LinuxQuestions.org


Bulletproof 08-09-2012 01:32 PM

Blocking an IP

The following iptables rule blocks an IP:
Quote:

iptables -A INPUT -s 1.2.3.4 -j DROP
I have the following iptables rule to filter out bad packets:
Quote:

-A INPUT -p udp -m udp --dport 27015 -m length --length 0:32 -j DROP
I'd like to be able to block IPs that get dropped by the iptables rule above automatically, without having to check the logs and do them manually.

Can this be done?

PS: My knowledge in this field is weak.

sundialsvcs 08-09-2012 01:48 PM

I frankly suggest that you look carefully at Shorewall, which is a very comprehensive open-source tool for building IPTables rules.

lithos 08-09-2012 01:57 PM

Hi,

I don't really know but maybe Fail2ban can be your friend.

good luck

salasi 08-09-2012 01:59 PM

Quote:

Originally Posted by Bulletproof (Post 4750130)
Can this be done?

Yes, indeedy (I think). But should it?

I'm not totally clear what advantage you hope to gain: you are already dropping the packets that you want to drop, so no advantage there. It could be more efficient (or not), but to know that we'll have to look at the details.

Quote:

Originally Posted by Bulletproof (Post 4750130)
I'd like to be able to block IPs that get dropped by the iptable rule above automatically without having to check the logs and do them manually.

There are several utilities like fail2ban, denyhosts, etc., that can be used to do blocking based on various failure conditions. If I recall correctly, fail2ban is probably the most versatile, so is probably the best place to start.

The general principle is that fail2ban is a filter, written in Python, that looks through log files and, based on the entries in the log files and the conditions that you set, can make new 'block' entries. Now, I'm guessing a bit here, but my guess is that you'd have to have a pretty odd set of conditions for the fail2ban route to use fewer CPU cycles than your existing iptables rule.

So... what do you hope to gain?

(PS: the reply from Lithos came in while I was scribbling.)
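
The principle salasi describes, as an added Python example that is not fail2ban's own code and not from this thread: it assumes the DROP rule from the first post is preceded by a LOG rule with a "SHORTUDP " prefix (the hostname gs1, the addresses and the log lines are constructed), counts hits per source the way fail2ban's maxretry/findtime settings do, and emits the per-IP DROP rules the action step would run.

```python
"""Minimal fail2ban-style filter: find sources repeatedly hitting a logged iptables rule."""
import re
from collections import defaultdict, deque
from datetime import datetime
# Assumed setup (not from the thread): a LOG rule with a fixed prefix placed *before*
# the DROP rule, so the dropped packets leave a trace; DROP alone logs nothing.
# The limit match keeps a flood from filling the log:
#   iptables -A INPUT -p udp --dport 27015 -m length --length 0:32 -m limit --limit 10/s -j LOG --log-prefix "SHORTUDP "
#   iptables -A INPUT -p udp --dport 27015 -m length --length 0:32 -j DROP
LOG_PREFIX = "SHORTUDP "

# Syslog line written by the LOG target: timestamp, host, optional [uptime], prefix, SRC= field.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?:\[\s*[\d.]+\] )?"
    + re.escape(LOG_PREFIX) + r".*?\bSRC=(?P<src>\d+\.\d+\.\d+\.\d+)\b"
)

# Constructed, abbreviated log lines (real ones carry more netfilter fields).
SAMPLE_LOG = """\
Aug  9 13:32:01 gs1 kernel: SHORTUDP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=28 PROTO=UDP SPT=40000 DPT=27015
Aug  9 13:32:02 gs1 kernel: SHORTUDP IN=eth0 OUT= SRC=203.0.113.9 DST=203.0.113.5 LEN=28 PROTO=UDP SPT=40001 DPT=27015
Aug  9 13:32:05 gs1 kernel: SHORTUDP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=28 PROTO=UDP SPT=40002 DPT=27015
Aug  9 13:32:09 gs1 kernel: SHORTUDP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=28 PROTO=UDP SPT=40000 DPT=27015
Aug  9 13:32:30 gs1 kernel: SHORTUDP IN=eth0 OUT= SRC=203.0.113.9 DST=203.0.113.5 LEN=28 PROTO=UDP SPT=40001 DPT=27015
Aug  9 13:32:40 gs1 kernel: SHORTUDP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=28 PROTO=UDP SPT=40000 DPT=27015
Aug  9 13:33:30 gs1 kernel: SHORTUDP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=28 PROTO=UDP SPT=40002 DPT=27015
Aug  9 13:33:35 gs1 kernel: eth0: link is up
Aug  9 13:34:50 gs1 kernel: SHORTUDP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=28 PROTO=UDP SPT=40002 DPT=27015
""".splitlines()

def ban_candidates(lines, maxretry=3, findtime=60, year=2012):
    """Sources seen >= maxretry times within findtime seconds (syslog has no year, so one is supplied)."""
    hits, banned = defaultdict(deque), set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated kernel message, or another rule's prefix
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = hits[m["src"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget hits older than the window
        if len(window) >= maxretry:
            banned.add(m["src"])
    return banned

def ban_commands(ips):
    """The 'action' half: one per-source DROP each, inserted at the top so it is matched first."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]
```

Because UDP sources in a flood can be forged, a per-IP ban only helps against senders that actually reuse their real address, and a long list of such rules is better kept in an ipset than as individual iptables entries.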

Bulletproof 08-09-2012 04:44 PM

Quote:

Originally Posted by salasi (Post 4750162)
Yes, indeedy (I think). But should it?

I'm not totally clear what advantage you hope to gain: you are already dropping the packets that you want to drop, so no advantage there. It could be more efficient (or not), but to know that we'll have to look at the details.

I own a dedicated server used as a game server which gets DDoS'd on a daily basis; I have many iptables rules that filter out the obvious IPs used to DDoS (connections are UDP). Now, by automatically banning the IP, it will prevent it from being used again to DDoS the server. Dropping the connection doesn't prevent it from being used again to DDoS 5 minutes later.

I will be looking into fail2ban, thanks a bunch to all of you for pointing me in the right direction.

unSpawn 08-09-2012 05:30 PM

Quote:

Originally Posted by Bulletproof (Post 4750290)
I own a dedicated server used as a gameserver

What games exactly? Please be specific about versions.
Quote:

Originally Posted by Bulletproof (Post 4750290)
which gets DDoS'd on a daily basis (..) Dropping the connection doesn't prevent it from being used again to DDoS 5 minutes later.

Did you ever look for updates for the game binaries you host?
What gaming experiences, logging, anomalies, evidence or whatever else made you think it's DoS attacks?
Did you ever look for specific game anti-DoS measures?
Did you even try traffic analysis based on packet captures (tcpdump / tshark, Wireshark, Snort)?