Linux - Newbie forum, LinuxQuestions.org
Hello, I've been wrestling with this problem for a while now.
I have a list of ~50 bad IPs that I want iptables to log if matched and then drop, in both INPUT AND FORWARD.
For example IPs like this:
Code:
-s 10.0.0.0/8 -j DROP
-s 172.16.0.0/12 -j DROP
-s 192.168.0.0/16 -j DROP
-s 169.254.0.0/16 -j DROP
-s 176.0.0.0/8 -j DROP
After some extensive google research I found two ways to log and drop packets that were matched against a rule.
Option a.) Adding a LOG and DROP rule, separately for each IP:
Example in my case:
Code:
-N droplist
-A INPUT -j droplist
-A FORWARD -j droplist
-A droplist -s 10.0.0.0/8 -j LOG --log-level 4
-A droplist -s 10.0.0.0/8 -j DROP
-A droplist -s 172.16.0.0/12 -j LOG --log-level 4
-A droplist -s 172.16.0.0/12 -j DROP
-A droplist -s 192.168.0.0/16 -j LOG --log-level 4
-A droplist -s 192.168.0.0/16 -j DROP
-A droplist -s 169.254.0.0/16 -j LOG --log-level 4
-A droplist -s 169.254.0.0/16 -j DROP
-A droplist -s 176.0.0.0/8 -j LOG --log-level 4
-A droplist -s 176.0.0.0/8 -j DROP
Option b.) Creating LOG chain that logs/drops and jumping there from each rule:
Code:
-N droplist
-N logging
-A INPUT -j droplist
-A FORWARD -j droplist
-A droplist -s 10.0.0.0/8 -j logging
-A droplist -s 172.16.0.0/12 -j logging
-A droplist -s 192.168.0.0/16 -j logging
-A droplist -s 169.254.0.0/16 -j logging
-A droplist -s 176.0.0.0/8 -j logging
-A logging -j LOG --log-level 4
-A logging -j DROP
Option b.) is apparently unsafe because the packets aren't dropped, immediately.
There MUST be a better and more elegant way to do this, right?
Last edited by amateur_intermediate; 01-07-2022 at 02:46 PM.
Yes. Development on IPTables has slowed or almost stopped.
Remove IPTables and install NFTables, and then give it a try with your task.
Hi Turbo, thanks for your reply!
So... while I do hate on iptables, I've spent a long time carefully reading all kinds of documentation and finally feel comfortable with it now. If possible I'd like to avoid having to learn something new lol.
Can you think of a better way to achieve my goal within iptables?
Sunk cost fallacy, it's also what keeps too many on M$ Windows ... but be that as it may, if you wish to throw good money^Wtime after bad, then take a look at this part of your script:
Code:
...
-A INPUT -j droplist
-A FORWARD -j droplist
...
The -A puts the test at the very end of everything else. That's almost certainly not what you want, since some other rule will probably let the packet through first. Instead the -I option can take a number as a parameter in order to place the new rule at a certain position among the existing rules.
That of course depends on what rules 1 and 2 are. You definitely want to give the highest priority to processing the loopback and established or related connections.
The details are determined by how the network will be used, what kind of system is this for? Desktop? Router? Server? Other?
Last edited by Turbocapitalist; 01-07-2022 at 12:14 PM.
Reason: swap sequence
Sorry, I should've posted the entire table for clarity.
Code:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N droplist
-N logging
-A INPUT -j droplist
-A FORWARD -j droplist
-A droplist -s 10.0.0.0/8 -j logging
-A droplist -s 172.16.0.0/12 -j logging
-A droplist -s 192.168.0.0/16 -j logging
-A droplist -s 169.254.0.0/16 -j logging
-A droplist -s 176.0.0.0/8 -j logging
-A logging -j LOG --log-level 4
-A logging -j DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
So that's the actual beginning - end.
As far as I understand, because
Code:
-A INPUT -j droplist
-A FORWARD -j droplist
are placed at the very beginning, before any other rules, both chains will immediately jump to droplist and traverse the rules in exactly that order and before anything else. If no rule in droplist matches, it will jump back to the beginning of INPUT or FORWARD chain. I got that from here: https://www.lammertbies.nl/nl/comm/info/iptables
I read in the docs that depending where you jump to a custom chain from one of the main chains, iptables will traverse the custom chain and if no rule matches, it jumps back to the original chain one rule below the jump. Is that incorrect? (getting really confused now)
Last edited by amateur_intermediate; 01-07-2022 at 12:32 PM.
I don't know if you are referring to this web page but building a script to load rules would be a more elegant way. In the end the rules will still be the same.
1. All interfaces.
2. Yes --log-prefix "what ever"
Depending on distribution once the script is run there is iptables-save or similar command to save the rules so they are automatically loaded at boot up.
Awesome, thanks! Trying to find a +rep or thanks button.
One very last thing, sorry.
Would it be possible to include rules that don't use an IP in the list or script?
For example stuff like this:
Code:
-p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-p tcp --tcp-flags ALL ALL -j DROP
-p tcp --tcp-flags ALL NONE -j DROP
Last edited by amateur_intermediate; 01-07-2022 at 01:46 PM.
As you seem to be on the trail of a working solution provided by the useful posts of others I will not offer a complete alternate example as that might send you down another possibly unnecessary path.
But I will make a few suggestions for your future explorations:
* Although nftables is the new kid on the block, iptables is very mature and useful and is not going anywhere in a hurry! If you have invested time in learning iptables make use of it, there is no need to scrap what you know - use it!
* When you wish to perform actions on large sets of IP addresses consider use of ipsets: Add new addresses to the set from file, manually or dynamically with other iptables rules, then simply test membership in the set to perform the desired actions.
* When you really just want to block a set of IPs put that rule early in the path, such as in the raw table PREROUTING chain. And if all you really want is a count of attempts by IP, avoid the overhead of logging and just add a counter to the set.
* You may also want to learn to use tc which can also perform tests on set membership and drop packets before they are even presented to iptables for processing - very efficient combination!
* Consider changing the title of your threads here to something less pejorative: iptables is certainly not absolute trash and posturing your question under that title might result in some members with helpful knowledge bypassing the thread altogether.
Good luck with iptables and welcome to LQ!
Last edited by astrogeek; 01-07-2022 at 02:59 PM.
Reason: typos
Hello and thanks for the warm welcome!
Also thank you for the awesome info, sorry I wrote the title when I was super mad.
I have heard of ipset yes very cool, but I couldn't find out how to LOG each matched rule with a specific prefix and then drop it.
So far the only way I can see that working is with this script and a simple if & grep to change the prefix string according to what was matched.
Code:
IPT=/sbin/iptables
_input=x   # blocklist file: one IP or CIDR per line, '#' comment lines allowed
$IPT -N droplist
# Skip comment and blank lines, then add a LOG + DROP pair for each address
grep -Ev "^#|^$" "$_input" | while IFS= read -r ip
do
    $IPT -A droplist -i eth1 -s "$ip" -j LOG --log-prefix " myBad IP BlockList "
    $IPT -A droplist -i eth1 -s "$ip" -j DROP
done
# Jump to droplist from the built-in chains (-I inserts at position 1)
$IPT -I INPUT -j droplist
$IPT -I OUTPUT -j droplist
$IPT -I FORWARD -j droplist
How do you add a counter? I thought you're just supposed to do this to see a counter?
Code:
iptables -v -L --line-numbers
I read filtering in PREROUTING is not recommended, because it might be ignored.
Last edited by amateur_intermediate; 01-07-2022 at 03:26 PM.
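As an added example that is not code from the thread, the POSIX sh script below turns the per-address LOG/DROP pairs of options a and b into the ipset approach astrogeek describes: one LOG and one DROP rule per chain test set membership, the set carries per-entry counters (the "how do you add a counter" question), and the TCP-flag rules without an address go into the same chain. The set name badips, the sample list and the log prefixes are constructed for the example; the script only prints ipset and iptables-restore input and loads nothing by itself.

```shell
# Added example, not code from the thread. Generates "ipset restore" and
# "iptables-restore" input from a blocklist so that one LOG and one DROP
# rule per chain cover every address (set membership) instead of one pair
# of rules per address. Set name, list and prefixes are constructed here.

# Constructed sample blocklist: '#' comments and blank lines are ignored.
BADLIST='# private / link-local / example ranges
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
169.254.0.0/16

176.0.0.0/8'

# ipset restore input: hash:net set with per-entry packet/byte counters,
# which gives a hit count per address without logging every packet.
emit_ipset() {
    printf 'create badips hash:net family inet counters\n'
    printf '%s\n' "$BADLIST" | grep -Ev '^#|^$' | while IFS= read -r net; do
        printf 'add badips %s\n' "$net"
    done
}

# iptables-restore input for the filter table (loopback and established
# traffic accepted first, then the droplist jump, as discussed above).
emit_iptables() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:droplist - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j droplist
-A FORWARD -j droplist
# One LOG/DROP pair for the whole set; the kernel LOG line carries SRC= already.
-A droplist -m set --match-set badips src -j LOG --log-prefix "BadIP: " --log-level 4
-A droplist -m set --match-set badips src -j DROP
# Non-address rules (bogus TCP flag combinations) use their own prefix.
-A droplist -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "BadFlags: "
-A droplist -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A droplist -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "BadFlags: "
-A droplist -p tcp --tcp-flags ALL NONE -j DROP
COMMIT
EOF
}
# Load with:  emit_ipset | ipset -exist restore ; emit_iptables | iptables-restore
# Inspect per-address hit counts with:  ipset list badips
```

Because the set match and the LOG target are separate rules, a new address is added with a single ipset add and needs no iptables change.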