
Linux firewall – iptables 101c

By Dale Reagan | January 11, 2010

GEO Blocking network access – blocking specific IP blocks (GEO-blocking – do you really need those connections from Asia?)

CAVEAT: The flow of packets through your system is fairly complex – I am limiting this discussion and I encourage you to RTM as well as the tutorial referenced below…

There are a number of approaches to blocking network access to your Internet-connected server by country, and some of them are:

This post will focus on using iptables and touch on using a web application firewall (WAF) like mod_security for Apache.

NOTE: the approach taken in this post is to block ALL access from the listed addresses – it is also possible to block selected access, or the inverse, i.e. only allow specific/selected access such as http connections (port 80 is open.)

A few comments

In previous days it was common for OS vendors to include network and server security features but to deliver new products with all network access OPEN; thankfully, most current OS distributions are delivered with network services locked down. Sadly, the really bad news is that the knowledge and skill sets for managing servers and network services are being replaced with generic management tools, so it is becoming more likely that programmers/designers/others without real experience in configuring and managing network services at the server level are bringing systems online; new systems are supposed to be ready to go. We may not know how the server was built, who built it, when it was built, or what the patch-level is, but it has to be ok, right – since we can just download/install/use it?

As we move network services into the cloud and as virtual machines proliferate it becomes more likely that new levels of network/server/machine abuse will also proliferate. So, what can you do to reduce the chance of network/server abuse/hacking? Blocking access from known bad guys might be one component of your overall security posture (you do have a security plan/strategy, right?)

Suggested Steps

  1. identify your tool of choice – iptables in this instance
  2. build your list of bad guys OR your list of IPs to block
  3. decide whether to LOG, DROP or LOG & DROP connections
  4. use a control file (list of IPs to block) and a script to add the rules
  5. review your logs

In this case I will build a new filter chain called Block_ALL. I will append new IPs to the chain and the chain will be connected to the INPUT chain. What about the OUTPUT and FORWARD chains? [See the caveat above – I am limiting this discussion to inbound traffic.]

A sample script for blocking an entire sub-net:

#!/bin/bash
####
set -x
#### rule-set may vary if you have more than one NIC ###
ETH_WORLD=eth3  ### my NIC connected to 'the world'
### i.e. traffic to/from the Internet
###
### create a new chain called 'Block_ALL'
iptables -N Block_ALL
###
############
### Sample IP blocks from APNIC (Asia) IP space (2009)
### NOTE: iptables reads '-s A/B' as address/NETMASK, not as a range,
### so a start/end pair must use the iprange match
### ('-m iprange --src-range START-END'); a whole /8 could also be
### written as '-s 58.0.0.0/8'
#iptables -A Block_ALL -m iprange --src-range 58.0.0.0-58.255.255.255 -j DROP
### The IP block above would DROP connections from: Afghanistan, Australia,
#- Bangladesh, China, Hong Kong, India, Indonesia, Japan, Malaysia,
#- New Zealand, Pakistan, Philippines, Republic of Korea, Singapore, Taiwan,
#- Thailand, and Vietnam (based on relatively current 2009 IP info...)
###
#iptables -A Block_ALL -m iprange --src-range 221.166.0.0-221.166.255.255 -j DROP
### The IP block above affects connections from Hong Kong
############
### now we use '-A' to APPEND rules to the chain Block_ALL
### two entries PER IP range/address: one to LOG, one to DROP
### the section below could be enhanced with a loop that sets
### the values of START & END blocks; of course you can also
### manually create a list as shown in the sample above
IP_START_BLOCK=58.0.0.0
IP_END_BLOCK=58.255.255.255
RANGE=${IP_START_BLOCK}-${IP_END_BLOCK}
iptables -A Block_ALL -m iprange --src-range ${RANGE} -i ${ETH_WORLD} -j LOG
iptables -A Block_ALL -m iprange --src-range ${RANGE} -i ${ETH_WORLD} -j DROP
###
### packets that matched nothing above go back to the INPUT chain
iptables -A Block_ALL -j RETURN
###
##########
### Insert a jump to Block_ALL at the top of the INPUT chain
iptables -I INPUT -j Block_ALL

When I save the above as ‘block-all.txt’ and run it I see:

bash block-all.txt
+ ETH_WORLD=eth3
+ iptables -N Block_ALL
+ IP_START_BLOCK=58.0.0.0
+ IP_END_BLOCK=58.255.255.255
+ RANGE=58.0.0.0/58.255.255.255
+ iptables -A Block_ALL -s 58.0.0.0/58.255.255.255 -i eth3 -j LOG
+ iptables -A Block_ALL -s 58.0.0.0/58.255.255.255 -i eth3 -j DROP
+ iptables -A Block_ALL -j RETURN
+ iptables -I INPUT -j Block_ALL

Now if I review the new Block_ALL chain I see:

iptables -nL Block_ALL
##################################################################################################################
# Chain Block_ALL (1 references)                                                                                  #
#  pkts bytes target     prot opt in     out     source               destination                                 #
#     0     0 LOG        all  --  eth3   *       58.0.0.0/58.255.255.255  0.0.0.0/0           LOG flags 0 level 4 #
#     0     0 DROP       all  --  eth3   *       58.0.0.0/58.255.255.255  0.0.0.0/0                               #
#   437  131K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0                                   #
##################################################################################################################

You can build a list of IP addresses/Ranges to block based on:

  1. a review of public IP space information, e.g. from IANA.ORG
  2. a review of ‘bad activity’ on your server (Apache or other logs)
  3. any other source – that you trust…

Do you have to block the entire IP Range?

No – you can block a sub-net (e.g. 221.123.22.0 – 221.123.22.255):

IP_START_BLOCK=221.123.22.0
IP_END_BLOCK=221.123.22.255

Or block a single IP address:

IP_START_BLOCK=221.123.22.123
IP_END_BLOCK=221.123.22.123
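Step 4 of the suggested steps (a control file plus a script) and the script's own comment about a loop over START/END blocks can be put together as follows. This is an added example, not the post's script: it assumes eth3 as the Internet-facing NIC, accepts start-end ranges, CIDR blocks and single hosts (the three cases just shown) in one control file, uses a constructed sample file, and by default only prints the iptables commands (DRY_RUN=1) so the rule set can be reviewed before it is applied.

```shell
#!/bin/bash
# Added example (not the post's script): build Block_ALL from a control file.
# Control-file lines: "start-end", "a.b.c.d/nn" or a single address;
# '#' comments and blank lines are ignored.  DRY_RUN=1 prints the commands.
set -u
ETH_WORLD=${ETH_WORLD:-eth3}   # NIC facing the Internet (assumption)
DRY_RUN=${DRY_RUN:-1}
# run_ipt: execute (or, in dry-run mode, print) one iptables command
run_ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}
# rules_for_entry ENTRY: LOG then DROP rules for one control-file line.
# Ranges use the iprange match, which really covers start..end inclusive;
# "-s start/end" is parsed by iptables as address/netmask instead.
rules_for_entry() {
    case "$1" in
        *-*) match="-m iprange --src-range $1" ;;
        */*) match="-s $1" ;;
        *)   match="-s $1/32" ;;
    esac
    run_ipt -A Block_ALL $match -i "$ETH_WORLD" -j LOG --log-prefix "Block_ALL: "
    run_ipt -A Block_ALL $match -i "$ETH_WORLD" -j DROP
}
# build_block_chain FILE: (re)create the chain from FILE and hook it to INPUT.
# Flushing first makes re-runs after editing the control file safe.
build_block_chain() {
    run_ipt -N Block_ALL
    run_ipt -F Block_ALL
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -z "$line" ] && continue
        rules_for_entry "$line"
    done < "$1"
    run_ipt -A Block_ALL -j RETURN
    # Add the jump from INPUT only if it is not already there (-C = check)
    if [ "$DRY_RUN" = 1 ] || ! iptables -C INPUT -j Block_ALL 2>/dev/null; then
        run_ipt -I INPUT -j Block_ALL
    fi
}

# Constructed sample control file for a stand-alone dry run
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
58.0.0.0-58.255.255.255   # APNIC sample block from the post (2009 data)
221.123.22.0/24           # one sub-net
221.123.22.123            # one host
EOF
build_block_chain "$SAMPLE"
rm -f "$SAMPLE"
```

Run it as root with DRY_RUN=0 once the printed rules look right; the LOG prefix makes the blocked connections easy to find during the log review of step 5.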

What about Mod_Security IP Blocking?

You create rules to block an IP or an IP range – this requires editing configuration files unless you use custom or third-party tools. The rules are simple once you have configured mod_security's default behaviour (SecDefaultAction; the examples are for version 2.x of mod_security) – to block a single IP:

SecRule REMOTE_ADDR "^xx\.xx\.xx\.xx$" "id:1000001,phase:1,deny"

where you replace the ‘xx’ with the IP numbers (the pattern is a regular expression, so the dots are escaped and the match is anchored). To block a range, add a netmask to the address and use the @ipMatch operator instead of a regular expression:

SecRule REMOTE_ADDR "@ipMatch xx.xx.xx.0/24" "id:1000002,phase:1,deny"
SecRule REMOTE_ADDR "@ipMatch 221.123.22.0/24" "id:1000003,phase:1,deny"

The id numbers are arbitrary but must be unique; mod_security 2.7 and later refuse to load a rule without one.

BTW: Another option for Apache traffic blocking is to use mod_security AND mod_geoip. This may be somewhat simpler since it only involves installing the modules and making configuration changes in your Apache installation(s). The latest version of mod_security also provides ‘hooks’ for using mod_geoip so you could build rules using country designations and not worry about IP addresses – as stated below, do your own research to confirm that the data you use is and remains accurate…

After a year of log reviews I only block ~20+ IP sub-nets (~6000 IPs) along with ~2500 unique IPs.

Maintenance/Downsides to Geo-IP Blocking?


DISCLAIMER

