Tag: firewall in debian

  • Blocking abusive IP addresses using IPTABLES Firewall in Debian

    In one of our previous articles we posted an instructional guide on how to secure your Debian/Ubuntu based VPS using IPTABLES/Netfilter.

    In the following article we add a blacklist to that firewall script, which lets you block any abusive IP addresses or ranges of IPs on your Debian or Ubuntu based virtual server.

    What is iptables?

    iptables is a user-space application that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules they store.

    Before proceeding any further, make sure you read the article on how to secure and design the firewall on your Linux VPS. It covers:

    Flushing the old firewall rules
    Determining service ports
    Setting up default policies
    Setting up your firewall rules
    Saving your firewall rules

    BLOCKING IPs USING IPTABLES
    To block an abusive IP address or a range of IPs, you can use the following iptables rules:
    ## iptables -I INPUT -s 1.2.3.4 -j DROP
    ## iptables -I INPUT -s 1.2.0.0/16 -j DROP

    CREATING THE BLACKLIST
    For better readability and maintenance, it is a good idea to keep all abusive IPs in one particular file, for example /etc/blacklist.ips. This way, you add the IP addresses or subnets to this file (one IP or subnet per line) and use the fwall-rules script below to block everything listed in it.

    So, create or edit /usr/local/bin/fwall-rules and make it as follows:

    #!/bin/bash
    #
    # iptables firewall script
    # http://www.rosehosting.com
    #

    IPTABLES=/sbin/iptables
    BLACKLIST=/etc/blacklist.ips
    # rules are saved here and restored at boot by the if-pre-up.d hook below
    RULES=/etc/iptables.rules

    echo " * flushing old rules"
    ${IPTABLES} --flush
    ${IPTABLES} --delete-chain
    ${IPTABLES} --table nat --flush
    ${IPTABLES} --table nat --delete-chain

    echo " * setting default policies"
    ${IPTABLES} -P INPUT DROP
    ${IPTABLES} -P FORWARD DROP
    ${IPTABLES} -P OUTPUT ACCEPT

    echo " * allowing loopback devices"
    ${IPTABLES} -A INPUT -i lo -j ACCEPT
    ${IPTABLES} -A OUTPUT -o lo -j ACCEPT

    # drop new TCP connections that do not start with SYN; accept replies to our own traffic
    ${IPTABLES} -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    ${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    ## BLOCK ABUSING IPs HERE ##
    # hard-coded entries; the ${BLACKLIST} file further down is the preferred way
    #echo " * BLACKLIST"
    #${IPTABLES} -A INPUT -s _ABUSIVE_IP_ -j DROP
    #${IPTABLES} -A INPUT -s _ABUSIVE_IP2_ -j DROP

    echo " * allowing ssh on port 5622"
    ${IPTABLES} -A INPUT -p tcp --dport 5622 -m state --state NEW -j ACCEPT

    echo " * allowing ftp on port 21"
    ${IPTABLES} -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT

    echo " * allowing dns on port 53 udp"
    ${IPTABLES} -A INPUT -p udp -m udp --dport 53 -j ACCEPT

    echo " * allowing dns on port 53 tcp"
    ${IPTABLES} -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

    echo " * allowing http on port 80"
    ${IPTABLES} -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

    echo " * allowing https on port 443"
    ${IPTABLES} -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

    echo " * allowing smtp on port 25"
    ${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

    echo " * allowing submission on port 587"
    ${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT

    echo " * allowing imaps on port 993"
    ${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT

    echo " * allowing pop3s on port 995"
    ${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT

    echo " * allowing imap on port 143"
    ${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT

    echo " * allowing pop3 on port 110"
    ${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT

    echo " * allowing ping responses"
    ${IPTABLES} -A INPUT -p ICMP --icmp-type 8 -j ACCEPT

    # DROP everything else and log it
    # (logging is not rate limited here; on a busy host consider adding -m limit)
    ${IPTABLES} -A INPUT -j LOG
    ${IPTABLES} -A INPUT -j DROP

    #
    # Block abusing IPs listed in ${BLACKLIST}, one address or subnet per line.
    # -I inserts each DROP at the top of INPUT, ahead of every ACCEPT rule above.
    #
    if [[ -f "${BLACKLIST}" ]] && [[ -s "${BLACKLIST}" ]]; then
        echo " * BLOCKING ABUSIVE IPs"
        while read -r IP; do
            # skip blank lines and comments
            [[ -z "${IP}" || "${IP}" == \#* ]] && continue
            ${IPTABLES} -I INPUT -s "${IP}" -j DROP
        done < "${BLACKLIST}"
    fi

    #
    # Save settings and install a hook that restores them at boot
    #
    echo " * SAVING RULES"
    if [[ -d /etc/network/if-pre-up.d ]]; then
        if [[ ! -f /etc/network/if-pre-up.d/iptables ]]; then
            printf '#!/bin/bash\n' > /etc/network/if-pre-up.d/iptables
            printf 'test -e %s && iptables-restore -c %s\n' "${RULES}" "${RULES}" >> /etc/network/if-pre-up.d/iptables
            chmod +x /etc/network/if-pre-up.d/iptables
        fi
    fi

    iptables-save > "${RULES}"

    Make sure the script is executable by adding the 'x' bit to it:
    chmod +x /usr/local/bin/fwall-rules

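    A malformed line in /etc/blacklist.ips (a typo, a stray word) makes the iptables -I call fail and leaves the remaining entries unprocessed. The following helper, an added example that is not part of the original script, reads a file in the same one-entry-per-line format, skips blank lines and '#' comments, rejects anything that is not an IPv4 address or CIDR subnet, and prints the rules that would be inserted instead of applying them; the function names and the sample file are this example's own.

```shell
#!/bin/sh
# Added example (not from the original fwall-rules script): validate blacklist
# entries before handing them to iptables, so one bad line cannot abort the loop.

# Succeeds when $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    case $1 in
        */*) ip=${1%%/*}; prefix=${1#*/} ;;
        *)   ip=$1;       prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # digits and single dots only (also keeps glob characters out of set --)
    case $ip in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Reads the blacklist in $1 (one address or CIDR per line; '#' comments and
# blank lines allowed), prints the iptables command for each valid entry and
# reports invalid ones on stderr. Returns 1 if any entry was rejected.
render_blacklist() {
    file=$1; iptables=${2:-/sbin/iptables}; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                            # drop trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t')   # drop whitespace
        [ -n "$line" ] || continue
        if valid_ipv4_cidr "$line"; then
            printf '%s -I INPUT -s %s -j DROP\n' "$iptables" "$line"
        else
            printf 'skipping invalid blacklist entry: %s\n' "$line" >&2
            bad=1
        fi
    done < "$file"
    return "$bad"
}

# Constructed sample blacklist: the last line is rejected, not applied.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# abusive hosts
1.2.3.4
1.2.0.0/16    # whole range
300.1.1.1
EOF
render_blacklist "$sample" || echo "(some entries were skipped)" >&2
rm -f "$sample"
```

    Pipe the output to sh once you are happy with it, or drop the two functions into fwall-rules in place of the plain read loop.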
    APPLYING THE RULES
    To apply the firewall rules and block the abusers, just execute the fwall-rules script and that's it.

    ## fwall-rules
    * flushing old rules
    * setting default policies
    * allowing loopback devices
    * allowing ssh on port 5622
    * allowing ftp on port 21
    * allowing dns on port 53 udp
    * allowing dns on port 53 tcp
    * allowing http on port 80
    * allowing https on port 443
    * allowing smtp on port 25
    * allowing submission on port 587
    * allowing imaps on port 993
    * allowing pop3s on port 995
    * allowing imap on port 143
    * allowing pop3 on port 110
    * allowing ping responses
    * BLOCKING ABUSIVE IPs
    * SAVING RULES
