I have a nice huge list in CIDR notation that I would like to import into my firewall script. I have tried a few different things but the code below appears to be the most promising.
Code:
cat /root/cidr_block.log | while read address; do
/sbin/iptables -I INPUT -s "$address" -j DROP
done
but that does not do the trick...
Code:
' specified.4.2: invalid mask `22
here is the contents of the file (just for testing!)
Code:
4.2.153.32/22
Now I can put a single IP or any other valid netblock and it still doesn't like it!
I have about 66,000 ranges I need to import so doing it by hand is not an option.
Anyone seen this? My iptables works and I can manually add these 'non working' ranges to my script and it works. I get some interesting results when I try to echo...
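As an added example (not code from the post), here is a bash version of the import loop that normalises the list first. The stray quote at the very start of the error output above is what a carriage return looks like on a terminal: iptables printed "invalid mask `22<CR>' specified.", the terminal jumped back to column 0 at the CR, and the rest of the message was drawn over the beginning of the line. So the mask iptables rejected was "22" followed by a CR, which is exactly what the dos2unix step mentioned later in the thread removes. The function names clean_cidr_list and load_blocklist and the IPTABLES variable are this example's own, and the sample list in the usage below is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Normalise a CIDR blocklist before
# handing it to iptables: strip CRLF endings (the cause of the "invalid mask"
# error above), drop blanks/comments, validate a.b.c.d[/n], de-duplicate.

# clean_cidr_list: raw list on stdin -> valid networks on stdout (input order,
# duplicates removed, bare hosts written as /32); rejected lines go to stderr.
clean_cidr_list() {
    tr -d '\r' |                                   # remove carriage returns
    awk '
        function bad() { print "rejected: " $0 > "/dev/stderr" }
        /^[[:space:]]*(#|$)/ { next }              # blank line or comment
        {
            gsub(/^[[:space:]]+|[[:space:]]+$/, "")   # trim surrounding space
            n = split($0, p, "/")
            if (n > 2 || split(p[1], o, ".") != 4) { bad(); next }
            ok = 1
            for (i = 1; i <= 4; i++)               # each octet must be 0..255
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) ok = 0
            if (!ok) { bad(); next }
            if (n == 1) $0 = $0 "/32"              # single host -> /32
            if (!seen[$0]++) print                 # first occurrence only
        }'
}

# load_blocklist FILE: insert one DROP rule per cleaned network. Point
# IPTABLES at "echo" to dry-run the commands without root.
load_blocklist() {
    clean_cidr_list < "$1" | while IFS= read -r net; do
        "${IPTABLES:-/sbin/iptables}" -I INPUT -s "$net" -j DROP
    done
}

# Usage: ./blocklist.sh /root/cidr_block.log
if [ "$#" -gt 0 ]; then
    load_blocklist "$1"
fi
```

With a constructed file containing "4.2.153.32/22" twice with CRLF endings, a comment, a bare host and two malformed entries, clean_cidr_list prints 4.2.153.32/22 and 10.0.0.1/32 once each and reports the two bad lines on stderr; IPTABLES=echo then shows the exact commands that would run.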
66,000 rules seems like a lot of processing on every received packet. I would question whether performance will suffer significantly. Perhaps you could report back on that once you get it running.
Quote:
66,000 rules seems like a lot of processing on every received packet. I would question whether performance will suffer significantly.
I would be seriously concerned about that many blacklist rules too. To avoid performance issues, I recommend a separate chain with the IPs, where only packets in state NEW get sent. Example:
Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW -j CHECK_IP
Actually it is more like 240,000 rules, and after dos2unix it appears there is a limitation, because after testing a few lists they all bork out on line 823... some type of limitation, I suppose.
Quote:
I would be seriously concerned about that many blacklist rules too. To avoid performance issues, I recommend a separate chain with the IPs, where only packets in state NEW get sent
That would be nice but some of these are advertising servers and that would allow the ads to trickle in. If I split up the lists, it makes more entries because some of them overlap. I simply need to block them totally.
Quote:
Actually it is more like 240,000 rules, and after dos2unix it appears there is a limitation, because after testing a few lists they all bork out on line 823... some type of limitation, I suppose.
That seems weird. Can you post a link to this list so we can test it ourselves?
Quote:
That would be nice but some of these are advertising servers and that would allow the ads to trickle in.
Not sure I follow, as iptables won't care what kind of servers they are. When you stop connections from starting to/from an IP, the restriction applies to any IP-based traffic.
Quote:
If I split up the lists, it makes more entries because some of them overlap. I simply need to block them totally.
Once again, it would be great if you could post a link so we could try it and compare results.
Well, I am currently importing the list within bash, not from within my firewall script. I guess I'll start using iptables as a service if this works. I guess it likes to bork in the script itself.
Just wondering, what do most people use when they need to block this many addresses?
Okay, so I tried your data file, and stopped it after about 8000 entries (I added an echo line to the script so I could monitor the progress). It felt like the script was slowing down as it progressed. I didn't notice any slow-down of web browsing traffic, although admittedly, this is not a very scientific test. I had to leave my desk, and so I stopped the script. I may try letting it run much longer, and see what effect there is. At any rate, there was no evidence that it had crashed or hung up in any way. This was done on a Fedora-9 system, with a custom 2.6.27 kernel.
--- rod.
I haven't looked at your file (couldn't get it to download yesterday), but I generated my own list of 240,000 random subnets to test with. The rules loaded fine up until 119,219 (at that point, iptables ran into a memory allocation problem).
So how exactly would this work? I could use this for the larger set of rules. But again, I would like them to be dropped, of course.
You just load the rules into the CHECK_IP chain, then send all packets in state NEW through it. If the connection is being initiated by a banned IP, it won't be allowed to proceed. If it isn't, the packet will continue downward, through whatever chain sent the packet to CHECK_IP originally. Packets which are part of a connection which has already been initiated won't get sent to CHECK_IP.
Quote:
I recommend a separate chain with the IPs, where only packets in state NEW get sent. Example:
Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW -j CHECK_IP
This is what I do. You want your INPUT chain to be clear and easy to read / maintain.
If you are only blacklisting for certain services, and can add extra criteria to the -j CHECK_IP rule, all the better. For example, if you are only blacklisting those addresses to tcp port 22 (ssh), then add the appropriate criteria to the rule so that you're not traversing CHECK_IP for every single packet that enters the INPUT chain.
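As an added example (not the thread's own code), here is the separate-chain layout recommended above written out as a generator for an iptables-restore fragment. Every DROP rule goes into the CHECK_IP chain and the whole chain is loaded in one commit, instead of one iptables invocation per network (with legacy iptables each invocation reads and rewrites the entire table, which is why the original loop was felt to slow down as it progressed). It assumes the list is already clean, one a.b.c.d/n per line; the function names build_check_ip_chain and print_handoff_rules, the output path and the sample list are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Emit the "separate chain" layout as an
# iptables-restore fragment: all DROP rules live in CHECK_IP and are loaded in
# one commit rather than one iptables call per network. Assumes the list is
# already clean (one a.b.c.d/n per line); the tr only guards against CRLF.

# build_check_ip_chain LISTFILE: iptables-restore text for the filter table.
# Declaring the chain with ":CHECK_IP - [0:0]" creates it if it is missing;
# when applied with --noflush an existing CHECK_IP is flushed and refilled
# while the rest of the filter table is left alone, so the fragment can be
# reloaded whenever the list changes.
build_check_ip_chain() {
    printf '*filter\n'
    printf ':CHECK_IP - [0:0]\n'
    tr -d '\r' < "$1" |
        grep -Ev '^[[:space:]]*(#|$)' |                # skip blanks/comments
        awk '{ print "-A CHECK_IP -s " $1 " -j DROP" }'
    printf 'COMMIT\n'
}

# print_handoff_rules [IFACE]: the two INPUT rules from the thread, printed as
# commands for the main firewall script. They belong there, run once, rather
# than in the reloadable fragment, so reloads do not duplicate them in INPUT.
print_handoff_rules() {
    local iface="${1:-eth0}"
    printf 'iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n'
    printf 'iptables -A INPUT -i %s -m state --state NEW -j CHECK_IP\n' "$iface"
}

# Usage (as root): ./check_ip.sh /root/cidr_block.log > /etc/check_ip.rules
#                  iptables-restore --noflush < /etc/check_ip.rules
if [ "$#" -gt 0 ]; then
    build_check_ip_chain "$1"
fi
```

Established and related traffic is accepted before the hand-off, so only the first packet of each new connection walks the long chain; adding a port or protocol match to the NEW rule, as the post above suggests, narrows that further. For lists of this size the usual answer to the "what do most people use" question is ipset (a hash:net set matched from a single rule with -m set --match-set), which this thread does not cover; the chain layout shown here keeps to what the thread discusses.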