
On Mon, 2004-04-26 at 21:25, DrWho? wrote:
> My idea was to use a callback to hook port 80 and use a perl script to
> reverse lookup the ip address and look for .nz at the end and pass/fail
> thereafter.

It's not production-ready since I just wrote it by hacking the example code
that came with IPTables::IPv4::IPQueue apart, but here's the basics of how
it's done. You'll need the 'Userspace queueing via NETLINK' kernel module
(ip_queue.ko) and the IPTables::IPv4::IPQueue and NetPacket::IP perl modules.

First hook port 80 like this:

    iptables -A INPUT -p tcp --dst $me --dport 80 -j QUEUE

And the perl script goes something like this:

    #! /usr/bin/perl
    use warnings;
    use strict;
    use IPTables::IPv4::IPQueue qw(:constants);
    use NetPacket::IP;
    use Socket;

    # get_message timeout is in microseconds: wait up to 2 seconds
    use constant TIMEOUT => 1_000_000 * 2;

    my ($queue, $msg, $ip, $host);

    $queue = IPTables::IPv4::IPQueue->new(copy_mode  => &IPQ_COPY_PACKET,
                                          copy_range => 2048)
        or die IPTables::IPv4::IPQueue->errstr;

    while (1) {
        $msg = $queue->get_message(TIMEOUT);
        if (!defined $msg) {
            next if IPTables::IPv4::IPQueue->errstr eq 'Timeout';
            die IPTables::IPv4::IPQueue->errstr;
        }

        if ($msg->data_len()) {
            $ip = NetPacket::IP->decode($msg->payload());

            # Reverse (PTR) lookup of the source address. gethostbyaddr
            # returns undef when there is no PTR record, so check for that
            # before matching or the regex warns and we fall through to DROP
            # anyway. Remember the PTR record is set by whoever runs the
            # reverse zone for that address, not by us.
            $host = gethostbyaddr(inet_aton($ip->{src_ip}), AF_INET);
            #print "Packet from: ", $ip->{src_ip}, " - ",
            #      (defined $host ? $host : '(no PTR)'), " ... ";

            if (defined $host && $host =~ /\.nz$/i) {
                #print "ACCEPT\n";
                $queue->set_verdict($msg->packet_id, NF_ACCEPT);
            } else {
                #print "DROP\n";
                $queue->set_verdict($msg->packet_id, NF_DROP);
            }
        } else {
            # no data?
            #print "Dropping empty packet: ", $msg->packet_id(), "\n";
            $queue->set_verdict($msg->packet_id, NF_DROP);
        }
    }

-- 
Colin Palmer <colinp(a)waikato.ac.nz>
University of Waikato, ITS Division
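A note on the decision rule above, with an added example that is not part of Colin's post or of the IPQueue module. The script accepts a packet purely because the PTR record for the source address ends in .nz, and that record is published by whoever controls the reverse zone for that address range, so a name ending in .nz proves nothing on its own. The standard mitigation is forward-confirmed reverse DNS (FCrDNS): take the PTR name, resolve it forward, and only accept if the answers include the original source address. The code below (written in Python so the logic can be run and checked offline) implements both rules side by side. The DNS data is a constructed lookup table with hypothetical names and documentation-range addresses; the `system_ptr` and `system_forward` helpers show the same lookups against the real resolver for live use (the Perl equivalents are Socket's gethostbyaddr and gethostbyname).

```python
import ipaddress
import socket
from typing import Callable, Optional, Sequence

# Constructed DNS data standing in for real lookups (hypothetical names and
# addresses, so the example runs offline).  PTR: address -> name.
PTR_TABLE = {
    "192.0.2.10": "www.example.ac.nz",   # honest: forward record agrees
    "192.0.2.20": "mail.example.nz",     # lying PTR: forward points elsewhere
    "192.0.2.30": "host.example.com",    # reverse name outside .nz
    # "192.0.2.40" deliberately has no PTR record at all
}
# Forward records: name -> list of addresses.
FORWARD_TABLE = {
    "www.example.ac.nz": ["192.0.2.10"],
    "mail.example.nz":   ["198.51.100.7"],
    "host.example.com":  ["192.0.2.30"],
}

PtrLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], Sequence[str]]


def table_ptr(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table (None = no PTR record)."""
    return PTR_TABLE.get(ip)


def table_forward(name: str) -> Sequence[str]:
    """Forward lookup against the constructed table (empty = NXDOMAIN)."""
    return FORWARD_TABLE.get(name, [])


def system_ptr(ip: str) -> Optional[str]:
    """Real PTR lookup via the system resolver, for live use."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name: str) -> Sequence[str]:
    """Real forward lookup via the system resolver, for live use."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []


def reverse_name_only(ip: str, ptr_lookup: PtrLookup, suffix: str = ".nz") -> bool:
    """Decision rule of the original script: trust the PTR name by itself.
    A missing PTR record is a reject rather than a warning."""
    host = ptr_lookup(ip)
    return host is not None and host.rstrip(".").lower().endswith(suffix)


def fcrdns_allows(ip: str, ptr_lookup: PtrLookup, forward_lookup: ForwardLookup,
                  suffix: str = ".nz") -> bool:
    """Forward-confirmed reverse DNS: the PTR name must end in `suffix` AND
    resolve forward to a set of addresses that contains the original ip."""
    host = ptr_lookup(ip)
    if host is None:
        return False
    host = host.rstrip(".").lower()
    if not host.endswith(suffix):
        return False
    try:
        confirmed = {ipaddress.ip_address(a) for a in forward_lookup(host)}
        return ipaddress.ip_address(ip) in confirmed
    except ValueError:
        # Malformed address in either the packet or the answer: no confirmation.
        return False


if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(src,
              "ptr-only:", "ACCEPT" if reverse_name_only(src, table_ptr) else "DROP",
              "fcrdns:", "ACCEPT" if fcrdns_allows(src, table_ptr, table_forward) else "DROP")
```

The lying host at 192.0.2.20 passes the PTR-only rule and fails FCrDNS, which is the whole point of the second check. Note that the forward confirmation costs a second DNS round trip per new source address, so in a packet-verdict loop like the one above you would want to cache decisions per source IP rather than resolve on every packet.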