How to block a large number of malicious IP addresses in Linux
There are many situations in which you may need to block IP addresses on Linux. As an end user, you may want to protect yourself from known spyware or IP-tracking hosts. If you run P2P software, you may want to filter out connections from anti-P2P networks. As a system administrator, you may want to keep known spam sources away from your company's mail server, or block certain countries from reaching your web services for whatever reason. In many such cases, your IP blocklist can quickly grow to tens of thousands of addresses. How do you handle that?
The problem with netfilter/iptables
On Linux, blocking a single IP address with the netfilter/iptables framework is easy:
- $ sudo iptables -A INPUT -s 1.1.1.1 -p TCP -j DROP
To block an entire IP address range, the command is just as simple:
- $ sudo iptables -A INPUT -s 1.1.2.0/24 -p TCP -j DROP
But what if you have 1000 individual IP addresses that share no CIDR (Classless Inter-Domain Routing) prefix? You would need 1000 iptables rules! That clearly does not scale to large blocklists.
- $ sudo iptables -A INPUT -s 1.1.1.1 -p TCP -j DROP
- $ sudo iptables -A INPUT -s 2.2.2.2 -p TCP -j DROP
- $ sudo iptables -A INPUT -s 3.3.3.3 -p TCP -j DROP
- ...
What is an IP set?
This is where IP sets come in. An IP set is a kernel feature that lets you encode and efficiently store multiple (independent) IP addresses, MAC addresses, or even port numbers in bitmap or hash kernel data structures. Once an IP set is created, you can write an iptables rule that matches against the set.
The benefit is immediately obvious: a single iptables rule can match any number of IP addresses. You can build an IP set from multiple IP addresses and port numbers, and update the set dynamically without degrading the performance of the rule.
Installing ipset on Linux
To create and manage IP sets, you use a user-space tool called ipset.
To install it on Debian, Ubuntu, or Linux Mint:
- $ sudo apt-get install ipset
To install it on Fedora or CentOS/RHEL 7:
- $ sudo yum install ipset
Blocking IP addresses with the ipset command
Let me show how to use the ipset command with a simple example.
First, let's create a new IP set named banthis (the name is arbitrary):
- $ sudo ipset create banthis hash:net
The second argument (hash:net) is required and specifies the set type. There are several set types; the hash:net type stores multiple CIDR blocks in a hash. If you want to store individual IP addresses in a set, use the hash:ip type instead.
Once the IP set is created, you can inspect it with:
- $ sudo ipset list
This lists the available IP sets along with details about each set's members. By default, an IP set can hold up to 65536 elements (CIDR blocks). You can change this limit by appending the "maxelem N" option:
- $ sudo ipset create banthis hash:net maxelem 1000000
Now let's add some IP blocks to the set:
- $ sudo ipset add banthis 1.1.1.1/32
- $ sudo ipset add banthis 1.1.2.0/24
- $ sudo ipset add banthis 1.1.3.0/24
- $ sudo ipset add banthis 1.1.4.10/24
You will see that the set's members have changed:
- $ sudo ipset list
Now it is time to create an iptables rule that uses the IP set. The key is the "-m set --match-set" option.
Let's create an iptables rule that stops the IP blocks above from reaching the web service on port 80. Run the following command:
- $ sudo iptables -I INPUT -m set --match-set banthis src -p tcp --destination-port 80 -j DROP
If you want, you can save a given IP set to a file and later restore it from that file:
- $ sudo ipset save banthis -f banthis.txt
- $ sudo ipset destroy banthis
- $ sudo ipset restore -f banthis.txt
In the preceding commands, I used the destroy option to delete an existing IP set to see if I can restore it.
Automatically blocking IP addresses
By now you should see how powerful IP sets are. Still, maintaining an IP blocklist by hand is cumbersome and time-consuming. Fortunately, there are many free and paid services that do this for you. On top of that, let's see how to load such a blocklist into an IP set automatically.
First, let's get a free blocklist from iblocklist.com. The site offers various free and paid lists; the free lists are in P2P format.
Next, I will use an open-source Python tool called iblocklist2ipset to convert a P2P blocklist into an IP set.
First, you need to install pip (see this guide on installing pip).
Then run the following command to install iblocklist2ipset:
- $ sudo pip install iblocklist2ipset
On some distributions such as Fedora, you may instead need to run:
- $ sudo python-pip install iblocklist2ipset
Go to iblocklist.com and grab the URL of any P2P list (for example, the "level1" list).
Paste the URL into the following command:
- $ iblocklist2ipset generate \
-     --ipset banthis "http://list.iblocklist.com/?list=ydxerpxkpcfqjaybcssw&fileformat=p2p&archiveformat=gz" \
-     > banthis.txt
After the command completes, you will have a file named banthis.txt. Its contents look like this:
- create banthis hash:net family inet hashsize 131072 maxelem 237302
- add banthis 1.2.4.0/24
- add banthis 1.2.8.0/24
- add banthis 1.9.75.8/32
- add banthis 1.9.96.105/32
- add banthis 1.9.102.8.0/32
- add banthis 1.9.189.65/32
- add banthis 1.16.0.0/14
Load the file with the following ipset command:
- $ sudo ipset restore -f banthis.txt
Now you can view the automatically created IP set:
- $ sudo ipset list banthis
At the time of writing, the "level1" list contains 237,000 blocked IP addresses. You can see that a large number of IP addresses have been added to the IP set.
Finally, create an iptables rule to block these bad guys!
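To make the restore-file format above concrete, here is an added example (written for this page; it is not the article's own code and not the iblocklist2ipset project) that does the conversion step in plain POSIX shell: it reads a P2P-format list (assumed to be one "description:START-END" IPv4 range per line, with "#" comments and blank lines allowed), expands every range into the minimal set of aligned CIDR blocks, and writes the same "create ... / add ..." lines that ipset restore -f expects, sizing maxelem to the list as iblocklist2ipset does. The sample list embedded at the end is constructed for the demo, not an excerpt of any real blocklist; malformed lines are reported on stderr and skipped rather than silently producing a broken restore file.

```shell
#!/bin/sh
# Added example: convert an iblocklist-style P2P list into an ipset restore file.
# Not from the original article or from iblocklist2ipset; input format is assumed.

# Dotted-quad IPv4 -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad (no trailing newline).
int2ip() {
    printf '%d.%d.%d.%d' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# Emit the minimal list of CIDR blocks covering START..END (inclusive), one per
# line. Each block is the largest one that begins at the current address, is
# aligned to its own size, and does not extend past END.
range_to_cidrs() {
    start=$(ip2int "$1"); end=$(ip2int "$2")
    while [ "$start" -le "$end" ]; do
        # Shortest prefix length for which START is an aligned block start.
        plen=32
        while [ "$plen" -gt 0 ] && [ $(( start % (1 << (33 - plen)) )) -eq 0 ]; do
            plen=$(( plen - 1 ))
        done
        # Longest block that still fits: 32 - floor(log2(addresses remaining)).
        n=$(( end - start + 1 )); x=0
        while [ $(( n >> (x + 1) )) -gt 0 ]; do x=$(( x + 1 )); done
        if [ "$plen" -lt $(( 32 - x )) ]; then plen=$(( 32 - x )); fi
        printf '%s/%d\n' "$(int2ip "$start")" "$plen"
        start=$(( start + (1 << (32 - plen)) ))
    done
}

# Read a P2P list on stdin, write an ipset restore file for set NAME on stdout.
p2p_to_ipset() {
    name=$1
    adds=$(tr -d '\r' | while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        # Split on the LAST colon: descriptions may themselves contain colons.
        range=${line##*:}
        case $range in
            *.*.*.*-*.*.*.*) ;;
            *) printf 'skipping malformed line: %s\n' "$line" >&2; continue ;;
        esac
        range_to_cidrs "${range%-*}" "${range#*-}" | sed "s/^/add $name /"
    done)
    if [ -n "$adds" ]; then count=$(printf '%s\n' "$adds" | wc -l | tr -d ' '); else count=0; fi
    # ipset's default maxelem is 65536; grow it when the list is larger.
    printf 'create %s hash:net family inet maxelem %d\n' "$name" \
        $(( count > 65536 ? count : 65536 ))
    if [ -n "$adds" ]; then printf '%s\n' "$adds"; fi
}

# Constructed sample in P2P format (not a real iblocklist excerpt).
SAMPLE_P2P='# constructed sample list
Example range A:1.2.4.0-1.2.4.255
Example host:1.9.75.8-1.9.75.8
Example:with:colons:1.16.0.0-1.19.255.255
Unaligned range:10.0.0.1-10.0.0.4
garbage line without a range'

# Demo: print the restore file for the sample (the malformed line goes to stderr).
printf '%s\n' "$SAMPLE_P2P" | p2p_to_ipset banthis
```

On a real list you would run something like `zcat level1.gz | p2p_to_ipset banthis > banthis.txt`, check the output, and then load it with `sudo ipset restore -f banthis.txt`, followed by the same `-m set --match-set banthis src` iptables rule used earlier. The unaligned range in the sample is the case worth noting: 10.0.0.1-10.0.0.4 cannot be expressed as one block and comes out as 10.0.0.1/32, 10.0.0.2/31 and 10.0.0.4/32, which is why the entry count in the restore file can exceed the number of ranges in the source list.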
Summary
This article showed how to use the powerful ipset tool to block unwanted IP addresses. Combined with the third-party tool iblocklist2ipset, you can maintain your IP blocklist with little effort. For those curious about how much ipset improves performance, the original article includes benchmark results for iptables with and without ipset (note the time axis).
Tell me how much you like this. :-)