - 168.95.255.255 Hinet Chunghwa Telecom Co., Ltd
202.39.0.0 - 202.39.95.255 Hinet Data Communication Business Group .tw
202.39.128.0 - 202.39.255.255 Hinet Data Communication Business Group .tw
211.23.0.0 - 211.23.255.255 Hinet Chunghwa Telecom Co.,Ltd.
218.160.0.0 - 218.175.255.255 Hinet Chunghwa Telecom Co.,Ltd.
220.128.0.0 - 220.143.255.255 Hinet Chunghwa Telecom Co.,Ltd.
[compton ~]$

but I suspect that list is far from complete.

>Is there a way to find out what IP blocks have been set aside for
>hinet.net?


Be careful, because there are two entities using the 'hinet' character
string - one is Chunghwa Telecom in Taiwan, the other is Hitachi Info
Systems in Japan - very different providers. Your best bet might be
to use your favorite search engine looking for block lists sorted
by companies. Taiwan has 396 IPv4 assignments/allocations, all from
APNIC, and the address ranges are not adjacent.

Old guy
  #7  
Old 04-15-2008, 10:23 PM
D. Stussy
Guest
Re: Rejecting packets from a given domain

"H.K. Kingston-Smith" <HKK-(E-Mail Removed)> wrote in message
news(E-Mail Removed)...
> I am getting a few attempts from the hinet.net domain to have
> email relayed through my email server. Since my email server requires
> authentication, such attempts never get anywhere. However, they do
> clutter my logs.
>
> Would it be possible to have an IP tables rule such that any
> packets from this domain, addressed to a given port, are rejected without
> further ado?


NO, but if you're using sendmail, you may kill the email there by domain.

To deny all their IPs, what you really need to do is find out what their
AS# is then use a BGP looking glass to see which IP ranges they route for.


  #8  
Old 04-16-2008, 02:51 PM
Jurgen Haan
Guest
Re: Rejecting packets from a given domain

H.K. Kingston-Smith wrote:
> I am getting a few attempts from the hinet.net domain to have
> email relayed through my email server. Since my email server requires
> authentication, such attempts never get anywhere. However, they do
> clutter my logs.
>
> Would it be possible to have an IP tables rule such that any
> packets from this domain, addressed to a given port, are rejected without
> further ado?
>


Not really, but you can have iptables log them and have a custom cron
script dig through your logs to dynamically create rejection rules.
This works if you know beforehand which IPs belong to the domain. If
it's rather random, you can have iptables log all connections to a given
port (perhaps have a separate chain to exclude some IPs that are
definitely allowed to access the port) and have the cron script sorting
out whether or not the logged IPs are part of the domain through reverse
lookups and then create rejection rules.

Of course this does not block traffic right away.

-R-
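An added example (not code from any poster in this thread) that combines the two approaches discussed above: Moe Trin's "first - last" address-block listing is converted into CIDR prefixes, netfilter LOG lines (as Jurgen suggests) are scanned for sources that fall inside those blocks on port 25, and REJECT rules are emitted for either the individual offenders or the whole netblocks. The range lines, the log lines and the `SMTP-IN:` log prefix are constructed sample data.

```python
import ipaddress
import re

# Constructed sample in the 'first - last' format of the address.blocks listing
# quoted in the thread (assumption: only the first two fields are needed).
RANGE_LINES = """\
59.112.0.0 - 59.123.255.255 HINET-NET Chunghwa Telecom Co., Ltd. hinet.net
118.169.0.0 - 118.171.255.255 Hinet Chunghwa Telecom Co., Ltd
122.116.0.0 - 122.117.255.255 hinet.net Chunghwa Telecom Co.,Ltd
168.95.0.0 - 168.95.255.255 Hinet Chunghwa Telecom Co., Ltd
"""

# Constructed netfilter LOG lines; 'SMTP-IN:' is an assumed --log-prefix.
LOG_LINES = """\
Apr 15 01:02:03 mx kernel: SMTP-IN: IN=eth0 OUT= SRC=122.116.45.6 DST=192.0.2.10 PROTO=TCP SPT=4021 DPT=25 SYN
Apr 15 01:02:09 mx kernel: SMTP-IN: IN=eth0 OUT= SRC=118.169.200.3 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=25 SYN
Apr 15 01:03:11 mx kernel: SMTP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=25 SYN
Apr 15 01:04:00 mx kernel: SMTP-IN: IN=eth0 OUT= SRC=122.116.45.6 DST=192.0.2.10 PROTO=TCP SPT=4022 DPT=25 SYN
Apr 15 01:05:00 mx kernel: SMTP-IN: IN=eth0 OUT= SRC=168.95.1.9 DST=192.0.2.10 PROTO=TCP SPT=4400 DPT=22 SYN
"""

RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)")
LOG_RE = re.compile(r"SRC=(\S+).*?DPT=(\d+)")


def ranges_to_cidrs(text):
    """'first - last' lines -> minimal CIDR list (59.112-59.123 needs a /13 plus a /14)."""
    nets = []
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            first, last = (ipaddress.IPv4Address(a) for a in m.groups())
            nets.extend(ipaddress.summarize_address_range(first, last))
    return nets


def offending_sources(log_text, nets, port):
    """Unique SRC addresses that hit `port` and fall inside one of `nets`."""
    seen = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or int(m.group(2)) != port:
            continue
        src = ipaddress.IPv4Address(m.group(1))
        if src not in seen and any(src in n for n in nets):
            seen.append(src)
    return seen


def reject_rules(targets, port):
    """One REJECT rule per address or network; -p tcp is required for --dport to parse."""
    return [f"iptables -I INPUT -p tcp -s {t} --dport {port} -j REJECT" for t in targets]
```

Feed `reject_rules(ranges_to_cidrs(...), 25)` for blocking whole netblocks up front, or `reject_rules(offending_sources(...), 25)` from a cron job for the log-driven variant; either way the repeated source and the port-22 hit are filtered out.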