Get SRC IP from IPTABLES logs and drop it

c00kie · 07-20-2007, 11:55 AM

I'm not to advanced in linux scripting.. so I need some help.

What I want is to blacklist some IP's. I know how to get the IP's using IPTABLES:

$IPTABLES -A INPUT -d XXX.XXX.XXX.XXX -p tcp --dport 80 --tcp-flags ALL PSH,ACK -m string --algo bm --string MyNick --to 100 -j LOG –log-level 4

So this writes something like:

Jul 20 12:49:24 MAIN kernel: IN=eth0 OUT= MAC=00:17:31:93:bc:39:00:01:03:12:f4:43:08:00 SRC=193.254.43.81 DST=XXX.XXX.XXX.XXX LEN=120 TOS=0x08 PREC=0x00 TTL=123 ID=19609 DF PROTO=TCP SPT=2316 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0

What I want is to get that SRC and drop it. (something simple like $IPTABLES -A INPUT -s 193.253.43.81 -j DROP)

How do I do it 1337s?

Thanks in advance mates.

acid_kewpie · 07-20-2007, 02:20 PM

i like these sorts of questions. i suck with iptables, but it's nice to have confidence that it's going to be a possible thing to do with a little research. as such i give you the "recent" module...

http://www.snowman.net/projects/ipt_recent/

essentially you've no need for the log data itself, just match the initial traffic as you are and presumably send it to a new table containing the recent rule which just drops everything that hits it with a recent tag added. then as in the examples above just drop every source IP in the recent list you created. no scripting, and all held completely inside iptables. it's a time based module, but just stick a big old time on it and i assume you'll be fine. it's presumably not like your list is going to be very long...

c00kie · 07-20-2007, 02:55 PM

Now I've got a bigger problem... it seems even if i drop ip's... the ddos ain't stopping...

unixfool · 07-20-2007, 03:10 PM

Quote:

Originally Posted by c00kie

Now I've got a bigger problem... it seems even if i drop ip's... the ddos ain't stopping...

You're not going to be able to stop a DDoS. You can block the traffic and hope it doesn't overwhelm your firewall in the process, but there's no real way to stop it.

You may be able to change your IP (if you're not using a static IP on your gateway)...the DDoS will still continue, but it will no longer affect you if you are no longer using the targeted IP address. Depending on who your ISP is, you may also be able to get them to null route the attack traffic, depending on what services the attacker is attacking (Verizon does this, since they've one of the largest backbones in the world). More than likely, you may just have to ride it out.