On 03/27/2014 08:36 PM, Eric Wieling wrote:
> I have an iptables file which blocks all traffic except traffic from networks
> allocated by ARIN or that are legacy networks. I pulled the information from
> http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml
>
> My iptables script can be found at the link below.
>
> http://help.nyigc.net/tmp/iptables_geoblock
>
> It might be helpful to someone.

Below is my solution. I specifically block China, Korea and Palestine.
That already massively reduced the number of attacks. I can't block as
much as you because I do allow unregistered inbound SIP calls to
sip:ste...@home.mylastname.net. CN, KR and PS are currently the only
attack origins from where I wouldn't expect legit inbound traffic.

Here's my script (it pulls data from ipdeny.com). The script is called from
my primary iptables script after flushing and before my specific ruleset,
and it runs on my perimeter firewall.

WARNING: That's about 5000 networks to stuff into the tables! My firewall is
a Phenom 8650 3-core machine and it takes about 8.5 minutes to stuff all
the rules into the kernel!

#!/bin/bash

IPTABLES="/sbin/iptables"
ANY="0.0.0.0/0"
BLOCKDIR="blocklist.d"

if ! test -d "${BLOCKDIR}"; then
  mkdir "${BLOCKDIR}"
fi

DATE=$(date)

echo "Country blocking rules..."
echo "Downloading rules..."

# -f makes curl exit non-zero on an HTTP error instead of saving the error
# page as a zone file; without it the "|| echo" warning never fires on a 404
# and the HTML ends up being fed to iptables line by line.
curl -sf http://www.ipdeny.com/ipblocks/data/countries/cn.zone -o "${BLOCKDIR}/cn.zone" || echo "Warning: Couldn't download CN zone"
curl -sf http://www.ipdeny.com/ipblocks/data/countries/kr.zone -o "${BLOCKDIR}/kr.zone" || echo "Warning: Couldn't download KR zone"
curl -sf http://www.ipdeny.com/ipblocks/data/countries/ps.zone -o "${BLOCKDIR}/ps.zone" || echo "Warning: Couldn't download PS zone"

echo "Done downloading. Setting rules..."

# One zone file per country, one CIDR network per line.
for FILE in "${BLOCKDIR}"/*zone; do
    for ADDRESS in $(cat "${FILE}"); do
        echo "Blocking network: ${ADDRESS}..."
        # LOG has to be appended before DROP: a packet that matches DROP is
        # gone and never reaches the next rule, so LOG-after-DROP logs nothing.
        $IPTABLES -A INPUT -s "${ADDRESS}" -d "$ANY" -j LOG --log-prefix "Packet log: COUNTRY DROP "
        $IPTABLES -A INPUT -s "${ADDRESS}" -d "$ANY" -j DROP
        $IPTABLES -A FORWARD -s "${ADDRESS}" -d "$ANY" -j LOG --log-prefix "Packet log: COUNTRY DROP "
        $IPTABLES -A FORWARD -s "${ADDRESS}" -d "$ANY" -j DROP
    done
done

echo "Done. Started: ${DATE}, finished: $(date)"


-- 
 (o_   Stefan Gofferje            | SCLT, MCP, CCSA
 //\   Reg'd Linux User #247167   | VCP #2263
 V_/_  Heckler & Koch - the original point and click interface
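The 8.5-minute load time above comes from appending four iptables rules per network, which also means every packet walks a linear chain of ~20000 rules. As an added example, not the poster's script and not anything from ipdeny.com, the following loads the same zone files into one ipset of type hash:net and matches the set with two rules per chain. It assumes the zone files have already been downloaded into blocklist.d/ (one IPv4 CIDR per line, the ipdeny.com format), that ipset(8) and an iptables with the "set" match are present when run with --apply, and the set name "geoblock", the hash sizes and the 5/min log rate limit are hypothetical choices. It validates every line before it can reach ipset or iptables, which is what protects you if a download ever returns an HTML error page instead of a list.

```shell
#!/bin/sh
# Added example, not the original poster's script: build an ipset from the zone
# files and reference it from a handful of iptables rules. Assumptions: zone
# files in blocklist.d/ as one IPv4 CIDR per line; ipset(8) and iptables with
# the "set" match available when --apply is used; the set name "geoblock" and
# the log rate limit are hypothetical choices for this example.
set -u

# valid_cidr A.B.C.D/N: succeed only for a syntactically valid IPv4 network.
# Anything else (a hostname, an HTML error page, shell metacharacters) is
# rejected before it reaches ipset or iptables.
valid_cidr() {
    cidr=$1
    case $cidr in
        */*) ;;
        *) return 1 ;;                  # prefix length is mandatory
    esac
    addr=${cidr%/*}
    plen=${cidr#*/}
    case "$addr.$plen" in
        *[!0-9.]*) return 1 ;;          # digits and dots only
    esac
    case $addr in
        *..*|.*|*.) return 1 ;;         # empty octet
    esac
    [ -n "$plen" ] && [ "$plen" -le 32 ] || return 1
    n=0
    oldifs=$IFS
    IFS=.
    for octet in $addr; do
        if [ "$octet" -gt 255 ]; then
            IFS=$oldifs
            return 1
        fi
        n=$((n + 1))
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# emit_ipset_restore SET FILE...: write ipset(8) "restore" input for SET from
# the given zone files. Comments and blank lines are ignored; malformed entries
# are reported on stderr and skipped so one bad line does not abort the load.
emit_ipset_restore() {
    setname=$1
    shift
    printf 'create %s hash:net family inet hashsize 8192 maxelem 65536\n' "$setname"
    for file in "$@"; do
        sed -e 's/#.*$//' -e 's/[[:space:]]//g' "$file" |
        while IFS= read -r line || [ -n "$line" ]; do
            [ -z "$line" ] && continue
            if valid_cidr "$line"; then
                printf 'add %s %s\n' "$setname" "$line"
            else
                printf 'skipping malformed entry in %s: %s\n' "$file" "$line" >&2
            fi
        done
    done
    return 0
}

# emit_iptables_rules SET: the rules that replace thousands of per-network ones.
# LOG is appended before DROP (a packet that hits DROP never reaches the next
# rule) and is rate limited so a scan cannot flood the log. "iptables -C" checks
# for an identical rule first, so --apply can be rerun without duplicating rules.
emit_iptables_rules() {
    setname=$1
    for chain in INPUT FORWARD; do
        for rule in \
            "-m set --match-set $setname src -m limit --limit 5/min -j LOG --log-prefix \"COUNTRY DROP \"" \
            "-m set --match-set $setname src -j DROP"
        do
            printf 'iptables -C %s %s 2>/dev/null || iptables -A %s %s\n' "$chain" "$rule" "$chain" "$rule"
        done
    done
}

# --emit prints what would be loaded; --apply loads it (root required). The set
# is built under a temporary name and swapped in atomically, so reloading a new
# list never leaves a window in which the blocklist is empty.
main() {
    setname=${SETNAME:-geoblock}
    blockdir=${BLOCKDIR:-blocklist.d}
    case $1 in
        --apply)
            emit_ipset_restore "${setname}_new" "$blockdir"/*.zone | ipset -exist restore
            if ipset list "$setname" >/dev/null 2>&1; then
                ipset swap "${setname}_new" "$setname"
                ipset destroy "${setname}_new"
            else
                ipset rename "${setname}_new" "$setname"
            fi
            emit_iptables_rules "$setname" | sh
            ;;
        *)
            emit_ipset_restore "$setname" "$blockdir"/*.zone
            emit_iptables_rules "$setname"
            ;;
    esac
}

case ${1:-} in
    --emit|--apply) main "$1" ;;
esac
```

Run it with --emit first and read the output; --apply is meant for the same place in the firewall start-up as the poster's script, after the flush and before the specific ruleset. A hash:net lookup costs the same whether the set holds 5 or 50000 networks, and because the new set is swapped in rather than rebuilt in place, a refresh of the lists does not open the firewall while the rules are being reloaded. The download step is deliberately left out; when you add it, fetch over https with curl -f so an error page is never written as a zone file, and keep in mind that the list is an unauthenticated third-party input that decides what your firewall drops.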

asterisk-users mailing list
http://lists.digium.com/mailman/listinfo/asterisk-users