@destan
Last active December 21, 2015 14:39
# creates a new chain, blacklistdrop, which logs the packet, records its source IP in the BLACKLIST recent list and drops the packet
sudo iptables -N blacklistdrop
sudo iptables -A blacklistdrop -j LOG --log-prefix "Adding to BLACKLIST: "
sudo iptables -A blacklistdrop -m recent --name BLACKLIST --set -j DROP

# If a packet is from a host seen in BLACKLIST within the last 120 seconds, this rule refreshes its BLACKLIST entry (so the 120 s window restarts) and the packet is dropped.
sudo iptables -A INPUT -m recent --name BLACKLIST --update --seconds 120 -j DROP

# If a packet is from a host already in the ZAA_URL list and exceeding the limit (2 hits within 30 seconds), this rule sends it to the blacklistdrop chain to be blacklisted and then dropped
sudo iptables -A INPUT -i eth0 -p tcp --dport 80 --match string --string "zaa.html" --algo kmp --match recent --update --name ZAA_URL --seconds 30 --hitcount 2 -j blacklistdrop

# If a packet is from a host behaving well so far, add it to the "ZAA_URL" list and accept it
sudo iptables -A INPUT -i eth0 -p tcp --dport 80 --match string --string "zaa.html" --algo kmp --match recent --set --name ZAA_URL -j ACCEPT

investigate blacklisted ips (the list file is named after the recent list, is case sensitive and is root-readable only)

sudo cat /proc/net/xt_recent/BLACKLIST

remove blacklisted ip

sudo sh -c 'echo "-127.0.0.1" >> /proc/net/xt_recent/BLACKLIST'

add ip to blacklist

sudo sh -c 'echo "+127.0.0.1" >> /proc/net/xt_recent/BLACKLIST'
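The three commands above (inspect, remove, add) as a small set of shell helpers, added here as an example and not part of the original gist. It assumes the kernel's xt_recent file format (`src=... ttl: ... last_seen: ... oldest_pkt: N <stamps>`), defaults to the BLACKLIST list created above, and validates the address before writing a `+`/`-` command into the proc file, because the module also accepts a bare `/` that flushes the whole list. The sample entries at the top are constructed so the demo runs without root.

```shell
#!/bin/sh
# Added example (not part of the original gist): inspect and edit an xt_recent
# list through its /proc file. RECENT_FILE defaults to the BLACKLIST list the
# rules above create; every function also accepts an explicit file path, which
# is what the demo at the bottom uses with a constructed sample.
RECENT_FILE="${RECENT_FILE:-/proc/net/xt_recent/BLACKLIST}"

# Constructed sample in the kernel's xt_recent format: one entry per line; the
# numbers after "oldest_pkt: N" are jiffies timestamps of the remembered hits.
write_sample_recent() {
    cat <<'EOF'
src=10.0.0.7 ttl: 64 last_seen: 4295123456 oldest_pkt: 1 4295123000, 4295123456
src=10.0.0.9 ttl: 64 last_seen: 4295123460 oldest_pkt: 0 4295123460
EOF
}

# Prints "<ip> <hits>" per entry, most hits first. Hits are counted from the
# timestamp list, so the result is the same whether the kernel separates the
# stamps with ", " or ",".
recent_summary() {
    awk '{
        ip = substr($1, 5)                          # drop the "src=" prefix
        tail = $0
        sub(/.*oldest_pkt: [0-9]+ */, "", tail)     # keep only the stamp list
        hits = (tail == "") ? 0 : gsub(/,/, ",", tail) + 1
        print ip, hits
    }' "${1:-$RECENT_FILE}" | sort -k2,2nr
}

# Accept only a dotted-quad IPv4 address before writing to the proc file; the
# module also understands a bare "/" (flush everything), which is deliberately
# not reachable through these helpers.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# recent_add IP [file] / recent_remove IP [file]: "+IP" adds or refreshes an
# entry, "-IP" removes it (the same writes as the echo commands above).
recent_add()    { is_ipv4 "$1" || return 2; printf '%s%s\n' + "$1" >> "${2:-$RECENT_FILE}"; }
recent_remove() { is_ipv4 "$1" || return 2; printf '%s%s\n' - "$1" >> "${2:-$RECENT_FILE}"; }

# Stand-alone demo: summarise a real list if a path is given, else the sample.
if [ $# -ge 1 ]; then
    recent_summary "$1"
else
    demo=$(mktemp); write_sample_recent > "$demo"; recent_summary "$demo"; rm -f "$demo"
fi
```

Run it with no arguments to see the summary of the constructed sample, or as root with `/proc/net/xt_recent/BLACKLIST` as the argument for the live list; `recent_add`/`recent_remove` are meant to be sourced into a root shell.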

reset

Put the commands that reset the iptables config into a file, /opt/resetiptables.sh, then link it into the global command path

... and no, there is no shorthand iptables command to reset all config at once because fuck you :/

sudo nano /opt/resetiptables.sh

# write the content below into the file, save, exit

sudo chmod +x /opt/resetiptables.sh
sudo ln -sf /opt/resetiptables.sh /usr/local/bin/resetiptables

# afterwards either of these resets the firewall
sudo /opt/resetiptables.sh
sudo resetiptables

content (flush and delete everything in the filter, nat and mangle tables, then reopen the default policies):

#!/bin/sh
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

Make iptables log to a specific file

cd /etc/rsyslog.d/
sudo nano 50-xscores.conf

# write the following 2 lines into the new file, save, exit
:msg, contains, "Adding to BLACKLIST"       /var/log/xscores.log
:msg, contains, "Adding to BLACKLIST"     ~

sudo service rsyslog restart

about 50-xscores.conf

  • the first line redirects messages containing the LOG prefix to the specified file
  • the second line should stop those messages from also being written to the default log file, but it seems not to work in Ubuntu: you can observe the same messages in your own file as well as in dmesg
  • the prefix 50- probably has something to do with config priority, I don't know, it works like this so I don't care
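Once the LOG lines land in /var/log/xscores.log, the next question is which sources were blacklisted, how often and when. The helper below answers that; it is an added example, not part of the original gist. It assumes rsyslog's default `Mon DD HH:MM:SS host kernel:` prefix in front of the kernel LOG fields (`IN=`, `SRC=`, `DPT=`, ...) and the log prefix set above; the sample lines are constructed so the demo runs without the real log.

```shell
#!/bin/sh
# Added example (not part of the original gist): triage the log file that the
# rsyslog rule above fills with "Adding to BLACKLIST:" lines. It assumes the
# kernel LOG format (IN= ... SRC= ... DPT= ...) behind rsyslog's default
# "Mon DD HH:MM:SS host kernel:" prefix; XSCORES_LOG is the file from 50-xscores.conf.
XSCORES_LOG="${XSCORES_LOG:-/var/log/xscores.log}"

# Constructed sample: two blacklisting events for one source, one for another,
# plus an unrelated line that a sloppy grep over the whole log would pick up.
write_sample_log() {
    cat <<'EOF'
Aug 23 10:15:02 web1 kernel: [123456.789012] Adding to BLACKLIST: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Aug 23 10:15:03 web1 kernel: [123457.101010] Adding to BLACKLIST: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12346 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Aug 23 10:16:40 web1 kernel: [123554.000001] Adding to BLACKLIST: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=777 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=29200 RES=0x00 ACK PSH URGP=0
Aug 23 10:17:00 web1 sshd[1234]: Accepted publickey for admin from 192.0.2.1 port 50000 ssh2
EOF
}

# Per-source summary, busiest source first:
#   "<hits> <src> first=<timestamp> last=<timestamp>"
blacklist_report() {
    awk -v prefix="Adding to BLACKLIST:" '
        index($0, prefix) == 0 { next }          # only lines our LOG rule produced
        {
            src = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
            if (src == "") next                  # malformed line, skip it
            stamp = $1 " " $2 " " $3             # rsyslog timestamp, e.g. "Aug 23 10:15:02"
            if (!(src in hits)) first[src] = stamp
            hits[src]++
            last[src] = stamp
        }
        END {
            for (s in hits)
                printf "%d %s first=%s last=%s\n", hits[s], s, first[s], last[s]
        }' "${1:-$XSCORES_LOG}" | sort -k1,1nr
}

# How many distinct sources have been blacklisted according to the log.
blacklist_source_count() {
    blacklist_report "$1" | awk 'END { print NR }'
}

# Stand-alone demo: report on a real log if a path is given, else on the sample.
if [ $# -ge 1 ]; then
    blacklist_report "$1"
else
    demo=$(mktemp); write_sample_log > "$demo"; blacklist_report "$demo"; rm -f "$demo"
fi
```

The report keys on the LOG prefix rather than on `SRC=` alone, so other kernel messages that rsyslog may write into the same file (the second filter line above does not always suppress duplicates) are ignored.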