IPTABLES question

Michael P. Brininstool mikepb at hoplite.org
Fri Jul 28 23:08:48 UTC 2006


>>>> I know that the preferred way of controlling access is to use 
>>>> whitelists, but for my case I'd like to use IP blacklisting.

>>> At some point it affects performance. There are some workarounds.
>>> What problem are you trying to solve? What causes you to block an IP?

>I second the suggestion about running SSHD on a different port. It's
>removed all my script kiddie attacks.   See /etc/ssh/sshd_config to enable.

Moving ssh to a different port seems to be the easiest way, but eventually
the scripts find the new port and start whacking it instead -- iptables
blocking is, IMNSHO, a "better way", in that the attempts can be logged, which
is useful when you call in the feds.  (Of course honeypots are even better....)

This is what I have done to block over 2400 IP blocks with no measurable
performance hit.  Of course, I whitelist some very common blocks first, so
they avoid any delays, and almost everyone else SHOULD be blocked, so I don't
care about a delay for them.  Snippets only...

-A INPUT -i eth1 -d MY.EXTERNAL.IP -j ext_in

-A ext_in -p tcp -m tcp --dport 22 -j sshblock

-A sshblock -s G.0.0.D/I.P.BLCK.1 -j ACCEPT
-A sshblock -s G.0.0.D/I.P.BLCK.2 -j ACCEPT
-A sshblock -s -j sshblock0
-A sshblock -s -j sshblock64
-A sshblock -s -j sshblock128
-A sshblock -s -j sshblock192
-A sshblock -s -j sshdrop
-A sshblock -j ACCEPT

sshblock0 gets addresses in through
sshblock64 gets addresses in through
sshblock128 gets addresses in through
sshblock192 gets addresses in through through goes to sshdrop (which logs as
"DROPPED_SSH_PACKET " and drops)

To help performance even further, the SYN flag can be added to the check for
port 22 above, provided a "RELATED,ESTABLISHED" line exists in the same

I forgot the URL, but there is a site that has a database of IP block
assignments.  I periodically go to that site and download the blocks for
countries I NEVER want to receive email or ssh connections from, like CN,
KR, MY, VN, FR, TW, BR, etc, and add them to the sshblock and smtpblock
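The layout described above (whitelist first, dispatch by first octet into four sub-chains, a final log-and-drop chain, and the SYN-only check for port 22 behind a RELATED,ESTABLISHED rule), written out as a small generator script. This is an added example, not code from the original post: it emits an iptables-restore fragment you can load with `iptables-restore -n`. The chain names and the "DROPPED_SSH_PACKET " prefix follow the post; the interface, external address, /2 dispatch boundaries and the whitelist/blocklist entries are constructed placeholders, since the post does not spell out its ranges.

```shell
#!/bin/sh
# Added example, not code from the original post: emit an iptables-restore
# fragment that builds the whitelist-first, octet-split SSH blocklist layout
# described on the list.  Chain names (ext_in, sshblock, sshblock0/64/128/192,
# sshdrop) and the "DROPPED_SSH_PACKET " log prefix follow the post; the
# interface, the external address, the /2 dispatch boundaries and the
# whitelist/blocklist entries are constructed placeholders.

EXT_IF="eth1"          # assumed external interface
EXT_IP="192.0.2.10"    # assumed external address (RFC 5737 documentation range)

# Constructed sample data (RFC 5737, RFC 6598 and RFC 1918 ranges); in
# practice these would come from the country-block download the post mentions.
WHITELIST="198.51.100.0/24
192.0.2.0/24"
BLOCKLIST="203.0.113.0/24
10.0.0.0/8
100.64.0.0/10
172.16.0.0/12
233.252.0.0/24"

# Map a CIDR to its sub-chain by first octet.  The post names four chains but
# not their boundaries; this assumes the obvious /2 split:
#   0-63 -> sshblock0, 64-127 -> sshblock64, 128-191 -> sshblock128,
#   192-255 -> sshblock192.
subchain_for() {
    first=${1%%.*}
    case "$first" in
        ''|*[!0-9]*) echo "subchain_for: bad address '$1'" >&2; return 1 ;;
    esac
    if   [ "$first" -lt 64 ];  then echo sshblock0
    elif [ "$first" -lt 128 ]; then echo sshblock64
    elif [ "$first" -lt 192 ]; then echo sshblock128
    elif [ "$first" -le 255 ]; then echo sshblock192
    else echo "subchain_for: bad address '$1'" >&2; return 1
    fi
}

# Print the filter-table fragment.  Load with: iptables-restore -n < file
# (-n keeps the existing ruleset; re-running without a flush duplicates rules).
gen_rules() {
    echo '*filter'
    for c in ext_in sshblock sshblock0 sshblock64 sshblock128 sshblock192 sshdrop; do
        echo ":$c - [0:0]"
    done
    echo "-A INPUT -i $EXT_IF -d $EXT_IP -j ext_in"
    # Packets of already-accepted connections never reach the blocklist; only
    # new connections (SYN) to port 22 are classified, as the post suggests.
    echo '-A ext_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    echo '-A ext_in -p tcp --dport 22 --syn -j sshblock'
    # 1. Whitelist first, so trusted sources skip the long chains entirely.
    while read -r cidr; do
        [ -n "$cidr" ] || continue
        echo "-A sshblock -s $cidr -j ACCEPT"
    done <<EOF
$WHITELIST
EOF
    # 2. Dispatch by first octet so a packet walks only ~1/4 of the blocklist.
    echo '-A sshblock -s 0.0.0.0/2 -j sshblock0'
    echo '-A sshblock -s 64.0.0.0/2 -j sshblock64'
    echo '-A sshblock -s 128.0.0.0/2 -j sshblock128'
    echo '-A sshblock -s 192.0.0.0/2 -j sshblock192'
    # 3. Anything that falls off the end of a sub-chain is allowed.
    echo '-A sshblock -j ACCEPT'
    # 4. Blocklist entries, each placed in the sub-chain for its first octet.
    while read -r cidr; do
        [ -n "$cidr" ] || continue
        chain=$(subchain_for "$cidr") || return 1
        echo "-A $chain -s $cidr -j sshdrop"
    done <<EOF
$BLOCKLIST
EOF
    # 5. Log (rate-limited so a flood cannot fill the disk) and drop.
    echo '-A sshdrop -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "DROPPED_SSH_PACKET "'
    echo '-A sshdrop -j DROP'
    echo 'COMMIT'
}

gen_rules
```

Because the dispatch happens on a /2 before any blocklist rule is consulted, adding more entries grows only the sub-chain they land in; the same idea extends to a /3 or /4 split if the lists get much longer. The `--syn` match only makes sense with the RELATED,ESTABLISHED rule ahead of it, otherwise non-SYN segments of new connections would skip the check.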


