LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-10-2004, 11:49 PM   #1
lucktsm
Member
 
Registered: May 2004
Location: Atlanta, GA USA
Distribution: Redhat ES4, FC4, FC5, slax, ubuntu, knoppix
Posts: 155

Rep: Reputation: 30
IPtables firewall causing network slowdown


Hi all,

I have been using snort in conjunction with a firewall that I will list below. This little script takes a whitelist and blacklist and creates my firewall.

The problem is my blacklist has grown to several thousand IP addresses and ranges. Is there a way to speed things up? Attached is the firewall and I will also list the blacklist. I use the SANS storm watch to add to the block list as well as my own snort logs.



#!/bin/sh
#
#
WHITELIST=whitelist.txt
BLACKLIST=blacklist.txt
ALLOWED="22 25 80"
#
#
# Drop existing rules
iptables -F

# Go through $WHITELIST, accepting all traffic from the hosts and networks
# contained on that list (first field of every non-comment line)
#
for x in `grep -v ^# "$WHITELIST" | awk '{print $1}'`; do
    echo "Permitting $x..."
    iptables -A INPUT -t filter -s "$x" -j ACCEPT
done


# Go through $BLACKLIST, blocking all traffic from these hosts and networks
for x in `grep -v ^# "$BLACKLIST" | awk '{print $1}'`; do
    echo "Blocking $x..."
    iptables -A INPUT -t filter -s "$x" -j DROP
done

# Next, the TCP ports we will accept from non-blacklisted addresses
for port in $ALLOWED; do
    echo "Accepting port $port..."
    iptables -A INPUT -t filter -p tcp --dport "$port" -j ACCEPT
done

# Drop any other new TCP connection not from the whitelist or to the ports defined above
iptables -A INPUT -t filter -p tcp --syn -j DROP

-----------------------------------------------------------------------------------------------
Blacklist:

115.253.182.180
12.148.209.196
12.169.0.142
12.175.0.35
129.241.0.0/255.255.255.0
15.240.221.55
152.30.11.183
161.139.184.3
161.24.236.11
163.180.117.43
163.180.17.227
168.160.230.200
169.254.1.132
170.127.110.172
172.158.114.171
172.161.250.88
172.184.148.94
172.202.38.232
172.208.108.56
185.219.40.0
194.0.0.0/255.0.0.0
195.223.9.91
195.87.101.68
198.165.205.139
198.176.208.75
198.180.134.254
200.0.0.0/255.0.0.0
202.0.0.0/255.0.0.0
203.0.0.0/255.0.0.0
204.97.182.22
205.179.53.54
64.246.165.210
207.137.1.38
207.25.95.6
207.38.0.0/255.255.0.0
207.38.0.68
208.0.0.0/255.0.0.0
209.182.97.185
209.194.231.67
209.237.238.172
209.237.238.174
211.0.0.0/255.0.0.0
212.0.0.0/255.0.0.0
213.0.0.0/255.0.0.0
216.151.126.98
216.175.225.200
216.201.108.30
216.205.0.0/255.255.0.0
216.244.103.29
216.36.0.0/255.255.0.0
216.39.50.104
216.39.50.24
216.74.14.2
216.95.225.162
217.225.232.214
218.0.0.0/255.0.0.0
219.156.235.131
220.0.0.0/255.0.0.0
68.44.0.0/255.255.0.0
68.161.22.199
68.225.233.174
68.13.134.251
68.107.184.14
68.73.92.105
222.0.0.0/255.0.0.0
223.0.0.0/255.0.0.0
24.217.52.226
24.43.203.105
24.5.184.171
24.57.243.20
43.0.0.0/255.0.0.0
45.0.0.0/255.0.0.0
61.0.0.0/255.0.0.0
62.245.208.74
62.59.35.178
62.94.18.69
63.139.54.192
63.148.99.0/255.255.255.0
63.166.2.183
63.173.139.7
63.231.41.57
64.108.210.220
64.12.96.71
64.12.96.77
64.140.49.66
64.241.177.25
64.246.161.42
64.246.165.180
64.246.165.200
64.66.220.26
66.20.234.14
64.68.0.0/255.255.0.0
66.228.133.172
66.229.0.0/255.255.0.0
66.229.36.203
66.23.201.161
66.23.209.2
66.25.0.0/255.255.0.0
66.25.11.148
66.30.0.0/255.255.0.0
66.41.0.0/255.255.0.0
66.49.57.198
66.50.21.135
66.54.171.162
66.61.120.0/255.255.255.0
66.68.209.14
66.69.237.89
66.80.243.74
66.93.108.186
67.127.4.101
67.217.27.19
67.36.13.26
67.72.101.6
67.95.21.142
67.97.95.68
68.117.198.188
68.118.44.151
68.121.16.193
68.122.184.110
68.123.123.179
68.124.152.42
68.124.223.233
68.126.2.73
68.147.215.94
68.15.32.205
68.153.46.66
68.173.227.249
68.173.229.239
68.174.37.76
68.184.59.39
68.200.0.0/255.255.0.0
68.201.178.42
68.201.222.55
68.201.228.81
68.202.237.176
68.202.27.150
68.21.172.32
68.21.4.61
68.249.105.188
68.252.0.0/255.255.0.0
68.252.16.29
68.252.18.195
68.252.201.158
68.252.24.34
68.32.21.17
68.33.21.5
68.34.41.78
68.35.245.41
68.36.117.248
68.36.129.20
68.38.70.107
68.39.83.106
68.41.33.65
68.41.39.75
68.42.201.56
68.42.247.251
68.43.135.99
68.45.117.67
68.45.91.19
68.46.50.226
68.47.0.0/255.255.0.0
68.47.235.31
68.47.84.98
68.48.86.0/255.255.255.0
68.49.179.74
68.49.96.248
68.50.47.224
68.50.53.4
68.50.6.230
68.52.0.0/255.255.0.0
68.52.11.226
68.52.63.47
68.53.241.40
68.56.76.151
68.57.121.156
68.58.203.180
68.59.96.74
68.60.223.90
68.61.113.116
68.62.17.26
68.62.229.102
68.63.118.242
68.65.80.130
68.71.181.88
68.72.134.123
68.73.126.39
68.76.7.197
68.77.160.232
68.79.101.13
68.79.76.104
68.80.25.124
68.81.222.156
68.82.125.7
68.82.139.76
68.82.168.4
68.83.208.40
68.83.210.216
68.84.244.104
68.84.32.215
68.85.123.191
68.86.87.252
68.92.74.51
68.86.17.147
80.131.0.0/255.255.0.0
80.131.221.26
80.139.77.187
80.140.0.0/255.255.0.0
80.143.170.220
80.145.0.0/255.255.0.0
80.166.170.92
80.184.141.242
81.240.142.141
81.51.71.38
82.34.107.21
96.100.101.124
84.0.0.0/255.0.0.0
146.82.220.225
68.48.115.190
198.81.0.0/255.255.0.0
12.96.160.0/255.255.255.0
62.242.0.0/255.255.0.0
80.199.176.0/255.255.255.0
68.73.85.83
200.55.43.123
66.201.192.0/255.255.255.0
68.83.212.172
68.204.239.13
68.35.145.215
68.162.121.232
68.191.98.59
64.246.165.150
64.237.36.0/255.255.0.0
62.34.0.0/255.255.0.0 # France
68.229.128.0/255.255.255.0
68.120.0.0/13
64.246.160.0/19
68.249.245.64
68.86.180.198
208.184.0.0/255.255.0.0
208.185.0.0/255.255.0.0
206.141.193.0/255.255.255.0 # akamai search bots
216.75.160.0/19
########################
# Internet Storm Block #
########################
217.158.66.0/24
66.50.23.0/24
62.167.201.0/24
194.100.87.0/24
63.202.22.0/24
80.202.186.0/24
172.150.176.0/24
169.207.179.0/24
216.70.31.0/24
195.92.43.0/24
216.99.209.0/24
83.76.68.0/24
80.182.38.0/24
212.46.37.0/24
217.97.81.0/24
80.139.38.0/24
61.231.24.0/24
217.140.218.0/24
24.188.69.0/24
203.65.247.0/24
66.196.0.0/255.255.0.0 # BOTS BOTS BOTS!
68.55.71.12
68.115.0.0/255.255.0.0
206.136.0.0/14
172.143.116.176
67.42.48.246
68.186.0.0/255.255.0.0
68.79.92.222
 
Old 05-11-2004, 04:40 PM   #2
rossd
LQ Newbie
 
Registered: May 2004
Distribution: Slackware
Posts: 4

Rep: Reputation: 0
One thing that will greatly increase efficiency is to add in connection state tracking:

/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Stick that in before your first 'for' loop. By adding this, only the 'first' packet of every connection will be checked against your entire list. Without it, every single packet you receive will have to traverse your entire chain.

Also - I notice that you seem to want to drop anything not on the 'whitelist'. If this is so - why check against your "blacklist" at all?
 
Old 05-11-2004, 04:54 PM   #3
slacky
Member
 
Registered: Feb 2004
Location: USA
Distribution: Debian
Posts: 174

Rep: Reputation: 16
In addition to using connection tracking, you might be able to speed it up by minimizing the number of rules a packet has to be checked against. Here's what I would try - it's a lot more maintenance, though:

# create a new chain for every "class A" network on the blacklist
iptables -N TEST_63
iptables -N TEST_64

# if it's a new connection, jump to the chain for its /8 network
iptables -A INPUT -s 63.0.0.0/8 -m state --state NEW -j TEST_63
iptables -A INPUT -s 64.0.0.0/8 -m state --state NEW -j TEST_64

# each chain only holds the blacklist entries inside that /8
iptables -A TEST_63 -s 63.139.54.192 -j DROP
iptables -A TEST_63 -s 63.148.99.0/255.255.255.0 -j DROP
iptables -A TEST_64 -s 64.108.210.220 -j DROP
# a packet that matches nothing in the chain returns to the next line in the INPUT chain

That way if you have 10 "class A" networks on the black list, each with 10 hosts/subnetworks, rather than parse 100 rules, it would parse the first ten rules, and if it matches, only ten more rules, so a max of 20 rules rather than 100.
 
Old 05-11-2004, 11:37 PM   #4
lucktsm
Member
 
Registered: May 2004
Location: Atlanta, GA USA
Distribution: Redhat ES4, FC4, FC5, slax, ubuntu, knoppix
Posts: 155

Original Poster
Rep: Reputation: 30
Guys,

Thanks for all the good info. I am going to start working on my script asap. It makes good sense. I love iptables! I also have a netscreen 5fg sitting here, but it won't work with my DSL provider. I use both for an effective DMZ setup.

Anyway thanks for the great info.
 