LinuxQuestions.org
09-13-2007, 02:41 PM   #1
mlnutt
iptables: how to block IPs by country or registry


I'm currently working on a program to read a file containing the IP ranges allocated by the various registries for each country. The file can be parsed by registry (ARIN, RIPE, etc.) or by country code (USA, CHN, etc.). The output is IP/CIDR or IP/NETMASK for the matching registries or countries. Output can be formatted as a script file to create the chains for iptables, formatted for inclusion in the iptables startup file, or just raw.

If anybody is interested in this utility or has feature ideas please let me know and I'll see about posting it somewhere. It is almost done.

Here's the syntax:

USAGE: ipfilter (-r REGISTRY... | -c CODE... | -C CODE...) [-m | -M] [-i] [-I[CHAIN_NAME]] [-pCHAIN_NAME ] [-nCHAIN_NAME] [-aACTION] [-v]
-r, --registry : filter using registry name
-c, --cntry : filter using 3 character country codes
-C, --ctry : filter using 2 character country codes
-m, --cidr : print cidr instead of netmask (default)
-M, --netmask : print netmask instead of cidr
-i, --iptables : output iptables startup file format
-I, --iptables_cmd : output iptables configuration script using CHAIN_NAME prefix
-p, --prior : iptables configuration script prior chain name (default "INPUT")
-n, --next : iptables configuration script next chain name (default "ACCEPT")
-a, --action : iptables configuration script action (default "DROP")
-L, --nolog : iptables configuration script disable logging
-v, --verbose : display verbose output

EXAMPLE: ipfilter -c CHN TWN KOR -M
EXAMPLE: ipfilter -r RIPE
EXAMPLE: ipfilter -C US -IUSA

The first example will output all ranges for China, Taiwan and Korea (using a netmask).

The second will output all ranges for the RIPE registry.

The third will output all ranges for the US formatted for an iptables script. Example output for this one follows.

#!/bin/bash

iptables -N USA_CHAIN
iptables -N USA_DROP

iptables -A USA_CHAIN -s 3.0.0.0/8 -j USA_DROP
iptables -A USA_CHAIN -s 4.0.0.0/8 -j USA_DROP
iptables -A USA_CHAIN -s 6.0.0.0/8 -j USA_DROP
iptables -A USA_CHAIN -s 7.0.0.0/8 -j USA_DROP
...
iptables -A USA_CHAIN -s 216.255.176.0/20 -j USA_DROP
iptables -A USA_CHAIN -s 216.255.192.0/19 -j USA_DROP
iptables -A USA_CHAIN -s 216.255.240.0/20 -j USA_DROP

iptables -A USA_CHAIN -j ACCEPT

iptables -A USA_DROP -j LOG --log-prefix "USA_CHAIN: " --log-level 3 --log-tcp-options --log-ip-options
iptables -A USA_DROP -j DROP

iptables -A INPUT -p tcp -m state --state NEW -j USA_CHAIN
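The generation step described in the post above, as an added example that is not the poster's ipfilter code. Its input is a few constructed lines in the RIR delegated-statistics format (registry|cc|type|start|value|date|status, where value is an address count for ipv4 records), which is the kind of per-registry file such a tool parses; the three-letter country code table, the RIPE alias and the sample records are assumptions made for the example. It splits count-based ranges that are not CIDR-aligned into the minimal list of prefixes and emits a script in the same two-chain layout as the output shown above.

```python
import ipaddress

# Constructed sample lines in the RIR "delegated" statistics format that ARIN,
# RIPE NCC, APNIC, LACNIC and AFRINIC publish:
#     registry|cc|type|start|value|date|status
# For ipv4 records "value" is an address count, not a prefix length, and it is
# not always a power of two, so one record may need more than one CIDR block.
# The first line is the version header; "*" lines are per-registry summaries.
SAMPLE_DELEGATED = """\
2|apnic|20070913|10|19830101|20070913|+1000
arin|*|ipv4|*|2|summary
arin|US|ipv4|3.0.0.0|16777216|19880223|assigned
arin|US|ipv4|216.255.176.0|4096|19960521|allocated
ripencc|RU|ipv4|5.8.8.0|3072|20100920|allocated
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.2.0|512|20110414|allocated
apnic|TW|ipv4|1.34.0.0|65536|20110331|allocated
apnic|KR|ipv4|1.11.0.0|65536|20110408|allocated
lacnic|BR|ipv4|177.0.0.0|1048576|20100427|allocated
afrinic|ZA|ipv4|41.0.0.0|16777216|20050412|allocated
apnic|CN|ipv6|2001:250::|35|20000426|allocated
afrinic|ZA|asn|2018|1|19960522|allocated
"""

# Assumed alias tables for this example: the posted tool takes 3-letter codes
# (-c) and registry names like "RIPE", while the files carry ISO alpha-2 codes
# and the registry label "ripencc".
ALPHA3_TO_ALPHA2 = {"USA": "US", "CHN": "CN", "TWN": "TW", "KOR": "KR",
                    "RUS": "RU", "BRA": "BR", "ZAF": "ZA"}
REGISTRY_ALIASES = {"RIPE": "RIPENCC"}


def parse_delegated(text):
    """Yield (registry, cc, IPv4Network) for every ipv4 allocation record."""
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) < 7 or fields[2] != "ipv4" or fields[1] == "*":
            continue  # version header, summary line, ipv6 or asn record
        registry, cc, _type, start, count = fields[:5]
        first = ipaddress.IPv4Address(start)
        last = first + (int(count) - 1)
        # A start+count range that is not CIDR-aligned becomes the minimal
        # list of prefixes covering exactly that range (3072 -> /21 + /22).
        for net in ipaddress.summarize_address_range(first, last):
            yield registry.upper(), cc.upper(), net


def select_blocks(records, registries=(), countries=()):
    """Return networks whose registry or country is in the given filters."""
    want_reg = {REGISTRY_ALIASES.get(r.upper(), r.upper()) for r in registries}
    want_cc = {ALPHA3_TO_ALPHA2.get(c.upper(), c.upper()) for c in countries}
    return [net for reg, cc, net in records if reg in want_reg or cc in want_cc]


def render_iptables(networks, prefix, prior="INPUT", nxt="ACCEPT",
                    action="DROP", log=True):
    """Emit a script shaped like the posted -I output: <prefix>_CHAIN holds one
    -s match per block and jumps to <prefix>_<action>, which optionally logs
    and then applies the action; unmatched traffic falls through to nxt."""
    chain, target = f"{prefix}_CHAIN", f"{prefix}_{action}"
    lines = ["#!/bin/bash", "", f"iptables -N {chain}", f"iptables -N {target}", ""]
    lines += [f"iptables -A {chain} -s {net} -j {target}" for net in sorted(networks)]
    lines += ["", f"iptables -A {chain} -j {nxt}", ""]
    if log:
        lines.append(f'iptables -A {target} -j LOG --log-prefix "{chain}: " '
                     "--log-level 3 --log-tcp-options --log-ip-options")
    lines += [f"iptables -A {target} -j {action}", "",
              f"iptables -A {prior} -p tcp -m state --state NEW -j {chain}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    records = list(parse_delegated(SAMPLE_DELEGATED))
    asia = select_blocks(records, countries=("CHN", "TWN", "KOR"))
    print(render_iptables(asia, "ASIA"))
```

One caveat a practitioner would add: every rule in the generated chain is evaluated in order for each new connection, so a list of tens of thousands of blocks costs a full linear walk per packet that reaches it; keeping the script limited to `--state NEW` (as the posted output does) bounds that cost to connection setup, and putting the same prefixes into an ipset or a geoip match replaces the walk with a hash or binary search.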
 
09-13-2007, 03:36 PM   #2
unSpawn
It's an interesting exercise but 0) how is this Linux Security related or why would you want to do this, 1) you realise not all ranges are continuous and 2) what would be the performance drop for blocking say two continents of choice?
 
09-13-2007, 06:43 PM   #3
mlnutt
0) Blocking IPs via iptables is security related. One wants to do this to limit one's server's vulnerability to threats.

1) True. All ranges for a country or region are not contiguous. However, all blocks of ranges assigned are.

2) There are too many variables to answer this. cpu speed, number of cpus, memory, as well as the number of iptables chain rules. However it is not impracticable to block say the range of blocks for LACNIC and AFRINIC or on the other hand all blocks from say China, Taiwan and Korea. I have been doing the latter for a couple of years now.

I run a personal server for mail, www, etc. and I don't want to bother with worrying about all the probes, spam and attacks from Russia, Africa, etc. I wrote this utility for myself but have seen lots of people asking how to do these things when I search the web.
 
09-13-2007, 07:53 PM   #4
win32sux
What pros/cons are there to your method versus using the geoip match module?
 
09-14-2007, 12:22 PM   #5
mlnutt
I haven't used geoip. Hadn't heard of it until you mentioned it. It looks like it could be a superior solution, though a little less robust (not being able to match via a given registry, i.e., AFRINIC, etc.).

I haven't had a chance to look at the internal workings of geoip for iptables. It seems the most efficient way to do the work would be to have all the assigned IP blocks sorted (there are currently 94836 in GeoIPCountryWhois.csv) in a db and then use a binary search to find the block the target IP is in and see if the block's country code matches the code specified by the geoip/iptables rule. That would be very quick and slick compared to processing my long list of rules.

However, my method doesn't require patching the kernel (or iptables). Patching is something I am always hesitant to do, for obvious reasons. It would be great if iptables modules could be included in such a way that they could be loaded on demand. Perhaps they can; I don't know.

Have you had success with geoip/iptables? It looks like it is still a bit experimental.
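The lookup sketched in the post above, as an added example that is neither the geoip module's code nor the poster's. The table is a few constructed rows in the layout of the legacy GeoIPCountryWhois.csv (start IP, end IP, start integer, end integer, ISO code, country name); that layout is recalled from memory and is an assumption here, and the integer columns are recomputed rather than trusted. Blocks are sorted by start address and bisect finds the single candidate block for an address; an address falling in a gap between allocations, which is the non-contiguity point raised in reply #2, resolves to no country rather than to a neighbouring one.

```python
import bisect
import csv
import io
import ipaddress

# Constructed rows in the (assumed) legacy GeoIPCountryWhois.csv layout:
#   "start ip","end ip","start int","end int","ISO code","country name"
SAMPLE_CSV = """\
"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
"1.0.4.0","1.0.7.255","16778240","16779263","AU","Australia"
"1.11.0.0","1.11.255.255","17498112","17563647","KR","Korea, Republic of"
"1.34.0.0","1.35.255.255","19005440","19136511","TW","Taiwan"
"3.0.0.0","3.255.255.255","50331648","67108863","US","United States"
"41.0.0.0","41.255.255.255","687865856","704643071","ZA","South Africa"
"""


def load_blocks(text):
    """Return parallel lists (starts, ends, codes) sorted by start address.

    Allocations do not overlap, so a sorted list of start addresses is enough
    for a binary search to name the one block that could contain an address.
    The integer columns are ignored and recomputed from the dotted addresses.
    """
    rows = []
    for start, end, _sint, _eint, cc, _name in csv.reader(io.StringIO(text)):
        rows.append((int(ipaddress.IPv4Address(start)),
                     int(ipaddress.IPv4Address(end)), cc))
    rows.sort()
    return ([r[0] for r in rows], [r[1] for r in rows], [r[2] for r in rows])


def lookup_country(table, ip):
    """Binary-search the block containing ip; None if ip lies in a gap."""
    starts, ends, codes = table
    n = int(ipaddress.IPv4Address(ip))
    i = bisect.bisect_right(starts, n) - 1  # last block whose start <= ip
    if i >= 0 and n <= ends[i]:
        return codes[i]
    return None  # before the first block, or between two allocations


def should_drop(table, ip, blocked_codes):
    """The rule decision the post describes: drop if ip's country is listed."""
    return lookup_country(table, ip) in blocked_codes


if __name__ == "__main__":
    table = load_blocks(SAMPLE_CSV)
    for probe in ("1.0.2.77", "1.11.200.1", "2.0.0.1", "3.1.2.3"):
        print(probe, lookup_country(table, probe),
              should_drop(table, probe, {"CN", "TW", "KR"}))
```

With the 94836 rows the post mentions, each lookup touches about 17 table entries (log2 of the row count), independent of how many countries the rule names; that is the efficiency gap the post is pointing at when compared with walking one iptables rule per block.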
 
  

