[Dshield] Blocking Offending Countries

jayjwa jayjwa at atr2.ath.cx
Thu Jun 30 05:54:20 GMT 2005

On Wed, 29 Jun 2005, Chris Brenton wrote:

-> > plus all of the slots in my iptables 
-> > listing for which I see packet and byte counts.
-> Just to bring this conversation back to a technical spin, here's a
-> little trick I use with iptables that might make life a bit easier for
-> you. I don't use iptables-save & iptables-restore, but rather load the
-> rules from a custom script. Here is my IP block filtering section:
-> # Banned IP addresses. The file BANNED must be in the current
-> # directory and each line is a single IP or CIDR block to ban.
-> iptables -N EVILBLOCKS
-> while read BANNED ; do
-> iptables -A FORWARD -i eth0 -s $BANNED -j EVILBLOCKS
-> done < BANNED
-> iptables -A EVILBLOCKS -s 0/0 -j LOG --log-prefix " BADGUY  "
-> iptables -A EVILBLOCKS -s 0/0 -m limit --limit 3/m -j REJECT
-> --reject-with icmp-host-unreachable
-> As mentioned above, the file BANNED must exist in the same directory as
-> this script unless you change the above to include a full path name. The
-> file BANNED includes one IP address specification per line, like
-> ''.
-> So when you load your rulebase the chain EVILBLOCKS gets created. The
-> forward rule sends all IP's listed in BANNED to this chain. Their
-> traffic is then logged with the prefix BADGUY and the transmitting host
-> gets back an ICMP host unreachable (this makes it appear that you have
-> no firewall and the host is just off-line). Rate limiting is used to
-> minimize the amount of ICMP traffic.

This is similar to the setup I use now. After trying several pre-made 
iptables scripts while learning iptables, I decided to try my own because 
the one I was using blocked some stuff that was actually needed.

How I implemented it was to make a script and call it 'firewall', which 
can be called with a number of parameters: up | down, save | load, list, 
ban, and some short aliases for those commands. It's started with the 'up' 
command, and loads its default rules into the INPUT table, which are rules 
to protect certain ports, drop/no log traffic to heavily probed ports like 
139 and 443, start ip forwarding, call sysctl -w on a few network 
parameters, and then creates the INSPECT table. This is growing list of IP 
blocks that are banned, some with the -m comment match to describe the 
reason for the rule in the first place if it wasn't evident. I used to use 
a seperate file to load blacklisted hosts from, but now just add on to 
that one table in the firewall script. Other than this section, this table 
also puts some other rules in place to watch traffic such as the PSD 
netfilter match, watches for unclean or invalid packets, and also some 
special rules like tarpitting people who scan for SSH servers on port 22. 
After the script runs it exits. Throughout the day, if I quickly need to 
block a host I can call 'firewall ban <ip number or netblock>' and it's 
instantly blocked and logged as created by the script. When I'm done, the 
firewall can be shutdown totally, at which time when used again it will go 
back to its default rules, or, before closing it down, I can call 
'firewall save' which is actually a call to 'iptables-save'. This writes 
all the accumulated rules to a pre-set file for use next time, so I can 
keep running totals of block places, if need be. 'firewall load' simply 
calls 'iptables-restore' with the saving file as a parameter. One of the 
last rules in the INSPECT tables is a rule that looks at all traffic not 
yet established or related and logs it with appropriate rate limiting. The 
end result is that I can account for every packet that enters.

Confidentiality Notice: This email may contain confidential
and privileged information. If in the event that it does,
please send it back to me with a reply telling me how
stupid I am for sending confidential info to a public forum.

More information about the list mailing list