Here’s how you can block traffic coming from an IP, list of IPs, full networks or even entire countries. This is done under a Debian 7 x86 server so adapt the commands to your distro of choice…
1 – Install ipset, for commands reference check http://ipset.netfilter.org
apt-getinstall ipset
2 – Setup your sets, sets are basically lists in which you’ll add all the IP or IP networks to it, in this case I’m creating a list to support IP Networks (x.x.x.x/yy form). If you need to create a set to support individual IPs use the hash:ip option.
#Create 3 lists, 2 to support networks and 1 to support single IP addresses
#hash:net = Networks
#hash:ip = single IPs
# Command is ipset -N setname [set options], but I'm using default
# options here
ipset-Nchina hash:net
ipset-Nsome-country hash:net
ipset-Nbadguys hash:ip
# Now we list the just created sets with:
ipset-L
Appropriate firewall rules heavily depend on the services being run. Below are iptables rulesets to secure your Linode if you’re running a web server. These are given as an example! A real production web server may want or require more or less configuration and these rules would not be appropriate for a file or database server, Minecraft or VPN server, etc.
iptables rules can always be modified or reset later, but these basic rulesets serve only as a beginning demonstration.
IPv4
/tmp/v4
*filter# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-AINPUT -ilo -jACCEPT
-AINPUT ! -ilo -s127.0.0.0/8 -jREJECT# Allow ping and traceroute.
-AINPUT -picmp --icmp-type3 -jACCEPT
-AINPUT -picmp --icmp-type8 -jACCEPT
-AINPUT -picmp --icmp-type11 -jACCEPT# Allow SSH connections.
-AINPUT -ptcp -mstate --stateNEW --dport22 -jACCEPT# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-AINPUT -ptcp --dport80 -jACCEPT
-AINPUT -ptcp --dport443 -jACCEPT# Accept inbound traffic from established connections.
-AINPUT -mstate --stateESTABLISHED,RELATED -jACCEPT# Log what was incoming but denied (optional but useful).
-AINPUT -mlimit --limit5/min -jLOG --log-prefix"iptables_INPUT_denied: " --log-level7# Reject all other inbound.
-AINPUT -jREJECT# Log any traffic which was sent to you
# for forwarding (optional but useful).
-AFORWARD -mlimit --limit5/min -jLOG --log-prefix"iptables_FORWARD_denied: " --log-level7# Reject all traffic forwarding.
-AFORWARD -jREJECTCOMMIT
Optional: If you plan to use Linode Longview, add this additional rule below the section for allowing HTTP and HTTPS connections:
# Allow incoming Longview connections
-A INPUT -s longview.linode.com -m state --state NEW -j ACCEPT
When the Great Firewall of China starts hosing your server with unexpected and unrelated traffic, how do you deal with it?
Discovering a problem
Three times in the last week I’ve had email reports from my Linode’s automatic warning system, informing me that the server had exceeded an average 8Mb/s output for a two hour period. Each time I logged on the traffic had gone right back down, and my website analytics never showed unusual traffic. By the third occurrence I wanted to get to the bottom of it, and I already had suspicions.
Those spikes are not normal.
Earlier in the day I’d stumbled across Craig Hockenberry’s post Fear China, where he was seeing a similar (but larger) problem over a longer period than I was. I looked into my access logs… and discovered I did indeed have the same problem, though it looks like I caught it earlier., or it was less severe.
Being DDOS’d via the Great Firewall of China
Distributed Denial of Service attacks flood a server with pointless requests from many computers all at once.
My logs showed requests for services and URLs that had nothing to do with my server, including an awful lot of BitTorrent URLs. Checking the geolocation of the requesting IPs showed they were all inside China. As Craig’s post covered – it looks a lot like there’s a mis-configuration with China’s state controlled firewall, and people’s normal traffic is sometimes being sent to entirely the wrong servers.
I wondered how bad my server was getting hit, as it didn’t seem to be in the same league as Craig’s:
Almost 27Mb/s out is roughly 95 times greater than normal for that server – close to two orders of magnitude increase, and I didn’t like that – I could imagine this getting worse rapidly.
Blocking China
As Craig discusses, there’s really no option but to block everyone from China. Unfortunately for me, I wasn’t using ipfw as a firewall so I couldn’t follow his advice. Having finally figured out how to do this I thought I’d write a step-by-step guide assuming you’ve not got a firewall already set up.
Few days ago, my friend’s WordPress website went down. After investigation, I have figured out that it was receiving massive amount of posts requests to the xmlrpc.php file, which brings the apache and mysql to eat up all the system resources and the website crashed. Fortunately, I have figured out the way to mitigate this attack using Fail2Ban, which I’ll share in this post.
Install the Fail2Ban package using the following command:
apt-get install fail2ban iptables
Make a local copy of jail.conf file for configuration change:
You would like to block outgoing access to particular remote host/ip or port for all or selected service/port. In this quick tutorial I will explain how to use iptables to block outgoing access.
Block Access To Outgoing IP Address
The following rule will block ip address 202.54.1.22 from making any outgoing connection:
iptables -A OUTPUT -d 202.54.1.22 -j DROP
The above will block chat server ip address or site having dangerous contains such as viruses or malware.
Block Access To Outgoing IP TCP / UDP Port Number
To block specific port number such tcp port # 5050, enter: iptables -A OUTPUT -p tcp --dport 5050 -j DROP
To block tcp port # 5050 for an IP address 192.168.1.2 only, enter: iptables -A OUTPUT -p tcp -d 192.168.1.2 --dport 5050 -j DROP
Finally, you need to save your firewall rules. Under CentOS / RHEL / Fedora Linux, enter: # /sbin/service iptables save OR # /etc/init.d/iptables save
