	[x] Posted via EE Mobile
	Search, ask, and monitor your questions on the go with EE Mobile. Visit Experts Exchange from your mobile device and never be out of touch again.

Question

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

9.3

Using an effective iptables blacklist

Asked by forrie in IP Tables/IP Chains, Unix Networking

Tags: iptables linux security firewall

I've migrated my mail and web services from a FreeBSD/PF environment to Linux/iptables (CentOS 5.3).

Being relatively new to iptables, I sought a pre-configured setup to facilitate a quicker rollout - I found a script called "ipkungfu" (which is no longer being developed). This post is not about that script, so much as it is a question about how to utilize iptables effectively.

Along with my configuration I have a few tables of IPs (mostly /24's) from my PF configuration, tables of: abuse, spammers and geoip. The abuse table are IPs that I never, ever want touching any services on my system. Spammers, blocked from port 25. Geoip, is generally no access as well.

Iptables has three basic initial chains:

INPUT
FORWARD
OUTPUT

I set up a custom script that would do a for-next loop through the IPs and do something like this:

$iptables -I abuse -s $i -j DROP

I found this isn't working. I also found that loading large IP lists into iptables is painfully slow (it was lightning fast under FreeBSD/PF).

One particularly annoying host from netsync.net had been slamming my system repeatedly. The IP was in the DROP directive, but it was getting through anyway. This, I thought, was due to the fact that some of my services are FORWARDed to an internal host and thus perhaps bypassing something. I was able to block this host by issuing this command:

# iptables -A FORWARD -s 208.20.34.161 -j DROP
# iptables -A FORWARD -s 208.20.34.150 -j DROP

So my predicament is in correctly understanding how to effectively block these large lists of IPs. Some of them are BOTNETs some of them are /24's that are dynamic that have shown other patterns of abuse. Because my server is private, I don't need to be concerned about inadvertently blocking someone.

First, is there a more effective way to block these lists in iptables? Is there a more efficient way to load these large lists of IPs into the chain(s)? At this point, it actually causes my system boot time to lag significantly.

Where is the best place to block these IPs in the chains and why doesn't just blocking it in the INPUT chain work. Or did I configure the DROP incorrectly?

Thanks!

View the Solution FREE for 30 Days

         
             iptables -N abuse
 
        for i in `cat $dir/abuse | egrep -hv "^#|$^"`
        do
                $iptables -I abuse -s $i -j DROP
        done

20091111-EE-VQP-92 - Hierarchy / EE_QW_3_20080625

Hall of Fame

1. Blaz59,989
2. noci15,836
3. KeremE9,750
4. JFrederic...7,300
5. fosiul016,950
6. ahoffmann6,500
7. Qlemo6,475
8. stephenh...5,940
9. RBEIMS5,700
10. Nopius5,650
11. giltjr5,400
12. MiLLeNNiuM4,000
12. mrcustard4,000
14. arnold3,900
15. lrmoore3,625
16. ravenpl3,375
17. aamodt3,300
18. RobWill3,200
19. Multipath3,000
20. kyleb842,600
21. garycase2,500
22. amitnepal2,300
23. mwecom...2,075
24. Gns2,000
24. JDettman2,000
24. mikecr2,000
24. jar38172,000
24. elf_bin2,000
24. awking002,000
24. lherrou2,000
24. dons67182,000
24. workga2,000
24. pmessana2,000
24. asdlkf2,000
24. jfrady2,000
24. memo_tnt2,000
24. RPPreacher2,000
24. peterelvidge2,000
24. dpk_wal2,000
24. _jesper_2,000
24. michaelgo...2,000
24. colinvann2,000
24. mrjoltcola2,000
24. atlas_sh...2,000
24. CCI_IT2,000
24. niko862,000
24. alienvoice2,000
24. packetguy2,000
24. ai_ja_nai2,000
24. dainok2,000
24. techzter2,000
24. hathehariken2,000
24. SergKz2,000
24. drewha1...2,000
24. ludo_friend2,000
24. Goldsim2,000
24. martinew...2,000
24. Neilsr2,000
24. eoke2,000
24. koffu2,000
24. Armengar2,000
24. millscl2,000

1. Blaz67,389
2. ravenpl16,375
3. noci15,836
4. fosiul0112,450
5. KeremE10,750
6. Nopius8,400
7. JFrederic...7,300
8. ahoffmann6,500
9. Qlemo6,475
10. stephenh...5,940
11. arnold5,900
12. RBEIMS5,700
13. lrmoore5,625
14. giltjr5,400
15. shakoush...4,400
16. MiLLeNNiuM4,000
16. mrcustard4,000
18. aamodt3,300
19. RobWill3,200
20. Redimido3,000
20. Multipath3,000
22. kyleb842,600
23. garycase2,500
23. niko862,500
25. amitnepal2,300

Using an effective iptables blacklist

Asked by forrie in IP Tables/IP Chains, Unix Networking

Tags: iptables linux security firewall

About this solution