Wednesday, March 30, 2011

How to block huge amount of IP adresses

Sometime you need to block really big numbers of IP addresses. It could be for different reasons. For example, in case of password bruteforce, DDoS attack. Of course, you can block them just in iptables. But there can be a problem. If set of IP adresses contain thousands of items iptables perfomance decreases (actually, perfomance of netfilter, as soon as iptables is just a tool for managing firewall). Your CPU load can increase too. Fortunately there is a perfect solution – ipsets.
So here is a problem. You need to add thousand of IP to your firewall. In almost all cases there are random IPs from various network. Here we suppose you run Fedora 14 box so you don’t have to recompile kernel modules.
First of all you need to install xtables-addons. You can find it in RPM fusion repository.
yum install  xtables-addons
Next create ipset chain. We’ll call it autoban:
ipset -N autoban iphash ––hashsize 4096 ––probes 2 ––resize 50
Add it to your iptables chain. It can differ depending on your firewall settings. Here we use ethin chain.
iptables -I ethin 2 -p tcp -m multiport ––dport 80,443 -m set ––match-set autoban src -j DROP
Now you can add all bad IP to your ipset. For instance, you have text file called bots.txt with one IP per line. So you can add them to ipset using simple bash script:
for i in $( cat /tmp/bots.txt ) ; do ipset -A ban $i ; done
To check run:
ipset -L autoban
Save rules to config:
/etc/init.d/ipset save
Enable ipset startup script to load after reboot.
chkconfig ipset on
Note! To prevent blocking yourself you may add simple cron task:
*/5 * * * * ipset -F
In case you made some mistake it will flush all items from all ipsets.
Also you should know ipset supports different IP sets –– ipmap, macipmap, portmap, nethash and so on.
Refer to man ipset to choose which fit your requirements.
Starting with version 5.0 ipset supports IPv6. But Fedora 14 includes ipset 4.4.

Courtesy : http://supportex.net/2011/02/block-huge-amount-ip-adresses-ipset-fedora-14/