Joe,
        Adding routes to different networks to block addresses is probably 
not the best of methods to go, however you may be interested in using 
ipchains/iptables depending on your kernel version.

kernel 2.4.x - iptables
iptables -A INPUT -s <offending IP> -j DROP

kernel 2.2.x - ipchains
ipchains -A input -s <offending IP> -j DENY


for iptables, you can do some logging and the such so you know when they 
are attempting to connect:


iptables -N kiddies
iptables -A kiddies -j LOG --log-prefix "Script Kiddie Log: " -m limit --limit 1/m
iptables -A kiddies -j DROP


iptables -A INPUT -s <offending ip> -j kiddies

<offending ip> in each example can represent just the IP address itself as 
well as a netblock via the CIDR notation. a quick example for CIDR looks 
like this:

IP              NETMASK         CIDR
192.168.2.0     255.255.255.0   192.168.2.0/24
10.0.0.0        255.0.0.0       10.0.0.0/8
172.16.0.0      255.255.0.0     172.16.0.0/16

CIDR basically is just the number of bits in the network mask.

here is a brief explanation of the iptables rules represented by 
'kiddies'...


iptables -N kiddies                             # create a new empty chain called
                                                # kiddies to handle anything that
                                                # points to it

                                                # this part logs a bit of
                                                # information about the
                                                # packet
iptables -A kiddies -j LOG --log-prefix "Script Kiddie Log: " \
        -m limit --limit 1/m                    # this sets log limits to
                                                # 1 per minute (a nice
                                                # feature to prevent
                                                # flooding)

iptables -A INPUT -s <offending ip> -j kiddies  # this tells the <offending ip>
                                                # source (-s) to go to the
                                                # chain kiddies


more information is available via the following links:

ipchains
        http://www.netfilter.org/ipchains/

iptables
        http://www.netfilter.org
        http://www.linuxguruz.org/iptables/howto/iptables-HOWTO.html


I hope this helps at least a little, and if not I apologize.


Thanks,
Ryan Yagatich  <[EMAIL PROTECTED]>
        Pantek, Incorporated
 (877) LINUX-FIX - (440) 519-1802
===================================
B5 50 A7 EE 0E D1 1E 15 CA B0 60 E2
B3 0A 95 4E 23 CA 7D AC 5F C6 63 9C
===================================
     A bachelor is a selfish,
  undeserving guy who has cheated
some woman out of a divorce. -- Don
              Quinn


On Fri, 13 Sep 2002, Joseph Monti wrote:

>I've been an unfortunate target of various script-kiddies/worms and have
>configured apache to perform something like this on all incoming requests
>containing bad URI's:
>
>route -n add <evil IP> gw <bogus local host>
>
>The only concern I have is will this cause performance problems? I've got
>about 10 so far and I just put it up about 24hrs ago.
>
>Thanks,
>Joe Monti
>
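
An added example, not part of either message: a POSIX shell helper for the kind of automated blocking Joe describes, which validates the address or CIDR block before handing it to the kiddies chain from Ryan's reply and skips sources that are already listed. It assumes an iptables release that supports -C (rule check), root privileges and an existing kiddies chain; the function names and the IPT variable are invented for the example.

```shell
#!/bin/sh
IPT=${IPT:-iptables}    # assumption: iptables is on PATH and run as root

# valid_source ADDR[/LEN]: succeed only for a dotted-quad IPv4 address with
# an optional prefix length of 0-32. Anything else (hostnames, shell
# metacharacters from a hostile request) is refused.
valid_source() {
    addr=${1%%/*}
    case $1 in */*) len=${1#*/} ;; *) len=32 ;; esac
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    case $len in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*|0?*) return 1 ;; esac   # too long / leading zero
        [ "$octet" -le 255 ] || return 1
    done
}

# mask_to_cidr MASK: print the prefix length for a dotted netmask, e.g.
# 255.255.255.0 -> 24. Fails for masks whose one-bits are not contiguous.
mask_to_cidr() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    bits=0; partial=0
    for octet in "$@"; do
        case $octet in
            255) n=8 ;; 254) n=7 ;; 252) n=6 ;; 248) n=5 ;; 240) n=4 ;;
            224) n=3 ;; 192) n=2 ;; 128) n=1 ;; 0) n=0 ;;
            *) return 1 ;;
        esac
        # after the first octet below 255, only zero octets may follow
        if [ "$partial" -eq 1 ] && [ "$n" -ne 0 ]; then return 1; fi
        if [ "$n" -lt 8 ]; then partial=1; fi
        bits=$((bits + n))
    done
    echo "$bits"
}

# block_source ADDR[/LEN]: send a validated source to the kiddies chain.
# -C (check) succeeds if the same rule is already present, so repeated
# hits from one source do not grow the INPUT chain.
block_source() {
    valid_source "$1" || { echo "refused: $1" >&2; return 1; }
    $IPT -C INPUT -s "$1" -j kiddies 2>/dev/null ||
        $IPT -A INPUT -s "$1" -j kiddies
}
```

Source the file and call block_source with the address taken from the web server; a value that is not a plain IPv4 address or CIDR block is refused before iptables is ever invoked.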
