# iptables - filter connections not using a DNS lookup

## FishB8

Is there any way to create a match within iptables, to detect when a connection is being made with or without the help of a DNS server?

I want to cut down the number of script kiddies connecting to my server. Most of them are just bots that scan through IP addresses and never actually use a DNS lookup to obtain the IP address. I want to be able to filter new connections that are just connecting directly via IP address instead of using a URL.

I know that it's possible since when apache returns the SERVER_NAME used, it can be either a URL or IP address depending on which was used to make the connection. I just want to be able to set this up as an iptables rule before it ever reaches apache.

----------

## lagalopex

That's not possible, apache knows it because a browser would send it in the http request.

On the iptables level there is nothing like hostnames.

You could of course set up a vhost for your homepage and let the default page (that would be served when accessed via ip) set to a blank page.

But nevertheless the web server is used...

----------

## FishB8

In that case, maybe I'll have it so that apache adds the connection to a blacklist. I'm using rails, so maybe I'll redirect the default page to a rails method that adds the IP to a temporary iptables blacklist.

----------

## cach0rr0

*lagalopex wrote:*

> That's not possible, apache knows it because a browser would send it in the http request.
> 
> On the iptables level there is nothing like hostnames.
> 
> You could of course set up a vhost for your homepage and let the default page (that would be served when accessed via ip) set to a blank page.
> ...

I don't know that that's entirely true.

AFAIK iptables can see the HTTP request (GET/POST/HEAD/etc), or even the Host header, and parse it using `--string`

BUT

doing this in iptables is a bad idea from a performance perspective. 

I think the best way - as much as I hate mod_security - would be to use mod_security, scrap all of its existing rules, and write your own to reject if the request-URI or Host header contains an IP (simple regex like `\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}`).

----------

## FishB8

What I plan on doing is setting up a rewrite rule in apache like:

```
RewriteCond %{SERVER_NAME} 123.123.123.123
RewriteRule ^.* /naughty_bot [PT,L]
```

That will redirect everything using the server's IP address directly to the /naughty_bot/index Rails method, where I can then have ruby call

```
ipset -A blacklist 789.789.789.789
```

with a rule in iptables to check that set for blacklisted ip addresses.

I may follow it up by an "at" command to remove it from the list after a couple hours so that the blacklist is not permanent.

My intention is to try to stop crap like that at the firewall before it even reaches the server. This is pretty close to that since supposedly only the first request ever makes it to the server. In reality probably several requests might make it through since the kiddie scripts generally send this crap pretty fast.

I'll see how well it works.

----------

## FishB8

Finally got around to trying it. Works like a charm!

For anybody else trying to do the same, the rewrite rules are actually:

```
RewriteCond %{SERVER_NAME} 123.123.123.123
RewriteRule ^.*$ http://www.myserver.com/naughty [R]
```

----------

## FishB8

I felt I should add an update in case anybody else tries to do this themselves.

Several issues:

- Using redirection in the rewrite rule doesn't really work well because the little bots generally don't pay attention to redirection responses. Use the rewrite's proxy method instead.

- SERVER_NAME is often blank. Need to check HTTP_HOST as well.

- Instead of checking for the IP, check that it's NOT your DNS name.

Here's what I ended up with that snags a lot more bots:

```
ProxyRequests Off
RewriteEngine On

# Apache config does not allow a comment on the same line as a directive
# (an inline "#" would be parsed as a RewriteCond flag), so the notes
# sit on their own lines. 192.168.0.1 is the server's LAN IP.
RewriteCond %{SERVER_NAME} !my.server.com
RewriteCond %{SERVER_NAME} !192.168.0.1
RewriteCond %{SERVER_NAME} !127.0.0.1
RewriteRule ^.*$ http://127.0.0.1/naughty?ip=%{REMOTE_ADDR} [P]

# Same check against the Host header, since SERVER_NAME is often blank.
RewriteCond %{HTTP_HOST} !my.server.com
RewriteCond %{HTTP_HOST} !192.168.0.1
RewriteCond %{HTTP_HOST} !127.0.0.1
RewriteRule ^.*$ http://127.0.0.1/naughty?ip=%{REMOTE_ADDR} [P]
```

----------
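Added example, not code from the thread: a Python version of the /naughty handler that FishB8 implemented in Rails, with the checks a practitioner would want before the ip= value from the proxied request reaches ipset. The set name, the two-hour ban, the proxy coming from loopback and the LAN range are assumptions taken from the posts, and the `ipset add ... timeout` form is the current ipset syntax rather than the older `-A` used above.

```python
import ipaddress
import subprocess
from urllib.parse import parse_qs

SET_NAME = "blacklist"       # ipset name used in the thread (assumed)
BAN_SECONDS = 2 * 60 * 60    # "a couple hours", as an ipset timeout instead of an `at` job
PROXY_ADDR = "127.0.0.1"     # the [P] rule re-enters Apache from loopback
# Never ban the server's own addresses or anything on the LAN, whatever the query says.
NEVER_BAN = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def setup_commands():
    """Commands to run once at boot: a set whose entries expire on their own,
    and an INPUT rule that drops new port-80 connections from anything in it."""
    return [
        ["ipset", "create", SET_NAME, "hash:ip", "timeout", str(BAN_SECONDS), "-exist"],
        ["iptables", "-I", "INPUT", "-p", "tcp", "--dport", "80", "--syn",
         "-m", "set", "--match-set", SET_NAME, "src", "-j", "DROP"],
    ]


def ban_command(remote_addr, query_string):
    """argv for `ipset add`, or None when the request must be ignored: only requests
    that really came through the proxy hop (REMOTE_ADDR is loopback) count, ip= must
    be exactly one IPv4 value outside local/LAN ranges, and the address is passed as
    its own argv element so nothing in the query string ever reaches a shell."""
    if remote_addr != PROXY_ADDR:
        return None
    values = parse_qs(query_string).get("ip", [])
    if len(values) != 1:
        return None
    try:
        ip = ipaddress.IPv4Address(values[0])
    except ipaddress.AddressValueError:
        return None
    if any(ip in net for net in NEVER_BAN):
        return None
    return ["ipset", "add", SET_NAME, str(ip), "timeout", str(BAN_SECONDS), "-exist"]


def handle_naughty(remote_addr, query_string, run=subprocess.run):
    """Glue for the /naughty endpoint: returns the HTTP status to send back."""
    argv = ban_command(remote_addr, query_string)
    if argv is None:
        return 403
    run(argv, check=True)   # list argv, no shell=True
    return 204
```

The `run` parameter exists so the handler can be exercised without root; in production leave it as `subprocess.run` and give the web server user a sudo rule for `ipset add` only.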

