[svlug] Removing an entire subnet with iptables?

dfox dfox at m206-157.dsl.tsoft.com
Sat Nov 8 23:00:50 PST 2003


OK so I am a newbie at iptables and filtering :).

Recently this box has been suffering from being the target of a large spam 
run, using an open proxy. I think that problem is solved now, and I've 
stopped Apache (I had an rpm apache-mod-proxy in there which might have 
contributed to the problem). I just reinstalled Postfix and upgraded to the 
new Apache from Mandrake (2.0.48), and notice that there are still people 
trying to get in with POST to various port 25s, including mine :(. Also 
I note that there are several messages in /var/log/httpd/ suggesting 
there is no proxy available for said request. No stray mail is getting 
out, which is of course a good thing.

In the meantime, though, I've noticed a large number of requests from a 
domain called www.biztrees.com, which seems to be a Chinese web site that 
just does a bunch of click-throughs to spammer sites. From the relevant 
log files (notice the same subnet, 61.187.156.*):

[Sun Nov 02 09:02:59 2003] [error] [client 61.187.156.253] proxy: Error reading from remote server returned by http://www.revenuepilot.com/jsp/index.jsp?keyword=Online+Casino&id=7245&filter=off&x=21&y=7, referer: http://www.biztrees.com/
[Sun Nov 02 09:03:56 2003] [error] [client 61.187.156.253] proxy: error reading status line from remote server www.revenuepilot.com, referer: http://www.biztrees.com/
[Sun Nov 02 09:03:56 2003] [error] [client 61.187.156.253] proxy: Error reading from remote server returned by http://www.revenuepilot.com/jsp/index.jsp?keyword=Weight+Loss&id=7245&filter=off&x=15&y=6, referer: http://www.biztrees.com/
[Sun Nov 02 09:23:56 2003] [error] [client 61.187.156.242] proxy: error reading status line from remote server www.revenuepilot.com, referer: http://www.webs-resources.com/
[Sun Nov 02 09:23:56 2003] [error] [client 61.187.156.242] proxy: Error reading from remote server returned by http://www.revenuepilot.com/jsp/index.jsp?id=5348&filter=off&keyword=travel+planning, referer: http://www.webs-resources.com/
[Sun Nov 02 09:24:57 2003] [error] [client 61.187.156.242] proxy: error reading status line from remote server www.revenuepilot.com, referer: http://www.webs-resources.com/

Now, I'm trying to construct an ipchains rule to get rid of this site 
(figuratively speaking, of course; at least drop its packets on the 
floor):

iptables -D INPUT -p tcp -s 61.187.156/32 -j DROP

Best I could come up with after reading the man pages was:

# iptables -A INPUT -p tcp -s 61.187.156/32 -j DROP

But that drops 61.187.0.156, not what I want.

I imagine I don't have to do one iptables for all 255 possible entries :(?

------------------------------------------------------------------------
David E. Fox                              Thanks for letting me
dfox at tsoft.com                            change magnetic patterns
dfox at m206-157.dsl.tsoft.com               on your hard disk.
-----------------------------------------------------------------------
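Added example, not part of David's post or of any reply on the list. The short answer to the question is that the whole block is 61.187.156.0/24, so the rule wanted is `iptables -I INPUT 1 -s 61.187.156.0/24 -j DROP` (or `-s 61.187.156.0/255.255.255.0`). The spelling `61.187.156/32` fails because a three-part address is expanded by the inet_aton(3) shorthand rules, where the last part fills the low 16 bits, giving 61.187.0.156, which is exactly what the post reports seeing. The script below is my own: it implements that expansion and the CIDR arithmetic in plain POSIX sh, checks a candidate `-s` argument against the client addresses pulled from log lines (the `SAMPLE_LOG` lines are constructed in the shape of the Apache entries quoted above), and refuses to emit a rule that would not have caught a known offender. The function names (`expand_shorthand`, `cidr_contains`, `count_covered`, `block_subnet`) are my own, and iptables is only run when `APPLY_RULES=1` is set; otherwise the rule is printed.

```shell
#!/bin/sh
# Added example, not code from the original post. POSIX sh helpers that work
# out what an iptables "-s" argument really matches, so the /32-vs-/24 mistake
# is caught before a rule is installed. Function names are my own; iptables is
# only invoked when APPLY_RULES=1 is set, otherwise the rule is printed.

# Dotted quad -> 32-bit integer.
ip2int() {
    a=${1%%.*}; r=${1#*.}
    b=${r%%.*}; r=${r#*.}
    c=${r%%.*}; d=${r#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Expand the inet_aton(3) shorthand: "a.b.c" is a.b.0.c (the last part fills the
# low 16 bits), "a.b" is a.0.0.b, and a bare "a" is the whole 32-bit value.
# This is why "61.187.156/32" matched 61.187.0.156 in the post.
expand_shorthand() {
    case $1 in
        *.*.*.*) echo "$1" ;;
        *.*.*)   a=${1%%.*}; r=${1#*.}; b=${r%%.*}; c=${r#*.}
                 int2ip $(( (a << 24) | (b << 16) | c )) ;;
        *.*)     a=${1%%.*}; b=${1#*.}
                 int2ip $(( (a << 24) | b )) ;;
        *)       int2ip "$1" ;;
    esac
}

# Prefix length of a CIDR spec; a bare address is a host match (/32).
cidr_bits() { case $1 in */*) echo "${1#*/}" ;; *) echo 32 ;; esac; }

# cidr_contains IP CIDR: succeeds when IP falls inside CIDR.
cidr_contains() {
    bits=$(cidr_bits "$2")
    net=$(expand_shorthand "${2%/*}")
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Constructed log lines in the shape of the Apache error_log entries quoted in
# the post (two of the offending hosts plus one unrelated client).
SAMPLE_LOG='[Sun Nov 02 09:02:59 2003] [error] [client 61.187.156.253] proxy: Error reading from remote server
[Sun Nov 02 09:23:56 2003] [error] [client 61.187.156.242] proxy: error reading status line
[Sun Nov 02 09:30:00 2003] [error] [client 10.0.0.7] proxy: error reading status line'

# count_covered CIDR < log: number of distinct "[client X]" addresses the rule would catch.
count_covered() {
    n=0
    for ip in $(sed -n 's/.*\[client \([0-9.]*\)\].*/\1/p' | sort -u); do
        cidr_contains "$ip" "$1" && n=$((n + 1))
    done
    echo "$n"
}

# block_subnet CIDR SAMPLE_IP: refuse to install a rule that does not cover a
# known offender, then print or (APPLY_RULES=1) install it. -I INPUT 1 puts the
# DROP ahead of any earlier ACCEPT, and omitting -p drops every protocol, not just TCP.
block_subnet() {
    if ! cidr_contains "$2" "$1"; then
        echo "refusing: $1 is $(expand_shorthand "${1%/*}")/$(cidr_bits "$1") and does not cover $2" >&2
        return 1
    fi
    if [ "${APPLY_RULES:-0}" = 1 ]; then
        iptables -I INPUT 1 -s "$1" -j DROP
    else
        echo "iptables -I INPUT 1 -s $1 -j DROP"
    fi
}

# Stand-alone run: compare the two spellings from the post against the sample
# log, then emit the rule that actually blocks 61.187.156.0 through .255.
for spec in 61.187.156/32 61.187.156.0/24; do
    echo "$spec = $(expand_shorthand "${spec%/*}")/$(cidr_bits "$spec"), covers $(printf '%s\n' "$SAMPLE_LOG" | count_covered "$spec") of the logged clients"
done
block_subnet 61.187.156.0/24 61.187.156.253
```

Two things worth checking after installing the real rule: `iptables -L INPUT -n -v --line-numbers` shows the source network exactly as the kernel parsed it (a mis-typed spec shows up here as the wrong address), and the packet counters on the DROP line should start climbing the next time the proxy scanner comes back. The rule is also only in kernel memory; it has to be saved (`iptables-save`) and reloaded at boot or it is gone after a restart.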