Or use portsentry. If you need any help with how to do it, tell me.

On Tue, 25 Jan 2005 12:56:15 -0500, Deron Meranda <deron.meranda@xxxxxxxxx> wrote:
> > I'm thinking of setting up a rule in Iptables to point to a
> > file which I can easily add the IP addresses that I need
> > to block. Is this possible and what would be the syntax?
>
> If you really want to set up something so you can block a large number
> of IP addresses and you have the patience to keep up, yes you could
> set up some simple scripts to help you automate the iptables config.
>
> Note though that you'll probably want to structure iptables with several
> chains to help reduce the inefficiency caused by a large number of
> rules. For example, you might want a separate chain for each of the
> possible 256 first-octets. This should get you started and give you some
> ideas (it can be improved upon too).
>
> iptables -N web_block_1
> iptables -N web_block_2
> ...
> iptables -N web_block_255
>
> Then create a chain just to dispatch these (so non-web traffic
> doesn't have to go through all these rule checks),
>
> iptables -N web_block
>
> Then link it into your input chain too,
>
> iptables -I INPUT -i eth0 -m tcp -p tcp --dport 80 -j web_block
> iptables -I INPUT -i eth0 -m tcp -p tcp --dport 443 -j web_block
>
> Finally in your web_block chain dispatch for each octet,
>
> iptables -A web_block -s 1.0.0.0/8 -j web_block_1
> iptables -A web_block -s 2.0.0.0/8 -j web_block_2
> ...
> iptables -A web_block -s 255.0.0.0/8 -j web_block_255
>
> Then you'd add specific IP addresses (or netblocks), as
>
> iptables -A web_block_192 -s 192.168.1.1 -j REJECT
>
> Also if your script updates, be sure to also run iptables-save
> so your entries survive reboot.
>
> Keep in mind though that iptables blocking is the *harsh*
> way to do this. Less drastic would be to 1. ignore the logs,
> 2. reduce the logging level, 3. look at Apache's Deny
> directive.
> --
> Deron Meranda
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
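As an added example (not code from either poster), here is a POSIX shell script that builds the per-first-octet chain layout described in the quoted reply and answers the original question of loading blocked addresses from a plain file. Chain names (`web_block`, `web_block_1` .. `web_block_255`), the `eth0` interface and ports 80/443 are taken from the quoted post; the blocklist file format (one IPv4 address or CIDR netblock per line, `#` comments allowed), the `IPT` variable and the helper names are assumptions of this example. By default it only prints the `iptables` commands it would run, so it can be reviewed before being applied as root with `IPT=iptables`.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the per-first-octet
# chain layout from the quoted post and loads REJECT rules from a blocklist
# file. IPT defaults to a dry run that prints each command; set IPT=iptables
# (as root) to apply them, then run iptables-save so they survive a reboot.

IPT="${IPT:-echo iptables}"

# Map an IPv4 address or CIDR netblock to its per-octet chain,
# e.g. 192.168.1.1 -> web_block_192. Fails (prints nothing) on bad input.
chain_for() {
    first=$(printf '%s\n' "$1" | sed -n \
        's#^\([0-9]\{1,3\}\)\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\(/[0-9]\{1,2\}\)*$#\1#p')
    [ -n "$first" ] || return 1
    [ "$first" -ge 1 ] && [ "$first" -le 255 ] || return 1
    printf 'web_block_%s\n' "$first"
}

# Create the dispatch layout once: one chain per first octet, a web_block
# chain dispatching on /8, and hooks on the web ports of the INPUT chain.
setup_chains() {
    $IPT -N web_block
    i=1
    while [ "$i" -le 255 ]; do
        $IPT -N "web_block_$i"
        $IPT -A web_block -s "$i.0.0.0/8" -j "web_block_$i"
        i=$((i + 1))
    done
    for port in 80 443; do
        $IPT -I INPUT -i eth0 -p tcp -m tcp --dport "$port" -j web_block
    done
}

# Read a blocklist file and append a REJECT rule in the matching chain for
# each valid entry; invalid lines are reported and skipped. The number of
# rules added is left in RULES_ADDED.
load_blocklist() {
    RULES_ADDED=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                       # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -n "$entry" ] || continue
        if chain=$(chain_for "$entry"); then
            $IPT -A "$chain" -s "$entry" -j REJECT
            RULES_ADDED=$((RULES_ADDED + 1))
        else
            echo "skipping invalid blocklist entry: $entry" >&2
        fi
    done < "$1"
}

# Demo with a constructed blocklist (sample values, not real blocked hosts).
BLOCKLIST=$(mktemp)
cat > "$BLOCKLIST" <<'EOF'
# constructed sample entries
192.168.1.1
10.0.0.0/8
not-an-address
203.0.113.7   # trailing comment is ignored
EOF
load_blocklist "$BLOCKLIST"
echo "rules added: $RULES_ADDED"
rm -f "$BLOCKLIST"
```

Run `setup_chains` once after the firewall comes up, then re-run `load_blocklist` whenever the file changes. Because every entry lands in the chain for its first octet, a packet from 203.0.113.7 only traverses the rules in `web_block_203` rather than the whole list, which is the point of the layout in the quoted post.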