Mailinglist Archive: opensuse-security (343 mails)

RE: [suse-security] best method to block ip block
  • From: Boris Lorenz <bolo@xxxxxxx>
  • Date: Mon, 30 Jul 2001 17:00:05 +0200 (MEST)
  • Message-id: <XFMail.010730170005.bolo@xxxxxxx>

On 29-Jul-01 Togan Muftuoglu wrote:
> Hi,
> I want to block all kinds of protocol requests coming from an ISP's
> dialup users, since I have had enough Superscan pings, ICMP +++ATH0 attacks,
> nmap and other sorts of tools scanning my IP, and, not to forget
> to mention, Back Orifice and other trojan client-to-server and server-
> to-client traffic hitting my firewall. Although these requests are
> denied at the firewall, is there a better way of stopping this? The IP
> block I want to filter is as follows:
> xxx.156.130.1 to xxx.156.191.255

You may want to use return-rst for this. return-rst needs netlink device
support compiled into your kernel (say "Y" to CONFIG_NETLINK and
CONFIG_IP_FIREWALL_NETLINK in your kernel config, and create the device with
mknod -m 600 /dev/netlink c 36 3 if it isn't already present). A specially
designed ipchains rule would then copy the first 128 bytes to the netlink
device and from there to return-rst.

A typical return-rst rule would look like this:

ipchains -A input -p tcp -y -o 128 -j DENY -s <ip or ip-block of badhost> -d
<ip of your server>

Note the -o 128 which copies the first 128 bytes of the connection to the
netlink device. Be sure to use DENY instead of REJECT, as REJECT sends its own
ICMP error message.

Thus, if you get portscanned or somebody tries to open a connection from a
black-listed IP, your firewall will send back RSTs (resets) instead of sending
ICMP error messages or dropping the packet. This, for any attacker or
unauthorized client, looks like there are no ports open/services offered on
your host, which greatly helps to reduce bandwidth usage and to increase
security. I used to block some Korean netblocks that way because of excessive
cracker activity.

You can get return-rst from .

> Togan Muftuoglu

Boris Lorenz <bolo@xxxxxxx>
System Security Admin *nix - *nux
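The range Togan asks about (xxx.156.130.1 to xxx.156.191.255) does not fall on a single CIDR boundary, while the `-s` argument of the ipchains rule above takes one address or prefix. The following is an added example, not code from either poster, that splits such a range into the minimal set of prefixes and emits one rule per prefix in the form Boris describes; the first octet `10` and the server address `192.0.2.1` are constructed placeholders, since the mail masks the real values.

```python
import ipaddress
from typing import List

# Constructed placeholders: the mail masks the first octet as "xxx",
# and the server address is not given, so both are made up here.
BLOCK_START = "10.156.130.1"
BLOCK_END = "10.156.191.255"
SERVER_IP = "192.0.2.1"


def range_to_prefixes(start: str, end: str) -> List[ipaddress.IPv4Network]:
    """Split an inclusive first..last address range into the minimal
    list of CIDR prefixes, which is the form ipchains -s accepts."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("range end precedes range start")
    return list(ipaddress.summarize_address_range(first, last))


def return_rst_rules(start: str, end: str, server: str) -> List[str]:
    """Emit one ipchains rule per prefix, following the mail:
    -y matches SYN-only packets (new connections), -o 128 copies the
    first 128 bytes to the netlink device for return-rst, and DENY
    (not REJECT) keeps the kernel from answering with an ICMP error."""
    rules = []
    for net in range_to_prefixes(start, end):
        rules.append(
            f"ipchains -A input -p tcp -y -o 128 -j DENY "
            f"-s {net.with_prefixlen} -d {server}"
        )
    return rules


def covered_hosts(start: str, end: str) -> int:
    """Sanity check: the prefixes must cover exactly the requested range."""
    return sum(net.num_addresses for net in range_to_prefixes(start, end))


if __name__ == "__main__":
    for rule in return_rst_rules(BLOCK_START, BLOCK_END, SERVER_IP):
        print(rule)
    print(f"# {covered_hosts(BLOCK_START, BLOCK_END)} addresses covered")
```

For the range in the mail this yields 13 prefixes (from 10.156.130.1/32 up to 10.156.160.0/19) covering 15871 addresses, which is the number of hosts between the two endpoints inclusive.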
