I have been seeing a lot of weird/bogus DNS traffic (thousands of queries a second) hitting our servers lately and I decided to try and block it. Specifically I saw tons of requests coming in for proxypipe.net with a bunch of random hosts prepended. Things like: 6Gdb1QlP.f.proxypipe.net., mhl00ULG.e.proxypipe.net., clacqxlG.f.proxypipe.net., etc. I decided I would block all DNS requests that contained the "proxypipe.net" anywhere in the packet.

The easiest way is to use iptables to block packets that contain a specific string. The problem with this approach is that DNS packets do not contain the actual string. Instead they are encoded in this manner: X domain Y TLD

Where X is the number of bytes in the domain portion, and Y is the number bytes of characters in the TLD portion. This makes your iptables rules look like this:

iptables -A INPUT -i eth0 -p udp --dport 53 -m string --hex-string "|09|proxypipe|03|net" --algo bm -j DROP
iptables -A INPUT -i eth0 -p udp --dport 53 -m string --hex-string "|06|kitten|02|ru" --algo bm -j DROP
iptables -A INPUT -i eth0 -p udp --dport 53 -m string --hex-string "|03|www|07|puppies|04|woof" --algo bm -j DROP

Advanced:

Technically the query looks like X domain Y TLD 0 where the zero indicates that there are no more parts of the domain. This is immediately followed by two bytes indicating the type of query.

This allows you to get fancy and only block specific types of queries for a domain while allowing others:

|Type | Code| |------------| |Any | 00ff| |A | 0011| |CNAME | 0005| |MX | 000f| |AAAA | 001c| |NS | 0002| |SOA | 0006|

If you wanted to block all MX requests for domain.com you would do a rule like this:

iptables -A INPUT -i eth0 -p udp --dport 53 -m string --hex-string "|06|domain|03|com|00000f|" --algo bm -j DROP

IPTables converts your string rules to hex, so it is helpful to add a comment so you can read them later using iptables -vnL. You can use the iptables comment module to document your rules.

iptables -A INPUT -i eth0 -p udp --dport 53 -m string --hex-string "|06|domain|03|net|00000f|" \
--algo bm -j DROP -m comment --comment 'Block domain.net MX'

Due to recent NTP reflection attacks I wanted to lock down my server. I want to rate limit incoming packets on port 123 (NTP) by source address. A single NTP source should not send more than 10 packets every 30 seconds. The following IPTables rule will track incoming NTP traffic and ensure no single IP is allowed to send beyond the threshold.

iptables -A INPUT -i eth0 -p udp -m udp --dport 123 -m recent --set --name NTPTRAFFIC --rsource
iptables -A INPUT -i eth0 -p udp -m udp --dport 123 -m recent --update --seconds 30 --hitcount 10 --name NTPTRAFFIC --rsource -j DROP
iptables -A INPUT -i eth0 -p udp -m udp --dport 123 -j ACCEPT # Just to view stats with "iptables -vnL"

The recent IPTables module has some limitations. By default it only tracks the most recent 100 IPs, and the last ten packets from each. If you have a large amount of source IPs hitting you, those limits may not be enough. You can get information about the module and what it can track with:

modinfo xt_recent

Then you can change the amount of packets tracked, and the amount of IPs to track:

echo 250 > /sys/module/xt_recent/parameters/ip_list_tot
echo 60 > /sys/module/xt_recent/parameters/ip_pkt_list_tot

The defaults are pretty good, unless you have a REALLY busy server.

I just wrote a quick tool to generate iptables rules so I won't have to read the man page every time.

I have a Linux box with two IP addresses on it (eth0 and eth0:0) which does NAT for the rest of my network. I want all the packets that NAT to go out with the source address of the eth0:0 IP address. This is done with the SNAT directive in your iptables statement. In fact you can tell it to NAT the packets with ANY IP address, including IPs not on the box. None of the packets will get back to you but it will let you configure it that way.

/sbin/iptables -t nat -A POSTROUTING --src 10.8.0.0/24 -o eth0 -j SNAT --to-source 55.66.77.88

This tells iptables to do (source) NAT for IPs on the 10.8.0.0/24 subnet, and to use the source address of 55.66.77.88. It should be noted that this is different than the MASQUERADE option which should be used for dynamic (DHCP/Dial-up) connections where the IP address changes.