Sometimes you don't want any traffic from a certain organization... none at all, not even from their employees. An effective way to do just that is to determine every IP address that belongs to a certain Autonomous System (AS), which is the unit in which IP space is generally allocated to organizations that have a significant[^1] presence on the internet.
- Typical stuff like `curl` and `iptables` and maybe `sudo` if you aren't already root.
- `hxselect` and `hxnormalize` (from the W3C html-xml-utils). This is probably packaged by your distro. Mine is gentoo but some folks use arch and normal people use debian.
- Some version of Go[^2] that is at least 1.18.
This example abuses Hurricane Electric's public AS query page to get a list of CIDRs for an AS. There are probably better ways to do this, but I trust HE to be up-to-date, where a lot of databases are not.
Note that HE blocks `curl` through detection of the user agent, which is completely valid; they would not want an automated system hammering this webpage for anything at scale. You, however, are a human, and you can indicate as much with a little fib.
```sh
curl -vL -A 'human/person' https://bgp.he.net/AS32934 -o as32934.html
```
HTML is not a good data transport format. It's really meant to be transformed into something humans can eat with their eyes, but that doesn't mean we can't ask a computer to nibble on it too. We use two tools: `hxnormalize` to fix up some of the sloppy HTML and `hxselect` to extract data from the HTML tables.
```sh
hxnormalize -x < as32934.html | hxselect -c -s '\n' '#table_prefixes4 > tbody > tr > td.nowrap > a' > list.v4
hxnormalize -x < as32934.html | hxselect -c -s '\n' '#table_prefixes6 > tbody > tr > td.nowrap > a' > list.v6
```
Note that the above two lines are specific to the format of the webpage that he.net is using today, which may change in the future. There are other ways to get CIDRs for an AS; this one worked for me at the end of 2023.
This step uses the Go program that accompanies this gist. You can download it directly or copy/paste it into a text file. I called it `cidrsquish.go` because I like a good pun (about how apples are turned into cider) but you do you. Use the `cat` command to combine the IPv4 and IPv6 lists and pipe them into the Go program, which turns them into a set of `iptables` and `ip6tables` commands. Adjust the flags to the commands to your liking.[^3]
```sh
cat list.v4 list.v6 | go run cidrsquish.go -chain as32934 -sudo
```
You should have a list of commands that creates a chain named `as32934`, adds a bunch of `DROP` rules, and ends the chain with a `RETURN` action (if you used the command above as-is), which should be safe to paste into your server. Note that this is only a "should"... you must look at the commands before you run them to validate that they are not dangerous.[^4]
The expected output from pasting these commands is nothing; after each command, there should be no errors. If the very first command fails, you are probably trying to update an existing chain with new IPs, which means you need to add `-flush` to the command. This is dangerous! It is probably best to choose a new chain name, create it, and update the references in your `INPUT` chain to point to the new one.
We're almost done, but we have the scary part left: touching your actual live firewall rules. If you're connected remotely (e.g. via `ssh` or `mosh`) then you risk locking yourself out of your server. Ideally, have a backup access option, or have a snapshot-rollback option. You need to know how to regain access anyway; today is a great day to learn if you don't.
We need to jump from our main "a packet arrived" `INPUT` chain to our new chain that blocks all those IP ranges. This uses the same `-j` flag a `DROP` rule uses to name its target, except here the target is our chain. It will look like this:
```sh
sudo iptables -I INPUT -i internetif0 -j as32934
sudo ip6tables -I INPUT -i internetif0 -j as32934
```
You need to know what `internetif0` is supposed to be. It's the network interface that's facing the internet on your server; `ip route show default` will usually tell you, since it names the interface your default route leaves through.
Once you run these, the changes are immediate. You may need to do something on your distribution to save the rules so they are restored when your server reboots. On gentoo, this is `rc-service iptables save; rc-service ip6tables save`, and everyone else on Earth will need to search their documentation for their distro.
If you need help, search `@ironiridis@mspsocial.net` on the fediverse and send me a DM.
This is free and unencumbered software released into the public domain.
Anyone is free to copy, modify, publish, use, compile, sell, or
distribute this software, either in source code form or as a compiled
binary, for any purpose, commercial or non-commercial, and by any
means.
In jurisdictions that recognize copyright laws, the author or authors
of this software dedicate any and all copyright interest in the
software to the public domain. We make this dedication for the benefit
of the public at large and to the detriment of our heirs and
successors. We intend this dedication to be an overt act of
relinquishment in perpetuity of all present and future rights to this
software under copyright law.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.
For more information, please refer to <https://unlicense.org>
[^1]: Significant in this situation means organizations large enough to want/need a huge block of IPs. They're usually assigned either to organizations that have been on the internet for a long time, or to organizations that deal with big internet infrastructure.
[^2]: "uuggghh why go" Well, because the AS listing may include hundreds of CIDRs with overlaps. You don't want to process every inbound packet against 120 redundant address comparisons when two will do. The Go standard library has great built-in support for calculating IPv4 and IPv6 prefixes, and I like it, and this gist is free.
[^3]: You can run `go run cidrsquish.go -help` to see the available flags, or look at the source; they're near the top.
[^4]: I am just an enby on the internet giving you dangerous security advice with no guard rails. I could be deleting your files or seducing your loved ones. You should approach everything here with a sense of dread and foreboding. Actually, that's true for everything on the internet.