iptables "How To"

  • katir
  • 03/26/08
  • Offline
Posted: Sun, 2011-12-25 21:09

I am trying to do my home work so as not to be such a beggar, but still the GUI for the IP tables is mysterious.

GOAL: block a range of IP addresses from any access to the server on any port WHY: I'm looking at access logs and we have a known Russian spam network range of 188.143.232.000-188.143.232.255; post spam comments to our wordpress at the rate of 1 a minute. I believe the WP module AKISMET is handingly these, but i would like to have the expertise to add REJECTs to the IpTables when I do see this happening. I'm trying to pay better attention to the logs...

SO: I assume in the IP Tables GUI we start by

Rule Comment: Block Russian Cialis/Viagra pushers Action to take "REJECT" ICMP Type ICMP-Host-prohibited (would default work)

Then we have the long "conditions' section of the form

Source address or network: Is this where I enter an IP? Can I enter a range?

then the rest of these which are marked as "ignore" ... i am not sure what can or cannot be ignored..

If you could put tool tips on that form that would help. Bottom Line:

what is the simplest entry(s) I need to make to block 1 IP or a range of IP's? from access to any port.

If you have the time are feeling very generous then you might add comments after each of the following form labels:

Destination address or network Incoming interface Outgoing interface Fragmentation Network protocol

Source TCP or UDP port Destination TCP or UDP port Source and destination port(s) TCP flags set TCP option number is set ICMP packet type Ethernet address Packet flow rate Packet burst rate Connection states Type of service Additional IPtables modules Additional parameters


I agree iptables is

  • John_B
  • 12/12/11
  • Offline
  • Mon, 2011-12-26 11:49

I agree iptables is mysterious. I found I had an upload limit, whether the settings are defaults set by Virtualmin (or whether they came from my Debian install) I do not know. Upload was limited to 150kb/s. But I could not see anything in the Virtualmin ui to set this, or anything in Virtualmin documentation about setting it from cli.

Given the lack of beginners' documentation on iptables elsewhere, a 'how to' would be useful.


Well, there's not any sort of

  • andreychek
  • 01/04/09
  • Online Now
  • Mon, 2011-12-26 21:56

Well, there's not any sort of iptables howto at the moment, but I can offer that there isn't any sort of default rate limit setup.

So, if you're being limited to 150kb/s, that's not something in iptables -- it's likely related to either the script you're using, or bandwidth throttling being done by your ISP.

But, we'll keep your request for an iptables howto in mind!

-Eric


OK so let me downgrade my

  • katir
  • 03/26/08
  • Offline
  • Tue, 2011-12-27 16:12

OK so let me downgrade my request from a big how to training on Iptables to just this:

what are the minimum entries I need to make in the iPtable interface to block a range of IP's from accessing any ports.


If you go into Webmin ->

  • andreychek
  • 01/04/09
  • Online Now
  • Tue, 2011-12-27 20:57

If you go into Webmin -> Networking -> Linux Firewall, click "Add Rule", and you can add a new firewall rule there. You could create a rule, and set it up to reject all connections from certain IP addresses.

As for specifying IP addresses -- in the "Source address or network" field, it accepts the parameters used by the iptables -s option, which is:

 
             Source specification.  Address can be either a network name, a hostname (please note that spec‐
              ifying any name to be resolved with a remote query such as DNS is a really bad idea), a network
              IP  address  (with  /mask),  or a plain IP address.  The mask can be either a network mask or a
              plain number, specifying the number of 1’s at the left side of the network mask.  Thus, a  mask
              of  24 is equivalent to 255.255.255.0.  A "!" argument before the address specification inverts
              the sense of the address. The flag --src is an alias for this option.


Ok then in the case of this

  • katir
  • 03/26/08
  • Offline
  • Tue, 2011-12-27 22:56

Ok then in the case of this known server in Russia that is a spammer of wordpress comments with posts (Last night they hit our word press every 1 minute for a hour with a comment. All of which Akismet rejected, but still that's taking up a lot of CPU cycles!)

so add Rule

ACTION TO TAKE: choose "Reject" REJECT WITH ICMP TYPE: leave the radio btn on default

CONDITION DETAILS:

the whole range is on this box in St. Petersburg

where I guess they have nothing better to do in the winter time than

drink vodka and attack the rest of us ... ha!

188.143.232.0 to 188.143.232.254

How do I express that range as a "mask" ... like this?

SOURCE ADDRESS OR NETWORK: [chose EQUALS] 188.143.232.0/254

all other options in the rule we leave as

Will that do it? "Network Mask" to me is something they sell on Halloween... (I'm off now to look that up too.)

Thanks for your patience! These logs are somewhat intimidating... to see the level of "abuse" going on.


@ John_B Great Cocos!

  • katir
  • 03/26/08
  • Offline
  • Tue, 2011-12-27 23:04

@ John_B

Great Cocos! John... here is our "how to manual" for IP Tables:

written simply enough even for a novice.

http://wiki.centos.org/HowTos/Network/IPTables


Thanks for the heads up on

  • John_B
  • 12/12/11
  • Offline
  • Wed, 2011-12-28 06:34

Thanks for the heads up on that. It is very clear.

It does not cover upload limits, so in case anyone else is encountering this I will comment on it. I was uploading at 150kB/s but seeing 1.6MB/s incoming traffic. The default must have been set in the Debian package, as not by Virtualmin. Since throttling inbound traffic means dropping good packets, it seems to be a bad idea: the inbound traffic of dropped packets was slowing the upload, but made my server unreachable anyway.


I added a new rule to block

  • katir
  • 03/26/08
  • Offline
  • Wed, 2011-12-28 21:39

I added a new rule to block an IP. But I am still seeing POSTS from this IP to the WordPress blog...

When we reject and IP in the IPTables, are access attempts still registered in the access logs? if they answer is no, they should not be, then I did not enter my rule correctly.

If I did enter my rule correctly, then it does not make sense for the access longs to register hits: or perhaps it does... and may "DROP" is better than "REJECT" since perhaps the latter is still registered in access logs but DROP is not?


I figured out what I was

  • katir
  • 03/26/08
  • Offline
  • Thu, 2011-12-29 20:01

I figured out what I was doing wrong... in the IP tables, order is significant... Today I opened a session to the server and left a tail on the secure log all day long... very interesting to watch the attacks in progress! Some one in Korea at 221.139.1.184 started a dictionary attack on SSH... so I added them at the end of the IP table and they kept getting thru. I move the rule up above "Accept if request is for ssh" and instantly the attack was stopped. Yay!

So then I added the IP of the Russian Word Press Spammers in St. Petersburg as the very first line on the IP Tables and that stopped also!