IPTABLES question

Michael P. Brininstool mikepb at hoplite.org
Fri Jul 28 23:08:48 UTC 2006


HA!  I TOP-POSTED!!!!  So SHOOT ME!

>>>> I know that the preferred way of controlling access is to use 
>>>> whitelists, but for my case I'd like to use IP blacklisting.

>>> At some point it affects performance. There are some workarounds.
>>> What problem are you trying to solve? What causes you to block an IP?

>I second the suggestion about running SSHD on a different port. It's
>removed all my script kiddie attacks.   See /etc/ssh/sshd_config to enable.

Moving ssh to a different port seems to be the easiest way, but eventually
the scripts find the new port and start whacking it instead -- iptables
blocking is IMNSHO, a "better way" -- in that they can be logged -- useful
when you call in the feds.  (Of course honeypots are even better....)

This is what I have done to block over 2400 ip blocks with no performance
hit measurable.  Of course, I whitelist some very common blocks first, so
they avoid any delays, and most everyone else SHOULD be blocked so a delay I
care not about.  Snippets only...

-A INPUT -i eth1 -d MY.EXTERNAL.IP -j ext_in

-A ext_in -p tcp -m tcp --dport 22 -j sshblock

-A sshblock -s G.0.0.D/I.P.BLCK.1 -j ACCEPT
-A sshblock -s G.0.0.D/I.P.BLCK.2 -j ACCEPT
-A sshblock -s 0.0.0.0/192.0.0.0 -j sshblock0
-A sshblock -s 64.0.0.0/192.0.0.0 -j sshblock64
-A sshblock -s 128.0.0.0/192.0.0.0 -j sshblock128
-A sshblock -s 192.0.0.0/224.0.0.0 -j sshblock192
-A sshblock -s 224.0.0.0/224.0.0.0 -j sshdrop
-A sshblock -j ACCEPT

sshblock0 gets addresses in 0.0.0.0 through 63.255.255.255
sshblock64 gets addresses in 64.0.0.0 through 127.255.255.255
sshblock128 gets addresses in 128.0.0.0 through 191.255.255.255
sshblock192 gets addresses in 192.0.0.0 through 223.255.255.255
224.0.0.0 through 255.255.255.255 goes to sshdrop (which logs as
"DROPPED_SSH_PACKET " and drops)

To help performance even further, the SYN flag can be added to the check for
port 22 above, provided a "RELATED,ESTABLISHED" line exists in the same
chain.

I forgot the URL, but there is a site that has a database of IP block
assignments.  I periodically go to that site and download the blocks for
countries I NEVER want to receive email or ssh connections from, like CN,
KR, MY, VN, FR, TW, BR, etc, and add them to the sshblock and smtpblock
lists.

--
Michael





More information about the users mailing list