Looking through the mail logs I've noticed a lot of these:

Apr  7 11:33:25 s123456 pop3d: IMAP connect from @ [::ffff:192.96.206.9]checkmailpasswd: FAILED: web14p3 - short names not allowed from @ [::ffff:192.96.206.9]ERR: LOGIN FAILED, ip=[::ffff:192.96.206.9]
Apr  7 11:33:26 s123456 pop3d: Connection, ip=[::ffff:192.96.206.9]

I'm using IPTables to block stuff but this one has me stumped. Is this an IPv6 address, or an IPv4 address and, with that, how do I block it using IPv4 IP tables or IPv6 IP tables? Or something totally different?

  • Not specifically answering your question, but a good read nonetheless: http://serverfault.com/questions/531941/i-am-under-ddos-what-can-i-do – i-CONICA Apr 07 '14 at 10:36

1 Answer

Addresses from the ::ffff:0:0/96 range are used when the traffic on the network is IPv4 but the application is using an IPv6 API to communicate with the kernel.

If you want to apply firewall rules to such traffic, the rules need to be IPv4 because that is what the traffic is on the network.

kasperd
  • I've added a rule to block the 192.xx.xxx.x part, should my rule then be: `iptables -A INPUT -s ::ffff:192.xx.xxx.x -j DROP` instead then? – ScottMcGready Apr 07 '14 at 11:00
  • iptables need the addresses to be IPv4, so you need to remove the `::ffff:` part of the address. `-A INPUT -s 192.96.206.9 -j DROP` should work. But I would rather recommend `-A INPUT -s 192.96.206.9 -p tcp -j REJECT --reject-with tcp-reset` – kasperd Apr 07 '14 at 11:09
  • Hmm good call but that's not blocking it at all. Need a rethink on this I think. – ScottMcGready Apr 07 '14 at 12:25
  • Might you have an ACCEPT rule earlier in the chain? – kasperd Apr 07 '14 at 13:03
  • Oh more than likely, this isn't a server I manage full time - literally "had a look" at a request and kinda wish I hadn't! – ScottMcGready Apr 07 '14 at 13:08
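As an added example (not part of the question or kasperd's answer), the following script applies the point made above to log lines like the ones quoted: it pulls the bracketed address out of each `LOGIN FAILED` line, unwraps the `::ffff:` IPv4-mapped form to the IPv4 address actually on the wire, and emits the `REJECT --reject-with tcp-reset` rule suggested in the comments with `iptables` or `ip6tables` chosen by the real address family. The log text is constructed for the example (two lines mirror the question; the `2001:db8::1` and `203.0.113.7` entries are made up to show the other cases).

```python
import ipaddress
import re

# Constructed sample log, in the same format as the courier pop3d lines in the question.
SAMPLE_LOG = """\
Apr  7 11:33:25 s123456 pop3d: IMAP connect from @ [::ffff:192.96.206.9]checkmailpasswd: FAILED: web14p3 - short names not allowed from @ [::ffff:192.96.206.9]ERR: LOGIN FAILED, ip=[::ffff:192.96.206.9]
Apr  7 11:33:26 s123456 pop3d: Connection, ip=[::ffff:192.96.206.9]
Apr  7 11:40:01 s123456 pop3d: LOGIN FAILED, ip=[2001:db8::1]
Apr  7 11:41:12 s123456 pop3d: LOGIN FAILED, ip=[203.0.113.7]
"""

# The daemon logs the peer address as ip=[...] at the end of the line.
ADDR_RE = re.compile(r"ip=\[([0-9a-fA-F:.]+)\]")

def network_address(addr: str):
    """Return the address as it travels on the network.

    ::ffff:a.b.c.d is an IPv4-mapped IPv6 address (::ffff:0:0/96): the socket
    API hands the daemon an IPv6 value, but the packets are IPv4, so a firewall
    rule has to match the embedded IPv4 address, not the ::ffff: form.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def failed_login_sources(log_text: str) -> set:
    """Collect the on-the-wire source address of every LOGIN FAILED line."""
    sources = set()
    for line in log_text.splitlines():
        if "LOGIN FAILED" not in line:
            continue
        match = ADDR_RE.search(line)
        if match:
            sources.add(network_address(match.group(1)))
    return sources

def reject_rule(ip) -> str:
    """Build the rule recommended in the comments, picking the tool by the
    address family that is actually on the wire."""
    tool = "iptables" if ip.version == 4 else "ip6tables"
    return f"{tool} -A INPUT -s {ip} -p tcp -j REJECT --reject-with tcp-reset"

if __name__ == "__main__":
    for ip in sorted(failed_login_sources(SAMPLE_LOG), key=str):
        print(reject_rule(ip))
```

Note that, as kasperd points out in the comments, an earlier ACCEPT rule in the INPUT chain will still match first; use `-I INPUT` or inspect the chain with `iptables -L INPUT -n --line-numbers` if the rule appears to have no effect.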