Linux IPTables it is then!

I'm being plagued by scripting bots hammering the living shoite out of my mail server at the moment so it's time to nail the firewall a bit. This will work on a server or workstation but it's all command-line iptables stuff - not TOO scary!

As this is a kernel function you may have to dig around a bit to get it working, especially if you have an older distro than the one I'm using (Ubuntu 12.04.1) with all updates done.

First check that iptables, xtables-addons-common and module-assistant are installed.

Code:

If anything is already installed it won't do any harm, it will just report that it is already the latest version. The xtables-addons allow linking iptables to GeoIP, which is a geographical location database.

If you don't see references to the kernel source headers being installed then follow up with this.

Code:

Now, create a directory for the geolocation database, change to the xtables-addons directory and download the free Maxmind GeoIP files. This database is around 98% accurate and updated monthly.

Code:

The database needs to be extracted into a usable format so install the following module:

Code:

Run the extraction process to create all the dependent files in /usr/share/xt_geoip, these cover both IPv4 and IPv6 so you should see two new directories created (BE and LE) with files like the sample below:

Code:

Code:

Finally, add the following rules to iptables:

Code:

In Rule 1 you should substitute the country codes for those countries you want to accept connections from. The codes can be obtained from here - ISO 3166 Country Codes « Maxmind Developer Site

In Rule 2 you should substitute your own network number in CIDR format.

Now you sit back and let the packets drop like flies :)
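As an added illustration of the two rules described in the post (this is not the poster's own code), the script below generates a reviewable iptables ruleset for the ports the thread is concerned with: the admin's own network is always admitted, the listed countries are admitted via the xt_geoip match, and everything else on those ports is logged and dropped. It assumes the xt_geoip module and its /usr/share/xt_geoip database have been built as described above; the country list and CIDR are constructed placeholders, and the chain name GEOFILTER is an assumption.

```shell
#!/bin/sh
# Emit (rather than run) the iptables commands so they can be reviewed first;
# pipe the output into sh as root to apply them.
set -u

# Country list must be ISO 3166 alpha-2 codes, comma separated (e.g. GB,IE),
# which is the format the xt_geoip --src-cc option expects.
valid_cc_list() {
    printf '%s' "$1" | grep -Eq '^[A-Z]{2}(,[A-Z]{2})*$'
}

# Rough IPv4 CIDR sanity check: dotted quad plus a /0-32 prefix.
valid_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# geoip_rules ALLOWED_CC_LIST OWN_NET [PORTS]
# Rule order matters: established traffic and the admin network are accepted
# before the country match, so a stale GeoIP database cannot lock you out.
geoip_rules() {
    cc="$1"; mynet="$2"; ports="${3:-25,80}"
    valid_cc_list "$cc"  || { echo "bad country list: $cc" >&2; return 1; }
    valid_cidr "$mynet"  || { echo "bad CIDR: $mynet" >&2; return 1; }
    cat <<EOF
iptables -N GEOFILTER
iptables -A INPUT -p tcp -m multiport --dports $ports -j GEOFILTER
iptables -A GEOFILTER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A GEOFILTER -s $mynet -j ACCEPT
iptables -A GEOFILTER -m geoip --src-cc $cc -j ACCEPT
iptables -A GEOFILTER -m limit --limit 5/min -j LOG --log-prefix "geoip-drop: "
iptables -A GEOFILTER -j DROP
EOF
}

# Only generate rules when called with arguments (constructed usage:
#   sh geoip-rules.sh GB,IE 192.0.2.0/24 | sh).
if [ $# -ge 2 ]; then
    geoip_rules "$@"
fi
```

The rate-limited LOG line is there so the drops show up in the kernel log for later review without flooding it.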
 
This would only help to drop every single user from a given country if the following are true:

They're not using a proxy or a TOR relay
Their router/IP address is characteristic of their location (most cell phone users don't show where they really are. For instance, in America cell phone users appear to be from vastly different places than they actually are).
Every person from that country is actually someone you wish to drop.

The problem is that if they use a proxy/TOR relay, or their IP isn't really indicative of whether they are in the country you wish to block (not all spammers are in a given country list), or there are legitimate users in those countries, you are going to block people that you do not want to, or allow people that you do not want to to still be able to connect.

I find a very easy alternative to draconian IPTables or IPChains rules is to use DNS Block Lists. They work at the DNS level and with a bit of savvy configuration can be automatically fed into your firewall. Properly done spammers cannot contact you and your users cannot contact spammers. It works both ways to protect your network, both in and out.

Try it out if you feel experimentative. I had loads of fun when I first used this.
 

While what you say is true, what most of these bots are doing is hammering away trying to get through the security on ports 25 and 80. Many don't have a DNS entry and more processing power is taken blocking them at application level. It's easier to shoot them at the firewall.

No system is perfect though so, as you suggest, it won't help with Tor or proxies. Nor will geolocation software necessarily pin everyone down as it's their Point of Presence (POP) that gets returned rather than their actual location.

IPtables gets rid of quite a few though and helps avoid dozens of e-mails per day from fail2ban.

I confess that using DNS (or rDNS) in firewall rules hadn't occurred to me, so I'll be taking a look :)
 