Hi,

On 29-Jul-01 Togan Muftuoglu wrote:

> Hi,
>
> I want to block all kinds of protocol requests coming from an ISP's dialup users, since I have had enough of Superscan pings, ICMP +++ath0 attacks, nmap and other sorts of tools scanning my IP, and, not to forget, the Back Orifice and other trojan client-to-server and server-to-client traffic hitting my firewall. Although these requests are denied at the firewall, is there a better way of stopping this? The IP block I want to filter is as follows:
>
> xxx.156.130.1 to xxx.156.191.255
>
> Togan Muftuoglu

You may want to use return-rst for this. return-rst needs netlink device support compiled into your kernel (say "Y" to CONFIG_NETLINK and CONFIG_IP_FIREWALL_NETLINK in your kernel config and create the device with

    mknod -m 600 /dev/netlink c 36 3

if it isn't already present). A specially designed ipchains line would then copy the first 128 bytes to the netlink device and from there to return-rst. A typical return-rst rule would look like this:

    ipchains -A input -p tcp -y -o 128 -j DENY -s <ip or ip-block of badhost> -d <ip of your server>

Note the -o 128, which copies the first 128 bytes of the connection to the netlink device. Be sure to use DENY instead of REJECT, as REJECT sends its own ICMP error message.

Thus, if you get portscanned or somebody tries to open a connection from a black-listed IP, your firewall will send back RSTs (resets) instead of sending ICMP error messages or dropping the packet. This, for any attacker or unauthorized client, looks like there are no ports open/services offered on your host, which greatly helps to reduce bandwidth usage and to increase security. I used to block some Korean netblocks that way because of excessive cracker activity.

You can get return-rst from http://net-security.org/cgi-bin/file.cgi?return-rst-1.1.tar.gz .

---
Boris Lorenz
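To make concrete what the reply describes, here is an added example (not part of Boris's message and not return-rst's own code) of the core step such a tool performs on the packet head that the ipchains -o 128 rule copies out: parse the IPv4/TCP header of a SYN, and build the RST/ACK the firewall answers with so the scanner sees a closed port. The sample SYN, its addresses and ports are constructed for the example; the original post masked the scanner's first octet as "xxx".

```python
import struct

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for an already-valid block."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_rst(head: bytes) -> "bytes | None":
    """Given the leading bytes of an IPv4/TCP packet (ipchains -o 128 copies at most
    128 of them), return the RST/ACK that answers a bare SYN, or None otherwise."""
    if len(head) < 20 or head[0] >> 4 != 4:
        return None
    ihl = (head[0] & 0x0F) * 4
    if head[9] != 6 or len(head) < ihl + 14:          # not TCP, or header cut short
        return None
    src, dst = head[12:16], head[16:20]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", head[ihl:ihl + 14])
    flags = off_flags & 0x1FF
    if flags & (TCP_SYN | TCP_RST | TCP_ACK) != TCP_SYN:  # only bare SYNs; never answer a RST
        return None
    # RFC 793 reset for a segment without ACK: SEQ=0, ACK=their SEQ+1 (the SYN), flags RST|ACK.
    tcp = struct.pack("!HHIIHHHH", dport, sport, 0, (seq + 1) & 0xFFFFFFFF,
                      (5 << 12) | TCP_RST | TCP_ACK, 0, 0, 0)
    pseudo = dst + src + struct.pack("!BBH", 0, 6, len(tcp))   # addresses swapped: we reply
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, dst, src)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def make_syn(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    """Constructed test input: a minimal 40-byte SYN (checksums left zero; build_rst
    does not verify the incoming checksum, it only reads header fields)."""
    def addr(a: str) -> bytes:
        return bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0, addr(src), addr(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | TCP_SYN, 8192, 0, 0)
    return ip + tcp


# Placeholder addresses (documentation ranges); the post masked the real first octet as "xxx".
SCANNER, SERVER = "192.0.2.130", "198.51.100.7"
EXAMPLE_SYN = make_syn(SCANNER, SERVER, 40123, 22, 0x11223344)
```

The reply is addressed back to the scanner with ACK = the SYN's sequence number plus one, which is exactly the segment a host with no listener on that port would send itself.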