Blocking Netranges Based on IP-to-Country CSV

Frank Gruellich frank at der-frank.org
Thu Sep 16 02:54:00 CEST 2004


Hello,

* Gary & Mic McFall <nutbrownhares at tds.net> 15. Sep 04:
> To be proactive, we want to automate that process via iptables & the
> CSV available at <http://ip-to-country.webhosting.info>.

I am very suspicious of configuring packet filters with external
(untrusted) data.

> We have created a C program (IPCheck) in the /bin directory

Maybe it should go to /usr/local/bin/... anyway.

> We want to process the packet based on that return.

Make it return 0 for bad and !0 for 'good' IP#s.

> I'm a relative newbie with iptables & scripts.

<URL:http://iptables-tutorial.frozentux.net/iptables-tutorial.html>

> Listed below is some very crude code,

Aah... yes.

> Any suggestions on how to shore this up so that it will work?

# You need to create the user-defined chain before using it:
$IPT -N INBADIPS

> #    ***** DROP BAD IPS *****
> /bin/IPCheck `grep -w "SRC =" | cut -d = -f 2`

# What are you going to use as input?  This grep needs a source to
# parse.  Will it result in a list of IP#s?  I assume a single $IP.

> if return = "Bad IP"
> $IPT -A INPUT -$ETH0 $RATELIMIT -j INBADIPS

# This will not work. Use:
if /usr/local/bin/IPCheck "$IP"
then
	$IPT -A INPUT -i eth0 -s "$IP" -j INBADIPS
fi
# What do you mean with $RATELIMIT?  Are you looking for
# <URL:http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TABLE.LIMITMATCH>?

>       ***** RULES - DROP  BAD IPS *****
> #    ***** REVIEW LOG AT /var/log/iptables.log *****
> $IPT -A  INBADIPS -j LOG --log-level debug --log-prefix "BADIP:  " -j DROP

# You can't have two targets in a rule.  Split it:
$IPT -A INBADIPS -j LOG --log-level debug --log-prefix="BADIP: "
$IPT -A INBADIPS -j DROP

Some questions you should ask yourself:
 + Is this a gateway?  Should it go to FORWARD?
 + Will IP#s stay forever on the blacklist?  How and when to remove them?
 + Is this really what you want?

Hope I understood you,
 regards, Frank.
-- 
Sigmentation fault
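An added example, not code from the reply above or from the original poster: a POSIX shell script that applies the corrections from the reply (create the chain before using it, one target per rule, a proper `if` around the IPCheck call) and carries the layout one step further so the two open questions at the end, how entries get removed and whether this is a gateway, have an answer. It assumes things the thread does not state: the blacklist is a text file with one IPv4 address or a.b.c.d/len per line (what the IP-to-country CSV would be reduced to), `IPT` is the iptables binary, `IFACE` the interface facing the untrusted side, and `IPCHECK`, if set, a classifier that exits 0 for a bad address, the convention the reply proposes for IPCheck. The extra chain name `BLACKLIST` is also this example's choice. Nothing from the external file reaches iptables unless it parses as an IPv4 address or CIDR.

```shell
#!/bin/sh
# Added example (not from the netfilter thread).  Three pieces:
#   INBADIPS  - LOG then DROP, one target per rule (as in the reply)
#   BLACKLIST - one "-s ADDR -j INBADIPS" rule per blacklisted source;
#               flushed and refilled on every run, so the file is
#               authoritative and an address leaves the list by leaving
#               the file (assumed chain name)
#   INPUT     - a single hook rule "-i IFACE -j BLACKLIST"
# Assumptions: IPT is iptables, IFACE the untrusted-side interface,
# IPCHECK (optional) a command that exits 0 for a bad address.
# IPT=echo prints the rules instead of loading them.

IPT=${IPT:-iptables}
IFACE=${IFACE:-eth0}
IPCHECK=${IPCHECK:-}

# valid_ipv4_cidr ADDR: exit 0 only for a.b.c.d or a.b.c.d/0..32 with each
# octet in 0..255.  Anything else (garbage, option-looking strings such as
# "-j ACCEPT", IPv6) is rejected so it can never become an iptables argument.
valid_ipv4_cidr() {
    addr=$1
    case $addr in
        */*) ip=${addr%%/*}; len=${addr#*/} ;;
        *)   ip=$addr; len=32 ;;
    esac
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    # only digits and dots, no leading/trailing/doubled dot
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS
    IFS=.
    set -- $ip            # split on dots into the function's own $1..$n
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# setup_chains: run once from the main firewall script.  "-N" fails if the
# chain already exists; then it is flushed instead.  On a gateway add the
# same hook rule to FORWARD.
setup_chains() {
    $IPT -N INBADIPS 2>/dev/null || $IPT -F INBADIPS
    $IPT -A INBADIPS -j LOG --log-level debug --log-prefix "BADIP: "
    $IPT -A INBADIPS -j DROP
    $IPT -N BLACKLIST 2>/dev/null || $IPT -F BLACKLIST
    $IPT -I INPUT -i "$IFACE" -j BLACKLIST
}

# load_blacklist FILE: rebuild BLACKLIST from FILE.  Rerun (e.g. from cron)
# whenever the file changes; flushing first is what removes stale entries.
load_blacklist() {
    $IPT -F BLACKLIST
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')   # and whitespace
        [ -n "$line" ] || continue
        if ! valid_ipv4_cidr "$line"; then
            echo "skipping invalid entry: $line" >&2
            continue
        fi
        # optional classifier: exit 0 means "bad", anything else "good"
        if [ -n "$IPCHECK" ] && ! "$IPCHECK" "$line"; then
            continue
        fi
        $IPT -A BLACKLIST -s "$line" -j INBADIPS
    done < "$1"
}

# usage:  IPT=echo sh blockips.sh --apply badips.txt   (print the rules)
#         sh blockips.sh --apply badips.txt            (as root: load them)
if [ "${1-}" = "--apply" ] && [ -n "${2-}" ]; then
    setup_chains
    load_blacklist "$2"
fi
```

Run it with `IPT=echo` first and read the rules before letting it near a live packet filter. Because `setup_chains` inserts the hook rule into INPUT every time it runs, call it once from the firewall script and only `load_blacklist` on updates; rejected lines are reported on stderr rather than silently dropped, which is where a corrupted or hostile CSV would show up.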
