On 30/04/07, Mike Cardwell <exim-users@???> wrote:
> Marc Perkel wrote:
>
> > This might be slightly off topic but I have something kind of tricky and
> > interesting in mind. I've been using a dummy IP address as my lowest MX
> > record as a way of getting rid of bot spam. And it's worked fairly well
> > but I'm trying to make it more interesting.
> >
> > What I'm doing now is pointing the lowest MX to a second IP on my lowest
> > MX server and what I want to do is open it up to a selected list of IP
> > addresses. Every 5 minutes I'm going to query a MySQL database and
> > create a list of IPs that will be allowed to talk to this lowest MX. All
> > other IPs will be blocked and forced to retry the higher MX which talks
> > to everything.
> >
> > I am not good with IP tables but what I need to do is perhaps create a
> > new chain of some sort (?) that I can wipe out and reload with new
> > values. I'll read the list and accept every IP in the list and then drop
> > all other IPs.
> >
> > Of course if there's something that can do this reading data out of me
> > database that would be great. But that's probably too much to ask.
> >
> > So - anyone have any ides on how to do this?
> >
> > BTW, Can't do a 4xx error because qmail servers will never retry higher
> > MX records if the see a 421 error. So the port has to be actually closed.
>
> "man iptables" and look for QUEUE. Then go to cpan.org and look at
> IPTables::IPv4::IPQueue. This will allow you to knock up a user space
> perl script to decide what to do with packets by talking to your db in
> real time.
Ah, now I looked into this a while back when Marc first talked about
this technique. I investigated this method of controlling IPTables and
came to the conclusion that it wouldn't do the job - once a packet has
arrived in the userspace queue it's already been accepted - all you
can do with it is drop it or carry on processing it, you can't reject
it. You can't simulate 'nothing listening on this port'. So it's not
suitable for the application Marc wants it for.
At least, that's how I read the documentation. I have been known to be
wrong (yes, really...).
The only way I could think of doing this was a periodic rebuild of the
static IPTables rules - which isn't particulary hard, nor particularly
elegant. Have a look at Tom's 'timeban' script for inspiration - it's
designed to work the other way round (reject an IP if it's in the
database, else allow it), but that's easily fixed.
http://duncanthrax.net/timeban/timeban
Peter
--
Peter Bowyer
Email: peter@???