LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 07-20-2007, 11:55 AM   #1
c00kie
Member
 
Registered: Mar 2007
Location: CORE
Distribution: FC6, FreeBSD, XP?
Posts: 34

Rep: Reputation: 15
Get SRC IP from IPTABLES logs and drop it


I'm not to advanced in linux scripting.. so I need some help.

What I want is to blacklist some IP's. I know how to get the IP's using IPTABLES:

$IPTABLES -A INPUT -d XXX.XXX.XXX.XXX -p tcp --dport 80 --tcp-flags ALL PSH,ACK -m string --algo bm --string MyNick --to 100 -j LOG –log-level 4

So this writes something like:

Jul 20 12:49:24 MAIN kernel: IN=eth0 OUT= MAC=00:17:31:93:bc:39:00:01:03:12:f4:43:08:00 SRC=193.254.43.81 DST=XXX.XXX.XXX.XXX LEN=120 TOS=0x08 PREC=0x00 TTL=123 ID=19609 DF PROTO=TCP SPT=2316 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0

What I want is to get that SRC and drop it. (something simple like $IPTABLES -A INPUT -s 193.253.43.81 -j DROP)

How do I do it 1337s?

Thanks in advance mates.

Last edited by c00kie; 07-20-2007 at 11:56 AM.
 
Old 07-20-2007, 02:20 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,406

Rep: Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965
i like these sorts of questions. i suck with iptables, but it's nice to have confidence that it's going to be a possible thing to do with a little research. as such i give you the "recent" module...

http://www.snowman.net/projects/ipt_recent/

essentially you've no need for the log data itself, just match the initial traffic as you are and presumably send it to a new table containing the recent rule which just drops everything that hits it with a recent tag added. then as in the examples above just drop every source IP in the recent list you created. no scripting, and all held completely inside iptables. it's a time based module, but just stick a big old time on it and i assume you'll be fine. it's presumably not like your list is going to be very long...
 
Old 07-20-2007, 02:55 PM   #3
c00kie
Member
 
Registered: Mar 2007
Location: CORE
Distribution: FC6, FreeBSD, XP?
Posts: 34

Original Poster
Rep: Reputation: 15
Now I've got a bigger problem... it seems even if i drop ip's... the ddos ain't stopping...
 
Old 07-20-2007, 03:10 PM   #4
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157Reputation: 157
Quote:
Originally Posted by c00kie
Now I've got a bigger problem... it seems even if i drop ip's... the ddos ain't stopping...
You're not going to be able to stop a DDoS. You can block the traffic and hope it doesn't overwhelm your firewall in the process, but there's no real way to stop it.

You may be able to change your IP (if you're not using a static IP on your gateway)...the DDoS will still continue, but it will no longer affect you if you are no longer using the targeted IP address. Depending on who your ISP is, you may also be able to get them to null route the attack traffic, depending on what services the attacker is attacking (Verizon does this, since they've one of the largest backbones in the world). More than likely, you may just have to ride it out.
 
  


Reply

Tags
iptables, log


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables - drop all -> allow needed OR allow all -> drop specific lucastic Linux - Security 5 12-21-2004 02:07 AM
iptables how drop ip address issin Linux - Networking 4 09-02-2004 06:45 AM
how to do this.. IPTABLES IP Range DROP latino Linux - Security 1 01-02-2004 01:41 AM
iptables DROP command mm_jth Linux - Security 5 11-07-2003 11:22 AM
iptables -> DROP -> CLAGGS geoffj Linux - Networking 12 03-23-2003 05:26 AM


All times are GMT -5. The time now is 07:28 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration