
How to use iptables to block certain HTTP request?

Is it possible to use iptables to block a certain HTTP request? There's an ongoing DDoS on my website, and the IPs keep changing every 20 minutes or so. All the bots seem to be making a similar HTTP request, e.g. "GET /?lolsup HTTP/1.1", so would it be possible to use iptables to block all HTTP requests that have "?lolsup" in them?

I do not believe there is a way to do that. However, one thing that you could do is limit the amount of connections per IP address (typically people only have 1 connection to your site). Here is an article about it:

http://www.cyberciti.biz/faq/iptables-connection-limits-howto/

Author

Commented:
Yes, I've tried that, but I get errors such as "iptables: Unknown error 4294967295"

Author

Commented:
Thing is, the firewall works fine. Just not the commands on that page. Every other command I've entered works.
What version/distro are you running?

Author

Commented:
CENTOS 5.2 i686
That's very strange. I haven't used CentOS, but it should be the same as everything else. Perhaps another expert will be able to fill in here and answer why iptables is returning that error. However, as to the original question, whether you can block HTTP requests for certain strings: it's not possible.

Sorry I couldn't be of more assistance with the iptables error.
A few days ago, when trying to stop a spamming attack on port 25 of a mail server, I ran across the connection limiting feature of iptables, tested it on my server and voila! it worked. I then applied it to the mail server and the "iptables: Unknown error 4294967295" error occurred! Why?
The problem seems to be on the side of the vendor: my test server was Red Hat Enterprise Linux 6.0 Beta version (just released), and it worked fine, but my mail server is running 4.x RHEL, which seems to have a bug in this feature of iptables.
I googled: the connlimit filter doesn't work in the 1.3.5 and 1.3.4 versions of iptables, possibly some others too, and it is a bug. I checked on one of my machines, RHEL 5.3, which is roughly equivalent to CentOS 5.2, and the version of iptables is 1.3.5.
Can you check your version with:
rpm -q iptables
I think it should be the same, and the problem might come down to this.

Anyway, where do you get these "GET" requests logged, in access.log/error.log of your httpd log? Can you post a few lines of log? It might be possible to parse the logs and change iptables in real time so as to block the DoS address... the script could be run as a cron job every few minutes, and block the attacking IP as it appears...

Author

Commented:
I got the logs from the Apache Status page on my cPanel WHM. It's fairly easy to find which IPs are involved with the DDoSing, so I just go there and find the IPs and ban them with iptables.

Isolating the IPs isn't a problem; I already have a script in place that counts the number of website hits per IP, and if it's over 350 (350+ is highly unusual for my website, because it's almost fully made in ajax and javascript, so there's no need to keep reloading the main website) then it adds it to a text file and htaccess bans it so it doesn't use up bandwidth.

How would I go about making a script that fetches the IPs from that text file and bans them? Would a perl script work?
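The log-parsing step suggested earlier in the thread (count hits per IP, pick out the ones sending the "?lolsup" request, write them to a text file for a ban script to consume) as an added example; this is not code posted by anyone in the thread. It assumes Apache's "combined" access-log format, constructs its own sample log lines, and uses the 350-hit cut-off the asker already applies; the secondary pattern threshold of 20 is an assumed value.

```python
"""Added example: find the IPs behind the "?lolsup" flood from Apache access-log
lines and produce the list a ban script consumes.

Assumptions (none of this comes from the thread's own code): the log is in
Apache's "combined" format, the sample lines below are constructed, and the
350-hit cut-off is the one the asker already uses.
"""
import ipaddress
import re
from collections import Counter

# Apache combined format: ip ident user [timestamp] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse or the
    client field is not a valid IP (so junk never reaches an iptables command)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["ip"])
    except ValueError:
        return None
    return rec


def count_hits(lines, pattern="?lolsup"):
    """Count total requests per IP and requests whose request line contains pattern."""
    total, matched = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines instead of aborting the cron run
        total[rec["ip"]] += 1
        if pattern in rec["request"]:
            matched[rec["ip"]] += 1
    return total, matched


def offenders(lines, threshold=350, pattern="?lolsup", pattern_threshold=20):
    """IPs that exceed the per-IP hit threshold, plus IPs sending the bot
    request at least pattern_threshold times even if their total is low."""
    total, matched = count_hits(lines, pattern)
    bad = {ip for ip, n in total.items() if n > threshold}
    bad |= {ip for ip, n in matched.items() if n >= pattern_threshold}
    return sorted(bad)


def merge_new(ips, already_banned):
    """Only the addresses not yet in the file, so iptables gets no duplicate rules."""
    return [ip for ip in ips if ip not in already_banned]


def ban_commands(ips):
    """The iptables rules a ban script would run, one per address."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]


def update_addresses_file(path, lines):
    """Append new offenders found in `lines` to the addresses file and return them."""
    try:
        with open(path) as fh:
            banned = {ln.strip() for ln in fh if ln.strip()}
    except FileNotFoundError:
        banned = set()
    new = merge_new(offenders(lines), banned)
    with open(path, "a") as fh:
        fh.writelines(ip + "\n" for ip in new)
    return new


def _line(ip, request):
    # Constructed log line in Apache combined format.
    return f'{ip} - - [10/Jun/2010:12:00:00 +0000] "{request}" 200 512 "-" "Mozilla/5.0"'


# Constructed sample: two bots (one loud, one quiet), one normal visitor, one junk line.
SAMPLE_LOG = (
    [_line("10.0.0.5", "GET /?lolsup HTTP/1.1")] * 400
    + [_line("10.0.0.6", "GET /?lolsup HTTP/1.1")] * 30
    + [_line("192.0.2.10", "GET /index.php HTTP/1.1")] * 3
    + [_line("192.0.2.10", "GET /ajax/data.php HTTP/1.1")] * 2
    + ["this line is not an apache log entry"]
)

if __name__ == "__main__":
    for cmd in ban_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

Run from cron against the real access log, `update_addresses_file("addresses", open("/path/to/access_log"))` appends only addresses not already listed, which is the duplicate-rule problem the bash ban script later in the thread leaves to the reader; validating the client field as an IP before it is ever placed in a command line keeps a malformed log entry from turning into stray iptables arguments.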
Top Expert 2010

Commented:
Hi, you could stick the following in a httpd.conf or .htaccess file, to ban any non Error page request with a CGI parameter of ?lolsup:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^lolsup
RewriteRule !^[/]*error/ - [F]
Top Expert 2010

Commented:
Spotted your other question [Q_26255294.html], in which case you could combine the two e.g.

RewriteEngine On
RewriteCond %{QUERY_STRING} ^lolsup
RewriteRule .*  /ban_the_ip.php?IP=%{REMOTE_ADDR} [L]
Hi, I made this really simple script. Suppose you have extracted the IPs to be banned into a file called addresses, one line per IP address. This script will add those to the INPUT chain to be dropped; I checked it and it works fine on my RHEL 5.3 distribution. All you have to do is remove duplicate IP addresses from iptables, if they occur... but once you ban a specific IP address it will not show again in your logs. So this is the script:


#!/bin/bash
# Read one IP per line from the file "addresses" and drop all traffic from each.
# Blank lines and lines starting with # are skipped, and the address is quoted
# so a malformed line cannot be split into extra iptables arguments.
while read -r line
do
    [ -z "$line" ] && continue
    case "$line" in '#'*) continue ;; esac
    echo "$line"
    iptables -A INPUT -s "$line" -j DROP
done < "addresses"
# Save the rule set once after the loop rather than once per address.
service iptables save