Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
09-13-2007, 02:41 PM  #1
Member
Registered: May 2006
Posts: 34
iptables: how to block IPs by country or registry
I'm currently working on a program to read a file containing the IP ranges allocated by the various registries for each country. The file can be parsed by registry (ARIN, RIPE, etc.) or by country code (USA, CHN, etc.). The output is IP/CIDR or IP/NETMASK for the matching registries or countries. Output can be formatted as a script file to create the chains for iptables, or formatted for inclusion in the iptables startup file, or just raw.
If anybody is interested in this utility or has feature ideas please let me know and I'll see about posting it somewhere. It is almost done.
Here's the syntax:
USAGE: ipfilter (-r REGISTRY... | -c CODE... | -C CODE...) [-m | -M] [-i] [-I[CHAIN_NAME]] [-pCHAIN_NAME ] [-nCHAIN_NAME] [-aACTION] [-v]
-r, --registry : filter using registry name
-c, --cntry : filter using 3 character country codes
-C, --ctry : filter using 2 character country codes
-m, --cidr : print cidr instead of netmask (default)
-M, --netmask : print netmask instead of cidr
-i, --iptables : output iptables startup file format
-I, --iptables_cmd : output iptables configuration script using CHAIN_NAME prefix
-p, --prior : iptables configuration script prior chain name (default "INPUT")
-n, --next : iptables configuration script next chain name (default "ACCEPT")
-a, --action : iptables configuration script action (default "DROP")
-L, --nolog : iptables configuration script disable logging
-v, --verbose : display verbose output
EXAMPLE: ipfilter -c CHN TWN KOR -M
EXAMPLE: ipfilter -r RIPE
EXAMPLE: ipfilter -C US -IUSA
The first example will output all ranges for China, Taiwan and Korea (using a netmask).
The second will output all ranges for the RIPE registry.
The third will output all ranges for the US formatted for an iptables script. Example output for this one follows.
#!/bin/bash
iptables -N USA_CHAIN
iptables -N USA_DROP
iptables -A USA_CHAIN -s 3.0.0.0/8 -j USA_DROP
iptables -A USA_CHAIN -s 4.0.0.0/8 -j USA_DROP
iptables -A USA_CHAIN -s 6.0.0.0/8 -j USA_DROP
iptables -A USA_CHAIN -s 7.0.0.0/8 -j USA_DROP
...
iptables -A USA_CHAIN -s 216.255.176.0/20 -j USA_DROP
iptables -A USA_CHAIN -s 216.255.192.0/19 -j USA_DROP
iptables -A USA_CHAIN -s 216.255.240.0/20 -j USA_DROP
iptables -A USA_CHAIN -j ACCEPT
iptables -A USA_DROP -j LOG --log-prefix "USA_CHAIN: " --log-level 3 --log-tcp-options --log-ip-options
iptables -A USA_DROP -j DROP
iptables -A INPUT -p tcp -m state --state NEW -j USA_CHAIN
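As an added illustration of the approach described above (not the original poster's ipfilter utility), the following Python turns registry allocation records into an iptables chain of the same shape as the sample output. It assumes input in the RIR delegated-stats layout (`registry|cc|type|start|value|date|status`, where `value` is the number of addresses for an ipv4 record); the sample records are constructed, not real allocation data. Because an allocation count is not always a power of two, one record can need several CIDR prefixes, and adjacent prefixes are collapsed afterwards to keep the rule count down.

```python
import ipaddress

# Constructed sample records in the RIR delegated-stats layout:
# registry|cc|type|start|value|date|status   (value = address count for ipv4)
SAMPLE_DELEGATED = """\
arin|US|ipv4|3.0.0.0|16777216|19880223|allocated
arin|US|ipv4|216.255.176.0|4096|19990112|allocated
arin|US|ipv4|216.255.192.0|8192|19990112|allocated
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.2.0|512|20110414|allocated
apnic|TW|ipv4|1.34.0.0|65536|20110414|allocated
ripencc|DE|ipv4|2.16.0.0|3072|20100125|allocated
arin|US|asn|1|1|20010911|allocated
"""


def parse_delegated(text, registries=(), countries=()):
    """Return IPv4Network objects for ipv4 records whose registry or
    country code is in the given selection (either filter may be empty)."""
    nets = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) < 7:
            continue
        registry, cc, rtype, start, value = parts[:5]
        if rtype != "ipv4":
            continue  # asn and ipv6 records are not firewall ranges here
        if registry not in registries and cc not in countries:
            continue
        first = ipaddress.IPv4Address(start)
        last = first + int(value) - 1
        # A count such as 3072 is not a power of two, so the range may
        # need more than one CIDR prefix; summarize_address_range handles that.
        nets.extend(ipaddress.summarize_address_range(first, last))
    return nets


def render_rules(nets, prefix, prior="INPUT", next_chain="ACCEPT",
                 action="DROP", log=True):
    """Emit an iptables script in the layout of the post's sample output:
    <prefix>_CHAIN holds the source matches, <prefix>_<action> logs and acts."""
    chain = f"{prefix}_CHAIN"
    target = f"{prefix}_{action}"
    lines = ["#!/bin/bash", f"iptables -N {chain}", f"iptables -N {target}"]
    # collapse_addresses merges adjacent/overlapping prefixes and sorts them,
    # which directly reduces the number of rules the kernel walks per packet.
    for net in ipaddress.collapse_addresses(nets):
        lines.append(f"iptables -A {chain} -s {net} -j {target}")
    lines.append(f"iptables -A {chain} -j {next_chain}")
    if log:
        lines.append(f'iptables -A {target} -j LOG --log-prefix "{chain}: " '
                     f"--log-level 3 --log-tcp-options --log-ip-options")
    lines.append(f"iptables -A {target} -j {action}")
    lines.append(f"iptables -A {prior} -p tcp -m state --state NEW -j {chain}")
    return lines


if __name__ == "__main__":
    print("\n".join(render_rules(parse_delegated(SAMPLE_DELEGATED, countries=("US",)), "USA")))
```

Run as-is it prints a script equivalent to the US example in the post; pass `registries=("apnic",)` or `countries=("CN", "TW", "KR")` to select by registry or country instead. The DE sample record shows the non-power-of-two case (3072 addresses become a /21 plus a /22).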
09-13-2007, 03:36 PM  #2
Moderator
Registered: May 2001
Posts: 29,415
It's an interesting exercise but 0) how is this Linux Security related or why would you want to do this, 1) you realise not all ranges are continuous and 2) what would be the performance drop for blocking say two continents of choice?
09-13-2007, 06:43 PM  #3
Member
Registered: May 2006
Posts: 34
Original Poster
0) Blocking IPs via iptables is security related. One wants to do this to limit one's server's vulnerability to threats.
1) True. All ranges for a country or region are not contiguous. However, all blocks of ranges assigned are.
2) There are too many variables to answer this: CPU speed, number of CPUs, memory, as well as the number of iptables chain rules. However, it is not impracticable to block, say, the range of blocks for LACNIC and AFRINIC or, on the other hand, all blocks from say China, Taiwan and Korea. I have been doing the latter for a couple of years now.
I run a personal server for mail, www, etc. and I don't want to bother with worrying about all the probes, spam and attacks from Russia, Africa, etc. I wrote this utility for myself but have seen lots of people asking how to do these things when I search the web.
09-13-2007, 07:53 PM  #4
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
What pros/cons are there to your method versus using the geoip match module?
09-14-2007, 12:22 PM  #5
Member
Registered: May 2006
Posts: 34
Original Poster
I haven't used geoip. Hadn't heard of it until you mentioned it. It looks like it could be a superior solution, though a little less robust (not being able to match via a given registry, i.e., AFRINIC, etc.).
I haven't had a chance to look at the internal workings of geoip for iptables. It seems the most efficient way to do the work would be to have all the assigned IP blocks sorted (there are currently 94836 in GeoIPCountryWhois.csv) in a db and then use a binary search to find the block the target IP is in and see if the block's country code matches the code specified by the geoip/iptables rule. That would be very quick and slick compared to processing my long list of rules.
However, my method doesn't require patching the kernel (or iptables). Patching is something I am always hesitant to do, for obvious reasons. It would be great if iptables modules could be included in such a way that they could be loaded on demand. Perhaps they can; I don't know.
Have you had success with geoip/iptables? It looks like it is still a bit experimental.
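The sorted-table-plus-binary-search lookup sketched in the post above, as an added example (not code from the thread or from the geoip match module). It assumes rows in the legacy GeoIP country CSV layout (`"start_ip","end_ip","start_int","end_int","cc","country"`); the rows below are constructed samples, not the real database. The table is sorted once by block start, and each lookup is one `bisect` call plus a bounds check, so per-packet cost stays logarithmic in the number of blocks regardless of how many countries a rule names.

```python
import bisect
import csv
import io
import ipaddress

# Constructed sample rows in the legacy GeoIP country CSV layout:
# "start_ip","end_ip","start_int","end_int","cc","country"
SAMPLE_CSV = """\
"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"3.0.0.0","4.255.255.255","50331648","83886079","US","United States"
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
"1.34.0.0","1.34.255.255","19005440","19070975","TW","Taiwan"
"1.0.4.0","1.0.7.255","16778240","16779263","AU","Australia"
"""


class CountryTable:
    """Block table sorted by start address; lookup is a binary search."""

    def __init__(self, csv_text):
        rows = []
        for r in csv.reader(io.StringIO(csv_text)):
            if len(r) < 5:
                continue
            # Recompute the integers from the dotted form rather than trusting
            # the start_int/end_int columns, so a malformed row cannot skew order.
            start = int(ipaddress.IPv4Address(r[0]))
            end = int(ipaddress.IPv4Address(r[1]))
            rows.append((start, end, r[4]))
        rows.sort()  # one sort at load time; lookups never rescan the list
        self.starts = [s for s, _, _ in rows]
        self.ends = [e for _, e, _ in rows]
        self.codes = [c for _, _, c in rows]

    def lookup(self, ip):
        """Return the country code owning ip, or None if no block covers it
        (gaps between allocations are common and must not match a neighbour)."""
        n = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self.starts, n) - 1  # last block starting <= ip
        if i < 0 or n > self.ends[i]:
            return None
        return self.codes[i]

    def matches(self, ip, codes):
        """The decision a per-country firewall rule has to make."""
        return self.lookup(ip) in set(codes)


TABLE = CountryTable(SAMPLE_CSV)


def country_of(ip):
    return TABLE.lookup(ip)


if __name__ == "__main__":
    for ip in ("1.0.2.77", "1.0.8.0", "3.14.15.9", "9.9.9.9"):
        print(ip, country_of(ip))
```

Note the two failure modes the bounds check covers: an address below the first block (index -1) and an address in a gap after a block's end but before the next block's start; both return None instead of the nearest neighbour's country.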