Tuesday, February 12, 2013

Iptables and Blocking by Region

I'm tired of seeing certain network ranges always peppering my Linux server, so I'm going to experiment with blocking by region.  I've seen several hints/tips, but I want to do this without the server taking too much of a hit.  Note that I'm mainly concerned with traffic that I typically allow, such as port 80.  I could block via Apache, which may well work, but I also want to investigate using iptables.

So far, I've found:

  1. http://www.cyberciti.biz/faq/iptables-read-and-block-ips-subnets-from-text-file/
  2. http://www.parkansky.com/china.htm
  3. http://www.webhostingtalk.com/showthread.php?t=1146401 (and http://www.jsimmons.co.uk/2010/06/08/using-ipset-with-iptables-in-ubuntu-lts-1004-to-block-large-ip-ranges/)
  4. I could possibly use TCP Wrappers as well, but I'm not sure TCP Wrappers can handle the number of ranges I want to block.

Solution #1 seems a bit too hackish.  As well, the server may take a performance hit if I decide to drop more than one region (China's net ranges are broad enough as it is).

Solution #2 might not be so bad, as it leverages the .htaccess mechanism.  I've no idea how performance-intensive this method is, but it may be worth looking into.  A con is that I also run a mail server...this method won't work for mail.

Solution #3 looks good.  This method uses iptables and ipset.  Ipset lessens the performance hit when blocking thousands of IPs.
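The following is an added example of the ipset-plus-iptables approach; it is not code from the post or from the linked tutorials, and the set name "blocked_regions", the port list "80,25" and the sample range list are my own assumptions.  It turns a plain list of CIDR ranges (one per line, the way country range files are distributed) into an `ipset restore` script, which loads thousands of entries in one batch instead of forking one `ipset add` per range, and then installs a single iptables rule that consults the set only for the ports the post cares about.  The set type is `hash:net` rather than `hash:ip`: each entry is a whole prefix, whereas `hash:ip` expands a prefix into individual addresses and blows through the default maxelem as soon as a /8 shows up.  `iptables -C` (used to keep re-runs idempotent) needs iptables 1.4.11 or newer.

```shell
#!/bin/sh
# Added example, not code from the original post or the linked tutorials.
# Builds an `ipset restore` script from a CIDR list, emits the iptables rule
# that consults the set, and applies both.  Hypothetical names: the set is
# "blocked_regions"; the range list below is a constructed sample.

# Constructed sample input: comments, a blank line and one duplicate, to show
# that the builder tolerates the junk found in real range files.
SAMPLE_RANGES='# TEST-NET ranges (constructed sample, not a real country list)
192.0.2.0/24
198.51.100.0/24

203.0.113.0/24   # trailing comment
198.51.100.0/24
203.0.113.7
'

# Read ranges on stdin, print an `ipset restore` script on stdout.
# hash:net, not hash:ip: each entry is a whole prefix, so a /8 costs one
# hash entry instead of being expanded to 16 million addresses.
# hashsize is only the initial bucket count; ipset grows it automatically.
build_ipset_restore() {
    printf 'create %s hash:net family inet hashsize 4096 maxelem 65536\n' "$1"
    sed -e 's/#.*$//' -e 's/[[:space:]]//g' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
        sort -u |
        while IFS= read -r net; do
            printf 'add %s %s\n' "$1" "$net"
        done
}

# Rule specification shared by the check (-C) and the insert (-I): match the
# source address against the set, but only for the listed TCP ports, so the
# set lookup never runs for traffic we do not care about.
rule_spec() {
    printf '%s' "-p tcp -m multiport --dports $2 -m set --match-set $1 src -j DROP"
}

# Cheap preflight: any ipset netlink call fails on a kernel whose ip_set
# support does not match the userspace tool (the post's "Kernel error").
check_ipset_support() {
    ipset list >/dev/null 2>&1
}

# Load the set in one `ipset restore` batch and add the rule only if it is not
# already present.  Needs root and a kernel with ip_set/xt_set; safe to re-run.
apply_blocklist() {
    setname=$1 rangefile=$2 ports=$3
    check_ipset_support || { echo "ipset cannot talk to this kernel" >&2; return 1; }
    build_ipset_restore "$setname" < "$rangefile" | ipset -exist restore
    iptables -C INPUT $(rule_spec "$setname" "$ports") 2>/dev/null ||
        iptables -I INPUT 1 $(rule_spec "$setname" "$ports")
}

# Usage (as root): sh block_regions.sh blocked_regions /etc/ipset/cn.zone 80,25
# With no arguments, just print the restore script and rule for the sample.
if [ "$#" -eq 3 ]; then
    apply_blocklist "$1" "$2" "$3"
else
    printf '%s' "$SAMPLE_RANGES" | build_ipset_restore blocked_regions
    rule_spec blocked_regions 80,25; echo
fi
```

Run it without arguments to see the generated restore script before touching the kernel; the `create` line comes first so the file loads cleanly on a fresh boot, and `ipset -exist restore` tolerates a set that already exists, which is what you want from a script that runs on every reboot before the iptables rule is installed.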

So, before going to bed, I decided to give solution #3 a shot.  I immediately found that the tutorial is out of date (it caters to Ubuntu 10.04...I'm using 12.04).  I'm attempting to work through it by leveraging the manual pages and 'ipset info', but I'm running into kernel errors such as:

root@li7-220:~# ipset create feckoff hash:ip
ipset v6.11: Kernel error received: Invalid argument

I do not have full control over my host (it is running on a Linode, and the modules are locked down).  I may not be able to use this, but I'll continue to investigate.

EDIT:  Well, I'll be damned!  I got the command to take.  I had to select a more current kernel to boot up (I was using a deprecated Linode kernel).  I guess I should check that more often.  I'll continue this exercise tomorrow...I just have to ensure I've bookmarked all my reference sites.
