I’m still receiving huge spam/unwanted traffic from Russia.
I want to ban it with iptables.
I already tried to stop it using fail2ban, but they continuously change their IP address, so there is no repetitive behavior which fail2ban can trace.
This means that even if I set up rules for fail2ban, they can make the first connection anyway, wasting a little of my server resources.
I want to stop it now, so I decided to do it the bad way: using iptables.
I found a useful script here http://www.cyberciti.biz/faq/block-entier-country-using-iptables/ and I’ve modified it to do the job for me. Pay attention: if you already have iptables rules set up and you just execute the script from the page I linked, you will flush all of your rules. That’s a good reason to use mine 🙂
- I added a counter into the loop so you have a perception of what’s going on if you launch it by hand.
- I added a final line that echoes how many rules have been created.
- I made this independent from other existing rules so you don’t have to modify already working scripts.
This very useful shell script downloads the IP address blocks of the country I’m going to block and then loops over the downloaded file, creating iptables rules for each block it finds.
If you are interested in the IP blocks of other countries, just visit: http://www.ipdeny.com/ipblocks/
This is the code:
```bash
#!/bin/bash
counter=0
### Block all traffic from RUSSIA (ru). Use ISO code, space-separated for more than one country ###
ISO="ru"

### Set PATH ###
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep

### No editing below ###
SPAMLIST="countrydrop"
ZONEROOT="/root/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"

# create a dir
[ ! -d "$ZONEROOT" ] && /bin/mkdir -p "$ZONEROOT"

# create the chain if it does not exist yet, then clean its old rules
# (only this chain is flushed, other existing rules are left alone)
$IPT -N $SPAMLIST 2>/dev/null
$IPT -F $SPAMLIST

for c in $ISO
do
    # local zone file
    tDB=$ZONEROOT/$c.zone

    # get fresh zone file; skip this country if the download fails
    $WGET -O "$tDB" "$DLROOT/$c.zone" || continue

    # country specific log message
    SPAMDROPMSG="$c Country Drop"

    # get the IP blocks, skipping comments and empty lines
    BADIPS=$($EGREP -v "^#|^$" "$tDB")
    for ipblock in $BADIPS
    do
        $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
        $IPT -A $SPAMLIST -s $ipblock -j DROP
        counter=$((counter + 1))
        echo -ne "Adding $counter\r"
    done
done
echo "ADDED $counter IP Address Blocks"

# Drop everything: hook the chain into the built-in chains, only once even on re-runs
for chain in INPUT OUTPUT FORWARD
do
    $IPT -C $chain -j $SPAMLIST 2>/dev/null || $IPT -I $chain -j $SPAMLIST
done

# call your other iptable script
# /path/to/other/iptables.sh

exit 0
```
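The script turns every line of a file fetched over plain HTTP into firewall rules, so a truncated or altered download (a `0.0.0.0/0` line, a hostname, your own LAN range) ends up in iptables as well. The following is an added example, not part of the original script, that filters the zone file first; the function names `valid_cidr`, `filter_zone`, `write_sample` and the `/8` width limit are assumptions of this example.

```shell
# Added example: sanity-check a downloaded zone file before its lines reach iptables.
MIN_PREFIX=8   # assumption of this example: refuse anything wider than a /8

# valid_cidr A.B.C.D/N : succeeds only for a well-formed, plausible IPv4 block
valid_cidr() {
    case "$1" in
        *[!0-9./]*|*/*/*|/*|*/|*./*) return 1 ;;  # digits, dots and one slash only
        */*) ;;
        *) return 1 ;;                            # bare address without a prefix
    esac
    addr=${1%/*} prefix=${1#*/}
    case "$prefix" in *.*|???*|0?*) return 1 ;; esac
    [ "$prefix" -ge "$MIN_PREFIX" ] && [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # empty, more than three digits, or a leading zero (octal ambiguity)
        case "$octet" in ''|????*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    # loopback and RFC 1918 space never belong in a country list
    case "$1.$2" in
        127.*|10.*|192.168) return 1 ;;
        172.*) [ "$2" -lt 16 ] || [ "$2" -gt 31 ] || return 1 ;;
    esac
    return 0
}

# filter_zone FILE : accepted blocks to stdout, rejects to stderr; fails if none are left
filter_zone() {
    accepted=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if valid_cidr "$line"; then
            printf '%s\n' "$line"; accepted=$((accepted + 1))
        else
            printf 'rejected: %s\n' "$line" >&2
        fi
    done < "$1"
    [ "$accepted" -gt 0 ]
}

# write_sample FILE : constructed test lines, not real ipdeny content
write_sample() {
    printf '%s\n' '# constructed sample' '203.0.113.0/24' '0.0.0.0/0' '10.0.0.0/8' \
        '198.51.100.0/33' 'host.example.net' '010.1.2.0/24' '198.51.100.128/25' > "$1"
}

tmp=$(mktemp) && write_sample "$tmp" && filter_zone "$tmp"; rm -f "$tmp"
```

To use it in the script, the egrep line would become `BADIPS=$(filter_zone "$tDB") || continue`, so a failed or empty download adds no rules for that country.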
You can verify the newly created rules by typing:
iptables -L -n
Use the “-n” switch to avoid DNS lookups, since the script creates a lot of rules.
That’s all. Also, if you run
tail -F /var/log/messages
you will see a number of lines like this:
Jan 2 10:47:29 myserver kernel: [5496150.304711] ru Country DropIN=eth0 OUT= MAC=00:16:3e:54:56:49:00:0d:66:f9:ec:0a:08:00 SRC=220.127.116.11 DST=myserver LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=2422 DF PROTO=TCP SPT=57066 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
If you plan to schedule it as a cron job, remember to remove all the “echo” lines or to handle them by redirecting the output of the command.
If you don’t want a huge messages log, then comment out the line:
# $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
as I did.
Any comment is appreciated, Ciao!