Comments on: Dropping spurious ./NS/IN recursive queries

By: Mickey Mouse

Mickey Mouse — Mon, 23 Feb 2009 22:35:45 +0000

Thanks so much. I don’t want to contribute either and I’m not any longer

By: chrome

chrome — Tue, 03 Feb 2009 23:05:37 +0000

Not here. May be something else going on? Run a packet capture?

By: sov

sov — Tue, 03 Feb 2009 14:00:44 +0000

Hi and thank you for this very usefull snippet :)
Since about one day now I’m using it, but I’ve noticed that my DNS server is now beeing flood by request for my reverse DNS (on wich I do not have control, that’s why i’ve noticed it).
It started just right after I started using the iptables snippet above.
Does anybody else noticed something like that on his server ?

By: Glen Combe

Glen Combe — Fri, 30 Jan 2009 17:39:51 +0000

Thanks for posting this.. been getting hammered with..just had re compile my kenrel with the u32 support! thnx!

By: Darryl

Darryl — Wed, 28 Jan 2009 14:22:35 +0000

When I paste the iptables command you have, I get:

iptables: Invalid argument

and in dmesg:

ip_tables: u32 match: invalid size 1984 != 2028

This is on a 2.6.23 debian machine. Any ideas?

By: Curtis Maurand

Curtis Maurand — Wed, 28 Jan 2009 13:49:00 +0000

modprobe xt_u32

should load it.

By: chrome

chrome — Sat, 24 Jan 2009 22:54:51 +0000

Debian lenny packages it with the kernel package:

linux-image-2.6.26-1-686: /lib/modules/2.6.26-1-686/kernel/net/netfilter/xt_u32.ko

You might have to build a custom kernel, or alternatively, build the kernel module separately.

By: Cezar RO

Cezar RO — Sat, 24 Jan 2009 19:55:49 +0000

Yes, maybe cool, maybe it’s work… Same problem to me … iptables v1.3.6: Couldn’t load match … bla bla bla …

Other idea?

By: Fredrick

Fredrick — Sat, 24 Jan 2009 12:34:25 +0000

OK, so I think, "Great, I'll just add the iptables rule and have blessed silence in the logs!"

Not so fast, "iptables v1.3.6: Couldn't load match `u32':/lib/iptables/libipt_u32.so: cannot open shared object file: No such file or directory."

Grrrr. OK, gonna have to do some work. What is u32, hmmm aahhhh does byte comparison on IP headers. Brilliant! OK, now how do I get it....Doh! Gotta patch the kernel and recompile! From a ease of maintenance and repository management perspective, I don't want to build a custom kernel.

Now what?!? My logs are filling with this crap. I guess I can just purge the logs, but would rather drop the DNS requests than handle them after the fact.

I'm running ubuntu Gutsy. How did you get u32 working?