Old 10-16-2008, 03:04 AM   #1
extasic
LQ Newbie
 
Registered: Oct 2008
Posts: 7

Rep: Reputation: 0
Use GeoIP database file with iptables


Hi,

My ssh server, mailserver, webserver and ftp server are being attacked from Vietnam, China, Russia and other countries just like them.

Because nobody should ever be allowed to log on from that location, I want to block those using iptables. First I only want to block the SSH port.

I got the following file that contains IP ranges of certain countries. I believe this really could work because all of the last attacking IPs were listed there.

I tried to use my rudimentary Bash knowledge to create a shell script to parse that file, but my first problem is that the IP addresses are in decimal format, just like "1346801663". How do I convert this to a "regular" IP?

My second question: how would you propose I get these values into iptables? What command can I use best?

Thank you in advance!
 
Old 10-16-2008, 04:14 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 377
Download this file (GeoIPCountryCSV.zip).

It's a CSV file which gives you both Internet standard and network formats.

Extract the standard format ranges you want using something like:
Code:
zcat GeoIPCountryCSV.zip | grep 'Vietnam\|China\|Russia' | \
awk -F',' '{print $1 $2}' | awk -F'\"\"' '{print $1 "-" $2}' | awk -F'\"' '{print $2}' > bad_ips.txt
Now you've got a bad_ips.txt file with all the ranges you want to block in it (one range per line).

Now create an iptables chain to use it in:
Code:
iptables -N BAD_IPS
Now use a for loop to stick the rules in the chain:
Code:
for i in `cat bad_ips.txt`; do iptables -A BAD_IPS -m iprange --src-range $i -j DROP; done
That loop might take a while to complete depending on your CPU and how many ranges are in the bad_ips.txt file.

Now you can send packets into that chain from wherever you want. Make sure you don't send packets in states RELATED or ESTABLISHED into that chain, or else you might run into performance issues. In other words, I suggest something like this:
Code:
iptables -P INPUT DROP

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -j BAD_IPS

iptables -A INPUT -p TCP --dport 22 -m state --state NEW -j ACCEPT

PS: Yes, I know the range extraction script I put together is really ugly (I suck at scripting).

But I can assure you it works because I tested it before posting.

Last edited by win32sux; 10-16-2008 at 04:50 AM.
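The decimal-to-dotted conversion asked about in the first post and win32sux's extract-then-loop procedure, as one added POSIX sh example that is not from the thread: it converts the CSV's decimal columns with shell arithmetic, looks up which listed range an address from the logs falls into, and emits the iprange rules for the BAD_IPS chain. The CSV lines are constructed samples in the GeoIPCountryWhois.csv layout; the script only prints rules and never calls iptables.

```shell
#!/bin/sh
# Added example (not from the thread): convert the GeoIP CSV's decimal
# addresses, check which country an address falls in, and emit the
# iprange rules for a BAD_IPS chain. Only prints rules; never runs iptables.

# Decimal (network-order integer) to dotted quad, pure shell arithmetic.
dec2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Dotted quad to decimal, so log entries can be compared with the ranges.
ip2dec() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Constructed sample lines in the GeoIPCountryWhois.csv layout
# ("start","end","start_dec","end_dec","CC","Country"); illustrative only.
SAMPLE_CSV='"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"80.70.128.0","80.70.143.255","1346797568","1346801663","RU","Russian Federation"
"203.160.0.0","203.160.255.255","3416260608","3416326143","VN","Vietnam"'

# Print the country code whose range covers address $1 (CSV on stdin),
# or nothing. Run this on the IPs from auth.log before blocking anything.
lookup_ip() {
    n=$(ip2dec "$1")
    tr -d '"' | while IFS=, read -r _s _e sdec edec cc _name; do
        if [ "$n" -ge "$sdec" ] && [ "$n" -le "$edec" ]; then
            echo "$cc"
            break
        fi
    done
}

# Emit one iptables iprange rule per CSV range whose country code is in
# the space-separated list $1, converting the decimal columns on the way.
gen_rules() {
    codes=" $1 "
    tr -d '"' | while IFS=, read -r _s _e sdec edec cc _name; do
        case "$codes" in
        *" $cc "*)
            echo "iptables -A BAD_IPS -m iprange --src-range $(dec2ip "$sdec")-$(dec2ip "$edec") -j DROP" ;;
        esac
    done
}

# Usage: review the output, then pipe it to sh as root after 'iptables -N BAD_IPS'.
printf '%s\n' "$SAMPLE_CSV" | gen_rules "RU VN"
```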
 
Old 10-16-2008, 12:53 PM   #3
mlnutt
Member
 
Registered: May 2006
Posts: 34

Rep: Reputation: 15
I've been working on a program to generate iptables scripts and/or startup files based on country and registry codes. The program works with csv files from "maxmind" and "software77" (both of which are updated monthly).

USAGE: ipfind (-r REGISTRY... | -c CODE... | -f DOTTED_QUAD...) [-m | -M] [-i] [-I[CHAIN_NAME]] [-pCHAIN_NAME ] [-nCHAIN_NAME] [-aACTION]] [-L] [-v]
-r, --registry filter using registry name
-c, --ctry filter using 2 character country codes
-f, --find find IP's range block
-m, --cidr print cidr instead of netmask (default)
-M, --netmask print netmask instead of cidr
-i, --iptables output iptables startup file format
-I, --iptables_cmd output iptables configuration script using CHAIN_NAME prefix
-p, --prior iptables configuration script prior chain name (default "INPUT")
-n, --next iptables configuration script next chain name (default "ACCEPT")
-a, --action iptables configuration script action (default "DROP")
-L, --nolog iptables configuration script no logging
--maxmind use the maxmind csv file (default)
--webnet77 use the webnet77 csv file
-v, --verbose display verbose output

EXAMPLE: ipfind -c CN TW KR -M
EXAMPLE: ipfind --webnet77 -r RIPE
EXAMPLE: ipfind -c US -IUSA
EXAMPLE: ipfind -f 207.69.188.171 -v
The script I currently use is:
Code:
#!/bin/bash

./ipfind -r AFRINIC LACNIC -c TW KR CN HK RU UA AE CZ JP LV PK PL ES PT -i -nMISC_CHAIN > iptables.startup
This script generates a file that only requires me to insert a few custom rules at the beginning and end (which I keep in a separate file for convenience).

The program is functional, though it is a work in progress at my leisure. There are features I still wish to implement and some of the code needs cleaning up. I use it monthly to regenerate my iptables script and am very happy with it. If there is some interest in this project I could post the code somewhere or deliver it to individuals. Note there are iptables modules that you can compile into the kernel to do this very same task. I chose not to use them as I don't want to recompile the kernel for these modules' updates. My iptables script contains about 23,500+ rules for dropping unwanted IPs. I don't notice any performance degradation.

The output is of this nature:
Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:AFRINIC_CHAIN - [0:0]
:AFRINIC_DROP - [0:0]
:LACNIC_CHAIN - [0:0]
:LACNIC_DROP - [0:0]
:TW_CHAIN - [0:0]
:TW_DROP - [0:0]
:KR_CHAIN - [0:0]
:KR_DROP - [0:0]
...snip...
-A AFRINIC_CHAIN -s 12.166.96.32/27 -j AFRINIC_DROP
-A AFRINIC_CHAIN -s 41.0.0.0/11 -j AFRINIC_DROP
-A AFRINIC_CHAIN -s 41.144.0.0/13 -j AFRINIC_DROP
...snip...
-A AFRINIC_CHAIN -j LACNIC_CHAIN
-A AFRINIC_DROP -j LOG --log-prefix "AFRINIC_DROP: " --log-level 3 --log-tcp-options --log-ip-options
-A AFRINIC_DROP -j DROP
-A LACNIC_CHAIN -s 4.18.32.72/29 -j LACNIC_DROP
-A LACNIC_CHAIN -s 4.18.66.0/23 -j LACNIC_DROP
...snip...
-A LACNIC_CHAIN -j TW_CHAIN
-A LACNIC_DROP -j LOG --log-prefix "LACNIC_DROP: " --log-level 3 --log-tcp-options --log-ip-options
-A LACNIC_DROP -j DROP
-A TW_CHAIN -s 58.86.0.0/16 -j TW_DROP
-A TW_CHAIN -s 58.99.0.0/17 -j TW_DROP
...snip...
-A TW_CHAIN -j KR_CHAIN
-A TW_DROP -j LOG --log-prefix "TW_DROP: " --log-level 3 --log-tcp-options --log-ip-options
-A TW_DROP -j DROP
-A KR_CHAIN -s 58.29.0.0/16 -j KR_DROP
-A KR_CHAIN -s 58.65.64.0/18 -j KR_DROP
...snip...
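How a generator like ipfind gets from a start-end range to the "-s a.b.c.d/N" rules in the output above, as an added POSIX sh example that is not mlnutt's code: the greedy range-to-CIDR split, and the per-country CHAIN/DROP pair in iptables-restore layout with the chain-to-chain jump. The ranges and the MISC_CHAIN "next" name are constructed/assumed inputs.

```shell
#!/bin/sh
# Added example (not ipfind): split a start-end range into aligned CIDR
# blocks and lay out one country's chains in iptables-restore format.

dec2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
ip2dec() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print the minimal CIDR blocks covering $1..$2 (dotted quads): each block
# is the largest power of two aligned at the current start that stays
# within the end; this is the classic greedy split.
range2cidr() {
    s=$(ip2dec "$1"); e=$(ip2dec "$2")
    while [ "$s" -le "$e" ]; do
        bits=0
        while [ "$bits" -lt 32 ]; do
            size=$(( 1 << (bits + 1) ))
            # stop growing when the block would be misaligned or overshoot
            if [ $(( s % size )) -ne 0 ] || [ $(( s + size - 1 )) -gt "$e" ]; then
                break
            fi
            bits=$(( bits + 1 ))
        done
        echo "$(dec2ip "$s")/$(( 32 - bits ))"
        s=$(( s + (1 << bits) ))
    done
}

# Emit the per-country pair: CC_CHAIN holds one -s rule per block and ends
# by jumping to $2 (the "next" chain); CC_DROP logs, then drops.
# Ranges arrive as "start end" pairs on stdin (constructed input here).
country_chains() {
    cc=$1; next=$2
    echo ":${cc}_CHAIN - [0:0]"
    echo ":${cc}_DROP - [0:0]"
    while read -r start end; do
        for block in $(range2cidr "$start" "$end"); do
            echo "-A ${cc}_CHAIN -s $block -j ${cc}_DROP"
        done
    done
    echo "-A ${cc}_CHAIN -j $next"
    echo "-A ${cc}_DROP -j LOG --log-prefix \"${cc}_DROP: \" --log-level 3 --log-tcp-options --log-ip-options"
    echo "-A ${cc}_DROP -j DROP"
}

# Constructed sample: one aligned /20 and one ragged range needing four blocks.
printf '80.70.128.0 80.70.143.255\n203.160.0.1 203.160.0.6\n' | country_chains RU MISC_CHAIN
```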