Most efficient way to block multiple IP addresses?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Most efficient way to block multiple IP addresses?
Hello,
I have a public server running Deb 7.4 amd64 multiarch where I host multiple public game servers. Current security includes iptables and fail2ban, among other things. Because this is a public server, I have to ban IP address for a variety of reasons including habitual break-in attempts and DoS or other types of server attacks. Most of the offending IPs are not from a contiguous range or from the same subnet, so they must be banned individually.
Because low latency is so very important for game servers I am always concerned about the server and network running as efficiently and as fast as possible. As such, I do not want to create any bottlenecks with excessive filtering of incoming or outgoing traffic.
Currently I block individual IPs using an iptables rule. However, the list of blocked IPs is getting rather long.
Q: Are individual "DROP" rules inserted into iptables the most efficient way to manage numerous IP bans or is there a better way?
Other measures include disabling SSH password authentication and root login in favor of RSA key pair authentication. Fail2ban is configured to permanently ban IPs that attempt brute-force SSH break-in. Is it possible to have SSH control (ssh restricted to a single ip only) handled by iptables and not use fail2ban? Alternatively, can IPs banned by fail2ban be automatically added to the ipset blacklist instead of staying with f2b?
Quote:
Originally Posted by unSpawn
Sure: use ipset, preferably in the mangle table. BTW I ran a little test a while ago.
I've not yet used the mangle table, so all of the rules I've created must be in the filter table.
This is a great article, especially for someone like me who is not familiar with ipset. So essentially, I can remove all of the individual IP DROP rules from iptables and move all of the "bad" source IPs to a black list in ipset, correct?
Public forums like LQ with helpful people are so valuable. From the replies to my first post on LQ, I've already learned a number of new and very useful techniques.
Having read the ipset article referenced by yzT!, I did a test install of ipset on my dev server, created the new set (ip_blacklist) and loaded several hundred "bad" ips with a quick for-loop. The article suggests this iptables rule to reference the new set:
Two points here: 1. since my server is not a web server I want all traffic from the blacklisted IPs stopped, not just tcp and not just to port 80. 2. Why use REJECT rather than DROP? I think the iptables rule I need is:
Code:
iptables -I INPUT -m set --match-set ip_blacklist src -j DROP
Is this the right rule to use?
Before moving this onto the production server I am also wondering if null routing the IPs at the kernel would be even more efficient than using ipset?
Is it possible to have SSH control (ssh restricted to a single ip only) handled by iptables and not use fail2ban?
Given you've followed the SSH Best practices and since SSH access is already restricted to one IP address only (a white listing scenario) there is absolutely no need to bother with blocking IP addresses trying to access TCP/22.
Quote:
Originally Posted by PGn
Alternatively, can IPs banned by fail2ban be automatically added to the ipset blacklist instead of staying with f2b?
Yes, fail2ban can use ipset for some time now.
Quote:
Originally Posted by PGn
Can you help me understand why the ipset should be in the mangle table?
The Frozentux Iptables-tutorial shows you table traversal, mangle comes before input, and since you want to just drop traffic and not do anything with it it's advised to drop that traffic as early on as possible. Also, since you'll be using the filter table for traffic that actually matters it keeps the rule set much cleaner which makes it easier to maintain.
Quote:
Originally Posted by PGn
So essentially, I can remove all of the individual IP DROP rules from iptables and move all of the "bad" source IPs to a black list in ipset, correct?
Correct.
Quote:
Originally Posted by PGn
since my server is not a web server I want all traffic from the blacklisted IPs stopped, not just tcp and not just to port 80.
Jst adjust the rule then.
Quote:
Originally Posted by PGn
Why use REJECT rather than DROP?
That's a matter of preference (or courtesy): as 'man iptables' tells you the REJECT target sends back an ICMP message while DROP just drops the packet in the bit bucket.
Quote:
Originally Posted by PGn
I think the iptables rule I need is:
Code:
iptables -I INPUT -m set --match-set ip_blacklist src -j DROP
Is this the right rule to use?
These commands makes it the first rule in the raw (disabling connection tracking) and mangle (drop) tables prerouting chains:
Code:
iptables -t raw -I PREROUTING 1 -m set --match-set ip_blacklist src -j CT --notrack;
iptables -t mangle -I PREROUTING 1 -m set --match-set ip_blacklist src -j DROP
Quote:
Originally Posted by PGn
Before moving this onto the production server I am also wondering if null routing the IPs at the kernel would be even more efficient than using ipset?
Where does that "even more" come from? What have you read that makes you say that? Null routing, just like iptables drop rules, denies any remote system to establish (SYN) a connection. The difference is that with null routing traffic is still(!) received: your system just can't send anything (SYN,ACK) back, while iptables is more fine grained and explicitly drops that traffic.
Given you've followed the SSH Best practices and since SSH access is already restricted to one IP address only (a white listing scenario) there is absolutely no need to bother with blocking IP addresses trying to access TCP/22.
Understood. However, the reason for asking is because the server has on multiple occasions been flooded with brute-force or other types of unauthorized break-in attempts to the point that I can't even login over SSH because the server is overloaded and unresponsive. Therefore I was looking for a way to block or drop all unauthorized connection requests before they have to be individually processed as invalid.
Quote:
Originally Posted by unSpawn
These commands makes it the first rule in the raw (disabling connection tracking) and mangle (drop) tables prerouting chains:
Code:
iptables -t raw -I PREROUTING 1 -m set --match-set ip_blacklist src -j CT --notrack;
iptables -t mangle -I PREROUTING 1 -m set --match-set ip_blacklist src -j DROP
Thank you! These are exactly what I needed and are very instructive too.
Quote:
Originally Posted by unSpawn
Where does that "even more" come from? What have you read that makes you say that? Null routing, just like iptables drop rules, denies any remote system to establish (SYN) a connection. The difference is that with null routing traffic is still(!) received: your system just can't send anything (SYN,ACK) back, while iptables is more fine grained and explicitly drops that traffic.
Thank you for the explanation. "even more" was just a question based on the desire to learn "best practices". Being relatively new to Linux administration there are still so many areas where I have only scratched the surface...
Understood. However, the reason for asking is because the server has on multiple occasions been flooded with brute-force or other types of unauthorized break-in attempts to the point that I can't even login over SSH because the server is overloaded and unresponsive. Therefore I was looking for a way to block or drop all unauthorized connection requests before they have to be individually processed as invalid.
Within a server all services use the same resource pool. So if for example your machine is being (ab)used to send spam because you forgot to update WordPress or one of its plugins that will affect the web server and consequently any other service vying for resources. Apart from using a cap on resources there's also iptables modules that limit the amount of connections a single IP address (or range!) is allowed to initiate. That's something you want to implement efficiently at the network layer and not higher up in the application layer.
Quote:
Originally Posted by PGn
Being relatively new to Linux administration there are still so many areas where I have only scratched the surface...
It's a good thing to know where you stand and as long as you show you've done some research, as long as you're willing to question responses (not all replies or web log posts are actually good answers), learn from others and practice yourself (doesn't make perfect but it does help ;-p) you can only grow.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.