Use ipset and iptables to block traffic

Here’s how you can block traffic coming from a single IP address, a list of IP addresses, whole networks or even entire country blocks. I’m working on a Debian 7 x86 server, so adapt the commands to your distro of choice.

1 – Install ipset. For the command reference, check http://ipset.netfilter.org

2 – Set up your sets! Sets are basically lists: you can add single IP addresses or whole blocks of IP addresses to them. In this case I’m creating a set that holds entire blocks (x.x.x.x/yy form). If you need a set that holds individual IPs, use the hash:ip option.

(I should clarify that I have nothing against China as a country; I’m using this block mainly because my IDS logs show a great deal of traffic coming from Chinese networks.)

3 – Set up the rules in iptables. This is how I do it: I create a new chain called blocked_traffic, add a single rule that DROPs everything on that chain (so everything that ends up in that chain gets dropped), then add some JUMP rules to the INPUT chain so that everything matching my sets (created by ipset) automatically JUMPs to the blocked_traffic chain and disappears into the iptables black hole.

The reason I send them to another chain and then drop them is that you may want to do something with that traffic later: move it to another interface, redirect it to another server, or whatever you’d like. If you just want that traffic to go away and you’re not interested in doing anything with it, you could simply do iptables -A INPUT -m set --match-set china src -j DROP, but I like using extra chains as I may find a good use for that traffic at some point. Maybe redirect it to a honeypot? Who knows.

4 – Right now nothing is being blocked, as nothing matches the ipset rules; of course, we haven’t put any network addresses or IP addresses in there yet! Let’s add some spammers or port scanners to those lists…

5 – Saving the config. As of now you’re blocking traffic with those lists and everything works perfectly fine, but if you decide to reboot your server all those rules will be gone! ipset doesn’t save its config automatically, so you have to restore it yourself (much like iptables-restore). Another tricky part is that ipset needs to start and restore its config BEFORE iptables restores its own rules; otherwise iptables will fail to restore its config, because the rules that reference the sets (remember we added iptables rules dropping the sets) cannot be loaded until ipset has restored them. Just add the ipset restore command to whatever script you use to restore iptables, BUT put it before iptables-restore.
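Steps 2 to 5 as one script, added here as an example and not the post's original commands. It assumes the set name china and the chain name blocked_traffic used in the post, picks its own paths for the saved configs, and defaults to a dry run that prints each command instead of executing it.

```shell
# Added example, not the post's own commands: steps 2-5 as shell functions.
# Assumes the set is named "china" and the chain "blocked_traffic" (names from
# the post); the two file paths are my choice. DRY_RUN=1 (the default) prints
# each command instead of executing it; run as root with DRY_RUN=0 to apply.
: "${DRY_RUN:=1}"
SET_NAME="china"; CHAIN="blocked_traffic"
IPSET_CONF="/etc/ipset.conf"; IPTABLES_RULES="/etc/iptables.rules"

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 2: hash:net holds whole x.x.x.x/yy blocks (use hash:ip for single hosts).
create_set() { run ipset create "$SET_NAME" hash:net; }

# Step 4: populate the set; each argument is a CIDR block or a single address.
add_to_set() {
    for net in "$@"; do run ipset add "$SET_NAME" "$net"; done
}

# Step 3: a chain whose only rule drops, then a jump into it from INPUT for
# any packet whose source address is in the set (-I puts it before ACCEPT rules).
setup_chain() {
    run iptables -N "$CHAIN"
    run iptables -A "$CHAIN" -j DROP
    run iptables -I INPUT -m set --match-set "$SET_NAME" src -j "$CHAIN"
}

# Step 5: dump both configs so they survive a reboot.
save_config() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "ipset save > $IPSET_CONF; iptables-save > $IPTABLES_RULES"
    else
        ipset save > "$IPSET_CONF"; iptables-save > "$IPTABLES_RULES"
    fi
}

# Step 5: boot-time restore script. ipset MUST be restored first; otherwise
# iptables-restore rejects the rules that reference a set which does not exist yet.
write_restore_script() {
    printf '%s\n' '#!/bin/sh' \
        "ipset restore < $IPSET_CONF" \
        "iptables-restore < $IPTABLES_RULES"
}

create_set
add_to_set 203.0.113.0/24 198.51.100.7   # constructed sample values (TEST-NET ranges)
setup_chain
save_config
write_restore_script
```

Review the dry-run output first; with DRY_RUN=0 the same functions run the real ipset and iptables binaries.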

We’re done! Now you have multiple IP addresses and networks blocked on your server.

The only question left is: how do you know which IP block belongs to which country? You can check that, since it’s publicly available from the organization responsible for distributing those IP blocks; for example, at ftp://ftp.apnic.net/pub/stats/apnic/ you can find the ones for Asia-Pacific networks. Soon I’ll be writing another blog post on how to extract those addresses and use them in a script, so stay tuned.

Was this useful for you? contactme (a t) dr0u .co m

#block#china#debian#ipset#iptables#linux