topic Re: How to block multiple ips with iptables in Operating System - Linux

How to block multiple ips with iptables

Geoff Wild — Mon, 26 Jul 2004 17:44:15 GMT

I have this in my iptables:

# Drop everyting from the following ip's
echo "Process the bad people ..."
$IPT -A INPUT -p ALL -s 68.122.142.182 -j DROP
$IPT -A INPUT -p ALL -s 68.144.185.86 -j DROP
$IPT -A INPUT -p ALL -s 68.157.86.130 -j DROP
$IPT -A INPUT -p ALL -s 216.185.55.67 -j DROP
$IPT -A INPUT -p ALL -s 68.210.138.17 -j DROP
$IPT -A INPUT -p ALL -s 62.81.176.46 -j DROP
$IPT -A INPUT -p ALL -s 221.142.197.203 -j DROP
$IPT -A INPUT -p ALL -s 207.250.236.66 -j DROP
$IPT -A INPUT -p ALL -s 220.120.103.188 -j DROP
$IPT -A INPUT -p ALL -s 68.47.18.119 -j DROP
$IPT -A INPUT -p ALL -s 12.219.16.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.9.205.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.10.212.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.10.222.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.11.170.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.11.94.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.14.31.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.17.245.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.17.252.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.18.150.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.190.183.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.108.112.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.131.24.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.126.223.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.161.203.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.162.171.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.165.189.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.173.10.0/24 -j DROP
$IPT -A INPUT -p ALL -s 68.117.2.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.109.140.0/24 -j DROP
$IPT -A INPUT -p ALL -s 4.0.0.0/8 -j DROP
$IPT -A INPUT -p ALL -s 24.82.81.169 -j DROP

Yet, I see these in my logwatch:

Logged 3931 packets on interface eth0
From 4.7.19.183 - 2 packets
To WWW.XXX.YYY.ZZZ - 2 packets
Service: 135 (tcp/135) (INPUT packet died:,eth0,none) - 2 packets
From 4.7.235.134 - 2 packets
To WWW.XXX.YYY.ZZZ - 2 packets
Service: http (tcp/80) (New not syn:,eth0,none) - 2 packets
From 4.13.50.245 - 1 packet
To WWW.XXX.YYY.ZZZ - 1 packet
Service: microsoft-ds (tcp/445) (INPUT packet died:,eth0,none) - 1 packet
From 4.26.83.64 - 3 packets
To WWW.XXX.YYY.ZZZ - 3 packets
Service: microsoft-ds (tcp/445) (INPUT packet died:,eth0,none) - 3 packets

Why arn't all the 4.X.X.X dropped?

Rgds...Geoff

Re: How to block multiple ips with iptables

Steven E. Protter — Mon, 26 Jul 2004 18:39:18 GMT

You seem to be trying to drop a class A address 4.x.x.x

$IPT -A INPUT -p ALL -s 4.0.0.0/8 -j DROP

$IPT -A INPUT -p ALL -s 4.0.0.0/24 -j DROP

I would on initial inspection think you are not blocking the entire ip range due to that last number after the slash.

Can you tell me how you calculated an 8 would do it for you, then I can try and tell you what the number should be in my estimation.

SEP

Re: How to block multiple ips with iptables

Stuart Browne — Mon, 26 Jul 2004 18:58:49 GMT

Nah, his rule is right SEP.

4 octets of 8 bits, first byte full match is an 8 bit netmask. so 4.0.0.0/8 matches all 4.*.*.* values.

Now, that being the case, the questions that need to be asked are these:

is 'WWW.XXX.YYY.ZZZ' the IP address on the interface 'eth0'?
Or is it another machine using this box as a gateway?

If it's the first, then whilst your rule appears correct, we need to make sure it actually went into your iptables properly. Verify the current tables by using:

iptables -nvL INPUT

Ensure that there's nothing accepting above it, and that the rule looks correct (i.e.:

312 3982 DROP all -- * * 4.0.0.0/8 0.0.0.0/0

(the first two numbers being packets/bytes matching the rule)).

If the second, this and possibly other rules would probably be more suited to the FORWARD chain.

In any case, this is why I like DROP policy INPUT/FORWARD chains in IPTables, along with '-m state --state ESTABLISHED,RELATED' rules. Much goodness.

Re: How to block multiple ips with iptables

Geoff Wild — Mon, 26 Jul 2004 21:19:04 GMT

Here's the result:

# iptables -nvL INPUT
Chain INPUT (policy DROP 9733 packets, 726K bytes)
pkts bytes target prot opt in out source destination
128K 16M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1225K 160M bad_packets all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.1
0 0 DROP all -- * * 68.122.142.182 0.0.0.0/0
0 0 DROP all -- * * 68.144.185.86 0.0.0.0/0
0 0 DROP all -- * * 68.157.86.130 0.0.0.0/0
77 3080 DROP all -- * * 216.185.55.67 0.0.0.0/0
0 0 DROP all -- * * 68.210.138.17 0.0.0.0/0
0 0 DROP all -- * * 62.81.176.46 0.0.0.0/0
0 0 DROP all -- * * 221.142.197.203 0.0.0.0/0
0 0 DROP all -- * * 207.250.236.66 0.0.0.0/0
0 0 DROP all -- * * 220.120.103.188 0.0.0.0/0
0 0 DROP all -- * * 68.47.18.119 0.0.0.0/0
0 0 DROP all -- * * 12.219.16.0/24 0.0.0.0/0
0 0 DROP all -- * * 24.9.205.0/24 0.0.0.0/0
0 0 DROP all -- * * 24.10.212.0/24 0.0.0.0/0
0 0 DROP all -- * * 24.10.222.0/24 0.0.0.0/0
0 0 DROP all -- * * 24.11.170.0/24 0.0.0.0/0
0 0 DROP all -- * * 24.11.94.0/24 0.0.0.0/0
0 0 DROP all -- * * 24.14.31.0/24 0.0.0.0/0
0 0 DROP all -- * * 24.17.245.0/24 0.0.0.0/0
0 0 DROP all -- * * 24.17.252.0/24 0.0.0.0/0
0 0 DROP all -- * * 24.18.150.0/24 0.0.0.0/0
0 0 DROP all -- * * 24.190.183.0/24 0.0.0.0/0
2 96 DROP all -- * * 64.108.112.0/24 0.0.0.0/0
0 0 DROP all -- * * 66.131.24.0/24 0.0.0.0/0
0 0 DROP all -- * * 67.126.223.0/24 0.0.0.0/0
0 0 DROP all -- * * 67.161.203.0/24 0.0.0.0/0
0 0 DROP all -- * * 67.162.171.0/24 0.0.0.0/0
0 0 DROP all -- * * 67.165.189.0/24 0.0.0.0/0
0 0 DROP all -- * * 67.173.10.0/24 0.0.0.0/0
0 0 DROP all -- * * 68.117.2.0/24 0.0.0.0/0
0 0 DROP all -- * * 193.109.140.0/24 0.0.0.0/0
5558 345K DROP all -- * * 4.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 24.82.81.169 0.0.0.0/0
1146K 155M ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
24567 1206K tcp_inbound tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
47190 3866K udp_inbound udp -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 icmp_packets icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0
4 336 DROP all -- * * 0.0.0.0/0 255.255.255.255
4539 359K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 4 prefix `INPUT packet died: '

I got the subnet from the following table:

# class A xxx.0.0.0/8 255.0.0.0
# class B xxx.xxx.0.0/16 255.255.0.0
# class C xxx.xxx.xxx.0/24 255.255.255.0
# 128 subnet xxx.xxx.xxx.xxx/25 255.255.255.128
# 64 subnet xxx.xxx.xxx.xxx/26 255.255.255.192
# 32 subnet xxx.xxx.xxx.xxx/27 255.255.255.224
# 16 subnet xxx.xxx.xxx.xxx/28 255.255.255.240
# 8 subnet xxx.xxx.xxx.xxx/29 255.255.255.248
# 4 subnet xxx.xxx.xxx.xxx/30 255.255.255.252
# 2 subnet xxx.xxx.xxx.xxx/31 255.255.255.254
# single address xxx.xxx.xxx.xxx/32 255.255.255.255

And yes WWW.XXX.YYY.ZZZ is my eth0, primary interface.

Rgds...Geoff

Re: How to block multiple ips with iptables

Stuart Browne — Tue, 27 Jul 2004 00:12:32 GMT

Well that looks good. THe tell-tail rule of course being:

5558 345K DROP all -- * * 4.0.0.0/8 0.0.0.0/0

It looks as if it's been hit a bit too.

I guess the next thing we need is for you to run a tcpdump to get some more details of the packets.

Please note that whilst you tell them to DROP, the interface will still see them.

So, the output of something like this:

tcpdump -ni eth0 net 4.0.0.0/8

And see what we get. My guess is you're seeing a few come in the interface, get dropped, and not go anywhere else.

Re: How to block multiple ips with iptables

Geoff Wild — Tue, 27 Jul 2004 07:47:21 GMT

Yes -

# tcpdump -ni eth0 net 4.0.0.0/8
tcpdump: listening on eth0
05:49:47.041859 4.26.26.161.3271 > 64.114.228.15.microsoft-ds: . ack 3759970961 win 0
05:50:00.567311 4.27.208.9.3298 > 64.114.229.155.microsoft-ds: S 2489455283:2489455283(0) win 64240 (DF)
05:50:00.567527 64.114.229.155.microsoft-ds > 4.27.208.9.3298: R 0:0(0) ack 2489455284 win 0
05:50:02.324703 4.27.208.9.3298 > 64.114.229.155.microsoft-ds: S 2489455283:2489455283(0) win 64240 (DF)
05:50:02.325094 64.114.229.155.microsoft-ds > 4.27.208.9.3298: R 0:0(0) ack 1 win 0
05:50:04.087342 4.27.208.9.3298 > 64.114.229.155.microsoft-ds: S 2489455283:2489455283(0) win 64240 (DF)
05:50:04.087584 64.114.229.155.microsoft-ds > 4.27.208.9.3298: R 0:0(0) ack 1 win 0
05:50:08.916945 4.227.20.243.4161 > 64.114.228.115.microsoft-ds: S 2682269997:2682269997(0) win 8760 (DF)
05:50:08.917233 64.114.228.115.microsoft-ds > 4.227.20.243.4161: S 3780647258:3780647258(0) ack 2682269998 win 65535 (DF)
05:50:11.451857 4.227.20.243.4161 > 64.114.228.115.microsoft-ds: . ack 1 win 8760 (DF)
05:50:13.347482 4.227.20.243.4161 > 64.114.228.115.microsoft-ds: P 1:138(137) ack 1 win 8760 (DF)
05:50:13.347829 64.114.228.115.microsoft-ds > 4.227.20.243.4161: P 1:90(89) ack 138 win 65398 (DF)
05:50:13.372927 4.26.220.237.1140 > 64.114.228.132.microsoft-ds: S 3613026315:3613026315(0) win 64240 (DF)
05:50:13.373147 64.114.228.132.microsoft-ds > 4.26.220.237.1140: S 3782272418:3782272418(0) ack 3613026316 win 65535 (DF)
05:50:13.422068 4.26.220.237.1140 > 64.114.228.132.microsoft-ds: . ack 1 win 64240 (DF)
05:50:13.626374 4.26.220.237.1140 > 64.114.228.132.microsoft-ds: P 1:138(137) ack 1 win 64240 (DF)
05:50:13.626997 64.114.228.132.microsoft-ds > 4.26.220.237.1140: P 1:90(89) ack 138 win 65398 (DF)
05:50:13.830065 4.26.220.237.1140 > 64.114.228.132.microsoft-ds: . ack 90 win 64151 (DF)
05:50:13.836485 4.26.220.237.1140 > 64.114.228.132.microsoft-ds: P 138:306(168) ack 90 win 64151 (DF)
05:50:13.837041 64.114.228.132.microsoft-ds > 4.26.220.237.1140: P 90:347(257) ack 306 win 65230 (DF)
05:50:14.034966 4.26.220.237.1140 > 64.114.228.132.microsoft-ds: P 306:528(222) ack 347 win 63894 (DF)
05:50:14.035192 64.114.228.132.microsoft-ds > 4.26.220.237.1140: P 347:386(39) ack 528 win 65008 (DF)
05:50:14.231262 4.26.220.237.1140 > 64.114.228.132.microsoft-ds: F 528:528(0) ack 386 win 63855 (DF)
05:50:14.231530 64.114.228.132.microsoft-ds > 4.26.220.237.1140: F 386:386(0) ack 529 win 65008 (DF)
05:50:14.278521 4.26.220.237.1140 > 64.114.228.132.microsoft-ds: . ack 387 win 63855 (DF)
05:50:16.583238 64.114.228.115.microsoft-ds > 4.227.20.243.4161: P 1:90(89) ack 138 win 65398 (DF)
05:50:23.146162 64.114.228.115.microsoft-ds > 4.227.20.243.4161: P 1:90(89) ack 138 win 65398 (DF)
05:50:36.272011 64.114.228.115.microsoft-ds > 4.227.20.243.4161: P 1:90(89) ack 138 win 65398 (DF)
05:50:36.958348 4.227.20.243.4161 > 64.114.228.115.microsoft-ds: P 138:306(168) ack 90 win 8671 (DF)
05:50:36.958912 64.114.228.115.microsoft-ds > 4.227.20.243.4161: P 90:347(257) ack 306 win 65230 (DF)

36 packets received by filter
0 packets dropped by kernel

Stuart, so, my iptables is working - they just still hit the interface - and therefore are also logged by logwatch - but nothing to worry about.

Is that correct?

Thanks...Geoff

Re: How to block multiple ips with iptables

Steven E. Protter — Tue, 27 Jul 2004 09:40:03 GMT

Thanks Stuart for the correction.

After reading this all, I'm in the camp that the packets are being dropped but are still showing up in the logs.

SEP

Re: How to block multiple ips with iptables

Stuart Browne — Tue, 27 Jul 2004 18:38:25 GMT

This is concerning:

This packet *should* be dropped:

05:50:36.958348 4.227.20.243.4161 > 64.114.228.115.microsoft-ds: P 138:306(168) ack 90 win 8671 (DF)

Which would mean that 64.114.228.115 shouldn't be responding on the microsft-ds port, as the following lines show it is:

05:50:16.583238 64.114.228.115.microsoft-ds > 4.227.20.243.4161: P 1:90(89) ack 138 win 65398 (DF)
05:50:23.146162 64.114.228.115.microsoft-ds > 4.227.20.243.4161: P 1:90(89) ack 138 win 65398 (DF)
05:50:36.272011 64.114.228.115.microsoft-ds > 4.227.20.243.4161: P 1:90(89) ack 138 win 65398 (DF)

Which is bad. Now, I'm assuming 64.114.228.115 is the IP on 'eth0'?

Then it means that a machine behind the linux box (which is being SNAT/MASQUERADE'd) initiated the connection to the external box on the 4.0.0.0/8 subnet, which is then being allowed to continue communicating due to an '-m state --state ESTABLISHED,RELATED' in your FORWARD chain.

Re: How to block multiple ips with iptables

Geoff Wild — Tue, 27 Jul 2004 19:00:32 GMT

64.114.228.115 is a Windoze machine at the ISP my server is at - not my eth0.

Rgds...Geoff