How to block malicious IP addresses massively under Linux

In many cases, you may need to block IP addresses under Linux. For example, as an end user, you may want to be immune from spyware or IP tracking. Or when you're running the peer software. You may want to filter the Internet links for anti-peer activities. If you are a system administrator, you may want to prohibit the junk IP address from accessing your corporate mail server. Or you want to prohibit certain countries from accessing your Web services for some reason. In many cases, however, your IP address mask list may quickly grow to tens of thousands of IP. What should I do with this?

Netfilter/iptables's Problem

In Linux, it is easy to use the Netfilter/iptables framework to disallow IP addresses:

1. $ sudo iptables -A INPUT -S 1.1. 1.1 -p TCP -J DROP

If you want to completely block an IP address segment, you can do so simply by using the following command:

1. $ sudo iptables -A INPUT -S 1.1. 2.0/ P-TCP -J DROP

However, what do you do when you have 1000 independent IP addresses and do not have a CIDR (Classless Inter-domain route) prefix? You're going to have 1000 iptable rules! This is obviously not suitable for mass shielding.

2. $ sudo iptables -A INPUT -S 1.1. 1.1 -p TCP -J DROP
4. $ sudo iptables -A INPUT -s 2.2. 2.2 -p TCP -J DROP
6. $ sudo iptables -A INPUT -s 3.3. 3.3 -p TCP -J DROP
8. . . . .

What is an IP set?

This is where the IP set comes in. An IP set is a kernel feature that allows multiple (standalone) IP addresses, MAC addresses, or even port numbers to be encoded and efficiently stored in bitmap/hash kernel data structures. Once the IP set is created, you can create a iptables rule to match the collection.

You'll soon see the benefits of the IP collection, which allows you to match multiple IP addresses with one iptable rule! You can construct IP sets with multiple IP addresses and port numbers, and you can dynamically update rules without performance impact.

Installing the Ipset tool in Linux

In order to create and manage IP sets, you need to use a user space tool called Ipset.

To install on Debian, Ubuntu, or Linux Mint:

1. $ sudo apt-get install ipset

Installed on Fedora or Centos/rhel 7:

1. $ sudo yum install ipset

Use the Ipset command to disable IP

Let me show you how to use the Ipset command through a simple example.

First, let's create a new IP set named Banthis (name any):

1. $ sudo ipset create banthis hash:net

The second parameter (hash:net) is required and represents the type of the collection. There are multiple types of IP sets. An IP set of type Hash:net uses hash to store multiple CIDR blocks. If you want to store separate IP addresses in a collection, you can use the Hash:ip type.

Once you have created an IP set, you can use the following command to check:

1. $ sudo ipset list

This displays a list of available IP collections, with detailed information that contains the members of the collection. By default, each IP collection can contain 65,536 elements (this is a CIDR block). You can increase the limit by appending the "Maxelem N" option.

1. $ sudo ipset create banthis hash:net Maxelem 1000000

Now let's add the IP block to this set:

2. $ sudo ipset add banthis 1.1. 1.1/ +
4. $ sudo ipset add banthis 1.1. 2.0/
6. $ sudo ipset add banthis 1.1. 3.0/
8. $ sudo ipset add banthis 1.1. 4.10/

You will see that the members of the collection have changed.

1. $ sudo ipset list

Now it's time to create a iptables rule that uses the IP set. The key here is to use the "-M set--match-set" option.

Now let's create a iptable rule that lets those IP blocks not access the Web service through port 80. You can use the following command:

1. $ sudo iptables -I INPUT -m set --match-set banthis src -< C16>p TCP --destination-Port -J DROP

If you want, you can save a specific set of IP to a file that you can restore from the file later:

1. $ sudo ipset save banthis -F banthis. TXT
2. $ sudo ipset destroy Banthis
3. $ sudo ipset restore -f banthis. TXT

In the above command, I used the destory option to delete an existing IP set to see if I could restore it.

Automatic IP address disable

Now you should see the power of the IP collection. Maintaining the IP blacklist is a tedious and time-consuming task. In fact, there are a lot of free or paid services available to help you do this. An additional benefit is that let's look at how to automatically add IP blacklists to an IP set.

First let's get a free blacklist from iblocklist.com, this site has different free and charged lists. The free version is in-peer format.

Next I'm going to use an open-source Python tool called Iblocklist2ipset to convert the blacklist of the peer to IP set.

First, you need to install the PIP (refer to this guide to install PIP).

Use the following command to install Iblocklist2ipset.

1. $ sudo pip install iblocklist2ipset

In some distributions such as fedora, you may need to run:

1. $ sudo python-pip install iblocklist2ipset

Now to iblocklist.com, crawl any one-to-peer list URL (such as the "Level1" list).

Paste the URL into the following command.

1. $ iblocklist2ipset generate \
2. --Ipset banthis "http://list.iblocklist.com/?list=ydxerpxkpcfqjaybcssw&fileformat=p2p& Archiveformat=gz " \
3. > banthis. TXT

After the above command is run, you will get a file named Banthis.txt. If you look at its contents, you'll see something like this:

2. Create Banthis hash:net family inet hashsize 131072 Maxelem 237302
4. Add Banthis 1.2. 4.0/
6. Add Banthis 1.2. 8.0/
8. Add banthis 1.9. 75.8/ +
10. Add banthis 1.9. 96.105/ +
12. Add banthis 1.9. 102.251/ +
14. Add banthis 1.9. 189.65/ +
16. Add Banthis 1.16. 0.0/ +

You can use the following Ipset command to load this file:

1. $ sudo ipset restore -f banthis. TXT

You can now view the automatically created IP set:

1. $ sudo ipset list banthis

When writing this article, the "Level1" table contains a list of 237,000 shielded IPs. You can see that many IP addresses have been added to the IP set.

Finally, create a iptables command to block these villains!

Summarize

In this article, I describe how you can use powerful Ipset to block unwanted IP addresses. Combined with third-party tool Iblocklist2ipset, you'll be able to smoothly maintain your IP Shield list. Those who are curious about the performance of Ipset show the benchmark results of iptables using and not using Ipset (note the time axis).

Tell me how much you like this. :-)

Via:http://xmodulo.com/block-unwanted-ip-addresses-linux.html

Dan Nanni Translator: GEEKPI proofreading: Wxy

This article by LCTT original translation, Linux China honors launch

How to block malicious IP addresses massively under Linux