I thought I would put together a solution myself based on the same ingredients. The reason is that I have realised I have become dependent on mainstream vendors to deploy solutions, and they don't always fully address the need. With the push to virtualisation, it would be good to have a powerful virtualised firewall just like the big boys. So here is what I have done so far.
High performance Ubuntu Firewall
If you run a webserver you will know that it is scanned and probed from particular networks, originating from a hot-spot of countries. If your web application does not need to serve those countries, why not just block them? It can prove expensive in terms of performance: blocking a whole country can take thousands of rules (http://www.countryipblocks.net/). Using this solution you can do things some of the big boys can't (SonicWall!). With iptables and ipset you can create thousands of rules and objects without heavily impacting performance.
Iptables is already part of all Linux distributions; however, ipset is not. You have to install it, and it can be a bit awkward. In Ubuntu 10.04 LTS, though, it is a piece of cake.
sudo apt-get install ipset ipset-source
m-a a-i ipset
Running the previous commands installs the required kernel modules using module-assistant, together with the user-space tools. You are now ready to create your very large firewall rules. This is so much easier than patching the kernel with patch-o-matic and recompiling iptables. This is how you use it.
Create your sets. You can get your network list from http://www.countryipblocks.net/ and write a script that generates the commands to build the set.
ipset --create feckoff nethash
ipset --add feckoff 27.8.0.0/12
ipset --add feckoff 27.24.0.0/13
ipset --add feckoff 27.36.0.0/13
ipset --add feckoff 27.44.0.0/14
ipset --add feckoff 27.50.128.0/17
ipset --add feckoff 27.54.192.0/18
ipset --add feckoff 27.144.0.0/16
ipset --add feckoff 27.148.0.0/10
ipset --add feckoff 27.212.0.0/12
ipset --add feckoff 58.14.0.0/13
ipset --add feckoff 58.22.0.0/14
....... etc. etc. Hundreds of subnets later you have added all your subnets. DON'T MIX in /32 networks, i.e. single hosts.
Now here comes the important bit. Now that you have created your ipset you can apply it to your rule base.
iptables -A INPUT -m set --set feckoff src -j DROP
You have just blocked thousands of subnets with one command in your ruleset. In an ideal world you would not really want to block a whole range of subnets like this; it is not the best use of resources. However, there are times when this is required to increase the security of your webserver against a particular type of attack.
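The script the post suggests writing, as an added example that is not from the original post: it takes a plain list of CIDR blocks (the kind countryipblocks.net hands out), cleans it up, and prints the ipset/iptables commands shown above. The set name "blocked_nets" and the sample list are constructed; the command syntax follows the post, and /32 entries are dropped because of the warning above about mixing hosts into a nethash set.

```bash
#!/bin/bash
# Added example, not the original post's code. Turns a CIDR list into the
# ipset/iptables commands used above. "blocked_nets" and the sample list
# are constructed; the --create/--add and "-m set --set" syntax is the post's.

# normalise_cidrs: read CIDR blocks on stdin, one per line, and print a
# clean sorted list. Comments, blank lines, malformed entries and /32
# single hosts are dropped (the post says not to mix hosts into a nethash).
normalise_cidrs() {
    awk -F'[./]' '
        /^[ \t]*(#|$)/ { next }                   # comment or blank line
        NF != 5        { next }                   # not of the form a.b.c.d/len
        { for (i = 1; i <= 5; i++) if ($i !~ /^[0-9]+$/) next }
        $1 > 255 || $2 > 255 || $3 > 255 || $4 > 255 { next }
        $5 < 8 || $5 > 31 { next }                # /32 (single host) rejected
        { print $1 "." $2 "." $3 "." $4 "/" $5 }
    ' | sort -u
}

# emit_rules NAME: wrap the list from stdin in the ipset commands and
# finish with the single iptables rule that matches the whole set.
emit_rules() {
    name="$1"
    echo "ipset --create $name nethash"
    while IFS= read -r net; do
        echo "ipset --add $name $net"
    done
    echo "iptables -A INPUT -m set --set $name src -j DROP"
}

# Constructed sample list: the duplicate, the comment, the /32 host and
# the junk line are all dropped by normalise_cidrs.
sample_list='27.8.0.0/12
27.24.0.0/13
# partial list, constructed for the example
27.8.0.0/12
203.0.113.7/32
not-a-network'

# Print the rules rather than running them; pipe the output into "sh"
# as root to apply them.
printf '%s\n' "$sample_list" | normalise_cidrs | emit_rules blocked_nets
```

Current iptables builds spell the match as -m set --match-set; --set is the older form used in the post, so adjust the last line of emit_rules if your iptables rejects it.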
Courtesy : http://www.jsimmons.co.uk/2010/06/08/using-ipset-with-iptables-in-ubuntu-lts-1004-to-block-large-ip-ranges/