So far, I've found:
- http://www.cyberciti.biz/faq/iptables-read-and-block-ips-subnets-from-text-file/
- http://www.parkansky.com/china.htm
- http://www.webhostingtalk.com/showthread.php?t=1146401 (and http://www.jsimmons.co.uk/2010/06/08/using-ipset-with-iptables-in-ubuntu-lts-1004-to-block-large-ip-ranges/)
- I could possibly use tcpwrappers as well, but I'm not sure tcpwrappers can handle the amount of ranges I want to block.
Solution #1 seems a bit too hackish. As well, the server may take a performance hit if I decide to drop more than one region (China's netranges are broad enough as it is).
Solution #2 might not be so bad, as it leverages the htaccess function. I've no idea how performance-intensive this method is, but it may be worth looking into. A con is that I also run a mail server...this method won't work for mail.
Solution #3 looks good. This method uses iptables and ipset. Ipset lessens the performance hit when blocking thousands of IPs.
So, before hitting the bed, I decided to give solution #3 a shot. I immediately found that the tutorial is out-of-date (it caters to Ubuntu 10.04...I'm using 12.04). I'm attempting to work through it by leveraging the manual pages and 'ipset info', but I'm running into kernel errors such as:
```
root@li7-220:~# ipset create feckoff hash:ip
ipset v6.11: Kernel error received: Invalid argument
```
I do not have full control over my host (it is running on a Linode, and the modules are locked down). I may not be able to use this, but I'll continue to investigate.
EDIT: Well, I'll be damned! I got the command to take. I had to select a more current kernel to boot up (I was using a deprecated Linode kernel). I guess I should check that more often. I'll continue this exercise tomorrow...I just have to ensure I've bookmarked all my reference sites.
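To make solution #3 concrete, here is an added example (not from the post or the linked tutorials) of how the set would be built: a POSIX shell script that turns a CIDR list into an `ipset restore` file using a `hash:net` set (the post's `hash:ip` type stores single addresses and expands a range into one entry per host, which is what makes thousands of broad netranges costly) and prints the single iptables rule that references the set. The set name `feckoff` is from the post; the sample ranges, hash size and file layout are assumptions.

```shell
#!/bin/sh
# Build an ipset "restore" file from a CIDR list and print the iptables rule
# that drops inbound traffic from the set. Added example; only the set name
# comes from the post, everything else is an assumption.

SET_NAME="feckoff"

# Constructed sample block list (RFC 5737 documentation prefixes, not real
# country ranges). A real list would be the country CIDR file the linked
# tutorials download. Includes a comment, a blank line and a bad entry.
SAMPLE_LIST="# example ranges
192.0.2.0/24
198.51.100.0/24

not-a-cidr
203.0.113.0/24
"

# Keep only lines that look like IPv4 prefixes; drop comments, blanks and
# malformed entries so one bad line cannot abort the whole 'ipset restore'.
filter_cidrs() {
    grep -E '^[[:space:]]*([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?[[:space:]]*$' \
        | tr -d '[:blank:]'
}

# Emit an ipset restore script: hash:net keeps each CIDR as one entry, and
# restore loads the whole list in one pass instead of one 'ipset add' each.
build_restore() {
    echo "create $SET_NAME hash:net family inet hashsize 4096 maxelem 65536"
    filter_cidrs | while read -r cidr; do
        echo "add $SET_NAME $cidr"
    done
}

# One iptables rule covers the entire set, however many ranges it holds.
drop_rule() {
    echo "iptables -I INPUT -m set --match-set $SET_NAME src -j DROP"
}

# Number of ranges that survived filtering (used to sanity-check a list).
count_entries() {
    printf '%s\n' "$SAMPLE_LIST" | build_restore | grep -c '^add '
}

# On the host (root, and a kernel that provides the ip_set_hash_net module):
#   printf '%s\n' "$SAMPLE_LIST" | build_restore | ipset -exist restore
#   $(drop_rule)
```

`ipset -exist restore` makes a re-run idempotent, and `ipset list feckoff` shows the loaded ranges before the DROP rule is inserted.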